This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination. IEEE/ACM TRANSACTIONS ON NETWORKING 1 IPv4 Address Sharing Mechanism Classification and Tradeoff Analysis Nejc Škoberne, Olaf Maennel, Iain Phillips, Randy Bush, Jan Zorz, and Mojca Ciglaric Abstract—The growth of the Internet has made IPv4 addresses andonlyone/22prefix (1024 IPv4 addresses). Such allocations a scarce resource. Due to slow IPv6 deployment, IANA-level IPv4 are too small to satisfy current growth rates. address exhaustion was reached before the world could transition The only long-term solution to the IPv4 address exhaustion to an IPv6-only Internet. The continuing need for IPv4 reacha- bility will only be supported by IPv4 address sharing. This paper problem is transition to the IPv6 protocol, which enables ad- reviews ISP-level address sharing mechanisms, which allow In- dressing large numbers of Internet devices [2]. However, today ternet service providers to connect multiple customers who share we observe little IPv6 deployment. IPv6 penetration at content a single IPv4 address. Some mechanisms come with severe and un- providers (top 500 Web sites) is about 24% globally [3] as of predicted consequences, and all of them come with tradeoffs. We March 15, 2013, while is somethingmorethan1%attheuser propose a novel classification, which we apply to existing mech- anisms such as NAT444 and DS-Lite and proposals such as 4rd, side [4] as of the same date. As IPv4 and IPv6 are incompatible, MAP, etc. Our tradeoff analysis reveals insights into many prob- IPv6 designers envisioned a dual-stack deployment [5], with the lems including: abuse attribution, performance degradation, ad- aim that by the time the IPv4 address space became depleted, dress and port usage efficiency, direct intercustomer communica- IPv6 would be universally deployed. Unfortunately, this did not tion, and availability. happen, though some Internet service provider (ISP) backbones Index Terms—Address family translation, address plus port have moved to dual-stack in the last few years. Thus, the IPv4 (A+P), carrier grade NAT (CGN), IPv4 address sharing, IPv6 protocol remains the predominant protocol and will do for some transition, network address translation (NAT). time during which the coexistence of both Internets needs to be maintained [6]. Eventually, IPv6 will become ubiquitous, and IPv4 no longer of interest. I. INTRODUCTION Some ISPs do not have enough IPv4 addresses to provide a dedicated IPv4 address to each customer. To support continued growth, individual IPv4 addresses will have to be shared be- N FEBRUARY 3, 2011, the Internet Assigned Num- tween multiple customers, which we refer to as “ISP-level ad- O bers Authority (IANA) announced that the pool of dress sharing.” However, the consequences of deployment of public IPv4 Internet addresses had become depleted. Conse- these mechanisms for the Internet users is not well understood. quently, Regional Internet Registries (RIRs) were left with Unfortunately, ISPs often do not have enough information only the addresses they had been assigned prior to this date. On about the potential consequences of their decisions. April 15, 2011, the Asia-Pacific Network Information Center • Would the deployment of a double network address trans- (APNIC) activated its “last /8 address policy” [1]. Similarly, lation (NAT) mechanism prevent Xbox LIVE customers on September 14, 2012, the Réseaux IP Européens Network who share the same IP address from playing games online Coordination Centre (RIPE NCC) activated its last /8 policy. and ultimately lead to loss of many customers and poten- This means that any organization applying to these RIRs for tially to a bad reputation for that ISP? IPv4 address space will receive a maximum allocation of one • Will cyber-criminals be untraceable because content providers (today) only log time and IP address of the attacker, but not source ports? Manuscript received May 25, 2012; revised October 30, 2012; accepted Feb- ruary 18, 2013; approved by IEEE/ACM TRANSACTIONS ON NETWORKING Ed- •Doesthedeployment of a particular mechanism create itorM.Allman.ThisworkwassupportedinpartbytheEuropeanUnion,the provider lock-in, so that the customers have to use, say, the European Social Fund, and the Cisco University Research Program Fund, a Internet TV service of their ISP as competitors’ services corporate-advised fund of Silicon Valley Community Foundation, under Grant 2011–89493(3696). fail to work? N. Škoberne is with Viris, Ljubljana 1000, Slovenia (e-mail: [email protected]). •Willthe End-to-End Principle, which is one of the core O. Maennel, I. Phillips are with the Department of Computer Science, Lough- principles of the Internet [7], become even more endan- borough University, Loughborough LE11 3TU, U.K. (e-mail: olaf@maennel. net; [email protected]). gered with ISP-level address sharing? R. Bush is with the Internet Initiative Japan, Kapa’au, HI 96755 USA (e-mail: •Willall new protocols have to tunnel over HTTP as this [email protected]). may be the only remaining application-layer protocol that J. Zorz is with the Go6 Institute, Skofja Loka 4220, Slovenia (e-mail: [email protected]). traverses address sharing devices? M. Ciglaric is with the University of Ljubljana, Ljubljana 1000, Slovenia This paper presents a systematic approach to classifying and an- (e-mail: [email protected]). alyzingexistingIPv4addresssharingmechanisms.Tocompare Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org. and to understand them, we abstract some of their details and ex- Digital Object Identifier 10.1109/TNET.2013.2256147 plore the whole solution space. First, we define the classification 1063-6692/$31.00 © 2013 IEEE This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination. 2 IEEE/ACM TRANSACTIONS ON NETWORKING as it is infeasible to change deployed hosts, e.g., it was years after the IPv6 RFC was published until Windows XP had pro- duction-ready IPv6 support. Second, every customer is assumed to have a CPE, even though some mechanisms allow for con- necting end-host directly to the access network. CPE, however, may be modified or replaced for the purpose of deploying some mechanism. This paper has four main contributions. First, it provides a classification of IPv4 address sharing mechanisms by proposing and explaining five dimensions. Each has multiple properties Fig. 1. ISP topology. For the sake of simplicity, two customer networks are (Section III-B). shown, though realistically there could be thousands or millions of them. Next, we classify the mechanisms into nine classes and re- view them. We aim to find general similarities that facilitate un- derstanding and discussion of such technologies (Section III-C). dimensions and properties. Then, we infer nine classes catego- Third, we discuss the properties of the mechanisms based rizing existing mechanisms. Similar mechanisms are classified on the proposed classification. We also identify and describe into the same class. the most important practical technical issues related to specific Our main research objective is to propose a classification for properties of each approach (Section IV). IPv4 address sharing mechanisms. We feel the need for such Finally, we present an analysis qualitatively describing the classification is significant: revealing gaps and conflicts, while tradeoffs between the classification dimensions. The analysis new Internet Drafts of address sharing proposals keep coming, aims at guiding ISPs through their decisions and at providing many of them expiring after a year or two. Other networking re- a grounding for future research in this area (Section V). search papers focus on these drafts arbitrarily, while they could focus on whole classes instead and thus gain more universal II. BACKGROUND AND RELATED WORK value. Additional classes might be defined in the future. Further- more, our results will inform the design of new address sharing CPEs can share a public IPv4 address in two ways: mechanisms. 1) Carrier-Grade NAT (CGN): using a translator with a Net- We consider networks where address sharing must be used, work Address and Port Translation (NAPT) function lo- including broadband ISPs providing internet access to large cated in the core of the ISP’s network, which multiplexes numbers of customers. However, this excludes mobile ISPs multiple CPEs on a single IPv4 address; even though their number of subscribers have long surpassed 2) Address-Plus-Port (A+P): by communicating in a port-re- the number of wired subscriptions. We believe ISP-level stricted manner, where bits from the port field are used to address sharing will have stronger impact on wired users extend the IPv4 address field, i.e., choosing a source port than on mobile ones, as nonmobile end-hosts usually have for outgoing packets from a subset of the whole 16-bit port higher requirements, e.g., peer-to-peer networking, than mobile range and receiving incoming packets destined to a port end-hosts. Moreover, it is common practice for mobile users from the same subset. For this to work, the CPEs have to use WiFi networks when available, so their device becomes to port-restrict outgoing packets and the gateways have to another end-host in our topology. We only consider unicast; route incoming packets using the destination port. multicast is out of scope. We use the terms port and flow in the We only consider A+P CPE and not A+P end-hosts. A+P CPE context of transport-layer protocols like TCP and UDP. therefore must perform a (port restricted) NAPT function to sup- First, we review terms we use for the topology of an ISP; see port multiple end-hosts. Fig. 1: In the time of dial-up Internet access, IP addresses were • ISP network: the network of the Internet service provider, shared over time using Dynamic Host Configuration Pro- which also contains the access network; tocol (DHCP) or other provisioning protocols.