3 min

Tags in this article

, ,

Through a public letter, Vincentas Grinius (CEO of IPXO) warns of the security dangers that the increasing price and shortage of IPv4 addresses brings.

Every device that wants to connect to the Internet needs a unique IP address. This address is provided by an Internet service provider. Address protocol IPv4 has been the standard since the early 1980s. Most of today’s traffic runs on the standard. The problem is that unique IPv4 addresses are finite. The world has too many devices to provide each new connection with a new IPv4 address. In 2019, the pot became empty. RIPE NCC — the party responsible for allocating IPv4 addresses in Europe, the Middle East and Central Asia — announced that networks in these regions could no longer be supplied with new IPv4 addresses.

IPv6, a newer protocol, offers a solution. A larger number of unique combinations support what IPv4 lacks. Unfortunately, the transition from IPv4 to IPv6 is more nuanced than the flipping of a switch. Manufacturers of network equipment and Internet service providers must support the standard. That won’t happen overnight. While some providers facilitated more than half of all their network traffic via IPv6 by the end of 2020, the global share of IPv6 was estimated at a meagre 30 percent.

The problem

From the moment that all providers of all global networks make the transition, IPv6 will offer a solution. That will take some time — and until then, we’re left with a problem. Suppose you develop a laptop, aiming to sell it to customers in a region connected by a provider that has not yet switched to IPv6. You risk delivering a product that can’t connect to the Internet. The regional provider might have some addresses left. The regional provider might have none, but being first-next on RIPE NCC’s waiting list, stand to receive a batch in the next few days. Lots of maybe’s. Certainty is lacking.

Luckily, you could supply the provider with a currently unused IPv4 address to ensure the connection of the marketed laptop. New addresses are running out, but not every IPv4 address is actively used. There are an estimated 800 million inactive IPv4 addresses worldwide. A good portion is traded to, among other things, supply regions without IPv6 with the required IPv4 addresses for marketing devices. To this end, Amazon spent $108 million on IPv4 addresses in 2019. Two years before that, Google stocked up on 1,048,576 addresses.

The threat

Every address has a price — and according to IP leasing organization IPXO, that price is dangerously high. In Q1 2021, the company found that the average price of an address was $32. Now IPXO’s CEO is going public with a pressing letter. Vincentas Grinius argues that the price increase is encouraging organizations to make address purchases on the black market. Without regulation, behind closed doors. Activity on this black market would, in turn, encourage cybercriminals to target the theft of unused IPv4 addresses.

The theft mentioned by Grinius is demonstrable. Inactive IPv4 addresses are known for poor security, and reports of occurrences are widespread. The subject of a ‘black market’, on the other hand, is tricky. The challenge lies in the definition. We have no visibility into commerce that takes place underground or behind closed doors. Information about the suggested market is scant or nonexistent. We can’t confirm nor rule out the existence of the said market.

As such, the seriousness is difficult to underline. Nevertheless, a mention of IPXO’s proposed solution remains important. According to Grinius, the price increase encourages organizations to guard the ownership of inactive IPv4 addresses. A method of retaining ownership while still making the IPv4 addresses available could provide a solution. Organizations such as IPXO, as well as Brander Group and LARUS, facilitate IPv4 addresses in a subscription form. Critical to the solving of scarcity, according to IPXO.