Author: Jakub Rozsypal (IPS FSV UK)
The issue of depletion of IPv4 address space is a long known phenomenon. Yet as of 2014 the three-decade old protocol is still very much alive and firmly in control of the global network. This paper will discuss its envisioned alternative – IPv6. The structure of the argument will start with a look on the technicalities of the concerned protocols dissecting v4 first and v6 second. Next it will discuss the current state of affairs and the issues connected to governing the structure of the network. Finally, it will put forth certain propositions related to policy matters, network growth facilitation and strategic concepts such as deterrence and compellence. The issue is far from straightforward. Even if the Network would succeed in transforming itself to the new v6 standard it is by no means clear that some of the persistent problems of cyberspace would be resolved – most importantly the attribution problem. Additionally, there is a risk that the predominantly technical matter of address exhaustion will be hijacked for policy goals that could change the prevalently liberal nature of the Global Network.
When the Internet Corporation for Assigned Names and Numbers (ICANN) – effective ruler of the internet – announced in 2011 it has run out of IPv4 (v4) addresses it came as no surprise. As a matter of fact it was a problem seen coming since the massive proliferation of global internet in early 1990s. Given the finite amount of available addresses in 32 bit space of v4 numbering just over 4,3 bn it seemed a fantasy in the 1980s, but a fairly day to day issue with the global explosion of connectivity and rather poor address space utilization. We are still far from every person owning a connectible device, but some own more and with new developments it is possible to, for example, connect every robot in a factory as a separate network device. Even the current 3g mobile network can consume more than a billion of IP addresses (IEEE-USA 2009). Moreover, the IPv4 space was designed to be used within a specialized network, predominantly scientific and familiar with other means of communication available as well. It is in fact rather ironical that the tremendous success v4 has achieved threatens to discard it. Since the 2011 announcement the problem has trickled down to two of the five Regional Internet Registries (RIRs) who ran out of new IPv4 addresses – the European RISE and Asia-Pacific APNIC – with others following in the next few years (Ermert 2013).
One notable factor of IPv4 is its underutilization. The actual utilization is measured with a lot of variation but it is quite obvious that especially early IPv4 requests were treated with light-minded approach and thus up to 70pct of allocated addresses in the US are unused (Early 2009). This is partly due to the initial system of allocation of IPv4s. The network IP allocation was classful from 1981 till 1993 and addresses were given out in portions know as classes A to D, ranging in number of addresses available. For example a class B assignment would have the network portion of the IP 16bit long, thus allowing the other 16bits to be used for unique IP addresses – corresponding to 216 or 65 536 addresses. These would be allocated to companies or institutions even though in reality they would only need a several thousand addresses (Russell 2004). This was partially addressed by the introduction of Classless Inter-Domain Routing (CIDR) in which IP allocation could be scaled more freely as a power of 2.
Even with these conservation policies, the IP allocations were not intended to become a market on its own – they were and remained essentially free, apart from an annual fee that the ISPs had to pay. However, for companies to demonstrate their need of IP addresses, it means to foresee their development or behavior of customers several years ahead which can be a daunting task. With the depletion of new IPs, pressure has been mounting to liberalize the market and allow unused IPv4s to be traded and re-assigned. These would be typically legacy IPs (pre 1993) and easily acquired addresses from the early Internet era as well as allocations from ICT underdeveloped areas and bankruptcies. Due to the nature of the network, however, it is inefficient to chop up allocated blocks and trade them, as it leads to fragmentation and longer route required to reach desired targets and thus imposing negative externalities on other network users (Edelman, Schwarz 2011). Additionally, ICANN and the five RIRs have only limited ability to influence the companies’ behavior, e.g. prevent the emergence of a black market which is a common phenomenon when faced with scarcity of resources. One notable power of these large network facilitators is the maintenance of a WHOIS list, essentially a record indicating which IPs belong to which company. The North American RIR ARIN has threatened to not update this list if transactions of IPs take place outside of its framework – basically upholding the “based on needs principle” (Mueller, Kuerbis, Asghari 2013).
Another tool that was implemented to mitigate the problem of v4 address exhaustion is Network Address Translation (NAT). This approach would effectively shield a network behind a router that has only one public IP and then distributes data to hosts that need not have unique IP. While it performs the task of prolonging the feasibility of v4 internet, it does place constraints on what is possible – notably direct Peer2Peer connections and effective implementation of security features into layer 3 (IP) protocol. The inability of devices to connect directly to each other does require more work from servers to take of the routing. Possibly more importantly, the IPSec protocol, a simple cryptographic method using hashes to determine whether data has been tampered with is not functional under NAT due to the middle step of subnetworking.
Another IPv4-conserving instrument is the current usage of dynamic IP allocation. This means that IP addresses are not fixed to a particular network interface but are reallocated on the ISP level to make more effective use of unused IPs. The DHCP protocol allows for more clients to share one IP at different times. The downside of this is only limited usability of caching of DNS mappings, which slows down the Network as such. Additionally, with addresses being untied from network interfaces it is rather hard to attribute particular network activity to a particular actor. Similarly to NAT, it reduces the possibility to communicate directly via end to end solution with any desired device. It is estimated that there can be currently up to 3 bn connected devices, even though unique IP utilization itself is around 40 % (2 bn) which shows that underutilization was mitigated (Huston 2013a).
The usage of v4 has both widened and deepened to make use of a theoretical analogy. One of the core characteristics that have made v4 so widespread – that is its simplicity – also causes worries to strategic analysts and policy makers. One can argue that the virtual security-effectiveness trade-off is skewed toward the latter in the current structure of the global Network. The following section will discuss if v6 can serve to address the perceived shortcomings, what are the strategic implications of these changes and whether a more regulated internet is about to emerge.
IPv6 – the silver bullet or just silver lining?
IPv6 was designed to address the shortcomings of v4 discussed above and significantly push the Internet’s boundaries. With address space of 128bits it can provide an almost unimaginable number of unique addresses. The IPsec protocol originally designed for v6, but due to periods of delayed implementation also adapted to v4, is built into the protocol header itself. With this enormous amount of possible addresses there is no need for NAT and DHCP and thus the hash cryptography can function as intended. Furthermore, CIDR which was also implemented later in v4 is now an integral part of v6 and addresses do not have to be allocated in either too small or too big chunks. Additionally, the Stateless Auto Configuration enables devices to connect to a network even without the help of a server. This plug-and-play feature can be cost-effective as well as socially enhancing by lowering the barriers to successful connection i.e. narrowing the digital divide. Moreover, the possibility of static or interface specific IPs enables peer to peer connections on a massive scale as well as enhanced user-activity attribution – at least for the common user.
The new version has been designed well before the discussed scarcity problem was a day to day concern. The Internet Engineering Task Force published call for white papers regarding “next generation” IP addressing in 1993 (Mankin, Bradner 1993). One can say that shortage-mitigation tools of v4 had adverse effects on the development and implementation of v6. The quasi ruler of the network ICANN added v6 routing to root servers in 2008 (ICANN 2008). The official launch of IPv6 was the IPv6 day in 2011 (ENISA 2011). The data in figure 1 present a clear trend of v6 adoption, albeit still on a small scale. Figure 1 only depicts IPv6 accesses to Google servers, which is certainly a relevant indicator but not descriptive of the overall network traffic as such. The figure probably comes closer to reality with estimated total native v6 traffic being only 0.2% of v4 traffic, yet with over 100% year to year increase.
The new protocol and its implementation has its downsides as well. Firstly, it is not a fundamental game changer as it is sometimes presented. The method of delivering packets stays the same and it would only be the layer 3 internet protocol that would change. Moreover, security breaches occur mostly on application level, quite often through human factor errors and exploitations (Convery, Miller 2004) Secondly, due to the need of tunnelling that is encapsulating v6 traffic in existing v4 infrastructure creates potential attack surface on both protocols thus arguably lowering the added value of security enhancements built into v6 (Geers 2011, pp. 89-91). Possibly, one of the crucial decisions made by v6 designers to make it incompatible with v4 has complicated the matters deeply. The user-friendly nature of auto configuration is offset by security concerns e.g. rogue router responding to legitimate queries and redirecting user to illicit servers to handle its traffic (Barker 2013).
The overall picture is such that the network, decentralized as it is, has been rather slow in moving in one direction. From a policy standpoint most governments and international organizations would state support for v6 yet fail to provide robust incentives to private ISPs and other network facilitators to move forward with the implementation. The need for more IPs is also globally skewed. The US has about four IPv4 addresses per capita, while states in Western Europe have one or two. Africa and Asia hold even significantly fewer v4 addresses than inhabitants (van Beijnum 2011). This presents a very real development hurdle in a world where connectivity is integral to business, functioning of government, various societal functions as well as modern armed forces. Europe is leading in IPv6 deployment and could break the apparent “waiting game” that is related to v6 (Huston 2013b). While the cyberspace is predominantly cooperative, with states’ and businesses’ united in support for universal connectivity, the infrastructure shows signs of common goods in that no one is willing to lead the way in investment in the new technology. The quasi market with v4 addresses could further reduce motivations to invest in v6 if means are instead spent on acquisition of the legacy addresses. As of now however it seems that v4 IP market and v6 growth are taking place side by side (Mueller, Kuerbis, Asghari 2013). This is interesting from a theoretical point of view and research on the tipping point toward favouring v6 would certainly be illuminating.
The fluid nature of cyberspace creates an almost universal problem of attribution as issues stand now with the applicability of international jurisdiction. Assigning unique addresses to every interface would theoretically solve the problem. However with options like onion routing, that is randomizing routes to make the origin of data impossible to find the problem, would stay the same under v6. As a matter of fact it is likely that privacy would decrease for the common user not using these anonymizing methods whilst allowing anyone who chooses to hide his or her identity, including state actors, to stay in the grey zone. To put it in the wise of words of Sun Tzu: “all warfare is based on deception”. Thus with comprehensive penetration of ICT into military and strategic matters one can see the motivation of states to leave the virtual space as fluid as it is now and take advantage of it. The most common hostile cyber-activity CNE would fit into the category of espionage which is currently also non-regulated by international law. Cyber in this case serves the age-old endeavour of espionage albeit with different means. If CNE operations are understood as an act of force or act of war, then a dangerous casus belli is present virtually always (Libicki 2009, pp. 64-66).
With cyber penetrating traditional security categories a proliferation of cyber strategies has emerged in the recent years. One of the discussed postures is cyber-deterrence and possibly compellence in the form of cyber-sanctions. In the case of deterring hostile activity the core assumptions lie in knowing who is responsible. In the complex man-made domain of cyberspace this can prove close to impossible. Whether IPv6 can serve to provide this crucial tenet of deterrence remains to be seen. But due to other means of evading attribution one has a reason to be sceptical. Current cyber realm landscape makes passive defence always one step behind, especially with Advanced Persistent Threats that can go unnoticed for months or even years. Thus cyber-attacks are deemed to be cheap and cyber-defence expensive. As for attribution which is crucial for deterrence to prove effective, several potential problems are present. Firstly, with the lack of forensic evidence, attribution rarely rests on solid ground. Secondly, it is possible that attackers would deliberately use false-flagging – that is attempting to put the blame on another state. Misattribution would also run the risk of having to deal with two enemies – the original attacker and the wrongfully accused / counter-attacked. Thirdly, with lack of “flags” in cyber-space retaliation could be framed by third parties as aggression (Libicki 2009). Additionally, with offensive cyber-capabilities resting on exploiting vulnerabilities threatened retaliation might not be repeatable.
If these known and exploitable vulnerabilities are fixed it would throw the deterrence equilibrium off balance – in a similar vein as effective ABM defence threatened to imbalance Cold war nuclear deterrence. Even with these problematic aspects it seems that cyber-deterrence has moved into mainstream strategic thinking at least in the US with conventional reaction to cyber-attacks on the table and the perceived environment of cyber hostilities currently shifting from “exploitation to disruption to destruction”(Lynn 2011). Tools of coercive diplomacy such as cyber-sanctions would also rest on attribution and targeting correct systems. Denying communication and ostracizing a state that is violating the rules can be effective since it does not require physical coercion such as a military blockade would require (Even, Siman-tov 2012). UNSC could authorize the use of cyber-sanctions under chapter VII of the UN charter and possibly even authorize regional organizations to enforce these under chapter VIII provisions (Benatar, Gombeer 2011). With the attribution problem and decentralized nature of the network these potential tools can inflict either disproportionate damage on civilian population as well as sub-par effects on prepared hostile governments. It is important to distinguish though that cyber means should not be used for collective punishment by extension of the customary international law (Schmitt 2013. p. 193)
The Internet so to speak has outgrown itself, yet there are no robust institutional mechanisms in place. The limited powers of ICANN and RIRs leave a lot of space for harmful activities that are being reported as rising in all categories, including state-sponsored cyber exploitation (ENISA 2013). Any form of an international regulatory body is subject to consensus and thus problematic. The US is steadfast in signalling that intergovernmental approach should work best and resists relegation of regulatory power to an independent UN-backed body. Russia on the other hand seeks to introduce a tighter regime, constraint cyber offence and shift Network regulation onto a more neutral ground with a lot of space being left to states to control their national networks (e.g. the Great Firewall of China)(Markoff, Kramer 2009). Moreover, the EU together with the US would hold Budapest convention on cybercrime as a model, whereas Russia would seek to build a regime more similar to the CWC.
While it is true that militaries are increasingly dependent on information technologies, it seems plausible to argue in line with Thomas Rid (2012) that war in virtual space is as of now within the realm of (science) fiction. Moreover, the shift in framing cyber space as a military-strategic domain comes with its own costs and threatens to fundamentally change the decentralized, emancipated structure of the internet (Cavelty 2012). These questions of a political and social nature are however qualitatively different to the predominantly technical nature of v6 addressing. On the other hand, just as the designers of v4 in “Internet stone age” did not foresee what was to come, we might also be forced to expand our frameworks to grasp possible future developments e.g. the “internet of things” – a notion that every device, appliance, computer, car, robot will connected independently to the network of networks. With the driver of address exhaustion cited as the most pressing issue companies signal they will eventually switch to v6 protocol (ENISA 2009).
The v6 addressing protocol will not by itself make the internet a safer place. It is my position that the enormous advantages of the network that have revealed themselves are necessarily offset by a variable degree of cyber in/security. Networks do not form randomly even in unregulated space, but follow cluster formations and generally create focal points (see Barabasi 2003). This does not mean that networks will become secure by themselves. Thus another dilemma presents itself: whether to regulate or aim to regulate the global network which runs the risk of fundamentally altering it and initiate undesired outcomes such as balkanization. I would argue that a possible scenario that can unfold is the tying of implementation of v6, which is a predominantly technical issue, with overall political control of the internet – which as of now is still seen as neutral. Clearly it is not neutral in the sense that it originates in the Western world and serves as a carrier of inherent liberal values.
To conclude, it is fair to say that IPv6 is not a silver bullet, but rather an almost necessary upgrade. The silver lining of this reform ought not to be used to constrain the emancipatory nature of the global web. As a rule of thumb, v6 should make the internet safer in the fact that hash cryptography will work more efficiently and show whether data transfer has been tampered with – this could prove priceless in CIP as well as military affairs. The attribution problem however will likely keep its daunting characteristics and it is naïve to believe that IPv6 will change this fundamental facet of the global Network. Additionally, there is a privacy concern where v6 implementation can be used or abused by governments to enact tighter control over network users, possibly making it harder for unsophisticated hackers to mount an attack while still leaving considerable space for the more advanced and evermore commonly state-sponsored cyber-attacks. Strategic concepts originating in the traditional security thinking such as deterrence, identification of armed force, distinction between combatants and civilians that come from a different era will continue to struggle no matter what address protocol the Network uses.
BARABASI, Albert-Laszlo, 2003, Linked: The New Science Of Networks Science Of Networks. Basic Books. ISBN 0786746963.
BARKER, Keith, 2013, The security implications of IPv6. Network Security [online]. June 2013. No. 6, p. 5–9. [Accessed 17 January 2014]. DOI 10.1016/S1353-4858(13)70068-0. Available from: http://linkinghub.elsevier.com/retrieve/pii/S1353485813700680
BENATAR, M and GOMBEER, K, 2011, Cyber Sanctions: Exploring a Blind Spot in the Current Legal Debate. ESIL 2011 4th Research Forum [online]. 2011. No. 9, p. 26–28. [Accessed 12 February 2014]. Available from: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1989786
CAVELTY, Myriam Dunn, 2012, The militarisation of cyber security as a source of global tension. In : Strategic Trends 2012 [online]. Zurich : Center for Security Studies, ETH Zurich. ISBN 978-3-905696-36-3. Available from: http://www.css.ethz.ch/publications/pdfs/Strategic-Trends-2012-Cyber.pdf
CONVERY, Sean and MILLER, Darin, 2004, IPv6 and IPv4 Threat Comparison and Best- Practice Evaluation ( v1 . 0 ) 1 Introduction.
EARLY, James P., 2009, An Introduction to IPv6 by James P. Early, Ph.D. [online]. 2009. Project Advance. Available from: http://www.youtube.com/watch?v=uNb7wd0-jpI
EDELMAN, Benjamin and SCHWARZ, Michael, 2011, Pricing and Efficiency in the Market for IP Addresses. WINE [online]. 2011. P. 1–25. [Accessed 16 January 2014]. Available from: http://www.benedelman.org/publications/ipmarkets-060913.pdf
ENISA, 2009, STOCK TAKING REPORT ON THE TECHNOLOGIES ENHANCING RESILIENCE OF PUBLIC COMMUNICATION NETWORKS IN THE EU MEMBER STATES. Athens.
ENISA, 2011, World IPv6 Day -8th June; time to take action & switch to the future — ENISA. [online]. 2011. [Accessed 14 January 2014]. Available from: http://www.enisa.europa.eu/media/news-items/world-ipv6-day-8th-june-time-to-take-action-switch-to-the-future
ENISA supports the World IPv6 Day, 8th June, and encourages more companies, authorities and organisations to take action and start using IPv6.
ENISA, 2013, ENISA Threat Landscape 2013 Overview of current and emerging cyber-threats. Athens.
ERMERT, Monika, 2013, Dispute over future IP address policy – stop managing scarcity? | Internet Policy Review. Internet Policy Review [online]. 2013. [Accessed 12 January 2014]. Available from: http://policyreview.info/articles/news/dispute-over-future-ip-address-policy-%E2%80%93-stop-managing-scarcity/130130
EVEN, Shmuel and SIMAN-TOV, David, 2012, Concepts and Strategic Trends Cyber Warfare : Tel Aviv.
GEERS, Kenneth, 2011, Strategic cyber security [online]. Tallinn : CCD COE Publication. [Accessed 25 April 2013]. ISBN 9789949904051. Available from: http://books.google.com/books?hl=en&lr=&id=4h6KIDAfGhAC&oi=fnd&pg=PA9&dq=Strategic+Cyber+Security&ots=sUl23FeiED&sig=sztDn3KPQMgrzSeo3iCQ1xqQKqs
GOOGLE, 2014, IPv6 – Google Statistics. [online]. 2014. [Accessed 12 January 2014]. Available from: http://www.google.com/ipv6/statistics.html#tab=ipv6-adoption
HUSTON, Geoff, 2013a, Valuing IP Addresses. RIPE Labs [online]. 2013. [Accessed 12 January 2014]. Available from: https://labs.ripe.net/Members/gih/valuing-ip-addresses
HUSTON, Geoff, 2013b, Launch + 365. [online]. 2013. [Accessed 12 January 2014]. Available from: https://ripe67.ripe.net/presentations/115-2013-10-16-ipv6-launch-365.pdf
ICANN, 2008, IPv6 Address Added for Root Servers in the Root Zone | Addition enhances end-to-end connectivity for IPv6 networks. [online]. 2008. [Accessed 14 January 2014]. Available from: http://www.icann.org/en/news/announcements/announcement-04feb08-en.htm
ICANN, 2011, Available Pool of Unallocated IPv4 Internet Addresses Now Completely Emptied. Press Release [online]. 2011. [Accessed 10 January 2014]. Available from: http://www.icann.org/en/news/press/releases/release-03feb11-en.pdf
IEEE-USA, 2009, Next Generation Internet : IPv4 Address Exhaustion , Mitigation Strategies and Implications for the U . S . [online]. Available from: http://www.ieeeusa.org/policy/whitepapers/IEEEUSAWP-IPv62009.pdf
LIBICKI, MC, 2009, Cyberdeterrence and cyberwar [online]. Santa Monica : Rand Corporation. [Accessed 11 February 2014]. ISBN 9780833047342. Available from: http://books.google.com/books?hl=en&lr=&id=MJX6jL6IeF0C&oi=fnd&pg=PP1&dq=Cyberdeterrence+and+Cyberwar&ots=HrticJwZFk&sig=B8cMfeA39YAnDJIts3ssieMscB8
LYNN, William, 2011, Remarks on Cyber at the RSA Conference [online]. [Accessed 7 February 2014]. Available from: http://www.defense.gov/speeches/speech.aspx?speechid=1535
MANKIN, A. and BRADNER, S., 1993, IP: Next Generation (IPng) White Paper Solicitation [online]. [Accessed 15 January 2014]. Available from: http://tools.ietf.org/html/rfc1550
MARKOFF, John and KRAMER, Andrew E., 2009, U.S. and Russia Differ on a Treaty for Cyberspace. The New York Times [online]. New York, 2009. [Accessed 11 February 2014]. Available from: http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all&_r=1&
MUELLER, Milton, KUERBIS, Brenden and ASGHARI, H, 2013, Dimensioning the elephant: an empirical analysis of the IPv4 number market. info [online]. 2013. Vol. 15, no. September, p. 1–14. [Accessed 16 January 2014]. Available from: http://www.emeraldinsight.com/journals.htm?articleid=17099271&show=abstract
NASH, Steve, 2013, IPv6 Trends Worldwide Infrastructure Security Report & Arbor ATLAS IPv6 Roll-Out Moves Forward.
RID, Thomas, 2012, Cyber war will not take place. Journal of strategic studies [online]. 2012. Vol. 35, no. April. [Accessed 31 May 2013]. Available from: http://books.google.com/books?id=hSolAQAAIAAJ&pgis=1
RUSSELL, Brian, 2004, IPv4 Will Not Be Sufficient For The Next 30 Years. [online]. 2004. [Accessed 10 January 2014]. Available from: http://www.cs.rutgers.edu/~rmartin/teaching/fall04/cs552/papers/001.pdf
SCHMITT, Michael N, 2013, Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge : Cambridge University Press. ISBN 1107024439.
TZU, Sun, 2010, On The Art of War. Aziloth Books. ISBN 978-1907523175.
VAN BEIJNUM, Iljitsch, 2011, Trading IPv4 addresses will end in tears | Ars Technica. Ars Technica [online]. 2011. [Accessed 12 January 2014]. Available from: http://arstechnica.com/tech-policy/2011/08/trading-ipv4-addresses-will-end-in-tears/
 (ICANN 2011)
 The possible combinations equal 3.4×1038
 (Tzu 2010, article 18)
 Computer Network Exploitation
 For a comprehensive list see for example https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/national-cyber-security-strategies-in-the-world