This validates my hypothesis that the run-up in 2020–2022 was an artificial scarcity bubble driven largely by hyperscalers. AWS was right up there stockpiling before they shifted their pricing model. Once AWS introduced the hourly charge for public IPv4 addresses (effectively passing the scarcity cost to the consumer), their acquisition pressure vanished. The text notes Amazon stopped announcing almost 15M addresses in Nov 2025. I think they have moved from aggressive accumulation to inventory management.
We are seeing asset stranding in real-time. The market has realized that between the AWS tax and the efficacy of mobile CGNAT, the desperate thirst for public v4 space was not infinite. I'm curious to hear more takes on this.
The interesting downstream effect is on IP reputation systems. Traditional detection assumed 1 IP = 1 user. CGNAT breaks that entirely - platforms can't aggressively filter mobile carrier IPs without blocking legitimate customers by the thousands.
Makes sense the IPv4 price dropped once mobile networks proved you can serve massive user bases with relatively few public addresses.
Like you said, CG-NAT does have the benefit of making v4 address reputation less reliable, which means it's not as big a deal for the transition to v6.
heh, less reliable is doing a lot of heavy lifting there. You mean "complete and total trash". We need to get to the point where Cloudflare/AWS/some other big sites just block CG-NAT nodes for a day going this IP address is a risk.
Instead if you're a website, instead of doing an easy block by IP, you're left filtering out AI crawlers, spammers, and lots of other crap hiding behind a single IP with thousands of other users behind it, and ISPs that don't really give a shit about doing anything about it.
We need to push the value of IPv4 to nearly zero and finally move away from that crap.
If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.
With the uptake in smart home and internet connected CCTV by consumers, things could dramatically shift.
Come to think of it, for my use cases, I would probably be fine to be behind IPv4 NAT as long as I also have an un-NATted IPv6 prefix. But a big part of the question here of course is whether IPv6 adoption is worthwhile...
At driving the majority of mobile traffic to IPv6? Otherwise, it seems hard to describe mobile CGNAT as efficacious to me.
Aka Kuiper
>stopped announcing almost 15M addresses in Nov 2025
When IPv6 was developed, over 30 years ago, connecting everything to the internet seemed like a great idea. I know that IPv6 can be made secure, but I don't have the background or research time to learn how to do so, and the NAT-by-default of IPv4 effectively means that I get the benefit of a default-deny security strategy that makes it impossible to accidentally directly connect anything to the internet.
I'm hoping I can keep using IPv4 until IPv8 or IPv4.5 or whatever comes next is developed with the modern proliferation of cheap insecure IoT in mind.
For some background on why IoT products are so insecure:
Hardware manufacturers don't really comprehend the idea of updates, let alone timely of security patches. Hardware has to work on the day of release, so everything is documented and tested to verify it will work. I have hardware with a TCP/IP stack that was released 20 years, (https://docs.wiznet.io/Product/Chip/Ethernet/W5500) and doesn't have a single errata published, despite widespread use. This is expected for every single component, for even the smallest 1-cent transistor, which has dozens of guaranteed performance characteristics laid out over several pages of documentation (https://en.mot-mos.com/vancheerfile/files/pdf/MOT2302B2.pdf).
When manufacturers venture into a product that runs software, they don't realize that for a given complexity, working through undocumented or, worse yet, incorrectly documented APIs takes more time than the equivalent hardware development and documentation. I've worked on multiple projects where software bugs were fixed with hardware workarounds, because it's faster, cheaper, and easier to develop, test, document, retool, and add a few cents of bill-of-materials cost per product, than to get reliable output from the already-written library that's supposed to provide the functionality.
The hardware TCP/IP stack that I linked to was developed at a time when it was the cheapest way to connect a low-power embedded system to a network. Modern low-power embedded systems have multiple cores running at hundreds to thousands of MIPS making the resources to run a softtware TCP/IP stack trivial, but the product still sells well, because when security is an absolute must, the hardware development and maintenance cost for the functionality is still cheaper than through software, even when there's no marginal cost to run the software.
IPv4 is not NAT-by-default. The reality of the world we live in today is that most home networks have a NAT, because you need multiple devices behind a single IP.
That said, I agree: it's quite unknowable how many services I've turned on on local machines with the expectation that a router firewall sat between me and potential clients.
But that doesn't go away with IPv6 - the NAT does, the router doesn't, and the firewall shouldn't either. For example, the default UniFi firewall rules for IPv6 are: 1. Allow Established/Related Traffic (outbound return traffic), 2. Block Invalid Traffic, 3. Block All Other Traffic
You must explicitly open a firewall rule for inbound IPv6 traffic. NAT is not the firewall.
NAT _is_ a firewall. And a much safer one than IPv6 firewalls, because NAT will fail safe if misconfigured.
While you are technically correct about NAT not being a firewall, it is in practice a widely used front-line defense which even if not “perfect”, it has indisputably proven to be quite effective against a lot of malicious activity.
Against highly determined malicious actors you will of course want a proper firewall, but for 99% of people, NAT is enough to keep from being bothered by run of the mill malicious actors.
Kind of like physical home security, a lot of it is very easy to bypass, but it’s good enough for the common threats.
Maybe, maybe not, but regardless 99% of people are not protected by a NAT. They are protected by a "proper firewall," which happens to support NAT (and typically, is enabled for IPv4 networks.)
That is to say, while most home routers support NATs, they also ship with a default-deny firewall turned on. Typically, enabling NAT mappings also configures the firewall for users. But they are not the same thing and we need to stop conflating them because it causes a lot of confusion when people think that IPv6 is "open by default" and that IPv4 is "protected by NAT." It's not. They are both protected by your router using the same default-deny firewall.
That's because it's exploitable only if you control the next hop from the NAT router, which is typically within the ISP infrastructure. So the attacker will need to either hack your ISP or mess with your NAT router's physical uplink.
Both cases require a very dedicated attacker.
NAT is not a firewall. It is address translation. It will not drop packets.
In IPv6 it becomes absolutely essential. If you forget to include it, your network becomes wide open. And you don't have an easy way to detect this because you need an external service to probe your network.
> NAT is not a firewall. It is address translation. It will not drop packets.
Yes, it is a firewall because it enables the address space isolation.
Otherwise, the router would happily pass the packet along to any IP address it finds in a packet it receives. That's the job of a router, after all.
To get the "unsolicted traffic is rejected or dropped" behavior of the typical IPv4 NAT, forward inbound traffic that's related to an established connection and drop or reject the rest.
You can also use the exact same NAT techniques you use for IPv4 addresses with IPv6 addresses. The only differences are that instead of you using RFC 1918 Private Internets addresses (10./8 and friends) you use RFC 4193 ULA addresses (fd00::/8), and you need the usual NAT rules on your edge router, except for IPv6, rather than IPv4. Remember that IPv6 is still IP, just with larger addresses.
It's recommended that you generate your ULA subnet rather than selecting one by hand, but absolutely nothing stops you from choosing fd::/64. If you're statically assigning addresses to your LAN hosts, then your router could be -say- fd::1 and you count up from there. Also note that DHCP exists for IPv6 [0] and is used by every non-toy OS out there except for Android.
> I'm hoping I can keep using IPv4 until IPv8 or IPv4.5 or whatever comes next...
IPvnext is not happening in either of our lifetimes. You're either going to have to buy edge gear that's set up with a "reject or drop unsolicited inbound forwarding traffic" firewall, or learn how to set it up yourself. Either path is not hard. Well, I guess there's secret option #3: "Die without doing either.". That's also not hard.
[0] It has been around for nearly twenty-three years.
Regarding Android OS, I'm not convinced it isn't a toy OS. I feel like they threw in the Linux kernel, but didn't bother including most of the useful features, and pat themselves on the back whenever they add one back. It took almost a decade before they figured out that you could install fonts without reinstalling the operating system. If they ever discover DKMS, we can stop throwing our phones away every few years, and have some actually useful hardware. Then again, it took Apple two years to add copy and paste to a phone, so maybe it's an industry-wide problem. If I could buy a modern Jornada 700 series running Linux or BSD, I'd never need to pick up an Android or iOS device again.
Since you're in the mood for experimentation, you might try OpenWRT. They even have a somewhat-fancy-shmancy configuration GUI called LuCI.
Even that is only a partial solution - UPNP hole punching exploits holes in this logic to allow peer-to-peer traffic into a network which otherwise has a default-deny ACL.
Also, if you have devices connected to WAN, then they are insecure because they are not NATed.
If I have an IPv6 router, I can miss-configure it in a way where all of my internal communications between IoT devices work as expected, but they also have discoverable addresses on the internet. This would give the firewall something to do, but I'd rather there be no route in the first place.
Also, if I trusted myself to properly configure my router for IPv6, I would put all of my IoT equipment on ULAs, which much like an IPv4 NAT would leave me with nothing to configure in the firewall.
If I were to take your claims at face value, using GUAs with packet filtering is far more reliable and secure than ULAs, and that seems preposterous.
A properly configured firewall for sure adds security, but isolation always wins out.
With IPv6 you at least say "Holy crap, anyone could connect to this, I better secure it from outside and inside attacks" which is how actual security works.
Luckily, common EU home routers have firewalls, even for IPv6. And it's so much easier to punch holes on purpose! Instead of messing with port forwarding and internal and external IP addresses, you can just say "this device is a server, please allow traffic on port 80 and 443, thank you"
Also, everyone I know that lives in Europe (although most of them not within EU countries) imports their IoT controllers directly from China or the US, because there is very little available from manufacturers in Europe.
https://aws.amazon.com/blogs/aws/new-aws-public-ipv4-address...
"As you may know, IPv4 addresses are an increasingly scarce resource and the cost to acquire a single public IPv4 address has risen more than 300% over the past 5 years. This change reflects our own costs and is also intended to encourage you to be a bit more frugal with your use of public IPv4 addresses and to think about accelerating your adoption of IPv6 as a modernization and conservation measure."
Their move disgusted me and I moved from AWS to OCI.
"As the Internet continues to evolve, it is no longer the technically innovative challenger pitted against venerable incumbents in the forms of the traditional industries of telephony, print newspapers, television entertainment and social interaction. The Internet is now the established norm. The days when the Internet was touted as a poster child of disruption in a deregulated space are long since over, and these days we appear to be increasingly looking further afield for a regulatory and governance framework that can challenge the increasing complacency of the very small number of massive digital incumbents.
It is unclear how successful we will be in this search for responses to this oppressive level of centrality in many aspects of the digital environment. We can but wait and see."Don't bring technology to a political fight, the hoarders've got more tech than you, "wait and see" is what a bag of sand does at the gun range.
China already de-facto owns half of Africa so it's natural they would prey on their scarce IP resources as well.
When you see AI scraping at a massive scale originating from $AFRICAN_COUNTRY IP space, and that country's GDP is smaller than Rhode Island, you sure as shit know someone else is behind it.
In the case of China, I believe it's government or CCP-controlled entities, and the end-game is something more nefarious.
For India, IMO it's private industry. They're just trying to make a buck.
And, I'd say, the US is known to do this. I'll lead with 'Project Azorian' to back it up.
Almost all the Indian subreddits are against the current government. You will be banned from a subreddit even if you rightly speak in support of current government on Reddit.
It's hard to take your rest of your comment seriously if you are blatantly dishonest about this.
In the case of IP address purchases, these are publicly tied to specific public and private entities and can be easily queried through the regional registries. These private entities are frequently the same kind of shell company you'll get with hiding shady financial details.
You have to take these issues with nuance instead of looking at them black and white.
If the US government gives you a billion dollar subsidy to do some particular action, is the action that is done the will of the corporation or the will of the government?
If the US government is paying private companies to 'gain information on' foreign entities, is that the will of the private companies or of the government itself?
If when a US company acquires a resource the US government can ask nicely for it with the threat of implied violence if you don't give it, is that a private resource or not?
And, note, I'm talking about the US that has relatively strong property rights and not about China where the government has far more leeway with the operation of companies, and absolutely uses them for nation state level information gathering.
In China, there is no meaningful difference between the party and any Chinese company. Companies are seed funded by the state and carry the will of the state. There is no "come back with a court order" in China. And even if there was, the courts are also just another arm of the party.
For websites and services I don’t care. Some hosting platforms publish via CNAME, and some via A and AAAA records. Most seem to use a mix of v4 and v6 addressing.
The falling price of IPv4 addresses looks to me like we’ve made it to other side of the IPv6 rollout: demand for IPv4 is falling faster than supply now. Not clear if those prices are adjusted for inflation; the post-COVID spike looks like a lot of other nominal price graphs. If not, then the recent price drop is even more dramatic than it appears.
Perhaps in the long run, IPv4 becomes an artisanal choice for uses that depend on stable IP reputation: email sending, primarily. And everyone else relies on TLS for reputation signals, not caring about the IP address.
Hm...
It's more likely that the widespread deployment of CGNAT and 464XLAT in mobile networks made the IPv4 scarcity a non-issue. The some CGNAT solutions can multiplex more than 20000 devices onto a single IPv4 address.
I'm a very early adopter of IPv6, and I _still_ have operational issues with it.
The same is true for amazon.fr.
I'm thinking about going full on IPv6 now with NAT64, but that a stretch already, because it needs upgrading a gear.
I think around 2000 every new LIR at RIPE got a /19 allocation. Smaller companies are now almost 30 years old and the founders divest their assets step by step unless someone buys everything.
For example, Walmart has electronic eink shelf tags they can update remotely. Each one needs a unique address. I wouldn't think it needs ipv4. It doesn't have to connect to the SpaceJam website.
I would think that as time goes by, the number of these new devices would swamp the number of old ones that need ipv4. v4 would still be around and might even seem important to the fogies using web browsers on laptops...meanwhile the street lamp has five ipv6 addresses and no ipv4 ones.
While I don't think a couple administration's website archives are enough to drive adoption, one could imagine there might be some government resources that might.
Sadly browsers don't seem to warn users that they couldn't connect because of the lack of IPv6 (and doing so would be difficult for IPv6-only DNS servers), so it just looks like a regular connection failure.
However, there are network upstarts like Jio (India) which made huge v6 investments from day one which use 464xlat for subscribers to access v4-only resources.
That's my point; why is it still difficult? What exactly are the pain points for a fully commercialized native IPV6-only business, and why do we think it will be easier to maintain the status quo?
Most of it is not any particular difficulty for you, but because of someone else.