IP Addresses Through 2025
potaroo.net173 points by petercooper 18 hours ago
173 points by petercooper 18 hours ago
The collapse in IPv4 transfer prices is what caught my eye here, dropping from a ~$55 peak in 2021 to a mean of $22 in early 2026 (figure 12).
This validates my hypothesis that the run-up in 2020–2022 was an artificial scarcity bubble driven largely by hyperscalers. AWS was right up there stockpiling before they shifted their pricing model. Once AWS introduced the hourly charge for public IPv4 addresses (effectively passing the scarcity cost to the consumer), their acquisition pressure vanished. The text notes Amazon stopped announcing almost 15M addresses in Nov 2025. I think they have moved from aggressive accumulation to inventory management.
We are seeing asset stranding in real-time. The market has realized that between the AWS tax and the efficacy of mobile CGNAT, the desperate thirst for public v4 space was not infinite. I'm curious to hear more takes on this.
The CGNAT point is underrated. Carriers have zero incentive to move away from it - thousands of users per public IP, no transition cost.
The interesting downstream effect is on IP reputation systems. Traditional detection assumed 1 IP = 1 user. CGNAT breaks that entirely - platforms can't aggressively filter mobile carrier IPs without blocking legitimate customers by the thousands.
Makes sense the IPv4 price dropped once mobile networks proved you can serve massive user bases with relatively few public addresses.
Expect CG-NAT boxes are expensive, and introduce another point of failure into the network. Most mobile carriers are running IPv6 first networks these days anyway.
Like you said, CG-NAT does have the benefit of making v4 address reputation less reliable, which means it's not as big a deal for the transition to v6.
>CG-NAT does have the benefit of making v4 address reputation less reliable
heh, less reliable is doing a lot of heavy lifting there. You mean "complete and total trash". We need to get to the point where Cloudflare/AWS/some other big sites just block CG-NAT nodes for a day going this IP address is a risk.
Instead if you're a website, instead of doing an easy block by IP, you're left filtering out AI crawlers, spammers, and lots of other crap hiding behind a single IP with thousands of other users behind it, and ISPs that don't really give a shit about doing anything about it.
We need to push the value of IPv4 to nearly zero and finally move away from that crap.
[flagged]
Why? How is it "discrimination" if it actually corresponds to a single user, who has been doing bad things to your server (e.g. slamming it with requests)? Do you expect to be able to go and knock on people's doors all day and not have them tell you off?
Anecdotally on how this affects the day to day user experience: I just deployed T-Mobile 5G Business Internet to a temporary pop-up art space (it's only active for a few months) and I'd say twice daily I get a CAPTCHA challenge on Google search.
And I hope it gets worse for users behind CG-NAT to the point that websites and ISPs move to IPv6.
I wonder if all these new tools that punch through CGNAT like tailscale will end up breaking it when they force these NAT boxes to maintain tons of long lived connections.
With the uptake in smart home and internet connected CCTV by consumers, things could dramatically shift.
I personally hate CGNAT, but I cannot deny that nowadays, the overwhelmingly vast majority of customers most likely does not care (and much less know) that they are behind CGNAT, so this is valid.
Come to think of it, for my use cases, I would probably be fine to be behind IPv4 NAT as long as I also have an un-NATted IPv6 prefix. But a big part of the question here of course is whether IPv6 adoption is worthwhile...
It is noteworthy that in 2020 AWS had very limited ipv6 support, but these days they have at least some support in the most critical services.
> efficacy of mobile CGNAT
At driving the majority of mobile traffic to IPv6? Otherwise, it seems hard to describe mobile CGNAT as efficacious to me.
Amazon LEO
Aka Kuiper
>stopped announcing almost 15M addresses in Nov 2025
As someone with a background in electronics who doesn't manage any internet-connected equipment but has multiple embedded devices connected to a WAN, I'm glad that IPv4 still seems to have a bit of life left in it.
When IPv6 was developed, over 30 years ago, connecting everything to the internet seemed like a great idea. I know that IPv6 can be made secure, but I don't have the background or research time to learn how to do so, and the NAT-by-default of IPv4 effectively means that I get the benefit of a default-deny security strategy that makes it impossible to accidentally directly connect anything to the internet.
I'm hoping I can keep using IPv4 until IPv8 or IPv4.5 or whatever comes next is developed with the modern proliferation of cheap insecure IoT in mind.
For some background on why IoT products are so insecure:
Hardware manufacturers don't really comprehend the idea of updates, let alone timely of security patches. Hardware has to work on the day of release, so everything is documented and tested to verify it will work. I have hardware with a TCP/IP stack that was released 20 years, (https://docs.wiznet.io/Product/Chip/Ethernet/W5500) and doesn't have a single errata published, despite widespread use. This is expected for every single component, for even the smallest 1-cent transistor, which has dozens of guaranteed performance characteristics laid out over several pages of documentation (https://en.mot-mos.com/vancheerfile/files/pdf/MOT2302B2.pdf).
When manufacturers venture into a product that runs software, they don't realize that for a given complexity, working through undocumented or, worse yet, incorrectly documented APIs takes more time than the equivalent hardware development and documentation. I've worked on multiple projects where software bugs were fixed with hardware workarounds, because it's faster, cheaper, and easier to develop, test, document, retool, and add a few cents of bill-of-materials cost per product, than to get reliable output from the already-written library that's supposed to provide the functionality.
The hardware TCP/IP stack that I linked to was developed at a time when it was the cheapest way to connect a low-power embedded system to a network. Modern low-power embedded systems have multiple cores running at hundreds to thousands of MIPS making the resources to run a softtware TCP/IP stack trivial, but the product still sells well, because when security is an absolute must, the hardware development and maintenance cost for the functionality is still cheaper than through software, even when there's no marginal cost to run the software.
> the NAT-by-default of IPv4
IPv4 is not NAT-by-default. The reality of the world we live in today is that most home networks have a NAT, because you need multiple devices behind a single IP.
That said, I agree: it's quite unknowable how many services I've turned on on local machines with the expectation that a router firewall sat between me and potential clients.
But that doesn't go away with IPv6 - the NAT does, the router doesn't, and the firewall shouldn't either. For example, the default UniFi firewall rules for IPv6 are: 1. Allow Established/Related Traffic (outbound return traffic), 2. Block Invalid Traffic, 3. Block All Other Traffic
You must explicitly open a firewall rule for inbound IPv6 traffic. NAT is not the firewall.
> NAT is not the firewall.
NAT _is_ a firewall. And a much safer one than IPv6 firewalls, because NAT will fail safe if misconfigured.
NAT is not a firewall: all it does is rewrite packets, it does not drop them.
You have to squint a little and see they mean that most consumer routers don't map inbound unsolicited packets to anything internal unless the user specifically configured it to. Which is basically a firewall.
The article actually remarks on this kind of argument.
While you are technically correct about NAT not being a firewall, it is in practice a widely used front-line defense which even if not “perfect”, it has indisputably proven to be quite effective against a lot of malicious activity.
Against highly determined malicious actors you will of course want a proper firewall, but for 99% of people, NAT is enough to keep from being bothered by run of the mill malicious actors.
Kind of like physical home security, a lot of it is very easy to bypass, but it’s good enough for the common threats.
> Against highly determined malicious actors you will of course want a proper firewall, but for 99% of people, NAT is enough to keep from being bothered by run of the mill malicious actors.
Maybe, maybe not, but regardless 99% of people are not protected by a NAT. They are protected by a "proper firewall," which happens to support NAT (and typically, is enabled for IPv4 networks.)
That is to say, while most home routers support NATs, they also ship with a default-deny firewall turned on. Typically, enabling NAT mappings also configures the firewall for users. But they are not the same thing and we need to stop conflating them because it causes a lot of confusion when people think that IPv6 is "open by default" and that IPv4 is "protected by NAT." It's not. They are both protected by your router using the same default-deny firewall.
This is BS. "Default deny" or "default accept" makes no practical difference with NAT. You can leave the "default accept" rule with NAT and you'll be perfectly fine except in some weird edge cases.
That's because it's exploitable only if you control the next hop from the NAT router, which is typically within the ISP infrastructure. So the attacker will need to either hack your ISP or mess with your NAT router's physical uplink.
Both cases require a very dedicated attacker.
A default deny firewall is a good idea to protect services everywhere in your network, including those which run on the router itself (e.g. many routers run a local DNS server.) Without NAT, packets are not dropped, they simply do not have their destination rewritten to another device on the network. The traffic is still destined for the router and will be processed by it. This is why routers ship with a default-deny firewall rule.
NAT is not a firewall. It is address translation. It will not drop packets.