The address allocation authorities distribute chunks of host-address space to individual organizations that manage component networks that make up the Internet as a whole. These chunks must be globally reachable by multiple Internet Service Providers according to routing information exchanged via the Border Gateway Protocol (BGP). Used locally and exchanged with peers, BGP information refers to address chunks in terms of an IP address and a mask called a CIDR block. For example, an address of 220.127.116.11 with a mask of 24 bits (written 192.172.226/24) indicates an IP address chunk (and likely a corresponding routing table entry) starting at address 18.104.22.168 and including all addresses that have the same values for the first 24 bits. The remaining (32-24)=8 bits can assume any value, so this block contains 256 individual IP addresses. Each routing table associates this address/mask pair with a `next hop' IP address, and routers forward all traffic destined for this network to the next hop listed in their local routing table.
[HWB97a] has attempted to show how much of the available IPv4 address space is in use in the global Internet core using a simple image mapping. For manageability we looked at routing entries of at least 256 hosts, for a maximum of (2^32)/256=16,777,216 possible clusters of hosts. Since the square root of the maximum number of clusters (sqrt((2^32)/256)) is 4096, we visualized the global address space as a 4096x4096 image, with each pixel representing one cluster of addresses. Hence, each pixel corresponds to a `/24' CIDR block's amount of IP address space, and potentially includes as many as 256 individual active Internet hosts. Within the image, the color of each pixel maps to a specific attribute, e.g. whether the cluster was `routeable' (i.e. covered by BGP advertisements), or allocated to some organization. We have extended this original 1997 analysis by superimposing a map of 'traffic activity' on top of the routeable/announced depiction. In the image below, the yellow areas are routeable, and the black areas show segments of the address space that include either source or destination addresses that appear in our set of collected packet traces.
Our set of packet traces currently derives from only a single measurement location (FIX-West, NASA Ames), which constrains any temptation to generalize to overall address usage. Nonetheless, definite patterns characterize these traffic samples, in particular in the three segments of address space that roughly correspond to the pre-CIDR classful network address allocations. The old class C address space is by far the most densely covered region of the image. There are fairly distinct vertical features in the image (bands of black pixels as one travels from left to right across the image), likely due to a proportionately larger number of host address allocations from the beginning of the allocated CIDR blocks. Similar vertical features are also quite distinct in the old class B address space: many class B networks have more host addresses allocated toward the beginning of their address block rather than toward the end.
The old class A address space is by far the most sparsely covered, which may indicate that these large network blocks are primarily used for internal communication, as opposed to connectivity to the Internet as a whole. Since IANA originally allocated most of these address segments to large corporations and government or military uses, it seems plausible that most of the traffic generated from/to such addresses may not pass through our measurement point. However, vertical features are still visible, indicating similar address allocation patterns. The most interesting aspect of this region is the pattern of addresses seen in the old 22.214.171.124/8 net. In those areas where CIDR blocks have been reallocated, both the usage and host allocations follow the pattern seen in the old class C address space.
Our traffic measurements were based on three packet traces. The first trace was taken on May 5, 1998 at 15:40 PDT and ran for 12 1/2 min., the second on May 9, 1998 at 20:12 PDT and ran for 15 1/2 min., and the third was collected on May 18, 1998 at 11:06 PDT and ran for 11 min. These three traces contained 66.8 million packets, and we used both source and destination addresses in placement of the black pixels. There were a significant number of in the traces that had source or destination addresses that were outside the routeable area of the map, and consequently we discarded 140,000 addresses (0.10% of the total packets) from the data in the traces. Many of these addresses were from the private address blocks specified in RFC 1918 [RFC1918], indicating routing configuration problems with at least one site using these addresses. The BGP routing table used to generate the yellow overlay on the image below reflects data collected on 18 May 1998 from the University of Oregon Route Views project[Meyer97], and includes BGP routes from 15 peers spread throughout the Internet.
We recognize the limitations of this analysis. Our methodology does not show IP addresses used by transport devices (e.g. routers, switches, hubs, etc.), since as a rule they do not send significant amounts of traffic through the Internet backbone. Furthermore, all our trace data comes from a single measurement point, so at best we can only hope to collect a representative sample that shows us a reasonable cross-section of the addresses in use. Verifying how representative a sample it is will require collecting traces from a wider variety of measurement locations. Nevertheless, the difference in coverage patterns among the three regions of the image is dramatic, and we suspect reflective of the overall pattern of address allocation today.
Here are closeups of the interesting portions of the image above:
Issues of efficiency in address space usage, such as depicted in the first image above, are potentially relevant for evolving the Internet address architecture. CIDR has helped with amorphously allocated address space, but stopped short of 'biting the bullet': rearranging the address block assignments to create larger clusters and reduce core routing table sizes. Increasingly popular Network address translation (NAT) technologies and products also seem to be significantly mitigating the pressure and perceived imminent emergency of exhaustion of the Internet address space.
Other ways to usefully extend this visualization include coloring by ASes/ISPs (i.e. map a prefix to its primary-announcing AS in a sample core routing table), and coloring by the ten largest CIDR blocks allocated to providers. We also note that Bill Manning of ISI has an ongoing project to walk the reverse DNS tree every quarter (traversal requires a month to complete), from which one could vividly illustrate the accuracy of the reverse tree: e.g., coloring in green that address space which is allocated, in use, and with correct reverse dns; in red allocated and in use address space with incorrectly configured reverse DNS information; in yellow allocated but unused (i.e,. unannounced into the core), and in white unallocated.
references1. [HWB97a]. Hans-Werner Braun, http://moat.nlanr.net/IPaddrocc/ BGP-system usage of 32 bit Internet address space, 15 November 1997 (December IETF plenary presentation).
2. [RFC1918], RFC 1918, ``Address Allocation for Private Internets'', http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1918.txt Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot & E. Lear.'', February 1996.
3. [Meyer97], University of Oregon Route Views Project, http://www.routeviews.org, Advanced Network Technology Center, David Meyer (now at Cisco Systems).
Thanks to Hans-Werner Braun and NLANR/MOAT for supplying the packet trace data and the vertical axis for this image. Sean McCreary and kc claffy, 8/27/98