Why does Qatar use a single IP address when 800,000 IP addresses are allocated to it?

88

21

In discussions about IP address banning, IP 82.148.97.69 is often cited as an example. According to Wikipedia, this IP address is the public address of "the entire nation of Qatar". There are two things I don't quite understand:

  1. Why does Qatar use a single IP address when it was given more than 800,000 IP addresses by IANA? Did they sell all other IP addresses to someone, or do they use these IP addresses for something non-public?

  2. With a single public IP address, isn't the proxy server limited to 65,536 simultaneous connections (by the number of available TCP ports)? How do they deal with this limitation? Or is the whole country limited to 65,536 simultaneous Skype calls?

Dmitry Grigoryev

Posted 2015-12-15T12:23:34.923

Reputation: 7 505

Answers

49

It doesn't. There are plenty of IPs in active use in Qatar, and even the top ones have <200 current users.

However,

> Is it conceivable that back in 2009 everyone in Qatar had the same public IP address?

I think it is, at least if by "2009" you mean "back in the time of Wikipedia blockade in the news".

The Wikipedia blockade occurred in 2006, so Wikipedia mainly refers to that point of time. Qtel, the state provider, had a monopoly up until November of 2006, so at least the talks about only having one ISP then seem to be true. About the IP, quoting BBC News from 2007,

> The 12-hour ban hit large numbers of people in the country because all web traffic in Qatar is routed through a single net address. [..] There is only one high speed internet service provider in the country which acts as a gateway for all users.

There's also a longer article published in 2011 saying

> Qatar's weakness is that the nation only has a single ISP provider, Qtel [..] If Qtel goes down, Qatar disappears off the face of the Web.

Since then, Qtel has been rebranded to Ooredoo. I can find some information from last month saying

> Qatar’s two telecom providers have been encouraging residents to test the speed of their mobile networks in hopes of proving once and for all who is the fastest.

As well as this information targeted to foreigners:

> Today Ooredoo, which was formerly QTel, and Vodafone are the major home Internet connection providers in the country.

So at least the part about only one provider isn't true anymore. However, even with two providers

> Internet users generally only have access to a single service provider – either Ooredoo or Vodafone – in a given area, it adds.

according to dohanews.co, but they do have a plan of adding more competition. However,

> While the report references the “eventual” entry of additional internet service providers, it offers no hint as to when a third operator could arrive in Qatar to compete for customers with Ooredoo and Vodafone.

eis

Posted 2015-12-15T12:23:34.923

Reputation: 1 851

16 "ISP provider" :( – Lightness Races with Monica – 2015-12-16T23:38:36.897

1 @LightnessRacesinOrbit: I vote we shorten "ISP provider" to IP, then we can have "IP provider" or IPP for short :D – slebetman – 2015-12-17T03:58:42.060

2 @LightnessRacesinOrbit: Well, afaik, you could sort of call tier 1 or tier 2 ISPs "ISP providers" since they provide service to ISPs – user1686 – 2015-12-17T06:03:17.390

@grawity: Haha – Lightness Races with Monica – 2015-12-17T10:34:09.727

@grawity: But who provides for the providers of ISP providers? :) – Juha Untinen – 2015-12-17T12:08:44.367

3 @JuhaUntinen That's what all those turtles are there for. – zxq9 – 2015-12-17T13:32:26.140

5 @LightnessRacesinOrbit Well, had he used "IS provider" it would've sounded like they are funding terrorists. – BMWurm – 2015-12-17T14:31:31.587

55

> Why does Qatar use a single IP address when it was given more than 800000 IPs by IANA?

At first glance, this doesn't seem to be true – according to WHOIS, 82.148.97.69 is part of a larger "Mobile-Broadband-Pool-No-6" having ~90 addresses. So maybe it's only a slight exaggeration – many mobile ISPs in other countries also put thousands of customers behind a tiny address pool.

(However, note that the Wikipedia userpage was created in 2009 – it's quite possible that the address could have been repurposed since then.)

A reverse search for "mnt-by: QTEL-NOC" in RIPE's WHOIS server shows a large amount of IP blocks used for various purposes – there are FTTH pools, schools, point-to-point links, each internet café has its own inetnum entry. There are even some IPv6 allocations (2001:1a10::/32).

This seems detailed enough to be real, but at the same time detailed enough to be suspicious... But many of those addresses are actually routed via AS8781, AS42298 (Ooredoo, the Qatar ISP) and AS198499 (Qatar University).

It could be that some hosts are assigned public IP addresses as usual, but outgoing connections are NATed once they leave the country's network... Yes, NAT works with any address, not necessarily "private" ones. I can't imagine why though.

The reverse search can be done using `whois -r -i mnt-by QTEL-NOC`, optionally with `-T` to request only specific records such as "route" or "inetnum". However, be careful with reverse searches as the WHOIS server may temporarily block you very quickly due to requesting massive amounts of results.

> Did they sell all other IPs to someone, or do they use these IPs for something non-public?

As a side note, some other places actually do that – for example, the US Dept. of Defense owns the address range 26.0.0.0/8, but none of it is routable from the public Internet – it's only used for their private networks.

> With a single public IP, isn't the proxy server limited to 65536 simultaneous connections (by the number of available TCP ports)? How do they deal with this limitation? Or is the whole country limited to 65536 simultaneous Skype calls?

Each TCP connection is identified by two IP addresses and two ports. Just like you can open multiple connections to the same host because they use different source (or destination) ports, the opposite is also perfectly valid – connections to different hosts may use the same ports, as long as at least one value from (src-ip, dst-ip, src-port, dst-port) differs.

So if the gateway is sufficiently smart, in total it could handle 65535 connections towards each host:port. (Port zero is not used since it causes problems in many systems.)

user1686

Posted 2015-12-15T12:23:34.923

Reputation: 283 655

Not needed external support: through successive whois requests, the whole bunch 82.148.97.x belong to Mobile-Broadband-Pool-No-6, ISP infrastructure... Some used IP from Qatar... – Hastur – 2015-12-15T13:19:22.447

Does this mean that I can establish more than 65536 connections from a single computer as long as destination addresses/ports are different? This goes against my (limited) knowledge of TCP/IP. – Dmitry Grigoryev – 2015-12-15T13:20:01.440

5 @DmitryGrigoryev: You certainly can as far as TCP is concerned, though usually the OS will impose other kinds of resource limits. (For example, one process is usually limited to ~1000 open files on Linux, and that includes TCP connections.) – user1686 – 2015-12-15T13:29:22.133

2 "Does this mean that I can establish more than 65536 connection from a single computer as long as destination addresses/ports are different?" there is no reason why a TCP implementation allowing this could not be written. Whether any of them actually do support it is another matter. – plugwash – 2015-12-15T15:57:31.983

@plugwash TCP/UDP ports are limited to 16 bits (65,536). No TCP implementation could open more ports than that; as there is no way in the TCP/UDP protocol to put it. – Ian Boyd – 2015-12-16T02:39:25.890

2 @IanBoyd: But you can use the same port for more than one connection. Think about it – how does a web server handle hundreds of connections to the same server IP & port 80? Because those connections differ in source IP and port. – user1686 – 2015-12-16T06:15:05.797

@grawity Web servers are not a particularly good example, because they don't initiate connections like proxies do. But I get the idea. – Dmitry Grigoryev – 2015-12-16T11:29:12.240

3 @DmitryGrigoryev: Whether you initiate a connection or accept it does not matter to TCP, as there's still one IP address and one port at either end. In the webserver's case, the "local IP" and "local port" are the same across all connections, for a proxy the "local IP" and "remote port" are the same, but either way that leaves two variables and the same amount of possible connections. (The TCP/IP spec even allows both sides to initiate the same connection at once.) – user1686 – 2015-12-16T13:01:40.173
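
The point made in the second answer and its comments, that a gateway with one public IP runs out of ports per destination host:port rather than at 65,536 flows in total, shown as an added example (not code from any of the posts). The `Nat` class, the `demo` function and the documentation-range addresses are constructed for illustration; flow expiry and port release are left out.

```python
"""Constructed model of a NAT gateway that owns a single public IP address."""

PORTS = range(1, 65536)  # port 0 is skipped, as the answer notes


class Nat:
    """Endpoint-dependent NAT: a public port must be unique only per destination."""

    def __init__(self, ports=PORTS):
        self.ports = ports
        self.free = {}   # (dst_ip, dst_port) -> iterator over unused public ports
        self.out = {}    # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.back = {}   # (public_port, dst_ip, dst_port) -> (src_ip, src_port)

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the public source port for an outgoing flow, or None if exhausted."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow in self.out:                      # existing flow keeps its mapping
            return self.out[flow]
        dest = (dst_ip, dst_port)
        pool = self.free.setdefault(dest, iter(self.ports))
        port = next(pool, None)
        if port is None:
            return None                           # all ports towards this host:port are taken
        self.out[flow] = port
        self.back[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return port

    def reverse(self, public_port, remote_ip, remote_port):
        """Map a reply back to the inside host using the full tuple, not the port alone."""
        return self.back.get((public_port, remote_ip, remote_port))


def demo():
    """Three clients hit one server through a 2-port pool, then one hits another server."""
    nat = Nat(ports=range(1, 3))                  # tiny pool so exhaustion is visible
    web = ("198.51.100.10", 443)                  # constructed destinations
    dns = ("198.51.100.53", 53)
    ports = [nat.translate(f"10.0.0.{i}", 40000, *web) for i in (1, 2, 3)]
    ports.append(nat.translate("10.0.0.9", 40000, *dns))
    return ports                                  # third web flow fails, dns flow reuses port 1


if __name__ == "__main__":
    print(demo())
```
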