I work in the IPv4 address market, which means a new addressing proposal hits my inbox the moment it goes public. Most are noise. draft-thain-ipv8, submitted to the IETF in April 2026, is more interesting than most - not because it'll ship (it won't), but because its architecture is a clean case study in how a well-intentioned spec can accidentally specify a surveillance platform. Let's read it like engineers.
The naming collision (skip if you already know)
Three unrelated things share the name "IPv8":
- py-ipv8 - a working P2P overlay from TU Delft over UDP, using Curve25519/Ed25519 identities. Nothing to do with TCP/IP replacement. The name is a joke about IPv6 adoption.
- PIP (historical IPv8) - Paul Francis, 1992, RFC 1621/1622. Lost the IPng race to SIPP because variable-length addresses were murder in hardware. Historic since 2016.
- draft-thain-ipv8 - the 2026 individual submission everyone is arguing about. This post is only about that one.
The addressing model
IPv8 defines a 64-bit address laid out as r.r.r.r.n.n.n.n - eight octets:
+-------------------+-------------------+
| ASN (32 bits) | Host (32 bits) |
+-------------------+-------------------+
r.r.r.r n.n.n.n
The high 32 bits carry an ASN; the low 32 bits are a host address with IPv4 semantics. The backward-compatibility hook is the part worth pausing on:
if (asn_prefix == 0.0.0.0) {
// treat as legacy IPv4, standard rules apply
}
So 0.0.0.0.a.b.c.d is IPv4. Clean idea on paper.
The consequences are large:
- Each ASN holder gets
2^32host addresses (~4.3 billion). Exhaustion stops being a meaningful constraint at any org scale. - The global routing table - currently 900k+ prefixes with no structural ceiling - gets capped near one entry per ASN (~175k today), because deaggregation below /16 is forbidden. That's the architecturally bounded BGP table people have wanted for years.
- Header cost: +8 bytes vs IPv4 (source and destination each grow 32 → 64 bits). TTL, Protocol, Flags, Checksum are unchanged.
This is the genuinely attractive half of the draft. If you've ever stared at the routing table growth curve and winced, the bounding mechanism is hard not to like.
The Zone Server
Here's where it stops being an addressing proposal and becomes a platform. IPv8 mandates a per-segment Zone Server, active/active, that consolidates basically everything:
| Service | Role |
|---|---|
| DHCP8 | Address assignment |
| DNS8 | Resolution |
| NTP8 | Time |
| OAuth8 | Authentication (OAuth2 + JWT) |
| WHOIS8 | Route validation |
| ACL8 | Access control |
| NetLog8 | Telemetry / logging |
| XLATE8 | IPv4 ↔ IPv8 translation |
A device joins, fires one DHCP8 request, and gets every service endpoint in a single reply. Auth is JWT validated locally, no round trip to an external IdP. From an ops perspective, the "one box, one request" story is genuinely elegant.
Routing decisions run on a 32-bit Cost Factor, accumulated from seven inputs: RTT, packet loss, congestion window state, session stability, link capacity, economic policy, and great-circle distance as a speed-of-light floor. That last one is sharp - any path claiming to beat the physics floor is flagged as anomalous by definition. I like it as a design instinct.
Transition avoids a flag day via 8to4 tunnelling encapsulated over HTTPS, so it slips through firewalls without per-box config.
Where it breaks (the ordinary objections)
The community pushback is fair and mostly consistent:
- No process. IPv6 came out of a multi-year working-group bake-off (CATNIP, TUBA, SIPP). This is a solo I-D with no WG, no sponsor, and a datatracker page that says outright it isn't endorsed. It expires Oct 19, 2026 absent adoption.
- Layering violation. OAuth2/JWT is Layer 7 logic shoved into Layer 3. Access switches, industrial controllers, and basic routers aren't built to do application-level authz at line rate. I'm softer on this than most - hardware refreshes on 7-10 year cycles regardless, and ISPs ship ~180M CPE units a year - but "the silicon could eventually do it" is not the same as "the ecosystem will require it."
- The Version field. Every ASIC checks the IP Version field and drops anything that isn't 4 or 6. A Version 8 packet dies at hop one. XLATE8 is the answer - legacy devices behind an IPv8 gateway emit plain IPv4 and never send a Version 8 packet - but the whole transition story rests on XLATE8 being as transparent in production as the spec claims, and nobody has tested that.
- Provenance. GPTZero reportedly flagged ~76% of the text as likely AI-generated. The author acknowledges AI assistance. The concern isn't the tool; it's whether the design reflects lived operational experience.
- Timing. Two weeks before the draft argued IPv6 had failed, Google's IPv6 traffic crossed 50% for the first time. The premise aged badly in real time.
The part the technical critique mostly misses
All of the above is solvable in principle. The thing that isn't solvable by iteration is what the Zone Server becomes once you treat it as a threat model instead of a feature list.
Walk the mechanisms as an adversary would:
-
DNS8 is not swappable. Today, DNS censorship is the weakest control - flip your resolver to
1.1.1.1and you're out. Under IPv8, resolution lives in the mandatory egress box. There is no "use another resolver." Unresolved destination → dropped locally, before the packet ever leaves your segment. - WHOIS8 is a registry-level kill switch. Every destination ASN must be present and valid in WHOIS8 or the packet is dropped, and unvalidated routes are never installed at the BGP8 level at all. So censorship stops requiring DPI or border filtering - pressure the registry, remove the record, and the target is unreachable at the protocol layer everywhere IPv8 runs. No record, no route, no reachability.
- OAuth2/JWT ends anonymous connections by design. Every managed device authenticates before its first packet. The stated goal is killing malware C2 - legitimate. The side effect is that the anonymity Tor and VPNs rely on stops existing at the IP layer, and whoever holds the identity infrastructure can attribute every connection.
- NetLog8 makes logging mandatory. Real-time telemetry at every Zone Server - every auth, connection, and policy hit, timestamped. "Observability for operators" and "comprehensive surveillance record for a state actor" are the same dataset.
And the spec is silent exactly where it shouldn't be: no governance model for who runs the Zone Server, no oversight on WHOIS8 record removal, no judicial-review path for ACL8 rules or JWT revocation. The entire thing assumes good-faith operators. That assumption does not survive contact with a meaningful chunk of the world's governments.
We've seen this shape before. Huawei's 2020 "New IP" pitch to the ITU-T proposed per-packet, authenticated, government-controllable filtering at the network layer and was rejected by the IETF, ISOC, and several governments precisely because it baked control into the protocol. IPv8 reaches a structurally identical endpoint through different mechanisms - apparently without the author intending it. Intent doesn't edit the architecture.
The clean way to put it: today a national firewall is expensive overlay infrastructure fighting a protocol built for openness. IPv8 inverts the relationship. The authenticated, logged, gateway-validated network becomes the base layer, and the open internet becomes the overlay you have to fight to reach.
Why an IPv4 trader cares
Short term: nothing. The draft expires without WG adoption, no vendor or RIR backs it, and IPv4 leasing is unaffected.
Longer term, two things are worth watching:
- The addressing logic. If a future, better-sponsored proposal inherits the "each ASN holder gets a giant block" model while keeping IPv4 backward compatibility, it attacks both pillars the secondary IPv4 market rests on - scarcity and IPv6 transition cost - simultaneously. That's speculative and distant, but it's the scenario to model.
- The control pattern. Consolidating resolution, identity, route validation, and logging into one mandatory platform will resurface in proposals that do have momentum. When it does, the only question that matters is who controls the platform.
Takeaway
draft-thain-ipv8 is not going to standardize. But it's a useful artifact: it proves you can bound the BGP table and unify network management at the protocol layer - and it proves that the same consolidation, done without a governance model, hands you a censorship substrate for free. The address format being elegant doesn't change that. The end-to-end principle is the thing keeping those two outcomes separable, and it's worth defending precisely when the alternative looks this tidy.
Full technical write-up with the rest of the spec breakdown is here: https://ipbnb.com/blog/ipv8-internet-protocol
Top comments (0)