IPv8 Explained: The IETF Draft to Replace IPv4/IPv6
Table of contents
An Internet-Draft landed on the IETF tracker on April 14, 2026. Not from a major vendor. Not from a working group with years of consensus. From J. Thain of One Limited, a company registered in Bermuda.
The title: Internet Protocol Version 8.
The claim: a managed network protocol suite that replaces how networks of every scale are operated, secured, and monitored. OAuth2 on every packet. Eight services unified into one platform. Full backward compatibility with IPv4. No flag day. No forced migration.
That is either the most ambitious networking proposal in decades or the most delusional. Let us find out.
The Address Space: 64-Bit, ASN-Rooted
IPv8 uses a 64-bit address. Not 128-bit like IPv6. The address splits into two 32-bit fields:
- Routing prefix: the 32-bit ASN (Autonomous System Number) of the network
- Host address: a standard 32-bit host identifier
This means every ASN holder gets 4,294,967,296 host addresses. The entire current IPv4 space, per ASN.
The clever part: when the routing prefix is all zeros (0.0.0.0), the remaining 32 bits are a standard IPv4 address. IPv4 becomes a proper subset of IPv8. No translation, no tunneling, no dual-stack. An IPv4 packet is already a valid IPv8 packet.
This is the single most interesting design decision in the entire spec. IPv6 failed adoption for 25 years primarily because it broke backward compatibility. IPv8 sidesteps that entirely.
Reserved ranges include 127.0.0.0/8 for internal zones, 100.0.0.0/8 for inter-AS peering, and 222.0.0.0/8 for router links.
The Zone Server: Eight Services, One Platform
This is where the proposal gets ambitious. IPv8 defines a "Zone Server" that combines eight services into a single coherent platform:
- DHCP8 - device configuration in a single lease response
- DNS8 - name resolution with route validation
- NTP8 - time synchronization
- NetLog8 - network telemetry and logging
- OAuth8 - authentication via JWT tokens
- WHOIS8 - route registration and ownership
- ACL8 - access control lists for zone isolation
- XLATE8 - address translation
Every device on the network gets its entire configuration from one DHCP8 lease. Every packet transiting to the internet is validated at egress against a DNS8 lookup and a WHOIS8 registered route. Every manageable element is authorized via OAuth2 JWT tokens served from a local cache.
The vision: no more stitching together DHCP, DNS, RADIUS, syslog, NTP, and firewall rules from different vendors with different configs. One platform, one protocol family, one source of truth.
The BGP8 Routing Table
The current BGP routing table has over 1 million entries and keeps growing. It is one of the internet's scaling bottlenecks.
IPv8 claims to solve this structurally. Since addresses are ASN-rooted, the global routing table is bounded at one entry per ASN. With roughly 113,000 active ASNs today, that is a 10x reduction from the current table size. The spec enforces /16 minimum prefix length to prevent fragmentation.
The Cost Factor metric replaces simple hop count with a composite score combining latency, packet loss, congestion, stability, capacity, and geographic distance. This is not new conceptually (EIGRP and others have used composite metrics), but applying it at the global routing level would be.
Security: Three Layers Deep
The security model is where IPv8 gets opinionated:
Layer 1: NIC firmware validation. The network interface card itself validates that the device is authorized to be on the network. Hardware-level trust.
Layer 2: Zone Server gateway. Every packet leaving a zone is checked against ACL8 rules and OAuth8 tokens. East-west traffic between zones is isolated by default, preventing lateral movement.
Layer 3: Switch port VLAN enforcement. Physical port-level access control.
The OAuth2 JWT model means every network action carries a cryptographic proof of authorization. Tokens are cached locally to avoid round-trips. The spec claims sub-millisecond validation overhead.
What Is Genuinely Novel
Let me be fair. Several ideas here are genuinely interesting:
IPv4 as a proper subset. This is the killer feature. If it works as described, it removes the single biggest barrier that killed IPv6 adoption for a quarter century. No migration, no dual-stack, no translation layers. Your existing network is already IPv8.
ASN-rooted addressing. Tying the address space to the autonomous system structure is elegant. It makes routing inherently hierarchical and bounded.
Unified service platform. The Zone Server concept addresses a real pain point. Enterprise networks today are a patchwork of protocols from different eras. Unifying them under one coherent system is the right direction.
Structural routing table bounds. If the global table really caps at ~113K entries, that is a meaningful improvement for router memory and convergence time.
What Raises Red Flags
Now the hard questions.
OAuth2 JWT per packet. This is the claim that makes network engineers twitch. OAuth2 was designed for application-layer authorization in microservices. Applying it at the network layer, on every packet, at line rate, is a fundamentally different problem. Even with local caching, the overhead of token validation on a 100Gbps link processing millions of packets per second is non-trivial. The spec says sub-millisecond. At scale, that claim needs hardware-level proof.
Single point of failure. The Zone Server bundles eight critical services into one platform. If it goes down, you lose DNS, DHCP, auth, time sync, telemetry, access control, and translation simultaneously. The internet was designed to be resilient through distribution. Concentrating this much function in one system is architecturally risky.
NIC firmware validation. Requiring hardware-level trust means every network interface card needs to support IPv8 validation. That is a hardware upgrade cycle measured in decades, not years.
Independent submission. This is not an IETF working group draft. It is an individual submission from a company in Bermuda with no obvious track record in protocol design. That does not make it wrong, but it means it has not been through the consensus process that catches design flaws.
"Just add JWT" criticism. Hacker News commenters were blunt: "30 years later, the same proposal but garnished with JWT." The ASN-rooted addressing idea has been floated before. The unified service platform concept echoes OSI's integrated approach that lost to TCP/IP's simplicity. History suggests that elegant unified designs lose to messy but deployable incremental ones.
The IPv6 Elephant
IPv6 has been "the future" since 1998. It is still under 30% adoption globally. The reasons are well-documented: backward compatibility breaks, infrastructure costs, NAT extending IPv4's life, ISP inertia, and no immediate business value for migration.
IPv8's backward compatibility claim directly targets IPv6's primary failure. But it faces the same secondary barriers: who builds the Zone Servers? Who writes the firmware? Who funds the transition? "100% backward compatible" gets you in the door. It does not get you deployed.
The Verdict
IPv8 is a thought-provoking design document wrapped in an IETF draft. The addressing model is clever. The unified service vision is right. The backward compatibility approach is the correct lesson learned from IPv6.
But the per-packet JWT validation needs a proof of concept, not a spec. The Zone Server needs a failure mode analysis, not just a feature list. And the NIC firmware requirement needs a hardware partner, not a paragraph.
This is either the seed of something real or a well-written fantasy. The difference will be whether anyone builds it.
The full spec is at draft-thain-ipv8-00.