nanog mailing list archives
Re: Whois 172/12
From: "Ted Fischer" <ted () fred net>
Date: Sun, 15 Jan 2012 03:20:17 -0500
Thanks for the replies so far, but not what I was looking for. I should have specified that I've done several ns & dig lookups just to make sure. We were supposed to have lit up the last of IPv4 last year. I would have presumed that meant that there was nothing left. Since I can't find a reference to 172/12 anywhere, one might be led to presume that it was allocated somehow, to someone (perhaps inadvertently not recorded) since there are - supposedly - no fresh IPv4 addresses left to allocate, and the only reference to this block is that 172/8 is allocated to ARIN. It doesn't even appear in RFC 5735. We all know about 172.16/12 - nothing left of that horse but glue. My question is about 172/12. Where is it, what is it's supposed purpose. I'm almost sure it's an internal box. I just find it better to give a professional answer to "why can't I use this" than just "you can't use this and why is this address scanning you for udp/137 anyway". If someone can point out to me what was done with 172/12 I'd appreciate it. Patrick opined:
Read RFC1918.
I didn't remember seeing anything about 172/12 in RFC1918. Looked at it again. Is there something about 172/12 I missed? Thanks.
Likely a machine on his local network (i.e. behind the same NAT box) is hitting him. But that is not guaranteed. A packet with a source address of 172.0.x.x could be hitting his machine. Depends on how well you filter. Many networks only look at destination IP address, source can be anything - spoofed, un-NAT'ed, etc. He just wouldn't be able to send anything back to it (unless it was on the local LAN, as I mention above). -- TTFN, patrick On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote:As far as I know, 172.0.1.216 is not assigned, yet. whois -h whois.arin.net 172.0.1.216 [whois.arin.net] # # Query terms are ambiguous. The query is assumed to be: # "n 172.0.1.216" # # Use "?" to get help. # No match found for 172.0.1.216. # # ARIN WHOIS data and services are subject to the Terms of Use # available at: https://www.arin.net/whois_tou.html # Also, when you check BGP routing table, it is not routed at all. route-server.as3257.net>sh ip bgp 172.0.1.216 % Network not in table route-server.as3257.net> So it seems like forged IP address. Alex On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer <ted () fred net> wrote:Hi all, Tearing what's left of my hair out. A customer is getting scanned by a host claiming to be "172.0.1.216". I know this is bogus, but I want to go back to the customer with as much authoritative umph as I can (heaven forbid they just take my word). I'm pretty sure I read somewhere once that 172/12 was "reserved" or something like that. All I can find now is that 172/8 is "administered by ARIN". Lots of information on 172.16/12, but not a peep about 172/12. If anybody could provide some insight as to the allocation/non-allocation of this block, it would be much appreciated. Thanks. Ted Fischer
Current thread:
- Whois 172/12 Ted Fischer (Jan 14)
- Re: Whois 172/12 Alex Ryu (Jan 14)
- Re: Whois 172/12 Patrick W. Gilmore (Jan 14)
- Re: Whois 172/12 Ted Fischer (Jan 15)
- Re: Whois 172/12 Jeroen Massar (Jan 15)
- Re: Whois 172/12 Jimmy Hess (Jan 15)
- RE: Whois 172/12 Keith Medcalf (Jan 15)
- Re: Whois 172/12 Justin M. Streiner (Jan 15)
- Re: Whois 172/12 Suresh Ramasubramanian (Jan 15)
- RE: Whois 172/12 Network IP Dog (Jan 15)
- Re: Whois 172/12 Suresh Ramasubramanian (Jan 15)
- Re: Whois 172/12 Patrick W. Gilmore (Jan 14)
- Re: Whois 172/12 Tom Hill (Jan 19)
- Re: Whois 172/12 Alex Ryu (Jan 14)
- Re: Whois 172/12 Robert Bonomi (Jan 15)
- Re: Whois 172/12 bmanning (Jan 15)