nanog mailing list archives

RE: Private use of non-RFC1918 IP space


From: Blake Pfankuch <bpfankuch () cpgreeley com>
Date: Mon, 2 Feb 2009 10:58:52 -0700

Using public IP space in general is typically just asking for trouble.  I worked with an "ISP" once who decided to use 
192.0.0.0/24 for IPs to customers who didn't need a static IP.  They did it not knowing what they were doing (oh you 
mean 192.0.0.0/8 isn't RFC1918) but very quickly they had to change it.  In our current customer base we have run into 
it a few times where someone is using non-RFC1918 space internally and propose changing it very quickly, as we have had 
several customers who don't know it, but need to get to something in that public space.

If you happen to be the funny guy who uses an IP range from some tiny foreign off the wall country because "we will 
never need to connect to their IP space" remember that IP address allocations change and you won't think it's so funny 
when the company who provides your anti-virus moves their update servers to match your internal IP space.

There are sometimes good reasons to do this, for instance to ensure
uniqueness in the face of mergers and acquisitions.

If you are going to force uniqueness and one of the parties in the merger was super smart in their original deployment 
and decided to use 10.0.0.0/8 for their network of 300 machines, force them to change to something smarter.  Remind 
them how layer 3 networks inside of a single building work.  Even if a network is not publicly seen, you have to keep 
in mind how many machines see it while they might see a public network.  A specific customer had a 216.xx.xx.0/24 
network for their private production network.  Their internal router also saw it and had an ACL on who could access it. 
Meaning their entire staff couldn't get to their colocated webserver when their provider re-addressed that floor in 
the datacenter.

All rambling aside, it's much easier to renumber on the front end as opposed to ending up with VPN natting that makes you 
cry on the inside.  Think of the person who will take over your network when you eventually leave your position.

This is a bit off-topic, but I thought I'd mention that this is one reason I recommend use of the 172.16/12 block to 
people building or renumbering enterprise networks. Most people seem to use 10/8 in large organizations and 192.168/16 
in smaller ones, so it raises your chances of not having to get into heavy natting down the road. My theory on this is 
that most people who don't deal with CIDR on a daily basis find the /12 netmask a bit confusing and just avoid the 
block at all.

Also a good point.  Most of the "support engineers" I run into think that 172.24.0.0 is public IP space.

-----Original Message-----
From: D'Arcy J.M. Cain [mailto:darcy () druid net]
Sent: Monday, February 02, 2009 10:20 AM
To: sthaug () nethelp no
Cc: nanog () nanog org
Subject: Re: Private use of non-RFC1918 IP space

On Mon, 02 Feb 2009 18:03:57 +0100 (CET)
sthaug () nethelp no wrote:
What reason could you possibly have to use non RFC 1918 space on a
closed network?  It's very bad practice - unfortunately I do see it done
sometimes....

There are sometimes good reasons to do this, for instance to ensure
uniqueness in the face of mergers and acquisitions.

How does that help?  If you are renumbering due to a merger, couldn't
you just agree on separate private space just as easily?

--
D'Arcy J.M. Cain <darcy () druid net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.
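The thread above turns on two checks a network engineer wants before reusing a prefix internally: does it actually sit inside one of the three RFC 1918 blocks (the 172.16/12 boundary is the one people misjudge, hence "172.24.0.0 is public" and "192.0.0.0/8 is RFC1918"), and does it collide with the other party's plan when two networks merge. The following is an added example written for this archive page, not code from any poster; it uses only the Python standard library `ipaddress` module. All prefixes in the sample plans are constructed, and 198.51.100.0/24 (a documentation range) stands in for the customer's 216.xx.xx.0/24 block that the post leaves unspecified.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# The three private-use blocks defined by RFC 1918.
RFC1918_BLOCKS = [
    ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def block_bounds(prefix: str) -> Tuple[str, str]:
    """First and last address covered by a prefix, e.g. the 172.16/12 span
    that confuses people who rarely work with CIDR."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def containing_rfc1918_block(prefix: str) -> Optional[str]:
    """Return the RFC 1918 block that wholly contains `prefix`, or None if the
    prefix is (even partly) outside private-use space."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        return None  # RFC 1918 only defines IPv4 blocks
    for block in RFC1918_BLOCKS:
        if net.subnet_of(block):
            return str(block)
    return None


def audit_internal_prefixes(prefixes: List[str]) -> Dict[str, str]:
    """Label each internal prefix as private (with its RFC 1918 block) or as
    routable space that can collide with something on the Internet."""
    report = {}
    for p in prefixes:
        block = containing_rfc1918_block(p)
        if block:
            report[p] = f"private ({block})"
        else:
            report[p] = "NOT RFC 1918: routable space, may collide with the Internet"
    return report


def find_overlaps(plan_a: List[str], plan_b: List[str]) -> List[Tuple[str, str]]:
    """Pairs of prefixes from two address plans that overlap, i.e. what forces
    VPN NAT or renumbering after a merger."""
    overlaps = []
    for a in plan_a:
        na = ipaddress.ip_network(a, strict=False)
        for b in plan_b:
            nb = ipaddress.ip_network(b, strict=False)
            if na.version == nb.version and na.overlaps(nb):
                overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    # Constructed sample plans: the "ISP" from the post and a 300-machine shop
    # that took all of 10/8 for itself.
    isp_plan = ["192.0.0.0/24", "172.24.0.0/16", "198.51.100.0/24"]  # last one stands in for 216.xx.xx.0/24
    acquired_plan = ["10.0.0.0/8", "10.1.0.0/16"]

    print("172.16.0.0/12 covers", *block_bounds("172.16.0.0/12"))
    for prefix, status in audit_internal_prefixes(isp_plan + acquired_plan).items():
        print(f"{prefix:18} {status}")
    print("merger collisions:", find_overlaps(acquired_plan, ["10.1.0.0/16", "172.24.0.0/16"]))
```

Running the script shows that 172.24.0.0/16 is private (inside 172.16.0.0/12, which spans 172.16.0.0 through 172.31.255.255), that 192.0.0.0/24 and the 198.51.100.0/24 stand-in are routable space, and that any prefix carved from 10/8 collides with a partner who used the whole block. Feeding both sides' real prefix lists to `find_overlaps` before a merger is the "renumber on the front end" check the post recommends.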