Hi Bill,

On Fri, 26 Mar 2021 at 22:16, William Herrin <bill@herrin.us> wrote:
On Fri, Mar 26, 2021 at 1:42 PM Lukas Tribus <lukas@ltri.eu> wrote:
In production, you may be able to troubleshoot this a few months from now, but how will the on-duty junior engineer handle this at 03 AM?
Hi Lukas,
In the network Vom describes, he is surely the only network engineer.
Actually I think it's more likely that he's a contractor/consultant, but either way, contractor/consultant or employee ... all of them change over time. This falls into the kind of duct-tape "solutions" that inevitably cause issues down the line, which then have to be diagnosed by engineers at other networks. I'm that engineer at the other network, diagnosing the issue because quote "it must be your fault because we only have the issue with that single IP address of yours. Also YouTube works just fine here."
Vom's question was how to carve off some addresses without being stuck at 1/2 the allocation as his maximum subnet size. At the sacrifice of some complexity, it can be done. As described, you can even recapture 3 addresses that would normally be lost to you were you not attempting to carve off addresses.
Almost anything can be done by increasing complexity. But here the cure is worse than the disease.
What you are suggesting is to configure public IP address space that isn't yours; this should be a big no-no.
That's one way of looking at it. Here's a different one: It is an entirely legitimate network configuration to give your LAN a 0.0.0.0 netmask and rely on proxy arp to route off of it for non-local addresses. Nobody does it this way, it's inefficient and gets very complex when there's more than one router, but it in no way implies configuring yourself address space which is not yours.
You are configuring a prefix that is not assigned to you and not specifically reserved for local connectivity like 1918 (instead it is almost certainly partially assigned to another AS for IPv4 unicast use on the public Internet). That is the very definition of configuring address space which is not yours, whether you're successful or not at reducing the impact with proxy-arp. Sure, in this specific case 0.0.0.0 and 255.255.255.255 truly will never be used by anyone on the Internet (and also your hosts/router will almost certainly crash, because ARP tables are not designed for hundreds of thousands of entries), but that's not the point. It's not legitimate in my book, when we are talking about hosts on the public Internet which are required to connect to the rest of the Internet, maybe even host services. If the bar is "can I be sued for this?" then you are certainly right.
At the very least you can't reach the public IP addresses 10.0.0.0 and 10.0.3.255 from the hosts, because they won't be sending ARP requests for subnet and broadcast addresses.
In the described configuration, those addresses are almost guaranteed to be base addresses or broadcast addresses of someone else's network which you wouldn't be able to reach or access anyway. There is a tiny chance that someone else did the same thing you did or decided to use a /32 route to capture and use those two addresses as unicast, but you've a better chance of winning the lottery or being hit by lightning than finding those two addresses in use.
Eyeball networks assign /32 to end users including .0 and .255. Of course the likelihood that those two addresses are actually requiring end-to-end connectivity to this AS is not huge. But the fact of the matter is that you are knowingly breaking a valid configuration in other people's networks with a non-null likelihood of it causing problems, and for what? To avoid 1918 addressing on a single P2P link of an enterprise stub-AS? This cure truly is worse than the disease and it would certainly be unacceptable in my book. Now let's talk about the likelihood of the OP leaking the /22 to the transits (which hopefully filter strictly) in the process of setting this up. I won't need lottery or lightning analogies for that.

Lukas
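As an added illustration (my own example, not code from this thread or from either poster), here is a small config lint for the problem Lukas describes: an interface whose netmask covers address space outside the operator's own allocation, and the subnet base and broadcast addresses that hosts on that interface will never ARP for. The /24 allocation and the sample interface lines are constructed.

```python
import ipaddress

# Constructed sample allocation: the operator actually holds only 10.0.1.0/24.
# (Hypothetical value; substitute the prefixes your RIR/LIR assigned you.)
ALLOCATED = [ipaddress.ip_network("10.0.1.0/24")]


def check_interface(addr_with_mask, allocated=ALLOCATED):
    """Return findings for one interface address/mask string.

    - within_allocation: the configured subnet nests inside an owned prefix.
    - foreign_addresses: how many addresses the mask claims that are not owned
      (CIDR prefixes either nest or are disjoint, so this subtraction is exact).
    - unreachable_base_broadcast: the two addresses hosts treat as subnet base
      and broadcast and therefore never ARP for, even with proxy ARP upstream.
    - foreign_collateral: those of the two that belong to someone else.
    """
    iface = ipaddress.ip_interface(addr_with_mask)
    net = iface.network
    within = any(net.subnet_of(a) for a in allocated)
    owned_inside = sum(a.num_addresses for a in allocated if a.subnet_of(net))
    base, bcast = net.network_address, net.broadcast_address
    collateral = [str(a) for a in (base, bcast)
                  if not any(a in alloc for alloc in allocated)]
    return {
        "network": str(net),
        "within_allocation": within,
        "foreign_addresses": 0 if within else net.num_addresses - owned_inside,
        "unreachable_base_broadcast": [str(base), str(bcast)],
        "foreign_collateral": collateral,
    }


def lint(interfaces, allocated=ALLOCATED):
    """Return only the interfaces that claim address space outside the allocation."""
    return {i: f for i in interfaces
            if not (f := check_interface(i, allocated))["within_allocation"]}


if __name__ == "__main__":
    # Constructed examples: a sane /24, the wide /22 mask the thread argues about,
    # and the 0.0.0.0-netmask-plus-proxy-ARP extreme.
    for line in ("10.0.1.5/24", "10.0.1.5/22", "10.0.1.5/0"):
        print(line, check_interface(line))
```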