On Sun, 15 Jan 2012, Ted Fischer wrote:
Thanks for the replies so far, but not what I was looking for.
I should have specified that I've done several ns & dig lookups just to make sure.
We were supposed to have lit up the last of IPv4 last year. I would have presumed that meant that there was nothing left. Since I can't find a reference to 172/12 anywhere, one might be led to presume that it was allocated somehow, to someone (perhaps inadvertently not recorded) since there are - supposedly - no fresh IPv4 addresses left to allocate, and the only reference to this block is that 172/8 is allocated to ARIN. It doesn't even appear in RFC 5735.
While IANA allocated the last of the free IPv4 address pool to the 5 recognized RIRs on 3 Feb 2011, that doesn't mean that all of those IPv4 addresses were immediately assigned to providers or end-users. The RIRs will exhaust their supplies of assignable IPv4 address space at different times, depend on their 'end game' assignment strategies and their overall consumption rate. APNIC exhausted most of their available address space by last April. 172/8 was a legacy block, from which 172.16/12 was allocated for RFC 1918. Looking at http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml shows many of the legacy allocations being administered by ARIN, but also a few being administered by RIPE and APNIC. There is a difference between an RIR being tasked with administering a chunk of legacy space and being officially allocated a chunk of space by IANA. In the case of 172/8, it was allocated in the InterNIC days, so users could be scattered all over the world, but ARIN handles in-addr.arpa delegation for it. Since ARIN was not (as far as I know) formally tasked with allocating remaining space from 172/8, that space it will not be assigned to SPs or users by ARIN.
My question is about 172/12. Where is it, what is it's supposed purpose. I'm almost sure it's an internal box. I just find it better to give a professional answer to "why can't I use this" than just "you can't use this and why is this address scanning you for udp/137 anyway".
As others have pointed out, if 172.0.0.0/12 or some subset of it doesn't exist in the global routing table, then the packets you saw are either coming from outside of your network - spoofed - or coming from somewhere inside your network.
If someone can point out to me what was done with 172/12 I'd appreciate it.
I'm not aware of anything more detailed that what I've noted above or what other posted have contributed to this thread. jms