Private use of non-RFC1918 IP space
Hi, y'all - Some colleagues and I are running into a bit of a problem. We've been using RFC 1918 Class A space but due to the way subnets have been allocated we are pondering the use of public IP space. As the network in question is strictly closed I don't anticipate any problems with this as the addresses would be unambiguous within our environment. I'm curious if anyone else is doing this. I'd be very interested in corresponding off-list with anyone who's in a similar position. Cheers, --Trey ++----------------------------------------------------------------------------++ Kingfisher Operations Trey Darley - Principal
What reason could you possibly have to use non RFC 1918 space on a closed network? It's very bad practice - unfortunately I do see it done sometimes.... Paul -----Original Message----- From: Trey Darley [mailto:trey@kingfisherops.com] Sent: February 2, 2009 10:48 AM To: nanog@nanog.org Subject: Private use of non-RFC1918 IP space Hi, y'all - Some colleagues and I are running into a bit of a problem. We've been using RFC 1918 Class A space but due to the way subnets have been allocated we are pondering the use of public IP space. As the network in question is strictly closed I don't anticipate any problems with this as the addresses would be unambiguous within our environment. I'm curious if anyone else is doing this. I'd be very interested in corresponding off-list with anyone who's in a similar position. Cheers, --Trey ++---------------------------------------------------------------------- ------++ Kingfisher Operations Trey Darley - Principal ---------------------------------------------------------------------------- "The information transmitted is intended only for the person or entity to which it is addressed and contains confidential and/or privileged material. If you received this in error, please contact the sender immediately and then destroy this transmission, including all attachments, without copying, distributing or disclosing same. Thank you."
What reason could you possibly have to use non RFC 1918 space on a closed network? It's very bad practice - unfortunately I do see it done sometimes....
There are sometimes good reasons to do this, for instance to ensure uniqueness in the face of mergers and acquisitions. Steinar Haug, Nethelp consulting, sthaug@nethelp.no
Some nitwits just grab one out of fat air. I've seen 192.169.xx and 192.254.xx randomly used before. On Feb 2, 2009 12:03pm, sthaug@nethelp.no wrote:
What reason could you possibly have to use non RFC 1918 space on a
closed network? It's very bad practice - unfortunately I do see it done
sometimes....
There are sometimes good reasons to do this, for instance to ensure
uniqueness in the face of mergers and acquisitions.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
I've even seen at a previous place (note: 'previous') that decided to use 40.x.x.x for their internal IP space.... I find it hard to believe a company can mismanage their IP space that 10.0.0.0, 192.168.0.0, and 172.(16-31).0.0 are all used up, but then again, I shouldn't be surprised. Back in '96 or so, an ISP I was working at was giving out /24's for a 14.4 dialup account.... Ken Matlock Network Analyst Exempla Healthcare (303) 467-4671 matlockk@exempla.org -----Original Message----- From: mikelieman@gmail.com [mailto:mikelieman@gmail.com] Sent: Monday, February 02, 2009 10:16 AM To: sthaug@nethelp.no; pstewart@nexicomgroup.net; nanog@nanog.org Subject: Re: Re: Private use of non-RFC1918 IP space Some nitwits just grab one out of fat air. I've seen 192.169.xx and 192.254.xx randomly used before. On Feb 2, 2009 12:03pm, sthaug@nethelp.no wrote:
What reason could you possibly have to use non RFC 1918 space on a
closed network? It's very bad practice - unfortunately I do see it done
sometimes....
There are sometimes good reasons to do this, for instance to ensure
uniqueness in the face of mergers and acquisitions.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
On 2009/02/02 07:16 PM mikelieman@gmail.com wrote:
Some nitwits just grab one out of fat air.
I've seen 192.169.xx and 192.254.xx randomly used before.
Seen 198/8, 196.200/16 and 172.<whatever the hell the admin felt like>/16 And these people are shocked when I tell them to renumber before I'll touch their network..
On Mon, Feb 02, 2009 at 11:06:42PM +0200, Colin Alston wrote:
On 2009/02/02 07:16 PM mikelieman@gmail.com wrote:
Some nitwits just grab one out of fat air.
I've seen 192.169.xx and 192.254.xx randomly used before.
Seen 198/8, 196.200/16 and 172.<whatever the hell the admin felt like>/16
And these people are shocked when I tell them to renumber before I'll touch their network..
I've seen 11/8.
On Mon, 02 Feb 2009 18:03:57 +0100 (CET) sthaug@nethelp.no wrote:
What reason could you possibly have to use non RFC 1918 space on a closed network? It's very bad practice - unfortunately I do see it done sometimes....
There are sometimes good reasons to do this, for instance to ensure uniqueness in the face of mergers and acquisitions.
How does that help? If you are renumbering due to a merger, couldn't you just agree on separate private space just as easily? -- D'Arcy J.M. Cain <darcy@druid.net> | http://www.druid.net/darcy/ | +1 416 425 1212 (DoD#0082) (eNTP) | "Democracy is three wolves and a sheep voting on what's for dinner."
On Mon, 02 Feb 2009 12:20:25 EST, "D'Arcy J.M. Cain" said:
On Mon, 02 Feb 2009 18:03:57 +0100 (CET) sthaug@nethelp.no wrote:
What reason could you possibly have to use non RFC 1918 space on a closed network? It's very bad practice - unfortunately I do see it done sometimes....
There are sometimes good reasons to do this, for instance to ensure uniqueness in the face of mergers and acquisitions.
How does that help? If you are renumbering due to a merger, couldn't you just agree on separate private space just as easily?
They don't renumber, they end up just double-NAT or triple-NAT between the merged units. I think one poor soul posted here that they had quintuple-NAT'ing going on due to a long string of mergers....
On 02.02.2009, at 18:38, Valdis.Kletnieks@vt.edu wrote:
On Mon, 02 Feb 2009 12:20:25 EST, "D'Arcy J.M. Cain" said:
On Mon, 02 Feb 2009 18:03:57 +0100 (CET) sthaug@nethelp.no wrote:
What reason could you possibly have to use non RFC 1918 space on a closed network? It's very bad practice - unfortunately I do see it done sometimes....
There are sometimes good reasons to do this, for instance to ensure uniqueness in the face of mergers and acquisitions.
Also to avoid being required to NAT at all. Security benefits IMHO from using RFC1918 space in a corporate network - you have an automatic requirement that there must be a NAT rule somewhere in order for a duplex connection to happen. However, in a more open environment like a university or a laboratory, there may be no reason to require all connections to be proxied/translated etc.
How does that help? If you are renumbering due to a merger, couldn't you just agree on separate private space just as easily?
They don't renumber, they end up just double-NAT or triple-NAT between the merged units. I think one poor soul posted here that they had quintuple-NAT'ing going on due to a long string of mergers....
This is a bit off-topic, but I thought I'd mention that this is one reason I recommend use of the 172.16/12 block to people building or renumbering enterprise networks. Most people seem to use 10/8 in large organizations and 192.168/16 in smaller ones, so it raises your chances of not having to get into heavy natting down the road. My theory on this is that most people who don't deal with CIDR on a daily basis find the /12 netmask a bit confusing and just avoid the block at all. Cheers, Chris
On Mon, 2 Feb 2009 18:50:49 +0100 Chris Meidinger <cmeidinger@sendmail.com> wrote:
On 02.02.2009, at 18:38, Valdis.Kletnieks@vt.edu wrote:
What reason could you possibly have to use non RFC 1918 space on a closed network? It's very bad practice - unfortunately I do see
Of course, this is a different question. The discussion started over people using randomly selected non RFC 1918 space. Using your own public IP block in a closed network is another issue. I see no operational issue there. There is the social issue of using up scarce resources of course.
Also to avoid being required to NAT at all. Security benefits IMHO from using RFC1918 space in a corporate network - you have an automatic requirement that there must be a NAT rule somewhere in order for a duplex connection to happen. However, in a more open environment like a university or a laboratory, there may be no reason to require all connections to be proxied/translated etc.
In which case you are using properly assigned IP space.
This is a bit off-topic, but I thought I'd mention that this is one reason I recommend use of the 172.16/12 block to people building or renumbering enterprise networks. Most people seem to use 10/8 in large organizations and 192.168/16 in smaller ones, so it raises your chances of not having to get into heavy natting down the road. My theory on this is that most people who don't deal with CIDR on a daily basis find the /12 netmask a bit confusing and just avoid the block at all.
My office is small so I just grabbed 192.168.250.0/24. The 250 was taken from the office address. It was a level of randomness that made conflict with future VPN arrangements less likely. Not impossible, of course. -- D'Arcy J.M. Cain <darcy@druid.net>
There are sometimes good reasons to do this, for instance to ensure uniqueness in the face of mergers and acquisitions.
How does that help? If you are renumbering due to a merger, couldn't you just agree on separate private space just as easily?
It would ensure that you could get the networks to communicate, without IP address conflicts, *before* you started any renumbering. Steinar Haug, Nethelp consulting, sthaug@nethelp.no
On Mon, 02 Feb 2009 18:44:42 +0100 (CET) sthaug@nethelp.no wrote:
How does that help? If you are renumbering due to a merger, couldn't you just agree on separate private space just as easily?
It would ensure that you could get the networks to communicate, without IP address conflicts, *before* you started any renumbering.
Can you expand? I assume that everyone understands VPNs so connecting over the Internet is not the issue. If you pick a public IP block you still have to agree on that block. How is using a public block different than agreeing on a private one? I apologize if I'm just being dense this morning. -- D'Arcy J.M. Cain <darcy@druid.net>
How does that help? If you are renumbering due to a merger, couldn't you just agree on separate private space just as easily?
It would ensure that you could get the networks to communicate, without IP address conflicts, *before* you started any renumbering.
Can you expand? I assume that everyone understands VPNs so connecting over the Internet is not the issue. If you pick a public IP block you still have to agree on that block. How is using a public block different than agreeing on a private one?
Company A uses public IP block A internally. Company B uses public IP block B internally. Company A and B later merge, and connect their networks. No conflict, no renumbering needed (at least not right away). Compare this with company A and B both using overlapping part of for instance 192.168.0.0/16, and then merging. Conflict ensues, renumbering or NATs required in order to connect the networks. Steinar Haug, Nethelp consulting, sthaug@nethelp.no
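An added example (not part of the thread, and not Steinar's or anyone else's code) of the check the exchange above is really about: before two networks are joined, compare the two address plans and list every prefix that overlaps, because that is the range in which an address becomes ambiguous. The plans are constructed for illustration; the "allocated" versions use RFC 5737 documentation prefixes (198.51.100.0/24 and 203.0.113.0/24) as stand-ins for blocks registered to each company.

```python
"""Find address-space conflicts between two networks before joining them.

Added example; the plans below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Conflict = Tuple[str, str, Net, Net, Net]  # (site_a, site_b, net_a, net_b, ambiguous range)

# Hypothetical plans of two companies that each picked 'something in 192.168/16'.
COMPANY_A_PRIVATE = {"hq": "192.168.0.0/24", "branch": "192.168.1.0/24", "servers": "10.1.0.0/16"}
COMPANY_B_PRIVATE = {"office": "192.168.1.0/24", "lab": "10.1.20.0/24", "dmz": "192.168.50.0/24"}

# The same two companies if each had numbered from its own registered block
# (RFC 5737 documentation prefixes stand in for real assignments).
COMPANY_A_ALLOCATED = {"hq": "198.51.100.0/25", "branch": "198.51.100.128/25"}
COMPANY_B_ALLOCATED = {"office": "203.0.113.0/24"}


def parse_plan(plan: Dict[str, str]) -> Dict[str, Net]:
    """Turn 'site -> prefix' strings into network objects; strict=True rejects
    prefixes with host bits set, which usually means a typo in the plan."""
    return {site: ipaddress.ip_network(prefix, strict=True) for site, prefix in plan.items()}


def find_conflicts(plan_a: Dict[str, str], plan_b: Dict[str, str]) -> List[Conflict]:
    """Every pair of prefixes, one from each plan, that overlap.

    CIDR blocks either nest or are disjoint, so the ambiguous range after a
    join is simply the more specific of the two."""
    nets_a, nets_b = parse_plan(plan_a), parse_plan(plan_b)
    conflicts: List[Conflict] = []
    for site_a, net_a in nets_a.items():
        for site_b, net_b in nets_b.items():
            if net_a.overlaps(net_b):
                ambiguous = net_a if net_a.prefixlen >= net_b.prefixlen else net_b
                conflicts.append((site_a, site_b, net_a, net_b, ambiguous))
    return conflicts


def ambiguous_address_count(conflicts: List[Conflict]) -> int:
    """Number of addresses that would exist on both sides after the join.
    Ranges from different conflict pairs can nest, so merge them first."""
    merged = ipaddress.collapse_addresses(c[4] for c in conflicts)
    return sum(net.num_addresses for net in merged)


def report(plan_a: Dict[str, str], plan_b: Dict[str, str]) -> List[str]:
    """Human-readable lines, one per conflict, plus a total."""
    conflicts = find_conflicts(plan_a, plan_b)
    lines = [f"{a} ({na}) collides with {b} ({nb}): {amb} is ambiguous"
             for a, b, na, nb, amb in conflicts]
    lines.append(f"{ambiguous_address_count(conflicts)} addresses would be reachable on both sides")
    return lines


if __name__ == "__main__":
    print("\n".join(report(COMPANY_A_PRIVATE, COMPANY_B_PRIVATE)))
    print("\n".join(report(COMPANY_A_ALLOCATED, COMPANY_B_ALLOCATED)))
```

Run against the two private plans it reports two collisions (192.168.1.0/24 on both sides, and B's lab inside A's server range) and 512 ambiguous addresses; run against the two separately allocated plans it reports none, which is the whole of Steinar's argument.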
What about this? Genius from company A chooses public IP block A. Genius from company B chooses public IP block A. Genius collision detected... On Feb 2, 2009, at 4:06 PM, sthaug@nethelp.no wrote:
Company A uses public IP block A internally. Company B uses public IP block B internally. Company A and B later merge, and connect their networks. No conflict, no renumbering needed (at least not right away).
Compare this with company A and B both using overlapping part of for instance 192.168.0.0/16, and then merging. Conflict ensues, renumbering or NATs required in order to connect the networks.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
Andre Sencioles Vitorio Oliveira asenci@gmail.com
Andre Sencioles Vitorio Oliveira wrote:
What about this?
Genius from company A chooses public IP block A. Genius from company B chooses public IP block A.
Genius collision detected... That's pretty nasty. However this should be able to mitigate some of the ugly scenarios brought up in this thread:
http://undeadly.org/cgi?action=article&sid=20090127205841 Mind you, proper due-diligence could avoid most of these, and/or companies not all choosing to use the default 192.168.{0,1}.0/24 that their SOHO Netgear/Linksys router ships configured with. -Tico
On Feb 2, 2009, at 4:06 PM, sthaug@nethelp.no wrote:
Company A uses public IP block A internally. Company B uses public IP block B internally. Company A and B later merge, and connect their networks. No conflict, no renumbering needed (at least not right away).
Compare this with company A and B both using overlapping part of for instance 192.168.0.0/16, and then merging. Conflict ensues, renumbering or NATs required in order to connect the networks.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
Andre Sencioles Vitorio Oliveira asenci@gmail.com
--On Monday, 2 Feb 2009 16.15.06 -0200 Andre Sencioles Vitorio Oliveira <asenci@gmail.com> wrote:
What about this?
Genius from company A chooses public IP block A. Genius from company B chooses public IP block A.
Genius collision detected...
What you do is go to your LIR and ask for a /24 and tell them "I am going to use this for <purpose> which is at best semi-internal". It has worked for me; I got a PI /24 for the facility management system in a datacenter. (MODBUS over IP stuff, windows machines and embedded boxes sending email alarms about burning UPSes and sauna-hot computer rooms) My colleagues argued that "this network won't ever be connected to anything" but it took all of one week before they were proved wrong and the first contractor VPN box was installed. QED. The really, really, nice thing with registered PI or PA space is that it is pretty unique, bar fatfingering and route hijacking. Once there is a merger, the company with a RIPE db entry for the nonrouted space will have a most convincing position in merger negotiations: "This is our space: _you_ will renumber." Burning v4 space is good. Gets us v6 faster. -- Måns Nilsson M A C H I N A HUGH BEAUMONT died in 1982!!
On Mon, 02 Feb 2009 19:06:58 +0100 (CET) sthaug@nethelp.no wrote:
Company A uses public IP block A internally. Company B uses public IP
OK, so we start out with a bad network design then.
block B internally. Company A and B later merge, and connect their networks. No conflict, no renumbering needed (at least not right away).
Maybe. What if they both happened to choose 1.2.3.4/8? Is this just a matter of decreasing the odds of a conflict? It still seems like bad network management to me.
Compare this with company A and B both using overlapping part of for instance 192.168.0.0/16, and then merging. Conflict ensues, renumbering or NATs required in order to connect the networks.
Right. One side needs to change a config file in their DHCP server and maybe their internal DNS. If they need to change much more than that then its time for a network re-engineering anyway. -- D'Arcy J.M. Cain <darcy@druid.net>
Company A uses public IP block A internally. Company B uses public IP
OK, so we start out with a bad network design then.
No. We start with blocks A and B which are both properly allocated by the relevant addressing authorities.
block B internally. Company A and B later merge, and connect their networks. No conflict, no renumbering needed (at least not right away).
Maybe. What if they both happened to choose 1.2.3.4/8? Is this just a matter of decreasing the odds of a conflict? It still seems like bad network management to me.
My assumption throughout this whole discussion, which clearly has not been understood, is that the public IP block used internally is a properly allocated by the relevant addressing authority. That is, for me, the whole point of using public addresses to guarantee uniqueness. Steinar Haug, Nethelp consulting, sthaug@nethelp.no
Yeah, agreed.... I had a customer last week call us because we were "blocking them from an important site". After someone called them they found we could access the website no problem... upon further investigation we found their internal IP space had been numbered as 157.166.226.0/24. When we asked them why this IP was used, they told us that a $200/hour network consultant had upgraded their network last week with new Windows servers, new router, new etc. etc. etc.... and that this new IP numbering "sounded like a good number"... Politely told them they were paying too much and next time call someone who knows what they are doing.... "you got ripped off, sorry about your luck".... Oh, and their internal IP space = www.cnn.com ;) Paul -----Original Message----- From: sthaug@nethelp.no [mailto:sthaug@nethelp.no] Sent: February 2, 2009 1:56 PM To: darcy@druid.net Cc: nanog@nanog.org Subject: Re: Private use of non-RFC1918 IP space
Company A uses public IP block A internally. Company B uses public IP
OK, so we start out with a bad network design then.
No. We start with blocks A and B which are both properly allocated by the relevant addressing authorities.
block B internally. Company A and B later merge, and connect their networks. No conflict, no renumbering needed (at least not right away).
Maybe. What if they both happened to choose 1.2.3.4/8? Is this just a matter of decreasing the odds of a conflict? It still seems like bad network management to me.
My assumption throughout this whole discussion, which clearly has not been understood, is that the public IP block used internally is a properly allocated by the relevant addressing authority. That is, for me, the whole point of using public addresses to guarantee uniqueness. Steinar Haug, Nethelp consulting, sthaug@nethelp.no
I see 2 problems off the top of my head with using public IP blocks for private networks. 1) You're not going to be able to reach servers/services/etc that actually have allocated those IP blocks. (May or may not affect you, but that's your issue to deal with in the future). 2) (and more important) It really makes it easy to 'accidentally' announce that public IP block out in the future, unless you have proper announce filters in place (And if something as basic as subnetting isn't done properly, I doubt route filtering is either). This one not only affects you, but affects the netblock that gets mistakenly announced out. RFC1918 space was designed to prevent these issues. Ken Matlock Network Analyst Exempla Healthcare (303) 467-4671 matlockk@exempla.org -----Original Message----- From: sthaug@nethelp.no [mailto:sthaug@nethelp.no] Sent: Monday, February 02, 2009 11:56 AM To: darcy@druid.net Cc: nanog@nanog.org Subject: Re: Private use of non-RFC1918 IP space
Company A uses public IP block A internally. Company B uses public IP
OK, so we start out with a bad network design then.
No. We start with blocks A and B which are both properly allocated by the relevant addressing authorities.
block B internally. Company A and B later merge, and connect their networks. No conflict, no renumbering needed (at least not right away).
Maybe. What if they both happened to choose 1.2.3.4/8? Is this just a matter of decreasing the odds of a conflict? It still seems like bad network management to me.
My assumption throughout this whole discussion, which clearly has not been understood, is that the public IP block used internally is a properly allocated by the relevant addressing authority. That is, for me, the whole point of using public addresses to guarantee uniqueness. Steinar Haug, Nethelp consulting, sthaug@nethelp.no
On Mon, 02 Feb 2009 19:55:49 +0100 (CET) sthaug@nethelp.no wrote:
My assumption throughout this whole discussion, which clearly has not been understood, is that the public IP block used internally is a properly allocated by the relevant addressing authority. That is, for me, the whole point of using public addresses to guarantee uniqueness.
OK, I understand. My assumption was that the IP space was assigned randomly since that was the premise that started this discussion. -- D'Arcy J.M. Cain <darcy@druid.net>
Using public IP space in general is typically just asking for trouble. I worked with an "ISP" once who decided to use 192.0.0.0/24 for IPs to customers who didn't need a static IP. They did it not knowing what they were doing (oh you mean 192.0.0.0/8 isn't RFC 1918) but very quickly they had to change it. In our current customer base we have run into it a few times where someone is using non RFC 1918 space internally and propose changing it very quick as we have had several customers who don't know it, but need to get to something in that public space. If you happen to be the funny guy who uses an IP range from some tiny foreign off the wall country because "we will never need to connect to their IP space" remember that IP address allocations change and you won't think it's so funny when the company who provides your anti-virus moves their update servers to match your internal IP space.
There are sometimes good reasons to do this, for instance to ensure uniqueness in the face of mergers and acquisitions.
If you are going to force uniqueness and one of the parties in the merger was super smart in their original deployment and decided to use 10.0.0.0/8 for their network of 300 machines, force them to change to something smarter. Remind them how layer 3 networks inside of a single building work. Even if a network is not publicly seen, you have to keep in mind how many machines see it while they might see a public network. A specific customer had a 216.xx.xx.0/24 network for their private production network. Their internal router also saw it and had an ACL on who could access it. Meaning their entire staff couldn't get to their collocated webserver when their provider re-addressed that floor in the datacenter. All rambling aside, it's much easier to renumber on the front end opposed to ending up with VPN natting that makes you cry on the inside. Think of the person who will take over your network when you eventually leave your position.
This is a bit off-topic, but I thought I'd mention that this is one reason I recommend use of the 172.16/12 block to people building or renumbering enterprise networks. Most people seem to use 10/8 in large organizations and 192.168/16 in smaller ones, so it raises your chances of not having to get into heavy natting down the road. My theory on this is that most people who don't deal with CIDR on a daily basis find the /12 netmask a bit confusing and just avoid the block at all.
Also a good point. Most of "support engineers" I run into think that 172.24.0.0 is public IP space. -----Original Message----- From: D'Arcy J.M. Cain [mailto:darcy@druid.net] Sent: Monday, February 02, 2009 10:20 AM To: sthaug@nethelp.no Cc: nanog@nanog.org Subject: Re: Private use of non-RFC1918 IP space On Mon, 02 Feb 2009 18:03:57 +0100 (CET) sthaug@nethelp.no wrote:
What reason could you possibly have to use non RFC 1918 space on a closed network? It's very bad practice - unfortunately I do see it done sometimes....
There are sometimes good reasons to do this, for instance to ensure uniqueness in the face of mergers and acquisitions.
How does that help? If you are renumbering due to a merger, couldn't you just agree on separate private space just as easily? -- D'Arcy J.M. Cain <darcy@druid.net>
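An added example, not code from the thread or from any of its posters, covering three points raised above: the "grabbed out of thin air" prefixes (192.169.x, 40.x.x.x, 157.166.226.0/24, 11/8), the confusion over what 172.16/12 actually covers (so that 172.24.0.0/16 gets mistaken for public space), and Ken Matlock's warning that a public block used internally is easy to announce by accident. The plan below is constructed from the prefixes people in the thread report seeing; 198.51.100.0/24 (an RFC 5737 documentation prefix) stands in for the block registered to the organisation.

```python
"""Audit an internal address plan against RFC 1918 and build an egress filter.

Added example; PLAN is constructed from prefixes the thread reports seeing.
"""
import ipaddress
from typing import Dict, List, Tuple

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed plan. Several entries are the 'random' choices people in the
# thread describe; 172.24.0.0/16 is inside 172.16/12 and therefore private.
PLAN = {
    "hq-users": "10.20.0.0/16",
    "branch": "172.24.0.0/16",
    "oob-mgmt": "172.32.0.0/16",         # one /16 past the end of 172.16/12
    "lab": "192.169.0.0/16",             # looks like 192.168 but is public space
    "consultant-upgrade": "157.166.226.0/24",
    "legacy": "40.0.0.0/8",
    "small-office": "192.168.250.0/24",
}


def to_net(prefix: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(prefix, strict=False)


def is_rfc1918(prefix: str) -> bool:
    """True only for prefixes wholly inside one of the three RFC 1918 blocks."""
    net = to_net(prefix)
    return any(net.subnet_of(block) for block in RFC1918)


def block_bounds(prefix: str) -> Tuple[str, str]:
    """First and last address of a block; shows what a /12 actually covers."""
    net = to_net(prefix)
    return str(net.network_address), str(net.broadcast_address)


def audit_plan(plan: Dict[str, str]) -> Dict[str, List[str]]:
    """Split site names into those numbered from private space and those
    squatting on public space that must be renumbered."""
    result: Dict[str, List[str]] = {"private": [], "public": []}
    for site, prefix in plan.items():
        result["private" if is_rfc1918(prefix) else "public"].append(site)
    return result


def egress_filter(candidates: List[str], allocated: List[str],
                  max_prefixlen: int = 24) -> Tuple[List[str], Dict[str, str]]:
    """Decide which prefixes may be announced to the outside world.

    Only prefixes covered by the organisation's own registered allocations
    pass; RFC 1918 space is rejected outright, and anything longer than
    max_prefixlen is rejected because most peers would drop it anyway.
    Returns (permitted, {rejected_prefix: reason}).
    """
    allowed = [ipaddress.ip_network(a) for a in allocated]
    permitted: List[str] = []
    rejected: Dict[str, str] = {}
    for candidate in candidates:
        net = to_net(candidate)
        if is_rfc1918(candidate):
            rejected[candidate] = "RFC 1918 space is never announced"
        elif net.prefixlen > max_prefixlen:
            rejected[candidate] = f"more specific than /{max_prefixlen}"
        elif not any(net.subnet_of(block) for block in allowed):
            rejected[candidate] = "not within this organisation's allocated space"
        else:
            permitted.append(candidate)
    return permitted, rejected


if __name__ == "__main__":
    print("172.16.0.0/12 spans", *block_bounds("172.16.0.0/12"))
    print(audit_plan(PLAN))
    # 198.51.100.0/24 (RFC 5737) stands in for the block registered to this org.
    print(egress_filter(["198.51.100.0/24", "198.51.100.128/25", "10.0.0.0/8",
                         "157.166.226.0/24", "11.0.0.0/8"], ["198.51.100.0/24"]))
```

The audit deliberately tests `subnet_of` rather than Python's `is_private` property, because the latter also counts other special-purpose ranges and would blur exactly the distinction the thread is arguing about. The egress filter is the policy a prefix-list on the border router should encode: an organisation's own registered blocks pass, everything else is dropped with a reason you can log.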
i am surprised that no one has mentioned that it is not unusual for folk, even isps, to use space assigned to the us military but never routed on the public internet. i was exceedingly amused when first i did a traceroute from bologna. randy
It's not unheard of to see the government cyber squatting unallocated /8 blocks too. -----Original Message----- From: Randy Bush [mailto:randy@psg.com] Sent: Monday, February 02, 2009 3:49 PM To: sthaug@nethelp.no Cc: nanog@nanog.org Subject: Re: Private use of non-RFC1918 IP space i am surprised that no one has mentioned that it is not unusual for folk, even isps, to use space assigned to the us military but never routed on the public internet. i was exceedingly amused when first i did a traceroute from bologna. randy
Randy Bush wrote:
i am surprised that no one has mentioned that it is not unusual for folk, even isps, to use space assigned to the us military but never routed on the public internet. i was exceedingly amused when first i did a traceroute from bologna.
randy
Consider it mentioned, first hand experience for 11/8 rollouts.
unless a site you want to reach is on the ip you are using... On Mon, Feb 2, 2009 at 9:18 PM, Trey Darley <trey@kingfisherops.com> wrote:
Hi, y'all -
Some colleagues and I are running into a bit of a problem. We've been using RFC 1918 Class A space but due to the way subnets have been allocated we are pondering the use of public IP space. As the network in question is strictly closed I don't anticipate any problems with this as the addresses would be unambiguous within our environment. I'm curious if anyone else is doing this.
I'd be very interested in corresponding off-list with anyone who's in a similar position.
Cheers, --Trey ++----------------------------------------------------------------------------++ Kingfisher Operations Trey Darley - Principal
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On Mon, Feb 2, 2009 at 9:48 AM, Trey Darley <trey@kingfisherops.com> wrote:
Some colleagues and I are running into a bit of a problem. We've been using RFC 1918 Class A space but due to the way subnets have been allocated we are pondering the use of public IP space. As the network in question is strictly closed I don't anticipate any problems with this as the addresses would be unambiguous within our environment. I'm curious if anyone else is doing this.
I'd recommend against it, because even though the network is not connected to the Internet now you never know what the future holds. Even if it's never connected there are always things that seem to pop up and cause problems. Also, if your address allocation policy has been so badly managed that you've run out of space in 10.0.0.0/8 adding more IPs to the pool isn't going to help for very long. -- Jeff Ollie "You know, I used to think it was awful that life was so unfair. Then I thought, wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? So, now I take great comfort in the general hostility and unfairness of the universe." -- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"
On Feb 2, 2009, at 10:57 AM, Jeffrey Ollie wrote:
On Mon, Feb 2, 2009 at 9:48 AM, Trey Darley <trey@kingfisherops.com> wrote:
Some colleagues and I are running into a bit of a problem. We've been using RFC 1918 Class A space but due to the way subnets have been allocated we are pondering the use of public IP space. As the network in question is strictly closed I don't anticipate any problems with this as the addresses would be unambiguous within our environment. I'm curious if anyone else is doing this.
I'd recommend against it, because even though the network is not connected to the Internet now you never know what the future holds. Even if it's never connected there are always things that seem to pop up and cause problems.
Also, if your address allocation policy has been so badly managed that you've run out of space in 10.0.0.0/8 adding more IPs to the pool isn't going to help for very long.
It will if you manage it better. Fortunately, there's a /12 and a /24 still left. A /12 is more space than 99.99% of the networks on the Internet need, so why wouldn't that suffice instead of using "real" space. -- TTFN, patrick
On Feb 2, 2009, at 10:57 AM, Jeffrey Ollie wrote:
On Mon, Feb 2, 2009 at 9:48 AM, Trey Darley <trey@kingfisherops.com> wrote:
Some colleagues and I are running into a bit of a problem. We've been using RFC 1918 Class A space but due to the way subnets have been allocated we are pondering the use of public IP space. As the network in question is strictly closed I don't anticipate any problems with this as the addresses would be unambiguous within our environment. I'm curious if anyone else is doing this.
I'd recommend against it, because even though the network is not connected to the Internet now you never know what the future holds. Even if it's never connected there are always things that seem to pop up and cause problems.
Also, if your address allocation policy has been so badly managed that you've run out of space in 10.0.0.0/8 adding more IPs to the pool isn't going to help for very long.
It will if you manage it better.
Fortunately, there's a /12 and a /24 still left.
And a /16. (What's the /24?) And possibly some other space that is reserved-for-other-purposes.
A /12 is more space than 99.99% of the networks on the Internet need, so why wouldn't that suffice instead of using "real" space.
If you absolutely, positively *had* to allocate another /8, it'd probably be best to look through Class A space for networks that are not likely to ever appear on the Internet. ISTR a bunch of them are assigned to the US military, for example. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
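An added example, not from the thread, for the point made in the last few messages and for the original poster's situation: before reaching for a public /8, compute what RFC 1918 space the existing plan has actually left unused. The plan is constructed for illustration and leaves the 172.16/12 and 192.168/16 blocks almost untouched, as the replies above suggest is common.

```python
"""Compute the RFC 1918 space an address plan has not yet consumed.

Added example; PLAN is constructed for illustration.
"""
import ipaddress
from typing import Dict, List

Net = ipaddress.IPv4Network
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical plan. The public-space entry ('lab') is not RFC 1918 and is
# ignored by the free-space computation.
PLAN = {
    "hq-users": "10.20.0.0/16",
    "branch": "172.24.0.0/16",
    "small-office": "192.168.250.0/24",
    "lab": "192.169.0.0/16",
}


def unused_private_space(plan: Dict[str, str]) -> List[Net]:
    """Every RFC 1918 block minus the plan's prefixes, as a collapsed CIDR list.

    CIDR blocks either nest or are disjoint, so each used prefix is either
    carved out of one remaining piece, swallows some pieces, or misses them.
    """
    used = [ipaddress.ip_network(p, strict=False) for p in plan.values()]
    remaining: List[Net] = []
    for block in RFC1918:
        pieces = [block]
        for net in used:
            if not net.subnet_of(block):
                continue                      # public, or lives in another block
            carved: List[Net] = []
            for piece in pieces:
                if net.subnet_of(piece):
                    carved.extend(piece.address_exclude(net))   # keep what is left
                elif piece.subnet_of(net):
                    continue                  # piece entirely used up
                else:
                    carved.append(piece)
            pieces = carved
        remaining.extend(pieces)
    return list(ipaddress.collapse_addresses(remaining))


def free_address_count(free: List[Net]) -> int:
    return sum(net.num_addresses for net in free)


def largest_free_block(free: List[Net]) -> Net:
    return max(free, key=lambda net: net.num_addresses)


def is_free(prefix: str, free: List[Net]) -> bool:
    """True if the prefix lies entirely within unused private space."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(f) for f in free)


if __name__ == "__main__":
    free = unused_private_space(PLAN)
    print(f"{free_address_count(free)} private addresses still unused;")
    print(f"largest contiguous block: {largest_free_block(free)}")
```

For this plan the answer is 17,760,000 unused private addresses, with 10.128.0.0/9 as the largest contiguous block; a plan that really has exhausted all of that is a subnetting problem, not an address-supply problem.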
Joe Greco wrote:
On Feb 2, 2009, at 10:57 AM, Jeffrey Ollie wrote:
On Mon, Feb 2, 2009 at 9:48 AM, Trey Darley <trey@kingfisherops.com> wrote:
Some colleagues and I are running into a bit of a problem. We've been using RFC 1918 Class A space but due to the way subnets have been allocated we are pondering the use of public IP space. As the network in question is strictly closed I don't anticipate any problems with this as the addresses would be unambiguous within our environment. I'm curious if anyone else is doing this.
I'd recommend against it, because even though the network is not connected to the Internet now you never know what the future holds. Even if it's never connected there are always things that seem to pop up and cause problems.
Also, if you're address allocation policy has been so badly managed that you've run out of space in 10.0.0.0/8 adding more IPs to the pool isn't going to help for very long.
It will if you manage it better.
Fortunately, there's a /12 and a /24 still left.
And a /16. (What's the /24?) And possibly some other space that is reserved-for-other-purposes.
A /12 is more space than 99.99% of the networks on the Internet need, so why wouldn't that suffice instead of using "real" space.
If you absolutely, positively *had* to allocate another /8, it'd probably be best to look through Class A space for networks that are not likely to ever appear on the Internet. ISTR a bunch of them are assigned to the US military, for example.
... JG
For which the unauthorized use of could be construed as a military attack if those pirated addresses ever appear on the open Internet from this ISP... No that's also a really bad idea. I find it really troublesome to believe that the subnetting on a site was so complex that it ate an entire /8. What I am betting is that for some reason that ISP wants its addressing to be totally flat and not replicated. Todd
TSG wrote:
I find it really troublesome to believe that the subnetting on a site was so complex that it ate an entire /8. What I am betting is that for some reason that ISP wants its addressing to be totally flat and not replicated.
The subnetting doesn't need to be "complex"; they may simply have a large number of small sites, or a moderate number of relatively large sites, that will eat up more than a /8's worth of addresses. There _do_ exist companies with 100,000+ locations and a few dozen devices per location; throw in the necessary aggregation so the routers don't fall over and you're looking at NATing multiple instances of 10/8 -- and I know from experience that's not fun. However, the OP implies that his problem is caused by a poor subnetting scheme in 10/8; the correct solution in that case is to fix the subnetting -- but mgmt may not be willing to pay the labor (or other) costs of that. S -- Stephen Sprunk "God does not play dice." --Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking
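Both Joe's "manage it better" and Stephen's "fix the subnetting" come down to knowing how much RFC 1918 space is actually left and which prefixes have already strayed outside it. The following audit is an added example, not code from the thread; the address plan it checks is constructed, and the classification of "reserved" versus "public" uses Python's ipaddress special-purpose registry rather than the RFC 1700 text quoted later in the thread.

```python
"""Audit an IPv4 address plan before reaching for non-RFC 1918 space.

Added example (not code from the NANOG thread). Given the subnets a
site has already carved out, report which ones sit outside RFC 1918
and how much of each RFC 1918 block is still free, so "do we really
need more than 10/8?" is answered with numbers. The plan is constructed.
"""
from ipaddress import IPv4Network, collapse_addresses

RFC1918 = [
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
]


def classify(prefix):
    """'rfc1918', 'reserved' (other IANA special-purpose space such as
    0/8, 127/8, multicast), or 'public' (allocated or allocatable unicast)."""
    net = IPv4Network(prefix, strict=False)
    if any(net.subnet_of(block) for block in RFC1918):
        return "rfc1918"
    if net.is_private or net.is_multicast or net.is_reserved:
        return "reserved"
    return "public"


def free_blocks(block, allocations):
    """Sub-blocks of `block` not covered by any allocation, largest first.
    CIDR prefixes either nest or are disjoint, so an allocation is either
    carved out of the free block it sits in or swallows smaller free blocks."""
    free = [block]
    for alloc in allocations:
        if not alloc.subnet_of(block):
            continue  # belongs to another RFC 1918 block, or is not private
        remaining = []
        for f in free:
            if alloc.subnet_of(f):
                remaining.extend(f.address_exclude(alloc))  # carve it out
            elif not f.subnet_of(alloc):
                remaining.append(f)  # untouched; blocks inside alloc are dropped
        free = remaining
    return sorted(collapse_addresses(free), key=lambda n: (n.prefixlen, n))


def audit(plan):
    """Return (prefixes outside RFC 1918, {RFC 1918 block: free sub-blocks})."""
    nets = [IPv4Network(p, strict=False) for p in plan]
    outside = [str(n) for n in nets if classify(str(n)) != "rfc1918"]
    free = {str(b): free_blocks(b, nets) for b in RFC1918}
    return outside, free


# Constructed plan: 10/8 handed out in four oversized chunks, one /24 in
# 192.168/16, and someone has started numbering hosts out of 1/8.
PLAN = [
    "10.0.0.0/9", "10.128.0.0/10", "10.192.0.0/11", "10.224.0.0/12",
    "192.168.1.0/24",
    "1.0.0.0/16",
]

if __name__ == "__main__":
    outside, free = audit(PLAN)
    print("outside RFC 1918:", outside or "none")
    for block, blocks in free.items():
        total = sum(n.num_addresses for n in blocks)
        largest = blocks[0] if blocks else "none"
        print(f"{block}: {total} addresses free, largest block {largest}")
```

On the constructed plan the report shows 1.0.0.0/16 as the only non-RFC 1918 prefix and a full /12 still free in 10/8, which is the situation Joe describes: more space is not the problem, the carving is.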
Trey Darley wrote:
Some colleagues and I are running into a bit of a problem. We've been using RFC 1918 Class A space but due to the way subnets have been allocated we are pondering the use of public IP space. As the network in question is strictly closed I don't anticipate any problems with this as the addresses would be unambiguous within our environment. I'm curious if anyone else is doing this.
This is a *VERY BAD IDEA* - why not take the hit now rather than exponentiate the problem and, in so doing, make it nearly impossible to reverse later? Michael
Most ISPs, if not all, null route 1.0.0.0/8, therefore you shouldn't encounter any problems using it in a private network. -----Original Message----- From: Michael Butler [mailto:imb@protected-networks.net] Sent: Monday, February 02, 2009 5:59 PM To: trey@kingfisherops.com Cc: nanog@nanog.org Subject: Re: Private use of non-RFC1918 IP space Trey Darley wrote:
Some colleagues and I are running into a bit of a problem. We've been using RFC 1918 Class A space but due to the way subnets have been allocated we are pondering the use of public IP space. As the network in question is strictly closed I don't anticipate any problems with this as the addresses would be unambiguous within our environment. I'm curious if anyone else is doing this.
This is a *VERY BAD IDEA* - why not take the hit now rather than exponentiate the problem and, in so doing, make it nearly impossible to reverse later? Michael
On Feb 2, 2009, at 11:10 AM, Bruce Grobler wrote:
Most ISP's, if not all, null route 1.0.0.0/8 therefore you shouldn't encounter any problems using it in a private network.
Until IANA runs out and gives that space to Google or MS or Comcast or $WHATEVER_THAT_NETWORK_TALKS_TO. -- TTFN, patrick
On 02/02/2009 8:10, "Bruce Grobler" <bruce@yoafrica.com> wrote:
Most ISP's, if not all, null route 1.0.0.0/8 therefore you shouldn't encounter any problems using it in a private network.
1.0.0.0/8 will be allocated in the not too distant future. All currently unallocated unicast IPv4 /8s will be allocated in the not too distant future. Regards, Leo Vegoda
On a related note, do you think that 0.0.0.0/8 (excluding 0.0.0.0/32, of course :) ) will be feasible for allocation and use ? On Mon, Feb 2, 2009 at 12:57 PM, Leo Vegoda <leo.vegoda@icann.org> wrote:
On 02/02/2009 8:10, "Bruce Grobler" <bruce@yoafrica.com> wrote:
Most ISP's, if not all, null route 1.0.0.0/8 therefore you shouldn't encounter any problems using it in a private network.
1.0.0.0/8 will be allocated in the not too distant future. All currently unallocated unicast IPv4 /8s will be allocated in the not too distant future.
Regards,
Leo Vegoda
On 02/02/2009 10:45, "Dorn Hetzel" <dhetzel@gmail.com> wrote:
On a related note, do you think that 0.0.0.0/8 (excluding 0.0.0.0/32, of course :) ) will be feasible for allocation and use ?
0.0.0.0/8 is reserved for self-identification. See RFC 1700:
(b) {0, <Host-number>}
Specified host on this network. Can only be used as a source address.
Regards, Leo Vegoda
Does anyone actually use any part of 0/8 other than 0/32 for self identification? On Mon, Feb 2, 2009 at 2:02 PM, Leo Vegoda <leo.vegoda@icann.org> wrote:
On 02/02/2009 10:45, "Dorn Hetzel" <dhetzel@gmail.com> wrote:
On a related note, do you think that 0.0.0.0/8 (excluding 0.0.0.0/32, of course :) ) will be feasible for allocation and use ?
0.0.0.0/8 is reserved for self-identification. See RFC 1700:
(b) {0, <Host-number>}
Specified host on this network. Can only be used as a source address.
Regards,
Leo Vegoda
On Feb 2, 2009, at 8:10 AM, Bruce Grobler wrote:
Most ISP's, if not all, null route 1.0.0.0/8 therefore you shouldn't encounter any problems using it in a private network.
Is this true? This will cause endless entertainment when IANA allocates 1.0.0.0/8 sometime within the next two or three years... Regards, -drc
On Feb 2, 2009, at 2:47 PM, David Conrad wrote:
On Feb 2, 2009, at 8:10 AM, Bruce Grobler wrote:
Most ISP's, if not all, null route 1.0.0.0/8 therefore you shouldn't encounter any problems using it in a private network.
Is this true?
This will cause endless entertainment when IANA allocates 1.0.0.0/8 sometime within the next two or three years...
Just like the "endless entertainment" when IANA has allocated any new /8 recently. Anyone filtering without either daily (weekly?) checks, or using an automated system (e.g. Team Cymru) is being silly. -- TTFN, patrick
I'm curious - Any particular technical reason not to assign out of 0.0.0.0/8? Can't say I've ever tried to use it, but I'd think it should work. David Conrad wrote:
Is this true?
This will cause endless entertainment when IANA allocates 1.0.0.0/8 sometime within the next two or three years...
Yep! Go ahead and trace it. -----Original Message----- From: David Conrad [mailto:drc@virtualized.org] Sent: Monday, February 02, 2009 9:48 PM To: Bruce Grobler Cc: NANOG list Subject: Re: Private use of non-RFC1918 IP space On Feb 2, 2009, at 8:10 AM, Bruce Grobler wrote:
Most ISP's, if not all, null route 1.0.0.0/8 therefore you shouldn't encounter any problems using it in a private network.
Is this true? This will cause endless entertainment when IANA allocates 1.0.0.0/8 sometime within the next two or three years... Regards, -drc
I can mtr to 1.1.1.1 via Qwest :-) Bruce Grobler wrote:
Yep! Go ahead and trace it.
Well, Qwest is stupid for allowing unallocated space to transit its network. I've seen ISPs in which a traceroute to 192.168.0.1 got into their network, and to their upstreams, before being killed off at some point.... sheesh -----Original Message----- From: David Coulson [mailto:david@davidcoulson.net] Sent: Tuesday, 3 February 2009 7:11 AM To: Bruce Grobler Cc: 'NANOG list' Subject: Re: Private use of non-RFC1918 IP space I can mtr to 1.1.1.1 via Qwest :-) Bruce Grobler wrote:
Yep! Go ahead and trace it.
OK, I will make an (what looks to this list) embarrassing admission. We use 1.0.0.0/8 for our internal ranges, but this is on a small scale. We do it because of the kind of business we do... we manage many other much larger networks which already use every possible overlapping RFC1918 network you can imagine... we have half a dozen networks using 192.168.0, and even more using many varied masks in the 10.0.0.0/8. We already have issues with the overlapping networks as is, without making it worse for us by using one of them. I chose to go the 1.0.0.0 path because:
- It won't conflict with my customers and us doing our business
- As long as it is not APNIC who gets it, the chances of it conflicting will be extremely minimal (rolls dice)
- We don't design customer networks with non-RFC1918 ranges unless there is some extreme reason
- Yes it is potentially allocate-able in the future, but if it happens I will deal with it then - just renumber or see the next point
- We will be fully IPv6 within 6-9 months with a separate VLAN which will support legacy equipment with NAT-PT... this will still be an issue interconnecting to customer networks, but we will think of something.
..Skeeve -----Original Message----- From: David Conrad [mailto:drc@virtualized.org] Sent: Tuesday, 3 February 2009 6:48 AM To: Bruce Grobler Cc: NANOG list Subject: Re: Private use of non-RFC1918 IP space On Feb 2, 2009, at 8:10 AM, Bruce Grobler wrote:
Most ISP's, if not all, null route 1.0.0.0/8 therefore you shouldn't encounter any problems using it in a private network.
Is this true? This will cause endless entertainment when IANA allocates 1.0.0.0/8 sometime within the next two or three years... Regards, -drc
OK. Following myself up, and referencing a link someone else gave me in regards to IPv6, http://en.wikipedia.org/wiki/Private_network has the entry:
Private use of other reserved addresses
Several other address ranges, in addition to the official private ranges, are reserved for other or future uses, including 1.0.0.0/8 and 2.0.0.0/8[1]. In recent years, large companies have begun to use this address space internally. Though discouraged, it appears to have become an accepted practice among larger companies to use these reserved address spaces when connecting two private networks, to eliminate the chance of address conflicts when using standards-based private ranges.
--- Now I'm not using this as justification.... just interesting to see people have put it up there, and comment that a lot of large companies are using 1/8 and 2/8 for private networking. ...Skeeve
On Wed, Feb 04, 2009 at 11:57:36AM +1100, Skeeve Stevens wrote:
OK.
Following myself up, and referencing a link someone else gave me in regards to IPv6
http://en.wikipedia.org/wiki/Private_network
Has the entry:
Private use of other reserved addresses
Several other address ranges, in addition to the official private ranges, are reserved for other or future uses, including 1.0.0.0/8 and 2.0.0.0/8[1]. In recent years, large companies have begun to use this address space internally.
[citation required] - Matt
I agree... I'd love to know where they got that from... who even wrote it? ...Skeeve -----Original Message----- From: Matthew Palmer [mailto:mpalmer@hezmatt.org] Sent: Wednesday, 4 February 2009 12:26 PM To: nanog@nanog.org Subject: Re: Private use of non-RFC1918 IP space
[citation required] - Matt
On Tue, 03 Feb 2009 20:29:36 -0500, Skeeve Stevens <skeeve@skeeve.org> wrote:
I agree... I'd love to know where they got that from... who even wrote it?
I see you've never done business with EDS. They've been using 1/8 for over a decade. Also, over the years, I've seen a number of universities and supercomputing facilities number nodes out of 1/8 -- however, those systems are never supposed to see the internet anyway, so they could technically number them however they want. Personally, I've used 1/8 in lab setups. --Ricky
--On onsdag, onsdag 4 feb 2009 17.44.20 -0500 Ricky Beam <jfbeam@gmail.com> wrote:
On Tue, 03 Feb 2009 20:29:36 -0500, Skeeve Stevens <skeeve@skeeve.org> wrote:
I agree... I'd love to know where they got that from... who even wrote it?
I see you've never done business with EDS. They've been using 1/8 for over a decade. Also, over the years, I've seen a number of universities and supercomputing facilities number nodes out of 1/8 -- however, those systems are never supposed to see the internet anyway, so they could technically number them however they want. Personally, I've used 1/8 in lab setups.
Last time I built a supercomputer (as in a cluster of run-of-the-mill servers) RIPE gave us a /21 -- I wanted a /20 for the expected upgrade but was told I had to reapply. The compute nodes need to read files from AFS from CERN or another university, so NAT'ing them is so not an option. -- Måns Nilsson M A C H I N A Sign my PETITION.
I see you've never done business with EDS. They've been using 1/8 for over a decade. Also, over the years, I've seen a number of universities and supercomputing facilities number nodes out of 1/8 -- however, those systems are never supposed to see the internet anyway, so they could technically number them however they want. Personally, I've used 1/8 in lab setups.
brilliant! i think all my competitors should do that. randy
Clarification here: 1/8 was never on the EDS backbone. Was only used locally in one site, as far as I can determine. On Feb 4, 2009, at 7:29 PM, Randy Bush wrote:
I see you've never done business with EDS. They've been using 1/8 for over a decade. Also, over the years, I've seen a number of universities and supercomputing facilities number nodes out of 1/8 -- however, those systems are never supposed to see the internet anyway, so they could technically number them however they want. Personally, I've used 1/8 in lab setups.
brilliant! i think all my competitors should do that.
randy
James R. Cutler james.cutler@consultant.com
On Wed, 04 Feb 2009 20:35:15 -0500, James R. Cutler <james.cutler@consultant.com> wrote:
Clarification here:
1/8 was never on the EDS backbone. Was only used locally in one site, as far as I can determine.
They might have done that for other customers as well. (to avoid 10/8 collisions.) Personally, I'd think if they were going to NAT at the edge, they'd only set it up for the machines we were supposed to use, instead, we could see, well, a lot more than we should have. --Ricky
On Feb 3, 2009, at 5:25 PM, Matthew Palmer wrote:
On Wed, Feb 04, 2009 at 11:57:36AM +1100, Skeeve Stevens wrote:
OK.
Following myself up, and referencing a link someone else gave me in regards to IPv6
http://en.wikipedia.org/wiki/Private_network
Has the entry:
Private use of other reserved addresses
Several other address ranges, in addition to the official private ranges, are reserved for other or future uses, including 1.0.0.0/8 and 2.0.0.0/8[1]. In recent years, large companies have begun to use this address space internally.
[citation required]
- Matt
I've added a blurb to this page expressing the risks associated with such use. Owen
On 3/02/2009, at 5:10 AM, Bruce Grobler wrote:
Most ISP's, if not all, null route 1.0.0.0/8 therefore you shouldn't encounter any problems using it in a private network.
route-views.oregon-ix.net>sh ip bgp 1.0.0.0
BGP routing table entry for 0.0.0.0/0, version 3321685
...
I think you will find that "most ISPs, if not all" in the DFZ "null route" 0.0.0.0/0. If they don't have a route covering 1.0.0.0/8, of course packets destined to that prefix will be dropped. -- Nathan Ward
On Tue, Feb 03, 2009, Nathan Ward wrote:
I think you will find that "most ISPs, if not all" in the DFZ "null route" 0.0.0.0/0.
If they don't have a route covering 1.0.0.0/8, of course packets destined to that prefix will be dropped.
Damn those backup default routes then...
violet:~ adrian$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=246 time=584.909 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=246 time=478.598 ms
...
6 mumble.gblx.net (69.x.y.z) 11.907 ms 14.086 ms 16.931 ms
7 ge-2-0-0-10g.scr2.nyc1.gblx.net (67.17.108.233) 18.269 ms 16.460 ms 16.369 ms
8 64-76-84-39.static.impsat.com.co (64.76.84.39) 218.169 ms * 136.983 ms
$
Reminds me of when I found various ISPs in Asia "leaking" routes somehow, and large chunks of RFC1918 space suddenly became reachable. Imagine my surprise when someone started seeing SNMP data: some "auto detected" SNMP agent IPs suddenly started returning statistics. For SNMP community "public". For randomly named kit, like "netgear" and "cisco" hostnames. Adrian (ObAmusing: said corporate suddenly thought they had more assets and wanted us to track it down for them; they wouldn't take "it's not yours" as an answer. Why? Because RFC1918 addresses are private, right, and obviously that means they're -only- visible on -their- network. Thankfully I was a consultant and that was absolutely not in my scope of responsibility..)
On Mon, 2 Feb 2009, Trey Darley wrote:
Some colleagues and I are running into a bit of a problem. We've been using RFC 1918 Class A space but due to the way subnets have been allocated we are pondering the use of public IP space. As the network in question is strictly closed I don't anticipate any problems with this as the addresses would be unambiguous within our environment. I'm curious if anyone else is doing this.
I'd be very interested in corresponding off-list with anyone who's in a similar position.
Technically, yes, you can use non-RFC1918 space in this way, but it is definitely not a good idea. The needs of the people using the network could change at some point in the future, where some degree of Internet connectivity is needed, at which point your support headaches would multiply if you used non-1918 space in this manner. Is there a reason that other 1918 address ranges (172.16/12, 192.168/16) could not be used? jms
Trey Darley wrote:
Hi, y'all -
Some colleagues and I are running into a bit of a problem. We've been using RFC 1918 Class A space but due to the way subnets have been allocated we are pondering the use of public IP space. As the network in question is strictly closed I don't anticipate any problems with this as the addresses would be unambiguous within our environment. I'm curious if anyone else is doing this.
Of course you can use public address space, and actually you should have been doing that already for years. The catch is of course that you just get it from your local RIR or LIR, thus making sure it is globally unique, as that is where the problem of RFC1918 lies for most people. Another trick is of course to start moving to IPv6: get a /48 or more from your local LIR/RIR and you have all the IPs you will ever need (unless you plan wrong and ask for too little ;) Greets, Jeroen
Some colleagues and I are running into a bit of a problem. We've been using RFC 1918 Class A space but due to the way subnets have been allocated we are pondering the use of public IP space.
What you are suggesting is unacceptable. You need to allocate your private space more efficiently. It should be enough for anyone.
As the network in question is strictly closed I don't anticipate any problems with this as the addresses would be unambiguous within our environment. I'm curious if anyone else is doing this.
No. Nobody else is doing this. You should never make use of address space that has not been assigned to you (either through a regional authority or an RFC) for use, regardless of how closed you think your network is.
I'd be very interested in corresponding off-list with anyone who's in a similar position.
I think you need to post a new request asking for help on how to efficiently allocate RFC 1918 space.
From your website it looks like you're a consultant... If you're acting as a consultant for someone please do not violate the RFCs, they exist for a reason. Ultimately you're creating a nightmare for the person who comes next and is tasked to clean your mess.
Trey Darley wrote:
Some colleagues and I are running into a bit of a problem. We've been using RFC 1918 Class A space but due to the way subnets have been allocated we are pondering the use of public IP space. As the network in question is strictly closed I don't anticipate any problems with this as the addresses would be unambiguous within our environment. I'm curious if anyone else is doing this.
"Closed" networks nearly always end up getting connected to public networks, either by intent or by accident. If you act as if your network will remain "closed" forever, e.g. by using public addresses that are (or will be) assigned to someone else, you're going to cause a lot of headaches for yourself or your replacement down the road, eventually. Contrary to popular belief, ARIN (and possibly other RIRs) _will_ assign public IPs for private/closed networks if you can explain why RFC1918 space will not suffice for your needs, e.g. because you are running a private internetwork between multiple companies and thus NAT/RFC1918 is simply not viable due to the number of ASes and the difficulty in avoiding collisions or the sheer number of hosts... S -- Stephen Sprunk "God does not play dice." --Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking
Stephen Sprunk wrote:
Trey Darley wrote:
Some colleagues and I are running into a bit of a problem. We've been using RFC 1918 Class A space but due to the way subnets have been allocated we are pondering the use of public IP space. As the network in question is strictly closed I don't anticipate any problems with this as the addresses would be unambiguous within our environment. I'm curious if anyone else is doing this.
"Closed" networks nearly always end up getting connected to public networks, either by intent or by accident. If you act as if your network will remain "closed" forever, e.g. by using public addresses that are (or will be) assigned to someone else, you're going to cause a lot of headaches for yourself or your replacement down the road, eventually.
Contrary to popular belief, ARIN (and possibly other RIRs) _will_ assign public IPs for private/closed networks if you can explain why RFC1918 space will not suffice for your needs, e.g. because you are running a private internetwork between multiple companies and thus NAT/RFC1918 is simply not viable due to the number of ASes and the difficulty in avoiding collisions or the sheer number of hosts...
Or you can always get some PA space from an ISP rather easily. ~Seth
participants (40)
- Adrian Chadd
- Andre Sencioles Vitorio Oliveira
- Blake Pfankuch
- Bruce Grobler
- Chris Meidinger
- Chuck Anderson
- Colin Alston
- D'Arcy J.M. Cain
- David Conrad
- David Coulson
- Dorn Hetzel
- James R. Cutler
- Jeffrey Ollie
- Jeroen Massar
- Joe Greco
- Joe Maimon
- Justin M. Streiner
- Leo Vegoda
- Matlock, Kenneth L
- Matthew Palmer
- Michael Barker
- Michael Butler
- mikelieman@gmail.com
- Måns Nilsson
- Nathan Ward
- Owen DeLong
- Patrick W. Gilmore
- Paul Stewart
- Randy Bush
- Ricky Beam
- Seth Mattinen
- Skeeve Stevens
- Soucy, Ray
- Stephen Sprunk
- sthaug@nethelp.no
- Suresh Ramasubramanian
- Tico
- Trey Darley
- TSG
- Valdis.Kletnieks@vt.edu