Private use of non-RFC1918 IP space

Blake Pfankuch bpfankuch at cpgreeley.com
Mon Feb 2 17:58:52 UTC 2009


Using public IP space in general is typically just asking for trouble.  I worked with an "ISP" once who decided to use 192.0.0.0/24 for IPs to customers who didn't need a static IP.  They did it not knowing what they were doing (oh, you mean 192.0.0.0/8 isn't RFC1918?) but very quickly they had to change it.  In our current customer base we have run into it a few times where someone is using non-RFC1918 space internally, and we propose changing it very quickly, as we have had several customers who don't know it but need to get to something in that public space.

If you happen to be the funny guy who uses an IP range from some tiny, off-the-wall foreign country because "we will never need to connect to their IP space", remember that IP address allocations change, and you won't think it's so funny when the company who provides your anti-virus moves their update servers to match your internal IP space.

> There are sometimes good reasons to do this, for instance to ensure
> uniqueness in the face of mergers and acquisitions.

If you are going to force uniqueness and one of the parties in the merger was super smart in their original deployment and decided to use 10.0.0.0/8 for their network of 300 machines, force them to change to something smarter.  Remind them how layer 3 networks inside of a single building work.  Even if a network is not publicly seen, you have to keep in mind how many machines see it while they might see a public network.  A specific customer had a 216.xx.xx.0/24 network for their private production network.  Their internal router also saw it and had an ACL on who could access it.  Meaning their entire staff couldn't get to their colocated webserver when their provider readdressed that floor in the datacenter.

All rambling aside, it's much easier to renumber on the front end as opposed to ending up with VPN NATing that makes you cry on the inside.  Think of the person who will take over your network when you eventually leave your position.

>This is a bit off-topic, but I thought I'd mention that this is one reason I recommend use of the 172.16/12 block to people building
>or renumbering enterprise networks. Most people seem to use 10/8 in large organizations and 192.168/16 in smaller ones, so it raises
>your chances of not having to get into heavy natting down the road. My theory on this is that most people who don't deal with CIDR on
>a daily basis find the /12 netmask a bit confusing and just avoid the block at all.

Also a good point.  Most of the "support engineers" I run into think that 172.24.0.0 is public IP space.

-----Original Message-----
From: D'Arcy J.M. Cain [mailto:darcy at druid.net]
Sent: Monday, February 02, 2009 10:20 AM
To: sthaug at nethelp.no
Cc: nanog at nanog.org
Subject: Re: Private use of non-RFC1918 IP space

On Mon, 02 Feb 2009 18:03:57 +0100 (CET)
sthaug at nethelp.no wrote:
> > What reason could you possibly have to use non RFC 1918 space on a
> > closed network?  It's very bad practice - unfortunately I do see it done
> > sometimes....
>
> There are sometimes good reasons to do this, for instance to ensure
> uniqueness in the face of mergers and acquisitions.

How does that help?  If you are renumbering due to a merger, couldn't
you just agree on separate private space just as easily?

--
D'Arcy J.M. Cain <darcy at druid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.
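The thread turns on two checks that are easy to get wrong by eye: whether a prefix really sits inside RFC1918 space (172.24.0.0 does, 172.32.0.0 does not, 192.0.0.0/24 does not), and whether two address plans collide before a merger. The script below is an added example, not code from the thread or from any poster; the two company prefix lists are constructed for illustration. It spells out the three RFC1918 blocks rather than relying on Python's `is_private`, which also covers special-purpose blocks that are not RFC1918.

```python
"""Classify IPv4 prefixes as RFC1918 and report overlaps between two
address plans before a merger.  Added example, not from the NANOG
thread; the prefix lists at the bottom are constructed for illustration."""
import ipaddress

# The three RFC 1918 blocks, listed explicitly.  ipaddress's is_private
# is deliberately not used: it also returns True for blocks such as
# 192.0.0.0/29 and 192.0.2.0/24, which are not RFC 1918 space.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(prefix: str) -> bool:
    """True only if the entire prefix lies inside one RFC 1918 block.

    A prefix that merely touches private space (e.g. 10.0.0.0/7, or
    172.0.0.0/8) is reported as not private, because part of it is public.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def non_rfc1918(plan):
    """Return the prefixes in an address plan that are not RFC 1918 space.

    These are the ones the thread warns about: they will silently shadow
    whoever is eventually allocated that public space.
    """
    return [p for p in plan if not is_rfc1918(p)]


def overlaps(plan_a, plan_b):
    """Return (a, b) pairs of prefixes from the two plans that overlap.

    Any pair returned will need renumbering or NAT once the two networks
    are joined, so it is cheaper to find them before the merger.
    """
    found = []
    for a in plan_a:
        net_a = ipaddress.ip_network(a, strict=False)
        for b in plan_b:
            net_b = ipaddress.ip_network(b, strict=False)
            if net_a.overlaps(net_b):
                found.append((a, b))
    return found


# Constructed sample plans for two organizations about to merge (hypothetical).
COMPANY_A = ["10.0.0.0/8", "172.24.0.0/16", "192.0.0.0/24"]
COMPANY_B = ["10.1.0.0/16", "172.31.0.0/16", "216.0.0.0/24"]

if __name__ == "__main__":
    for name, plan in (("A", COMPANY_A), ("B", COMPANY_B)):
        print(f"Company {name} non-RFC1918 prefixes: {non_rfc1918(plan)}")
    print(f"Overlapping prefixes: {overlaps(COMPANY_A, COMPANY_B)}")
```

Running it shows that 172.24.0.0/16 and 172.31.0.0/16 are both private and do not collide, that 192.0.0.0/24 and 216.0.0.0/24 are the prefixes each side should renumber away from, and that Company A's blanket 10.0.0.0/8 is the one allocation that will force NAT against Company B's 10.1.0.0/16.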
