Hint: even IPs not pingable from the Internet are being used. Not
everyone is an ISP/Webhoster ... with public services.
I thought that was why we have RFC1918 ?
Before arin etc it was possible to request ip space and on the form specify you would not be connecting to the Internet.
Jared Mauch
I've worked in plenty of places where registered address was used on private interconnections between organisations to avoid overlaps, but never announced globally.
S
There's no such thing as "globally" anyway.
Your view of the Internet routing table != my view of the Internet routing table except in very limited circumstances.
Matthew Kaufman
I wish people would actually read RFC 1918.
Category 1: hosts that do not require access to hosts in other
enterprises or the Internet at large; hosts within
this category may use IP addresses that are
unambiguous within an enterprise, but may be
ambiguous between enterprises.
Category 2: hosts that need access to a limited set of outside
services (e.g., E-mail, FTP, netnews, remote login)
which can be handled by mediating gateways (e.g.,
application layer gateways). For many hosts in this
category an unrestricted external access (provided
via IP connectivity) may be unnecessary and even
undesirable for privacy/security reasons. Just like
hosts within the first category, such hosts may use
IP addresses that are unambiguous within an
enterprise, but may be ambiguous between
enterprises.
Category 3: hosts that need network layer access outside the
enterprise (provided via IP connectivity); hosts in
the last category require IP addresses that are
globally unambiguous.
RFC 1918 addresses for machines that fall in Categories 1 and 2.
You're assuming there that people followed the directions.
That is demonstrably false.
It's easy to say "Well, foo on them", but for those of us who provide
services or consulting to those who failed to follow the directions,
we still have to deal with it.
Just remember that if they *had* followed the directions, your
billable hours would drop...
I had intended a snappy response including mention of ponies, however,
while I was considering whether it was list-appropriate or not a
coworker emailed me in response to this thread and reminded me of the
mutual former client who grabbed 2/8 a few years ago and used it
extensively internally.
"Let's just grab 2/8, it's not routed on the Internet..."
Whose actual perpetrator was allegedly another NANOGer, so it wasn't
even brute ignorance (I am not sure it was them, so if not my
apologies).
In slight defense, this was to handle problems with extensive
conflicts where this company and a number of telcos were having
widespread 10/8 1918 space collisions and had no good solutions to it
(apparently, the telcos failed to read 1918 closely enough and
consider that any partner might ever need to route to their internal
allocations).
Thank you, anonymous coworker, for reminding me how glad I am that A)
I'm not there at that client anymore, B) That it's turning that net
off this year.
*twitch* *twitch*
-george
From: George Herbert [mailto:george.herbert@gmail.com]
"Let's just grab 2/8, it's not routed on the Internet..."
+1
I was consulting for a financial services firm in the late '90s that was acquired by a large east-coast bank; the bank's brilliant scheme was to renumber all new acquisitions *out* of RFC1918 space and into (at the time) bogon space.
If I recall, some of the arguments were "they were too big to fit into RFC1918 space" and by having all of their divisions in non-RFC1918 space it would make it easier for them to acquire new companies who used RFC1918 space internally.
I wonder what they're doing now...
From: R. Benjamin Kessler <Ben.Kessler@zenetra.com>
From: George Herbert [mailto:george.herbert@gmail.com]
"Let's just grab 2/8, it's not routed on the Internet..."
+1
I was consulting for a financial services firm in the late '90s that was
acquired by a large east-coast bank; the bank's brilliant scheme >was to
renumber all new acquisitions *out* of RFC1918 space and into (at the time)
bogon space.If I recall, some of the arguments were "they were too big to fit into RFC1918
space" and by having all of their divisions in non->RFC1918 space it would make
it easier for them to acquire new companies who used RFC1918 space internally.
I wonder what they're doing now...
<fireproof underwear = on>
If we make the assumption that the hosts which were numbered in the space
formerly known as bogon are typical enterprise hosts, it wouldn't be surprising
if they were just fine: they probably don't *want* to have end-to-end
connectivity, and are perfectly happy with the proxy-everything approach.
If you're going to NAT everything anyway, then the damage done by having 2/8 on
both sides of the NAT isn't any worse than having 10/8 on both sides of the
NAT. If it turns out that they start running across the hosts in 2/8 as
customers, those can get NATted into some third block, with probably a lot less
effort and confusion than trying to sort out the chunks of overlapping 10/8s.
David Barak
Need Geek Rock? Try The Franchise:
http://www.listentothefranchise.com
If you could really proxy everything, you'd be able to use 10/8
everywhere and never hit problems, even if two private peers overlap
in usage within 10/8.
I can assure you that the "proxy everything" statement breaks down
with every enterprise-to-enterprise interconnection project I've run
into. There are some protocols that are just not meant to do that.
You don't have to trawl back to the late 90's to find this, I know of at least 3 or 4 large enterprises using large chunks of public address (multiple /8's) that aren't their's /today/.
This "works" because 1) the Internet is only accessed through proxies, 2) devices that require direct Internet access are addressed out of registered address space (or NATed to registered address space), and 3) third party connections to others enterprises are usually src/dst NATTed to the enterprise's own ranges (with the added benefit that this NAT at 3rd party boundaries helps ensure symmetric traffic flow through firewalls).
And I've only worked at 3 or 4 large enterprises so it's probably safe to assume there's more! With my SP background I was shocked and I'm not trying to defend this practice, but in the enterprise land it seems accepted.
Sam
From: George Herbert [mailto:george.herbert@gmail.com]
"Let's just grab 2/8, it's not routed on the Internet..."
+1
I was consulting for a financial services firm in the late '90s
that was acquired by a large east-coast bank; the bank's brilliant
scheme was to renumber all new acquisitions *out* of RFC1918 space
and into (at the time) bogon space.If I recall, some of the arguments were "they were too big to fit
into RFC1918 space" and by having all of their divisions in
non-RFC1918 space it would make it easier for them to acquire new
companies who used RFC1918 space internally.You don't have to trawl back to the late 90's to find this, I know of
at least 3 or 4 large enterprises using large chunks of public
address (multiple /8's) that aren't their's /today/.This "works" because 1) the Internet is only accessed through
proxies, 2) devices that require direct Internet access are addressed
out of registered address space (or NATed to registered address
space), and 3) third party connections to others enterprises are
usually src/dst NATTed to the enterprise's own ranges (with the added
benefit that this NAT at 3rd party boundaries helps ensure symmetric
traffic flow through firewalls).
sotime it works... if you are natted (from your public scoped but
overlapping ipv4 address) but don't go through a proxy, or you go
through a transparent proxy you may still be dead because the internal
route covers you destination. Those aren't just enterprises either, some
fairly common offenders are ISPs or wireless carriers and they did use
just one or two additional /8s...
joel
On the freeways in the US, it's quite common for people to be doing 5-15 MPH over the
speed limit. This practice seems accepted.
I don't think there's a whole lot of sympathy, however, when someone receives a ticket for it.
Owen