Private use of non-RFC1918 IP space

Hi, y'all -

Some colleagues and I are running into a bit of a problem. We've been
using RFC 1918 Class A space but due to the way subnets have been
allocated we are pondering the use of public IP space. As the network in
question is strictly closed I don't anticipate any problems with this as
the addresses would be unambiguous within our environment. I'm curious if
anyone else is doing this.

I'd be very interested in corresponding off-list with anyone who's in a
similar position.

Cheers,
--Trey

What reason could you possibly have to use non RFC 1918 space on a
closed network? It's very bad practice - unfortunately I do see it done
sometimes....

Paul

unless a site you want to reach is on the ip you are using...

I'd recommend against it, because even though the network is not
connected to the Internet now you never know what the future holds.
Even if it's never connected there are always things that seem to pop
up and cause problems.

Also, if your address allocation policy has been so badly managed
that you've run out of space in 10.0.0.0/8, adding more IPs to the pool
isn't going to help for very long.

Trey Darley wrote:

Some colleagues and I are running into a bit of a problem. We've been
using RFC 1918 Class A space but due to the way subnets have been
allocated we are pondering the use of public IP space. As the network in
question is strictly closed I don't anticipate any problems with this as
the addresses would be unambiguous within our environment. I'm curious if
anyone else is doing this.

This is a *VERY BAD IDEA* - why not take the hit now rather than
exponentiate the problem and, in so doing, make it nearly impossible to
reverse later?

  Michael

It will if you manage it better.

Fortunately, there's a /12 and a /24 still left. A /12 is more space than 99.99% of the networks on the Internet need, so why wouldn't that suffice instead of using "real" space.

Technically, yes, you can use non-RFC1918 space in this way, but it is definitely not a good idea. The needs of the people using the network could change at some point in the future, where some degree of Internet connectivity is needed, at which point your support headaches would multiply if you used non-1918 space in this manner.

Is there a reason that other 1918 address ranges (172.16/12, 192.168/16)
could not be used?

jms

Trey Darley wrote:

Hi, y'all -

Some colleagues and I are running into a bit of a problem. We've been
using RFC 1918 Class A space but due to the way subnets have been
allocated we are pondering the use of public IP space. As the network in
question is strictly closed I don't anticipate any problems with this as
the addresses would be unambiguous within our environment. I'm curious if
anyone else is doing this.

Of course you can use public address space, and actually you should have
been doing that already for years.

The catch is of course that you just get it from your local RIR or LIR,
thus making sure it is globally unique, as that is where the problem of
RFC1918 lies for most people.

Another trick is of course to start moving to IPv6: get a /48 or more
from your local LIR/RIR and you have all the IPs you will ever need
(unless you plan wrong and ask for too little ;-)

Greets,
Jeroen

Most ISP's, if not all, null route 1.0.0.0/8 therefore you shouldn't
encounter any problems using it in a private network.

What reason could you possibly have to use non RFC 1918 space on a
closed network? It's very bad practice - unfortunately I do see it done
sometimes....

There are sometimes good reasons to do this, for instance to ensure
uniqueness in the face of mergers and acquisitions.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

Some nitwits just grab one out of thin air.

I've seen 192.169.xx and 192.254.xx randomly used before.

I've even seen at a previous place (note: 'previous') that decided to
use 40.x.x.x for their internal IP space....

I find it hard to believe a company can mismanage their IP space that
10.0.0.0, 192.168.0.0, and 172.(16-31).0.0 are all used up, but then
again, I shouldn't be surprised.

Back in '96 or so, an ISP I was working at was giving out /24's for a
14.4 dialup account....

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk@exempla.org

How does that help? If you are renumbering due to a merger, couldn't
you just agree on separate private space just as easily?

They don't renumber, they end up just double-NAT or triple-NAT between the
merged units. I think one poor soul posted here that they had
quintuple-NAT'ing going on due to a long string of mergers....

> There are sometimes good reasons to do this, for instance to ensure
> uniqueness in the face of mergers and acquisitions.

How does that help? If you are renumbering due to a merger, couldn't
you just agree on separate private space just as easily?

It would ensure that you could get the networks to communicate, without
IP address conflicts, *before* you started any renumbering.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

Until IANA runs out and gives that space to Google or MS or Comcast or $WHATEVER_THAT_NETWORK_TALKS_TO.

What reason could you possibly have to use non RFC 1918 space on a
closed network? It's very bad practice - unfortunately I do see it done
sometimes....

There are sometimes good reasons to do this, for instance to ensure
uniqueness in the face of mergers and acquisitions.

Also to avoid being required to NAT at all. Security benefits IMHO from using RFC1918 space in a corporate network - you have an automatic requirement that there must be a NAT rule somewhere in order for a duplex connection to happen. However, in a more open environment like a university or a laboratory, there may be no reason to require all connections to be proxied/translated etc.

How does that help? If you are renumbering due to a merger, couldn't
you just agree on separate private space just as easily?

They don't renumber, they end up just double-NAT or triple-NAT between the
merged units. I think one poor soul posted here that they had
quintuple-NAT'ing going on due to a long string of mergers....

This is a bit off-topic, but I thought I'd mention that this is one reason I recommend use of the 172.16/12 block to people building or renumbering enterprise networks. Most people seem to use 10/8 in large organizations and 192.168/16 in smaller ones, so it raises your chances of not having to get into heavy natting down the road. My theory on this is that most people who don't deal with CIDR on a daily basis find the /12 netmask a bit confusing and just avoid the block at all.

Cheers,

Chris

1.0.0.0/8 will be allocated in the not too distant future. All currently
unallocated unicast IPv4 /8s will be allocated in the not too distant
future.

Regards,

Leo Vegoda

Using public IP space in general is typically just asking for trouble. I worked with an "ISP" once who decided to use 192.0.0.0/24 for IPs to customers who didn't need a static IP. They did it not knowing what they were doing (oh, you mean 192.0.0.0/8 isn't RFC1918?) but very quickly they had to change it. In our current customer base we have run into it a few times where someone is using non-RFC1918 space internally, and we propose changing it very quickly, as we have had several customers who don't know it but need to get to something in that public space.

If you happen to be the funny guy who uses an IP range from some tiny foreign off the wall country because "we will never need to connect to their IP space" remember that IP address allocations change and you won't think it's so funny when the company who provides your anti-virus moves their update servers to match your internal IP space.

There are sometimes good reasons to do this, for instance to ensure
uniqueness in the face of mergers and acquisitions.

If you are going to force uniqueness and one of the parties in the merger was super smart in their original deployment and decided to use 10.0.0.0/8 for their network of 300 machines, force them to change to something smarter. Remind them how layer 3 networks inside of a single building work. Even if a network is not publicly seen, you have to keep in mind how many machines see it while they might see a public network. A specific customer had a 216.xx.xx.0/24 network for their private production network. Their internal router also saw it and had an ACL on who could access it. Meaning their entire staff couldn't get to their colocated webserver when their provider readdressed that floor in the datacenter.

All rambling aside, it's much easier to renumber on the front end as opposed to ending up with VPN NATting that makes you cry on the inside. Think of the person who will take over your network when you eventually leave your position.

This is a bit off-topic, but I thought I'd mention that this is one reason I recommend use of the 172.16/12 block to people building or renumbering enterprise networks. Most people seem to use 10/8 in large organizations and 192.168/16 in smaller ones, so it raises your chances of not having to get into heavy natting down the road. My theory on this is that most people who don't deal with CIDR on a daily basis find the /12 netmask a bit confusing and just avoid the block at all.

Also a good point. Most of "support engineers" I run into think that 172.24.0.0 is public IP space.
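Two recurring problems in this thread can be checked mechanically: whether a prefix someone picked "out of thin air" (192.169/16, 40/8, 192.0.0.0/24) or misjudged (172.24.0.0, which is inside 172.16.0.0/12) is actually RFC 1918 space, and whether two address plans collide before a merger forces the double-NAT described above. The following is an added example written for this page, not code posted by any participant; the prefix lists in it are constructed for illustration and the label names (rfc1918, straddles-rfc1918, not-rfc1918) are the example's own.

```python
"""Audit IPv4 prefixes against RFC 1918 and find collisions between two
address plans (e.g. two organisations about to merge).

Added example for this thread, not code from any poster. All sample
prefixes below are constructed for illustration.
"""
from ipaddress import IPv4Network, ip_network
from itertools import product

# The three RFC 1918 blocks, spelled out explicitly rather than relying on
# ipaddress.is_private(), whose definition of "private" includes other
# special-use ranges and has changed between Python versions.
RFC1918 = (
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255 (not 172.0.0.0/8)
    IPv4Network("192.168.0.0/16"),
)


def classify(prefix: str) -> str:
    """Label one prefix relative to RFC 1918.

    rfc1918           - wholly inside one of the three blocks
    straddles-rfc1918 - overlaps a block but is not contained in it
                        (e.g. 192.0.0.0/8, which swallows 192.168/16)
    not-rfc1918       - no overlap: globally routable or other special-use
                        space, i.e. somebody else's addresses
    """
    net = ip_network(prefix, strict=False)
    if any(net.subnet_of(block) for block in RFC1918):
        return "rfc1918"
    if any(net.overlaps(block) for block in RFC1918):
        return "straddles-rfc1918"
    return "not-rfc1918"


def audit(prefixes):
    """Map each candidate internal prefix to its classification."""
    return {p: classify(p) for p in prefixes}


def collisions(plan_a, plan_b):
    """Return the overlapping (a, b) prefix pairs from two address plans.

    Any pair listed here means hosts in those ranges cannot reach each
    other without NAT or renumbering.
    """
    nets_a = [ip_network(p, strict=False) for p in plan_a]
    nets_b = [ip_network(p, strict=False) for p in plan_b]
    return sorted(
        (str(a), str(b)) for a, b in product(nets_a, nets_b) if a.overlaps(b)
    )


if __name__ == "__main__":
    # Constructed candidates, modelled on the mistakes mentioned in the thread.
    candidates = [
        "10.0.0.0/8", "172.24.0.0/16", "172.32.0.0/16", "192.169.0.0/16",
        "192.254.0.0/16", "40.0.0.0/8", "192.0.0.0/24", "192.0.0.0/8", "1.0.0.0/8",
    ]
    for prefix, label in audit(candidates).items():
        print(f"{prefix:18} {label}")

    # Constructed address plans for two merging organisations.
    acme = ["10.0.0.0/8", "192.168.1.0/24"]
    beta = ["10.20.0.0/16", "172.16.0.0/12"]
    print("collisions:", collisions(acme, beta))
    print("172.16/12 holds", RFC1918[1].num_addresses, "addresses")
```

Run it with no arguments; the audit shows that 172.24.0.0/16 is RFC 1918 space while 172.32.0.0/16, 192.169.0.0/16 and 40.0.0.0/8 are not, and the collision check shows that an organisation sitting on all of 10.0.0.0/8 conflicts with any other 10.x plan it merges with, whereas the 172.16/12 plan (over a million addresses) does not collide at all.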

Can you expand? I assume that everyone understands VPNs, so connecting
over the Internet is not the issue. If you pick a public IP block you
still have to agree on that block. How is using a public block
different than agreeing on a private one?

I apologize if I'm just being dense this morning.