DoD's /8s are usually squatted by networks that run out of private IPv4 space.
Even though it is very risky to steal resources from an organization
that can deploy a black helicopter or a nuclear warhead over you, for
some reason like it not appearing in the DFZ people seem to like it.
Even though it is very risky to steal resources from an organization
that can deploy a black helicopter or a nuclear warhead over you
Seems a bit dramatic. Companies all over the world have been using other peopleās public IPs internally for decades. I worked at a place 20 odd years ago that had an odd numbering scheme internally, and it was someone elseās public space. When I asked why, the guy who built it said āWell I just liked the pattern.ā
If youāre not announcing someone elseās space into the DFZ, or otherwise trying to do anything shady, the three letter agencies arenāt likely to come knocking. Doesnāt mean anyone SHOULD be doing it, but still.
For many years, a large customer (telco/VOIP/ISP carrier that should have known better) of a former employer was using 11.0.0.0/8 as an extension of 10.0.0.0/8 and literally forced said employer to carry their routes to those prefixes in those tables (or lose an extremely lucrative contract). At the time, 11/8 was IANA resrved, and my point that it was likely to be allocated to an RIR and subsequently some real entitie(s) on the internet was utterly lost in the pursuit of the almighty dollar. I left that job for greener pastures before IANA allocated that prefix, but Iām sure there were some definite interesting results there when it happened.
If you're using 20.20.20.0/24 which is not "yours" (as I've seen happen), then certainly your customers can't get to the real 20.20.20.x
And even if that's not announced and used /today/ - this can change quickly...
If you are using IPv4 address that belong to someone else internally you really are in a prime position to use IPv6 only internally and use one of the IPv4AAS mechanisms to reach the IPv4 internet. After a quarter of a century all your equipment should be IPv6 capable.
Itās unfortunate, but quite common. Iāve seen similar occurrences in several companies I worked for previously. For instance, one of my former employers utilized public IP addresses belonging to others for IPMI server access, even though it was solely for management purposes and not communicated to any peers internally. Consequently, none of the customers could access these public IPs. The reason for this? When the company initially acquired these IPs, they were part of a leased range. Upon termination of the agreement, instead of changing all the IPs, they opted to continue using them due to the perceived hassle. Similarly, another service provider used IPs from its leased range for DNS servers. When the agreement ended and IPs were reallocated, they persisted with the old IPs because updating DNS server settings on customer CPEs lacked automation and thought it was too much trouble.
Unfortunately, such examples are not uncommon, and certainly donāt represent best practices
Yes, absolutely. Thatās part of the technical risk that you take if you decide to do such things.
If itās a āgoodā choice or not is entirely situational. Some organizations are fine with kicking that tech debt down the road, others like to double down and create a house of cards.
A network that wants to be creative and utilize an address block thatās assigned to others
for their own internal purposes runs two distinct risks:
An address block thatās not utilized today may easily become publicly routed tomorrow
(either by the original address holder or by their assignee/successor) and it is not possible
to reliably predict whether your customers will need access to the resources that end up
on that address space.
If you should leak routes publicly for anotherās address space, there are organizations that
will object ā and in the case US government networks, this can include some uncomfortable
conversations. [1]
None of this suggests that one cannot configure their routers any way that they wish ā just that
itād be best if done with appropriate care and an upfront understanding of the risks involved.
Thanks!
/John
John Curran
President and CEO
American Registry for Internet Numbers
Youād need to ask someone who speaks for the USG to address that question ā and thatās
definitely not my job.
However, I will observe in the time since then, the DoD has taken to occasionally publicly
routing some of its address blocks, so the probability of inadvertent routing impact has
almost certainly increased.
Thanks,
/John
John Curran
President and CEO
American Registry for Internet Numbers