Using private APNIC range in US

Was troubleshooting a customer's VPN trouble a few years ago at another ISP. Could connect from outside our ISP, but users of our service sometimes could and sometimes couldn't connect.

Turns out the Master Network Manager (that's what he called himself) had looked at the static IP assignment, extrapolated back the whole /22 they were on, and used it for the inside of his NAT router. When people hit that part of our network pool, they could make the initial connection, but then the poor firewall would have a nervous breakdown and not pass traffic right (I don't blame it).

My solution: Renumber to a reserved private block internally. He had about 200 devices, with statically assigned DHCP on about 10 of them.
His solution: Every company user that gets access through our service had to get some other form of service in order to connect to his network by VPN, since we 'don't know what we're doing with network configuration'. 35 people either switched away from us or got a second (usually dial-up) connection for when they wanted to VPN in.
I believe his core mantra was that the private 1918s were 'not secure' for some reason he couldn't articulate to me.


A lot of cheap, low-end devices (sometimes with names of well-known
vendors) use IPs like 1.1.1.1 and 1.2.3.4 as captive portal IPs to
authenticate connecting clients. A lot of "WLAN hotspots" users will
have problems reaching 1/8 unless they connect via VPN to corporate
and browse from there or something like that. The question is how
soon 1/8 will have interesting content to serve, as I know at least
one popular hotel chain in Europe using "1.1.1.1".

I once had a customer who for some reason had all their printers on public
addresses they didn't own. Not advertising them outside, but internally
whenever a user browsed to an external site that happened to be one of the
addresses used, they would just receive an HP or Konica login page :)

I have seen quite a number of organisations using /24s that they have pirated from various places. Worst culprits seem to be small access providers who change upstream providers and are too lazy to renumber their corporate network away from the IPs that have been reclaimed. They stick in a NAT and then ignore the problem for a few years.

One particular company insisted that their pirate IP block be routable within the shiny new core network causing endless headaches making sure it doesn't leak into their BGP.

Another ISP is even using oops-I-thought-that-was-RFC1918-addresses in the vicinity of 172.50.x.x and pirate space from 6.7.8.x for their point to point links.

RFC1918 is a good place to start ;)

Most of the issues in

"Deprecating Site Local Addresses"
http://www.rfc-editor.org/rfc/rfc3879.txt

identified in IPv6 Site-Local addressing also apply to
duplicated/overlapping IPv4 addressing.

It sounds like this range was just recently assigned -- is there any
document (RFC?) or source I could look through to learn more about
this, and/or provide evidence to my client.

http://www.iana.org/assignments/ipv4-address-space/

> Hi all,
>
> I have a client here in the US, that I just discovered is using a host
> of private IPs that (as I understand) belong to APNIC (i.e.
> 1.7.154.70, 1.7.154.00-99, etc.) for their web servers.

Actually, those are public IPs. The 1/8 block is presently undergoing
testing for use as a public network. Private IPs are defined in RFC1918
and don't "belong" to a regional registry.

> I'm assuming
> that the addresses probably NAT to a [US] public IP.

If their webservers are located in North America and visible from the
Internet, that is probably a valid assumption. "nslookup", "host" or
"dig" on the hostname should give you a more definitive answer.

> I'm not familiar
> enough with the use of private address space outside of ARIN (i.e.
> 192.0.0.0, 10.0.0.0, etc) but I figure if their sites are up and
> accessible it must be working for them.

For some value of "working", that may be accurate today. It is also
going to be true for some values of "broken", if not now then in the
future.

Private address space is not part of ARIN, APNIC, etc. It is global and
defined by RFC1918.

> I'm just wondering if there
> is any recommendation or practice around this -- using private IP
> ranges from another country. Thanks.

There is no such thing as a "private IP range from a country". Private
addresses are global.

The recommendation and practice is to use addresses from RFC1918 for
private addresses. If these resources need to be visible from the
Internet, then NAT to public addresses assigned or allocated to the
operator of the system will be needed.

Your client should renumber his private addresses to a netblock that is
defined in RFC1918 such as 10/8, 172.16/12, or 192.168/16.
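As an added example (not from any poster in this thread), here is a small Python audit that separates genuine RFC1918 space from the near-misses mentioned above (172.50.x.x, 6.7.8.x, the 1/8 addresses) and flags internal blocks that collide with prefixes the site still needs to reach, as in the over-extrapolated /22 from the VPN story. The sample addresses are constructed from the ones quoted in the thread; the special-use ranges are those defined in the RFCs named in the comments.

```python
"""Audit configured IPv4 addresses/prefixes: genuine RFC 1918 space, some other
special-use range, or public space that belongs to somebody else (squatting).
Added example for this thread; the sample input below is constructed."""
import ipaddress
from typing import Dict, List, Tuple

RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Ranges that will not route on the public Internet but are still not the
# general-purpose private space RFC 1918 provides.
OTHER_SPECIAL_USE = {
    "0.0.0.0/8": "this network (RFC 1122)",
    "100.64.0.0/10": "shared address space for carrier NAT (RFC 6598)",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local (RFC 3927)",
    "192.0.2.0/24": "documentation, TEST-NET-1 (RFC 5737)",
    "198.51.100.0/24": "documentation, TEST-NET-2 (RFC 5737)",
    "203.0.113.0/24": "documentation, TEST-NET-3 (RFC 5737)",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved",
}
OTHER_SPECIAL_USE_NETS = {ipaddress.ip_network(k): v
                          for k, v in OTHER_SPECIAL_USE.items()}


def classify(entry: str) -> str:
    """Return 'rfc1918', 'special-use: ...', 'straddles: ...' or 'public: ...'."""
    net = ipaddress.ip_network(entry, strict=False)  # a host address becomes a /32
    if net.version != 4:
        raise ValueError("IPv4 only: %s" % entry)
    for priv in RFC1918:
        if net.subnet_of(priv):
            return "rfc1918"
        if net.overlaps(priv):
            # e.g. a /11 "extrapolated" around 172.16/12: partly private, partly not
            return "straddles: partly inside %s, partly outside it" % priv
    for special, desc in OTHER_SPECIAL_USE_NETS.items():
        if net.subnet_of(special):
            return "special-use: %s" % desc
    verdict = "public: registry-allocated space, not usable as private addressing"
    # The classic near-miss from the thread: 172.x outside 172.16/12, which
    # only covers 172.16.0.0 - 172.31.255.255, or 192.x outside 192.168/16.
    first_octet = net.network_address.packed[0]
    if first_octet == 172:
        verdict += " (looks like 172.16/12 but lies outside 172.16.0.0-172.31.255.255)"
    elif first_octet == 192:
        verdict += " (looks like 192.168/16 but lies outside it)"
    return verdict


def audit(entries: List[str]) -> Dict[str, str]:
    """Classify every configured address or prefix."""
    return {e: classify(e) for e in entries}


def conflicts(internal: List[str], external: List[str]) -> List[Tuple[str, str]]:
    """Pairs of (internal, external) prefixes that overlap: destinations the
    inside hosts can never reach because their own routing claims them."""
    found = []
    for i in internal:
        i_net = ipaddress.ip_network(i, strict=False)
        for e in external:
            if i_net.overlaps(ipaddress.ip_network(e, strict=False)):
                found.append((i, e))
    return found


# Constructed sample input echoing the addresses mentioned in the thread.
SAMPLE_CONFIG = [
    "1.7.154.70",      # the client's "private" web server address (public 1/8)
    "1.1.1.1",         # captive portal address on cheap hotspot gear
    "172.50.1.1",      # oops-I-thought-that-was-RFC1918
    "6.7.8.9",         # pirated point-to-point link space
    "10.1.2.3", "172.16.0.1", "172.31.255.254", "192.168.0.5",
    "172.32.0.1",      # one past the end of 172.16/12
    "100.64.0.1",      # CGN shared space, not for end-site use
    "172.0.0.0/11",    # over-extrapolated block spilling outside 172.16/12
]

if __name__ == "__main__":
    for entry, verdict in audit(SAMPLE_CONFIG).items():
        print("%-16s %s" % (entry, verdict))
    # The VPN story: the inside of the NAT was the ISP's whole /22, so the
    # ISP's own customer pool inside it was unreachable from the LAN.
    print(conflicts(["1.7.152.0/22", "192.168.1.0/24"],
                    ["1.7.154.0/24", "203.0.113.0/24"]))
```

Run it against an export of the site's interface and DHCP configuration; anything that comes back as "public" or "straddles" is a renumbering candidate, and `conflicts()` tells you which of the upstream's prefixes the inside hosts will never be able to reach while it stays that way.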