> Once again as a final note: your corporate network may be using the formerly unused DoD space internally, and if so, there is a risk you could be leaking it out to a party that is actively collecting it. How could you know? Using Kentik’s Data Explorer, you could quickly and easily view the stats of exactly how much data you’re leaking to AS8003 (now AS749). May be worth a check, and if so, start a free trial of Kentik to do so.
Not that I don't appreciate the free trial offer. But before getting into data characteristics, I'm curious which addresses should be examined in a cursory internal look-see?
If you're going to look for one such risk, you might as well look for them all - if it's public space and you don't own it, you should get off it regardless of what isn't advertised on the internet today.
Was it ever common to use 11/8 internally? Did people just roll dice because it wasn't being announced? The reference in the post is the first I've heard of people possibly using it.
Squatting on DoD / MoD ranges is rampant. Rogers and T-Mobile have done it.
My employer squats on... another popular range... for a secondary non-routed network. They can't be bothered to egress filter it on the primary routed network so we sometimes have misconfigured systems trying to ship data off to random servers on another continent.
I once worked at a place that used 100.0.0.0/8. At the time that range was not in use on the Internet. Not sure if that was intentional or a fat finger. That place was run by idiots though, so it was probably the latter.
I mean... yes. And then there's the real world where your parent company has bought a dozen small companies over the years who have things spread across all of the 1918 ranges and you're setting up VPNs and static NAT and RIP and IS-IS paths and... you just do something easier. It's not a _good_ idea, but it's definitely a thing that happens (fortunately, for me at least, it's been a good long time since I've had to deal with that brand of network badness).
There's probably some group of network operators out there who decided amongst themselves that it'd be cheaper and easier to squat the dod ranges when shuffling traffic amongst themselves, than having to wrap each packet with a tunneling header. Or who knows maybe some third world dictator told their isps to use the dod ranges because they mistakenly assumed it would isolate their nation's traffic from the rest of the world. It's a real shame that the linked article doesn't divulge what's actually happening.
The DOD owns all IPs starting with 6, 7, 11, 21, 22, 26, 28, 29, 30, 33, 55, 214, and 215. To a network operator who spends his day filling out forms explaining why he needs each and every /32, I imagine it must make you feel like someone who spends half his income to live in a tiny crummy apartment in a city surrounded by vacant unsecured mansions. The owners of these mansions haven't set foot in them for thirty years. So surely it must be safe to just move in, right?
Some corporations have exhausted the RFC1918 address space. After exhausting that they tend to fall back to the space allocated to CGNAT. And once that is finally exhausted they tend to fall back to privately used public IP addresses (PUPI addresses). We allow all of this on GCP in our VPCs: https://cloud.google.com/vpc/docs/vpc#valid-ranges
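The two comments above describe the address classes an internal network drifts through (RFC 1918, then the CGNAT shared range, then public space nobody in the company owns) and list the /8s attributed to the DoD. The script below is an added example, not code from the thread or from Kentik, of the "cursory internal look-see" asked about earlier: it classifies the destination addresses in flow records into those classes and flags flows from internal hosts to the listed /8s. The flow-log format, the `OWNED_PUBLIC` prefix (a TEST-NET placeholder) and the sample lines are constructed assumptions; the DoD /8 list is taken verbatim from the comment, not from a registry lookup.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 private ranges
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space, reserved for carrier-grade NAT
CGNAT = [ipaddress.ip_network("100.64.0.0/10")]
# The /8s the comment above attributes to the DoD; copied from the thread, not verified here
DOD_FIRST_OCTETS = (6, 7, 11, 21, 22, 26, 28, 29, 30, 33, 55, 214, 215)
DOD = [ipaddress.ip_network(f"{o}.0.0.0/8") for o in DOD_FIRST_OCTETS]
# Placeholder: the public space your organisation actually holds (TEST-NET-3 stands in here)
OWNED_PUBLIC = [ipaddress.ip_network("203.0.113.0/24")]


def classify(ip_str):
    """Bucket an address by who is entitled to use it on this network."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version != 4:
        return "ipv6"
    if any(ip in n for n in RFC1918):
        return "rfc1918"
    if any(ip in n for n in CGNAT):
        return "cgnat"
    if any(ip in n for n in OWNED_PUBLIC):
        return "owned-public"
    if any(ip in n for n in DOD):
        return "squatted-dod"
    if not ip.is_global:
        return "reserved"  # loopback, link-local, documentation ranges, etc.
    return "other-public"


# Assumed flow-log format: "<timestamp> src=<ip> dst=<ip> bytes=<n>"
FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)")


def audit_flows(lines):
    """Count destination classes and return the flows that reach the listed DoD /8s.

    A flow from an RFC 1918 host to one of those /8s is exactly the traffic that an
    egress filter should have dropped and that may now be leaving the network."""
    counts = Counter()
    flagged = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst = m.groups()
        cat = classify(dst)
        counts[cat] += 1
        if cat == "squatted-dod" and classify(src) == "rfc1918":
            flagged.append(line)
    return counts, flagged


# Constructed sample flow records (not real traffic)
SAMPLE_FLOWS = [
    "2021-04-25T10:00:01Z src=10.20.30.40 dst=10.20.30.1 bytes=1200",
    "2021-04-25T10:00:02Z src=10.20.30.41 dst=100.64.5.9 bytes=800",
    "2021-04-25T10:00:03Z src=10.20.30.42 dst=11.0.5.7 bytes=15000",
    "2021-04-25T10:00:04Z src=10.20.30.43 dst=29.1.1.1 bytes=2400",
    "2021-04-25T10:00:05Z src=10.20.30.44 dst=203.0.113.10 bytes=500",
    "2021-04-25T10:00:06Z src=10.20.30.45 dst=93.184.216.34 bytes=900",
]

if __name__ == "__main__":
    counts, flagged = audit_flows(SAMPLE_FLOWS)
    for category, n in sorted(counts.items()):
        print(f"{category:14s} {n}")
    print("flows into listed DoD space from internal hosts:")
    for line in flagged:
        print("  " + line)
```

Run it over an export from your flow collector or firewall logs; anything in the "squatted-dod" or "other-public" buckets that was meant to stay internal is a candidate for the egress filter one commenter says nobody could be bothered to add. Confirm the /8 list against WHOIS before acting on it, since allocations change.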
The problem is that everyone reuses the same RFC1918 space, and this becomes a problem when you join them all together. For instance, I discovered this year there is an electronic payments processor here in Australia that uses the 29/8 space. I'm doing a project for a large retail company that has to route payments to lots of providers. Each one has a different way of handling the conflict - either through properly registered public space, or through NATting to their own or the customer's space. I did raise the issue that 29/8 was now actually routable on the internet, and maybe the provider should pick another strategy. But I don't think they see it as an issue, mainly because these networks are quite closed and separated from regular internet space.
Formerly. But now we have wide v6 adoption, so there is much less incentive to use ambiguous addresses given the security, monitoring, internetworking, complexity etc. costs & risks.