[123969] in North American Network Operators' Group
Re: Using private APNIC range in US
daemon@ATHENA.MIT.EDU (Daniel Senie)
Thu Mar 18 14:50:50 2010
From: Daniel Senie <dts@senie.com>
In-Reply-To: <CF6199A6-B1BA-4676-8064-B6951B12712B@delong.com>
Date: Thu, 18 Mar 2010 14:50:11 -0400
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Mar 18, 2010, at 2:25 PM, Owen DeLong wrote:
>
> On Mar 18, 2010, at 9:34 AM, Fred Baker wrote:
>
>> Are they using them only within their domain(s), and ARIN addresses outside, or are they advertising them to their upstream(s) to be readvertised into the backbone?
>>
>> If they are using them internally and NAT'ing to the outside, they're not hurting themselves or anyone else. I would personally let them alone.
>>
> Except you're missing a keyword on the "not hurting themselves" part of that... It's "YET".
>
> Once 1.0.0.0/8 starts getting used in the wild for legitimate sites, it means that this customer won't be able to reach the legitimate 1.0.0.0/8 sites from within their environment and it won't be immediately intuitive to debug the failures.

While the analysis above is correct, the original poster talked about the 1/8 addressing being used on web server farms with translation of incoming connections. Sounds like load balancers using 1/8 for the addresses behind them and on the servers that are providing the service.

As such, prospective users of the web site(s) provided by the outfit will not function for broadband users and such who get allocated addresses from 1/8.

Reality of course is that both are true, but in terms of "who gets hurt" the issue here may well be a large server farm that is inaccessible from consumer networks in places in Asia.

As you note, debugging this type of thing is often not intuitive, as everything appears to work from almost everywhere.

>
>> If they are advertising them outside, it adds a small prefix in the ARIN domain that doesn't get aggregated by the upstream. Among 300K such prefixes it is probably noise, but gently suggesting that they use something aggregatable into their upstream's allocation would help a little bit in that regard. What they are most likely hurting is themselves, really; a datagram sent to the address from an ISP outside themselves probably travels via Australia or an Australian ISP.
>>
> The route announcement notwithstanding, they're using space that does not belong to them and will belong to someone else in the near future. If you think that is OK, please let me know what your addresses are so that I can start re-using them.

A scenario repeated many times over the years. In the 1990s, it was common to see leakage of the address blocks of vendors that were used in documentation for routers, workstations, etc., as people would look at examples in the manual, and use the exact IP addresses shown, not understanding the "go get your own addresses first" part of the process.

>
> Owen
>
>> On Mar 18, 2010, at 8:52 AM, Jaren Angerbauer wrote:
>>
>>> Hi all,
>>>
>>> I have a client here in the US, that I just discovered is using a host
>>> of private IPs that (as I understand) belong to APNIC (i.e.
>>> 1.7.154.70, 1.7.154.00-99, etc.) for their web servers. I'm assuming
>>> that the addresses probably nat to a [US] public IP. I'm not familiar
>>> enough with the use of private address space outside of ARIN (i.e.
>>> 192.0.0.0, 10.0.0.0, etc) but I figure if their sites are up and
>>> accessible it must be working for them. I'm just wondering if there
>>> is any recommendation or practice around this -- using private IP
>>> ranges from another country. Thanks.
>>>
>>> --Jaren
>>>
>>
>> http://www.ipinc.net/IPv4.GIF
>>
>
>
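
Added example, not part of the original message or thread: a small audit for the situation discussed above. It flags internal prefixes that are neither RFC 1918 space nor the site's own allocation, then lists which client source addresses would collide with them. The prefix list, the "own allocation" and the client addresses are constructed sample values; only 1.7.154.x comes from the thread.

```python
import ipaddress

# RFC 1918 private-use blocks, listed explicitly so the result does not
# depend on how a particular Python version defines `is_private`.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _foreign_networks(internal, own_allocations=()):
    """Internal prefixes not fully inside RFC 1918 or the site's own space."""
    allowed = RFC1918 + [ipaddress.ip_network(n) for n in own_allocations]
    foreign = []
    for prefix in internal:
        net = ipaddress.ip_network(prefix, strict=False)
        # A prefix only partly inside an allowed block is still flagged.
        if not any(net.subnet_of(a) for a in allowed):
            foreign.append(net)
    return foreign


def foreign_prefixes(internal, own_allocations=()):
    """Same result as strings, convenient for reports."""
    return [str(n) for n in _foreign_networks(internal, own_allocations)]


def shadowed_clients(clients, internal, own_allocations=()):
    """Client addresses that overlap a foreign internal prefix.

    Replies to these clients would be routed to the internal hosts that
    reuse the same numbers, so the site looks down for those users only.
    """
    foreign = _foreign_networks(internal, own_allocations)
    return [c for c in clients
            if any(ipaddress.ip_address(c) in n for n in foreign)]


# Constructed sample data (assumptions, not taken from a real network).
INTERNAL = ["10.20.0.0/16", "1.7.154.0/24", "198.51.100.128/25", "192.168.5.0/24"]
OWN = ["198.51.100.0/24"]                           # stand-in for the site's allocation
CLIENTS = ["1.7.154.23", "1.2.3.4", "203.0.113.9"]  # constructed visitor addresses

if __name__ == "__main__":
    print("foreign internal prefixes:", foreign_prefixes(INTERNAL, OWN))
    print("clients that cannot be served:", shadowed_clients(CLIENTS, INTERNAL, OWN))
```
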