[148415] in North American Network Operators' Group
Re: Whois 172/12
daemon@ATHENA.MIT.EDU (Ted Fischer)
Sun Jan 15 03:21:07 2012
In-Reply-To: <36A214A4-0627-4921-83B0-37766996844A@ianai.net>
Date: Sun, 15 Jan 2012 03:20:17 -0500
From: "Ted Fischer" <ted@fred.net>
To: nanog@nanog.org
Reply-To: ted@fred.net

Thanks for the replies so far, but not what I was looking for.

I should have specified that I've done several ns & dig lookups just to
make sure.

We were supposed to have lit up the last of IPv4 last year. I would have
presumed that meant that there was nothing left. Since I can't find a
reference to 172/12 anywhere, one might be led to presume that it was
allocated somehow, to someone (perhaps inadvertently not recorded) since
there are - supposedly - no fresh IPv4 addresses left to allocate, and the
only reference to this block is that 172/8 is allocated to ARIN. It
doesn't even appear in RFC 5735.

We all know about 172.16/12 - nothing left of that horse but glue.

My question is about 172/12. Where is it, what is its supposed purpose?
I'm almost sure it's an internal box. I just find it better to give a
professional answer to "why can't I use this" than just "you can't use
this and why is this address scanning you for udp/137 anyway".

If someone can point out to me what was done with 172/12 I'd appreciate it.

Patrick opined:

> Read RFC1918.

I didn't remember seeing anything about 172/12 in RFC1918. Looked at it
again. Is there something about 172/12 I missed? Thanks.

> Likely a machine on his local network (i.e. behind the same NAT box) is
> hitting him.
>
> But that is not guaranteed. A packet with a source address of 172.0.x.x
> could be hitting his machine. Depends on how well you filter. Many
> networks only look at destination IP address, source can be anything -
> spoofed, un-NAT'ed, etc. He just wouldn't be able to send anything back
> to it (unless it was on the local LAN, as I mention above).
>
> --
> TTFN,
> patrick
>
>
> On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote:
>
>> As far as I know, 172.0.1.216 is not assigned, yet.
>>
>> whois -h whois.arin.net 172.0.1.216
>> [whois.arin.net]
>> #
>> # Query terms are ambiguous. The query is assumed to be:
>> # "n 172.0.1.216"
>> #
>> # Use "?" to get help.
>> #
>>
>> No match found for 172.0.1.216.
>>
>>
>>
>> #
>> # ARIN WHOIS data and services are subject to the Terms of Use
>> # available at: https://www.arin.net/whois_tou.html
>> #
>>
>> Also, when you check BGP routing table, it is not routed at all.
>>
>> route-server.as3257.net>sh ip bgp 172.0.1.216
>> % Network not in table
>> route-server.as3257.net>
>>
>> So it seems like forged IP address.
>>
>> Alex
>>
>>
>> On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer <ted@fred.net> wrote:
>>> Hi all,
>>>
>>> Tearing what's left of my hair out.
>>>
>>> A customer is getting scanned by a host claiming to be "172.0.1.216".
>>>
>>> I know this is bogus, but I want to go back to the customer with as
>>> much authoritative umph as I can (heaven forbid they just take my
>>> word).
>>>
>>> I'm pretty sure I read somewhere once that 172/12 was "reserved" or
>>> something like that. All I can find now is that 172/8 is
>>> "administered by ARIN". Lots of information on 172.16/12, but not a
>>> peep about 172/12.
>>>
>>> If anybody could provide some insight as to the
>>> allocation/non-allocation of this block, it would be much appreciated.
>>>
>>> Thanks.
>>>
>>> Ted Fischer
>
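
The check discussed in this thread, as an added example (not code from any poster): it tests a logged source address against the special-use blocks in the RFC 5735 summary table and shows that 172.0.1.216 sits in 172.0.0.0/12, outside the RFC 1918 block 172.16.0.0/12. The log lines and their format are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress
import re

# Special-use IPv4 blocks from the RFC 5735 summary table.
RFC5735 = {
    "0.0.0.0/8": '"This" network', "10.0.0.0/8": "private-use (RFC 1918)",
    "127.0.0.0/8": "loopback", "169.254.0.0/16": "link local",
    "172.16.0.0/12": "private-use (RFC 1918)",
    "192.0.0.0/24": "IETF protocol assignments", "192.0.2.0/24": "TEST-NET-1",
    "192.88.99.0/24": "6to4 relay anycast",
    "192.168.0.0/16": "private-use (RFC 1918)",
    "198.18.0.0/15": "benchmark testing", "198.51.100.0/24": "TEST-NET-2",
    "203.0.113.0/24": "TEST-NET-3", "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved for future use",
    "255.255.255.255/32": "limited broadcast",
}
BLOCKS = [(ipaddress.ip_network(n), name) for n, name in RFC5735.items()]

def special_use_block(addr):
    """Return (cidr, name) of the RFC 5735 block containing addr, else None."""
    ip = ipaddress.ip_address(addr)
    for net, name in BLOCKS:
        if ip in net:
            return str(net), name
    return None

def covering_slash12(addr):
    """Return the /12 containing addr and its first-last address range."""
    net = ipaddress.ip_network(f"{addr}/12", strict=False)
    return str(net), f"{net[0]}-{net[-1]}"

# Constructed sample firewall log lines (hypothetical format).
SAMPLE_LOG = """\
Jan 15 01:30:02 fw DROP SRC=172.0.1.216 DST=192.0.2.10 PROTO=UDP DPT=137
Jan 15 01:30:05 fw DROP SRC=172.16.4.9 DST=192.0.2.10 PROTO=UDP DPT=137
"""

def triage(log_text):
    """Map each logged source address to a verdict string."""
    verdicts = {}
    for src in re.findall(r"SRC=(\d+\.\d+\.\d+\.\d+)", log_text):
        hit = special_use_block(src)
        verdicts[src] = (f"special-use {hit[0]} ({hit[1]})" if hit
                         else "not in RFC 5735; check whois and routing table")
    return verdicts

if __name__ == "__main__":
    print(covering_slash12("172.0.1.216"))
    for src, verdict in triage(SAMPLE_LOG).items():
        print(src, "->", verdict)
```

A source that matches no special-use block still needs the whois and routing-table lookups shown in the quoted replies; this check only rules the reserved ranges in or out.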