US DoD starts using 11.0.0.0/8 (nanog.org)
54 points by plantain on Aug 4, 2015 | hide | past | favorite | 52 comments


N.B.: DoD didn't "release" 11/8 in the same way that Interop "released" (i.e., gave back to ARIN) 45/8 several years ago [0].

What they did do was start advertising it into the global BGP routing table (technically, AS23352 did, as the post mentions) -- apparently ~5d6h ago, according to my routers.

In addition, AS23352 is sending the ("informational") community "23352:41216" along with this prefix, which means that it was learned by a "customer" peering session at their Chicago, Illinois, POP:

  Community: 3356:3 3356:22 3356:100 3356:123 3356:575 3356:2042 23352:41216
The other communities attached to this prefix indicate that:

a) ServerCentral is a Level 3 customer, and

b) Level 3 is receiving the announcement from SC in Chicago.

FWIW, I'm receiving the routes via Level 3 peering connections in both Chicago and Cincinnati, Ohio.

[0]: http://evilrouters.net/2010/10/20/arin-regains-458-from-inte...


Releases is not the proper word here. It should be 'US DoD starts using 11.0.0.0/8'. Nowhere in that thread does it say the subnet is being released back into the generally available pool, just that it's started to be routed.


Ok, we changed the title to that from "US DoD releases 11.0.0.0/8".


Bad news for some ISPs, VPN setups and sysadmins I know who used these addresses as quasi private IPs (extension of 10.x.x.x), as these were all unused before...


Kind of serves them right, if so. That's the kind of thoughtless violation of standards that should get used as a classroom example of what not to do.


It's more than a little ironic to be admonishing someone for something so hackish on a website called "hacker news."


Yep, this is why I occasionally use reserved addresses other than the widely used RFC 1918 addresses.

I use 192.0.2/24 ("TEST-NET") at home (cf. RFC 5737), split up into various subnets. At $work (ISP), we use 100.64/10 (cf. RFC 6598) quite a bit internally (for its intended purpose, *mostly). In other networks, such as companies with many locations that will be connected via VPNs or companies that will have several VPNs to other organizations (where there's less control of the addresses used), I've used 198.18/15 (cf. RFC 2544) to avoid any conflicts.

Obviously, this is not what those address ranges are intended to be used for but it's certainly better than both a) using non-reserved address ranges (i.e. public ones that don't belong to you) and b) implementing funky NAT policies because of overlapping addresses.


I've seen a company that uses 7.0.0.0/8 as "lucky number seven" since it is reserved for the DoD as well.


What kind of company needs more than 16M IPs for private addressing?


It's not just about number of addresses. It's also about preventing conflicts.

Let's say my company uses 10.0.0.0/16. Now let's say I set up a VPN. Half my users will be on local networks that are also 10.0.x.x. Fail.

Even worse, let's say my company has two locations and both use 10.0.0.x and now we want to link them on a common network using a VPN or virtual Ethernet bridge. Have fun renumbering one of these two sites, or setting up abominations like internal two-way SNAT/DNAT.

The reason IPv6's address space is so huge is to allow relatively stateless assignment of addresses with extremely low probability of conflicts. An IPv6 address is basically a UUID. That's going to make lots of things easier and eliminate the need for a huge number of nasty hacks.
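The reserved-range choices from the earlier comment and the VPN/merger conflict described here, as an added Python example that is not from the thread: it classifies IPv4 prefixes against the RFC 1918, RFC 6598, RFC 5737 and RFC 2544 ranges named above and reports cross-site overlaps. The site map is constructed for illustration.

```python
import ipaddress

# Reserved ranges the thread mentions, labelled by the RFC that sets them aside.
# 11/8, 7/8 and 5/8 are deliberately absent: they are ordinary public space.
RESERVED = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 6598 shared (CGN)": ["100.64.0.0/10"],
    "RFC 5737 TEST-NET": ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"],
    "RFC 2544 benchmark": ["198.18.0.0/15"],
}

def classify(prefix):
    """Return the reserved category an IPv4 prefix lies inside, else 'public'."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 prefixes only")
    for label, blocks in RESERVED.items():
        if any(net.subnet_of(ipaddress.ip_network(b)) for b in blocks):
            return label
    return "public"

def find_overlaps(sites):
    """sites maps a site name to its prefixes; return every cross-site overlap
    (two independently numbered 10.0.x.x networks cannot be joined as-is)."""
    nets = [(site, ipaddress.ip_network(p, strict=False))
            for site, prefixes in sites.items() for p in prefixes]
    clashes = []
    for i, (site_a, net_a) in enumerate(nets):
        for site_b, net_b in nets[i + 1:]:
            if site_a != site_b and net_a.overlaps(net_b):
                clashes.append((site_a, str(net_a), site_b, str(net_b)))
    return clashes

def audit(sites):
    """Return (prefixes that are really public space, cross-site overlaps)."""
    public = [(site, p) for site, prefixes in sites.items()
              for p in prefixes if classify(p) == "public"]
    return public, find_overlaps(sites)

# Constructed sample: an office, a remote user's home LAN, and a branch that
# adopted 11.x "because nobody uses it" (the mistake the thread describes).
SAMPLE_SITES = {
    "office": ["10.0.0.0/16"],
    "home-vpn-user": ["10.0.1.0/24"],
    "branch": ["11.1.0.0/16"],
}

if __name__ == "__main__":
    print(audit(SAMPLE_SITES))
```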


This was actually tech support call #1 at a hotel I worked at previously. We were only able to fully resolve it by using an obscure section of the 172.16.0.0/12 range -- almost all companies use the other two private ranges.


> We were only able to fully resolve it by using an obscure section of the 172.16.0.0/12 range.

This is exactly why I use 172.16.104.0/21 as my home network range. Almost no one else does so it makes things really easy when I VPN home from a hotel somewhere.


Unfortunately, I've been in more than one hotel (or other location with open/public access to the network) where the implementers decided to just use either the whole 10/8 network, a /16 (or more!) out of the 172.16/12 network, or the whole 192.168/16 network in one big, flat network. That can be a real PITA and annoys me to no end.


you are... not alone.


So two way SNAT/DNAT is nastier than using a public IP block that you don't own? Pretty bad practice if you ask me. At the very most you should use a block that you own. Also I've never had any issues setting up IPSEC VPNs or Tunnels with two way NAT, if you have your configuration setup correctly.


"An IPv6 address is basically a UUID."

This is the reason why I can't believe we're not all on IPv6 yet. You would think that the online advertising industry would have done everything in their power to push IPv6, at any cost. 90%+ of people on IPv6 will literally have a unique identifier FOR LIFE on every device they own. Marketers can now pinpoint down not just to an IP address that identifies a single NAT interface, but each individual device.

I hope that operating systems and/or routers will provide the option to rotate each IPv6 address on a routine basis. It would also be nice if ISPs would rotate the block that is handed out to each customer, but this is unlikely to happen. Every phone, every tablet, every PC, every thermostat, every door lock, every fridge... uniquely identifiable from the day it is hooked up to a network. :(


> I hope that operating systems and/or routers will provide the option to rotate each IPv6 address on a routine basis.

This is an issue when using SLAAC, yes, but a workaround ("Privacy Extensions") was developed years ago; cf. RFC4941 [0].

You can also assign static addresses or use DHCPv6 -- on your own networks, at least; you obviously can't control how your ISP decides to issue addresses.

[0]: https://tools.ietf.org/html/rfc4941


Good news, privacy addressing (ex. RFC 4941) exists and is enabled by default on OS X (10.7+) and Windows 7. Privacy addressing rotates the host section of the IP address by default once a day, leaving IPv6 host detection similar to IPv4+NAT.

It seems like Linux may be a mixed bag (by distro) w/r/t it being enabled as default. I could definitely see cheap embedded devices based on a current Linux distro not bothering to change defaults to enable it.
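The mechanism the two comments above describe, as an added Python example that is not from the thread: how SLAAC without RFC 4941 derives the interface identifier from the MAC (modified EUI-64), and a check that flags addresses whose identifier still reveals the MAC. The sample addresses and MAC are constructed.

```python
import ipaddress

def slaac_address(prefix, mac):
    """Build the modified-EUI-64 address SLAAC derives from a MAC in a /64.

    This is the pre-RFC 4941 default: the interface identifier is the MAC with
    ff:fe inserted in the middle and the universal/local bit (0x02) flipped."""
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))

def eui64_mac(addr):
    """Return the MAC embedded in addr's interface identifier, or None.

    Heuristic: an identifier with ff:fe in bytes 3-4 is almost certainly EUI-64;
    RFC 4941 temporary addresses use random identifiers and will not match."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)

def leaking_hosts(addresses):
    """Return [(address, mac)] for addresses whose identifier reveals the MAC."""
    found = []
    for a in addresses:
        mac = eui64_mac(a)
        if mac is not None:
            found.append((a, mac))
    return found

# Constructed sample: one EUI-64 host, one RFC 4941 temporary address, and a
# hand-assigned gateway (the fe80::1 convention mentioned later in the thread).
SAMPLE_ADDRESSES = [
    slaac_address("2001:db8:1::/64", "00:1b:21:3c:4d:5e"),
    "2001:db8:1::a1b2:c3d4:e5f6:1234",
    "fe80::1",
]

if __name__ == "__main__":
    for addr, mac in leaking_hosts(SAMPLE_ADDRESSES):
        print(f"{addr} reveals MAC {mac}")
```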


Related: "Why the FBI wants IPv6: It's better [than CGN] for tracking criminals" [0].

[0]: http://gcn.com/articles/2012/06/07/fbi-wants-ipv6-hard-to-tr...


There are already so many ways to fingerprint a browser, it's really not something they need.


A company with more than 16M cable modems, for one thing.


But do they all need to be on the same logical network?


They need to be logically accessible because they are managed devices. NAT doesn't work in this case. Of course, IPv6 is the more correct solution, if you can manage it (no pun intended).

See Comcast's presentation about their motivations: http://meetings.ripe.net/ripe-54/presentations/IPv6_manageme...


Thanks, that's interesting, but doesn't explain why "federated net 10 islands" can't work, except to say it can't. New York (time warner) and Chicago (Comcast) are obviously managed separately. Why can't Comcast manage Boston and Chicago as separate networks? Is every single customer nationwide working off the same dhcp/update/management server, etc.?


Based on the kinds of multi-state outages they suffer from, I'd say they often are all having all modems hitting the same auth/DHCP/DNS servers. Back when I was on BellSouth DSL, every time they had a DNS outage everybody would reboot their modem and that would bring down the DHCP server, but if you used third-party DNS you could remain online while the entire SE US lost DSL for an hour or two.


If memory serves, T-Mobile was using 5/8 internally for a long time (because they exhausted 10/8). I imagine they had a lot of fun renumbering out of that once netblocks began to be issued out of it.


I'm not sure of the timing, but today T-Mobile provides IPv6 and 464XLAT.


I remember working with an airline around '01-'02. The CTO was very excited they had migrated all of their network infrastructure to new private lines and gotten off of that "terrible 10-dot network".

I asked which private network they switched to and he said "We switched to 11-dot, because no one else uses it and it'll be unique for the future growth of our private network."

Needless to say, he was not pleased to learn it was not private or unique, and was assigned to the DoD.


So this "CTO" had never heard of Whois? I think I first heard of it in 1991.


There are still lots of people who have "puppy farm" technical certs. This was certainly one of them.


I wonder if this had an impact on the AT&T backhaul that went wonky today.


It's been advertised since (at least) around 1800 GMT last Thursday so I doubt it's related.


I wish they hadn't. Anything that prolongs IPv4 use is bad.


yaay! more IP addresses for all!


The problem with ipv6 is that it doesn't consider that people are still remembering and typing ip addresses every day. IPv6 is more effort on the mind and hand.

A shorthand version would be better.

Ideally if the router ip address is 1, Subnet would be 1.0/24, Client 1.2

Client IP: 1.1

Router: 1

Subnet: 1.0/24

Gateway: 1

I'm too lazy for ipv6. Nothing to celebrate about ipv6 except for a bigger pool and some other minor +.


What are you talking about? Users aren't entering IPs for anything other than maybe custom DNS servers. Unless you mean 'advanced' users that set up static machines?

Either way if those users want routable IPs going forward and not be stuck behind CGNAT then they'll have to use their brains and learn something new.

The truly lazy people like yourself and remain in some sort of segmented Internet I suppose.


I agree with you, except for this part:

> The truly lazy people like yourself and remain in some sort of segmented Internet I suppose.

That last sentence doesn't add anything to the conversation. Your comment wouldn't lose anything by removing that.

Also, this one:

> they'll have to use their brains and learn something new

could have been simply written as follows, again without losing anything:

> they'll have to learn something new


The last sentence echoes the OP's last sentence, which was as follows:

> I'm too lazy for ipv6. Nothing to celebrate about ipv6 except for a bigger pool and some other minor +.

Symmetrical construction is nice. :)

Additionally, it's pretty appropriate to say:

> Either way if [advanced users who are setting up static, globally routable IPs for machines] want routable IPs going forward and not be stuck behind CGNAT then they'll have to use their brains and learn something new.

Any sysadmin who is configuring a server that requires a globally routeable IP is expected to use his brain. Moreover, he will be expected to have to use that brain to learn new things from time to time, lest his systems become crusty and unmaintained.

There are many things that can go wrong when you configure a machine as an Internet peer. Some amount of savvy and smarts is required.


> The last sentence echoes the OP's last sentence, which was as follows

Good point. But I found the OP's statement inappropriate, either.

> Any sysadmin who is configuring a server that requires a globally routeable IP is expected to use his brain

Everyone is expected to use their brain. Implying that somebody doesn't use their brain is dehumanizing.

That kind of insults should have no place on HN.


> Good point. But I found the OP's statement inappropriate, either. [sic]

OP (workworksleep) was calling himself lazy. You consider it inappropriate to call oneself lazy?

> Everyone is expected to use their brain.

If you work in a technical field, and have not had the inhuman good fortune of never working with C or D players, you will know that some sorts of people will -not infrequently- fail to meet expectations by failing to engage their brain. This isn't an insult, it's a statement of fact.

A Comp Sci student who requests that others write his 1xx or 2xx level homework for him would be quite rightly accused of not using his brain.

Hell, on my worst days, I've failed to use my brain and spent 8+ hours writing code that was -at best- hilariously roundabout and overly complex or -at worst- didn't even solve the problem I had intended to solve. When reviewing days like that, I openly admit to not using my brain and accept the shame and wasted effort that came from my failure.

What would you call a network administrator who knew IPX/SPX inside and out but refused to learn IP networking, declaring -like workworksleep did in his OP- that he was "too lazy" to do so and that there wasn't enough benefit to overcome his laziness?


I guess my criticism went slightly over the top.

Indeed, "use your brain" is not an insult if you say that to people you know pretty well, especially if they just did something extremely stupid that was easily avoidable.

However, I still find it inappropriate to say that to strangers on the internet which you don't know. Of course you can try to extract a lot of character information out of a single sentence that somebody said, but the error rate is quite high.


That's just mean.


I found where all the childish redditors went.


How would you propose to solve the growing need for IP addresses and the hard limit imposed by IPv4? It seems like increasing the address space is an absolute necessity, and I see no way to accomplish it without hurting the ability to memorize and type them proportionally.


DNS. Have you heard of it?


fc00::whatever isn't really harder than 10.whatever. the addresses potentially look scary and they are harder to communicate by voice, but that's pretty much the only thing against them and the price that has to be paid for having those 128 bits.


While fc00::/7 is set aside for Unique Local Addresses, -AIUI- the fc00::/8 block hasn't been defined yet. fd00::/8 has been set aside for ULA use.


In IPv6, everyone's gateway can be FE80::1 if you enjoy entering everything by hand.


Sure, if you manage to reconfigure every single gateway you'll ever need to use (and assume that every network has a single gateway).


Why is the US DoD permitted to own a /8? They are the greatest force against peace and for suffering the world has ever known. Their robots kill civilians daily and they have compromised the security of the Internet for the sole purpose of expanding and maintaining their power. Every ISP has a duty to block traffic to and from 11/8 until such a time as the DoD relinquishes it to the proper authorities for distribution to legitimate users.


Are you aware that the Internet evolved out of a connection of academic institutions with the DoD's network as the backbone? The DoD was literally the first implementer of TCP/IP as well as where the research was started and funded. Vint Cerf was a DARPA manager.


You want a realistic answer? "Finders keepers. We made it."

Now, I do agree that it's a massive chunk and it could be better used given up to the rest of the internet, but honestly we should be pushing harder on ipv6 instead.

The whole "They are the greatest force against peace and for suffering the world has ever known" part is a matter of opinion and I disagree with that statement.



