Sunday, February 7, 2010

Remaining IPv4 /8 prefixes are dirty

As of January 2010, there is less than 10% of the IPv4 address space remaining for new networks. The current timeline is that no more address space will be available by 2012. However, the remaining IPv4 address space is not as usable and clean as one may think. Evidence has shown that many unallocated prefixes from the IANA pool are used internally by organizations or by VPN vendors. Moreover, my company does IP networking consulting and we have seen many times our customer's networks numbered with one of these unallocated prefixes. The top 10 identified were: 1.0.0.0/8 2.0.0.0/8, 5.0.0.0/8, 23.0.0.0/8, 27.0.0.0/8, 46.0.0.0/8, 100.0.0.0/8, 107.0.0.0/8, 176.0.0.0/8, 111.0.0.0/8. As of writing 1.0.0.0/8 has already been allocated by IANA to APNIC.

I've written a script that parses the IANA IPv4 address registry to find the unallocated prefixes and identify the ones that have been identified as already in use. The result is astonishing. From the ~24 /8 prefixes unallocated (at time of writing), only 2 /8 prefixes are "clean" (not reported to be used internally by organizations) and 22 are "dirty" because they are already in use by some organizations. The "clean" prefixes are: 14.0.0.0/8 and 106.0.0.0/8.

However, the level of "dirtiness" is variable. Some such as 1.0.0.0/8, 2.0.0.0/8 and 100.0.0.0/8 are much more used internally in private networks and implementations than others. In fact, the recent allocation of 1.0.0.0/8 by IANA have spurred discussions and studies on this issue.

What happens if I already use one of these "dirty" to-be-allocated prefixes in my network?
When the prefix you are using start being announced on the IPv4 Internet, then the sites and networks on the Internet using that prefix will not be reachable from your network and users. It may become a support nightmare if, for example, one of the sites is a well known content site using load-balancing and only some of its servers use the prefix. Therefore, sometimes your users will be able to reach that content, sometimes not: hours of interesting troubleshooting...

Is it possible that I'm using these "dirty" prefixes without knowing?
Even you might not know if you are using the dirty prefixes! For example, maybe your VPN vendor is using that "dirty" prefix to avoid collisions with RFC1918 private address space. When your computer setup the VPN connection, the host routing table then contains a route to this prefix through the VPN interface. Therefore, your host won't be able to reach a site on the Internet that has the same prefix. VPN software is often "smart" which means they setup the VPN on demand and disconnect when not in use. That means, similar to the previous paragraph, sometimes you will be able to reach some sites (when VPN is down) and sometimes you will not be able (when VPN is up): hours of interesting troubleshooting...

What happens if I receive a chunk of these "dirty" to-be-allocated prefixes from my provider?
Your network will become a magnet for packets that, before, went nowhere. Moreover, some end-users on the Internet will not be able to reach your network and sites since they are using the same prefix internally as yours.

What is the solution?
Well, if you are in the previous situations (already using a to-be-allocated prefix), then you should start planning to renumber. You could try to put more NATs but that become pretty tricky. If you are receiving one of these "dirty" prefixes from your provider, then it will be a rocky road...

The best approach, that is future proof, is to start deploying IPv6.