Sunday, February 7, 2010

Remaining IPv4 /8 prefixes are dirty

As of January 2010, there is less than 10% of the IPv4 address space remaining for new networks. The current timeline is that no more address space will be available by 2012. However, the remaining IPv4 address space is not as usable and clean as one may think. Evidence has shown that many unallocated prefixes from the IANA pool are used internally by organizations or by VPN vendors. Moreover, my company does IP networking consulting and we have seen many times our customer's networks numbered with one of these unallocated prefixes. The top 10 identified were: 1.0.0.0/8 2.0.0.0/8, 5.0.0.0/8, 23.0.0.0/8, 27.0.0.0/8, 46.0.0.0/8, 100.0.0.0/8, 107.0.0.0/8, 176.0.0.0/8, 111.0.0.0/8. As of writing 1.0.0.0/8 has already been allocated by IANA to APNIC.

I've written a script that parses the IANA IPv4 address registry to find the unallocated prefixes and identify the ones that have been identified as already in use. The result is astonishing. From the ~24 /8 prefixes unallocated (at time of writing), only 2 /8 prefixes are "clean" (not reported to be used internally by organizations) and 22 are "dirty" because they are already in use by some organizations. The "clean" prefixes are: 14.0.0.0/8 and 106.0.0.0/8.

However, the level of "dirtiness" is variable. Some such as 1.0.0.0/8, 2.0.0.0/8 and 100.0.0.0/8 are much more used internally in private networks and implementations than others. In fact, the recent allocation of 1.0.0.0/8 by IANA have spurred discussions and studies on this issue.

What happens if I already use one of these "dirty" to-be-allocated prefixes in my network?
When the prefix you are using start being announced on the IPv4 Internet, then the sites and networks on the Internet using that prefix will not be reachable from your network and users. It may become a support nightmare if, for example, one of the sites is a well known content site using load-balancing and only some of its servers use the prefix. Therefore, sometimes your users will be able to reach that content, sometimes not: hours of interesting troubleshooting...

Is it possible that I'm using these "dirty" prefixes without knowing?
Even you might not know if you are using the dirty prefixes! For example, maybe your VPN vendor is using that "dirty" prefix to avoid collisions with RFC1918 private address space. When your computer setup the VPN connection, the host routing table then contains a route to this prefix through the VPN interface. Therefore, your host won't be able to reach a site on the Internet that has the same prefix. VPN software is often "smart" which means they setup the VPN on demand and disconnect when not in use. That means, similar to the previous paragraph, sometimes you will be able to reach some sites (when VPN is down) and sometimes you will not be able (when VPN is up): hours of interesting troubleshooting...

What happens if I receive a chunk of these "dirty" to-be-allocated prefixes from my provider?
Your network will become a magnet for packets that, before, went nowhere. Moreover, some end-users on the Internet will not be able to reach your network and sites since they are using the same prefix internally as yours.

What is the solution?
Well, if you are in the previous situations (already using a to-be-allocated prefix), then you should start planning to renumber. You could try to put more NATs but that become pretty tricky. If you are receiving one of these "dirty" prefixes from your provider, then it will be a rocky road...

The best approach, that is future proof, is to start deploying IPv6.

6 comments:

Leo said...

This is an interesting set of results. It would be great if you could share your methodology and results with us and the RIRs so that we can review them in the context of the existing work in this field. I've posted a short article about that on the ICANN blog.

Marc said...

Leo,
methodology is super simple: At the time of the posting, I took all the non-allocated prefixes from IANA. Then I took all prefixes reported by others (referred in the blog entry) as being used internally. Then I compared the two sets. Only 2 /8 were in IANA unallocated pool and not in the reported prefixes used internally. this is it. Marc.

Will said...

Thanks for this post. I've run into this issue on two sites using 107.0.0.0/8 on what appear to be Amazon cloud servers: http://community.articulate.com and http://cloud.scorm.com

So I appreciate the explanation for why I am unable to reach these at work.

Anurag said...

Good job! This is the kind of information that must be shared across the Web.Thanks for sharing.
PC optimization
Setup, Configure and Troubleshoot Wireless Network (Wi-Fi)
operating system support

seo services said...

This helps user refine the search term instantly, because the search results change as users type.
Setup, Configure and Troubleshoot Wireless Network (Wi-Fi)

Home network support

operating system support

markjacktechnicalsupport said...

I'm hoping that they completely remove storage limits. Do it for April Fools Day. Then buy Dropbox and do the same thing.
operating system support
Setup, Configure and Troubleshoot Wireless Network (Wi-Fi)
computer repair