North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: 2008.02.20 NANOG 42 IPv4 PTR queries for unallocated space

  • From: michael.dillon
  • Date: Wed Feb 20 14:29:50 2008

> Doesn't know how to measure truly private internal use; if 
> you have ideas, let him know.

Make official requests to companies who operate networks along
with assurances of confidentiality. Include the NDA that you
are willing to sign along with your request. Try to find a legal
contact for each company and submit the requests to them as well
as to IP addressing folks and engineering/ops folks.

Note that "companies who operate networks" does not include
"network operators". A second approach that is more likely
to get results, but less likely to answer the whys and
wherefores, is to go to "network operators" who are in
the VPN or private lines business and ask them for stats
on what address ranges (and how many instances) their
customers use on private IP networks. Probably need the
same NDA and approach to legal contacts.

I know of a nonISP that has three separate non-overlapping
and non-connected private IP networks which use 1/8 addresses.
I know of a company that uses 1/8 through 8/8 on private
IP networks. I know of a company that chose to use 126/8 
addresses because it seemed that 126/8 would be the last
IP block for RIRs to allocate. Then big cable companies
started running out of 10/8 space...

I've even seen an ISP using a /24 carved out of 196/8 in
their internal network management systems. I wasn't able 
to find out if that started life as a typo of 192.168.?.?
and I can't remember the exact /24 range.

I've received SPAM reports for a former customer who connected
in 1994, received a /24, disconnected in 1996 but kept using
that /24 internally behind NATs. One day a bright salesperson
decided to SPAM some advertising. Since the SPAM content matched
this former customer's business, I chased it up and discovered
the reason why our address range was in the mail headers.
Is it possible to measure this? Maybe sniffing ISP nameserver
traffic to identify matching A and PTR queries where the PTR 
name is clearly located in a different address range?

> 2/8, 1/8, 23/8, 5/8, 100/8 is there at #5, which is odd. 

Odd? It's a round number which probably means that more
than one person has picked it when they needed to make
up an IP address.

> next /8's they *were* going to give ARIN were 100/101, they 
> decided to NOT give it out to figure out why there's so many 
> hits on it in this round.

It would be good to find out why people have these kinds of
DNS leaks. Hopefully it will turn out to be configuration 
errors which can be addressed through best practices.
Even when the space becomes allocated, people will continue 
to use these blocks and this can be expected to become even
more common when IPv4 nears exhaustion.

--Michael Dillon