undefined | Better HN

0 pointsHavoc5y ago0 comments

Why would you do that though when there are perfectly fine internal address ranges available?

0 comments

18 comments · 5 top-level

twic5y ago· 5 in thread

In our case, we were setting up VPN tunnels to a partner, who for some reason required that the addresses on our side should (appear to be) public IP addresses. So we couldn't use 10/8 or 192.168/16 in (that part of) our network.

They didn't actually need the addresses to be routable from the public internet (that was the whole point of the VPN). I think the requirement was really a way of making sure they were unique. I'm sure they had several partners who used 10/8 internally.

GekkePrutser5y ago

There's also 172.16/12 :) But yeah I agree. If you're running a VPN for a large company it's kinda hard to avoid such conflicts.

In my work we use 10.0.0.0/8 but of course some people use the same at home even though 192.168/16 is way more common. In general I find 172.16/12 the least common in the field.

simondotau5y ago

I personally use a range towards the end of the 172.16/12 reservation for my home network for exactly this reason. Ever since I made the change five years ago I’ve never suffered any conflicts when running a VPN in or out.

1 more reply

jamiek885y ago

I know the old Apple extreme and time machine routers used to default to 10 rather than 192 ever since then I’ve kept my internal routing within that block.

It just looks nicer to me which shows the power of Apple and how easily I am influenced.

mrweasel5y ago

I like the 172.12/16 to company network, especially small companies with limited support resources. Getting employees on VPN is much simpler as virtually no home routers use that range.

bombcar5y ago

A trick is to use something in the 10 range but not /8 - 10.185.203/24 will work on a 10/8 network (assuming no actual host overlap) as it’s more specific and will route first.

Still gives you fun issues though.

Godel_unicode5y ago· 4 in thread

I suspect there are a decent number of network engineers who think it's funny to use DoD IPs for their internal network, especially given what their logging system will probably tell them by default.

If you drive around with a WiFi stumbler running, you'll run into networks with names like "UTAH DATA CENTER" and "SIPRnet", etc for the same reason.

XorNot5y ago

The main reason (I've done this at a bank previously) is when you need to ensure you don't overlap with other internal IP (RFC1918 was represented everywhere and routeable internally) and when you're trying to dodge 99% of your engineer's default Docker configs to reduce support request load.

In that case there's never any chance it'll be needed by people using the public internet there, and never any chance it'll be used suddenly by a deployed internal service somewhere else from an outside vendor.

trulyme5y ago

Default Docker configs are atrocious. Most devs/devops don't even know that when it creates a network, it takes a /16 ip range out of 172.[17-31].0.0/16 or 192.168.[0-240].20/20 by default. It is just a matter of time before a restart makes it collide with an existing network range. It does skip networks defined on local interfaces at least, but this only means that devs don't learn about this landmine on their own machines, nuking production instead.

The default should reserve a single ip range and simply fail (with a nice message) if more are needed.

imwillofficial5y ago

I always hated seeing “FBI Surveillance Van”

Made me wanna climb out of my FBI Surveillance Van and have a word with them.

leesalminen5y ago

Ha! “Unmarked white van” is the WiFi name at my local dog daycare. I got a good laugh.

1 more reply

Denvercoder95y ago· 3 in thread

Two things that come to mind are running out of private address space (a /8 isn't that large), or wanting address space that doesn't clash with other private networks (e.g. to ensure a VPN doesn't overlap with home networks). There's probably more reasons.

VLM5y ago

> running out of private address space

Classic merger "solution".

Company A uses 10/8 Company B uses 10/8, company A buys company B and orders new subsidiary B to renumber into 11/8 "All you have to do is change every first octet to 11"

sk1ppy5y ago

Merger after merger after merger followed by a massive adoption of public cloud (using Direct Connect/Express Route for hybrid connectivity) has led at least two very large FinServs I worked for adopting CGNAT (100.64/10) for parts of their internal networks.

In both cases RFC1918 was used throughout their global network and while not fully used, had become highly fragmented over time.

woleium5y ago

or, you know, use NAT to do so :)

2 more replies

Taniwha5y ago· 1 in thread

In my case I got a class C around about 1992 (back then that was the only way to get on the internet), at some point the ISP above my ISP claimed it as theirs without telling me .... I still use it internally why should I change?

icedchai5y ago

Is it "directly assigned" to you in whois? I got mine around 1993.

mrkstu5y ago

In the case of a managed service provider I worked for, using non-announced gov/mil space allowed us to inject routes for monitoring purposes into the MPLS vrfs of our customers so we could poll the routers without using our own public space.

j / k navigate · click thread line to collapse

0 comments

18 comments · 5 top-level

twic5y ago· 5 in thread

GekkePrutser5y ago

There's also 172.16/12 :) But yeah I agree. If you're running a VPN for a large company it's kinda hard to avoid such conflicts.

In my work we use 10.0.0.0/8 but of course some people use the same at home even though 192.168/16 is way more common. In general I find 172.16/12 the least common in the field.

simondotau5y ago

1 more reply

jamiek885y ago

I know the old Apple extreme and time machine routers used to default to 10 rather than 192 ever since then I’ve kept my internal routing within that block.

It just looks nicer to me which shows the power of Apple and how easily I am influenced.

mrweasel5y ago

I like the 172.12/16 to company network, especially small companies with limited support resources. Getting employees on VPN is much simpler as virtually no home routers use that range.

bombcar5y ago

A trick is to use something in the 10 range but not /8 - 10.185.203/24 will work on a 10/8 network (assuming no actual host overlap) as it’s more specific and will route first.

Still gives you fun issues though.

Godel_unicode5y ago· 4 in thread

I suspect there are a decent number of network engineers who think it's funny to use DoD IPs for their internal network, especially given what their logging system will probably tell them by default.

If you drive around with a WiFi stumbler running, you'll run into networks with names like "UTAH DATA CENTER" and "SIPRnet", etc for the same reason.

XorNot5y ago

trulyme5y ago

The default should reserve a single ip range and simply fail (with a nice message) if more are needed.

imwillofficial5y ago

I always hated seeing “FBI Surveillance Van”

Made me wanna climb out of my FBI Surveillance Van and have a word with them.

leesalminen5y ago

Ha! “Unmarked white van” is the WiFi name at my local dog daycare. I got a good laugh.

1 more reply

Denvercoder95y ago· 3 in thread

VLM5y ago

> running out of private address space

Classic merger "solution".

Company A uses 10/8 Company B uses 10/8, company A buys company B and orders new subsidiary B to renumber into 11/8 "All you have to do is change every first octet to 11"

sk1ppy5y ago

In both cases RFC1918 was used throughout their global network and while not fully used, had become highly fragmented over time.

woleium5y ago

or, you know, use NAT to do so :)

2 more replies

Taniwha5y ago· 1 in thread

icedchai5y ago

Is it "directly assigned" to you in whois? I got mine around 1993.

mrkstu5y ago

j / k navigate · click thread line to collapse