Hacker News

Why would you do that though when there are perfectly fine internal address ranges available?


I suspect there are a decent number of network engineers who think it's funny to use DoD IPs for their internal network, especially given what their logging system will probably tell them by default.

If you drive around with a WiFi stumbler running, you'll run into networks with names like "UTAH DATA CENTER" and "SIPRnet", etc. for the same reason.


The main reason (I've done this at a bank previously) is when you need to ensure you don't overlap with other internal IP (RFC1918 was represented everywhere and routeable internally) and when you're trying to dodge 99% of your engineers' default Docker configs to reduce support request load.

In that case there's never any chance it'll be needed by people using the public internet there, and never any chance it'll be used suddenly by a deployed internal service somewhere else from an outside vendor.


Default Docker configs are atrocious. Most devs/devops don't even know that when it creates a network, it takes a /16 ip range out of 172.[17-31].0.0/16 or 192.168.[0-240].20/20 by default. It is just a matter of time before a restart makes it collide with an existing network range. It does skip networks defined on local interfaces at least, but this only means that devs don't learn about this landmine on their own machines, nuking production instead.

The default should reserve a single ip range and simply fail (with a nice message) if more are needed.
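An added illustration of the landmine described above, not code from the thread: it emulates Docker's default pool selection (assumed here to be 172.17.0.0/16 through 172.31.0.0/16, then 192.168.0.0/20 through 192.168.240.0/20, skipping pools that overlap a network visible on the host) and shows why a hypothetical internal range that is a VPN route on a laptop, but only reachable via the default route in production, is skipped on the laptop and collided with in production.

```python
import ipaddress
from typing import List, Optional, Tuple


def docker_default_pools() -> List[ipaddress.IPv4Network]:
    """Docker's default address pools as described in the comment above
    (assumption: 172.17.0.0/16 .. 172.31.0.0/16, then
    192.168.0.0/20 .. 192.168.240.0/20, handed out in this order)."""
    pools = [ipaddress.ip_network(f"172.{o}.0.0/16") for o in range(17, 32)]
    pools += [ipaddress.ip_network(f"192.168.{o}.0/20") for o in range(0, 256, 16)]
    return pools


def next_docker_pool(local_nets, in_use) -> Optional[ipaddress.IPv4Network]:
    """Emulate the allocation rule: take the first pool that is neither already
    allocated nor overlapping a network visible on a local interface/route."""
    for pool in docker_default_pools():
        if pool in in_use or any(pool.overlaps(n) for n in local_nets):
            continue
        return pool
    return None  # all 31 pools exhausted


def collisions(pool, routes) -> List[ipaddress.IPv4Network]:
    """Routes the chosen pool would shadow once Docker installs its bridge route."""
    return [r for r in routes if pool.overlaps(r)]


def scenario() -> Tuple[str, str, List[str]]:
    """Constructed scenario: a hypothetical internal service range
    172.18.0.0/16 is a VPN route on the developer laptop (so Docker sees it
    and skips it), but in production it sits behind the default route and is
    invisible to the overlap check."""
    internal = [ipaddress.ip_network("172.18.0.0/16")]
    laptop_local = [ipaddress.ip_network("192.168.1.0/24")] + internal
    prod_local = [ipaddress.ip_network("10.20.30.0/24")]
    in_use = [ipaddress.ip_network("172.17.0.0/16")]  # docker0 already took it
    laptop_pool = next_docker_pool(laptop_local, in_use)
    prod_pool = next_docker_pool(prod_local, in_use)
    hits = [str(r) for r in collisions(prod_pool, internal)]
    return str(laptop_pool), str(prod_pool), hits


if __name__ == "__main__":
    print(scenario())  # ('172.19.0.0/16', '172.18.0.0/16', ['172.18.0.0/16'])
```

Running the same check on every host class before rollout, or pinning `default-address-pools` in daemon.json to a range reserved for Docker, is the mitigation the comment argues for.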


I always hated seeing “FBI Surveillance Van”

Made me wanna climb out of my FBI Surveillance Van and have a word with them.


Ha! “Unmarked white van” is the WiFi name at my local dog daycare. I got a good laugh.


My wifi is called nsa_net


Yeah, sharing SSIDs isn't such a great idea. Check out https://wigle.net ... Obviously multiple people around the world use this one, but it narrows it down for dedicated people.


Mine is your_wife_is_hot.


I have a wife?!? When did this happen?!


Now I know who you are.


Two things that come to mind are running out of private address space (a /8 isn't that large), or wanting address space that doesn't clash with other private networks (e.g. to ensure a VPN doesn't overlap with home networks). There's probably more reasons.


> running out of private address space

Classic merger "solution".

Company A uses 10/8, Company B uses 10/8; company A buys company B and orders new subsidiary B to renumber into 11/8: "All you have to do is change every first octet to 11."


Merger after merger after merger, followed by a massive adoption of public cloud (using Direct Connect/Express Route for hybrid connectivity), has led at least two very large FinServs I worked for to adopt CGNAT (100.64/10) for parts of their internal networks.

In both cases RFC1918 was used throughout their global network and while not fully used, had become highly fragmented over time.


or, you know, use NAT to do so :)


or upgrade to ipv6 :)


or maybe ask the question regarding why we're not all running ipv6.


why?


It's incompatible with IPv4, has a stupid addressing scheme, it requires new router hardware and software for ISPs to buy, and nobody is using it because of all the aforementioned issues.


What could an increase in the IP address space do to be compatible? I can think of a couple things to be partially compatible but IPv6 already does those.

And by "stupid addressing scheme" do you mean it's too big, or what? You can ignore all that stuff with mac addresses and make all your addresses go like prefix:subnet::1 prefix:subnet::2 prefix:subnet::3 if you want to.


You forgot, they're nowhere near as easy to remember as v4. If you're used to remembering phone numbers, important v4 IPs aren't that hard to mentally internalize.

Screw DNS. Screw the recommendation to stay away from IPs. If it's important enough to be on the network, it's important enough to have a static IP.


You're being downvoted, but the last 3 ISPs I used didn't support IPv6. The first one didn't support IPv6 at all; the second supported it, but was incompatible with my router. And I didn't care about it after that. Hardware incompatibility is a huge roadblock for IPv6.


IPv6 is well over 20 years old. In fact, IPv6 is now older than the IPv4 Internet was when it went mainstream back in the mid 90's. There is really no excuse not to support it...


Because even equipment that claims IPv6 support often doesn't have it. We have seen both software and hardware which "supported" IPv6 for 5-10 years, but we were the first to use it in production and the manufacturer hadn't tested it since the initial implementation.


Because ipv6 is hard and NAT works well enough.


> NAT works well enough

Yeah, it works well enough until it doesn't: I love when VoIP calls have one-way audio or when I have to map ports because the traversal method used by this P2P app is not working. When run at the ISP level it's even more fun: remember when Wikipedia blocked the whole of Qatar?


IPv6 on an internal network is trivial. It is supported by both Windows and MacOS (and Linux) out of the box.

If your ISP doesn't provide it, get one that does. They should allocate you a /56 by default per connection, if not something larger like a /48 if you have multiple locations.

Subnet the /48 for each connection, subnet each /56 into /64 subnets. Reserve one of the /56s for site-to-site if needed.

Done.


IPv6 is like Python 3. A worthy upgrade, but it tried to do too much in a single coup and broke backwards compatibility. If they had simply added two top octets, saying that 0.0.... was the old IPv4, everyone would have used it ages ago. Instead they made other improvements which led to a complex standard and worse adoption.


> If they simply added two top octets, saying that 0.0.... was the old ipv4, everyone would have used it ages ago.

How would you "simply add two top octets"? The address fields in the IPv4 header are a fixed size of 32 bits. Every time this is discussed, someone comes up with this suggestion to "just make the addresses longer and change nothing else", but there's no way to make the addresses longer without changing something else. And that's before considering compatibility with older hosts or routers; how would an old host talk to a new host, or two new hosts talk one to another with an old router in the path? In the end, what you'd have would be two separate networks, with some hosts being in both networks, which is exactly what we have with IPv4 and IPv6.


Yes, obviously you need a new wire format and bigger addresses; that was always going to change. What did not need to happen was changing/replacing DHCP, routing changes, and a half-hearted attempt to bake in IPsec.


how would nat help in this case?


If they're not actually using the whole /8 (highly likely), you can set up a 1:1 NAT. Basically, from network B, if you want to talk to network A, you find out the address in 11/8 that corresponds to the 10/8 address and vice versa. You can use split-horizon DNS to make it mostly transparent.

Every networking problem in the world can be solved with more NAT or more encapsulation :)


You don't have to use every address in 10.0.0.0/8 to effectively fill it up. If your corporate policy is to assign a /16 to each floor of a building, and you have a LOT of buildings it's pretty easy to fill up the space even if most of the /16s are sparsely populated. It's much easier to move on to the 11. space when you build that new building that pushes you over than renumbering your entire corporate LAN.


Right, but that's not relevant for 1:1 NAT (well, at least it doesn't have to be). Since the NAT would happen in software, you're no longer constrained by subnets being physically under routers. 11.2.3.0/24 could contain 10.0.1.0/24 and 10.128.128.0/24 without any issues, assuming they don't use more than 256 addresses in total.
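A worked version of the 1:1 (static, port-preserving) NAT table the last two comments describe, added here and not from the thread: hosts from two non-adjacent 10/8 subnets are mapped one-for-one into 11.2.3.0/24, the table is consulted in both directions, unmapped sources are dropped, and exhausting the translated block fails loudly instead of silently reusing addresses. The host addresses are constructed sample values.

```python
import ipaddress
from typing import Dict, Iterable


class OneToOneNat:
    """Static 1:1 NAT table (NAT without PAT): every real 10/8 host gets exactly
    one address in the translated block, so hosts from scattered 10.x subnets
    can be presented to the other side inside a single /24."""

    def __init__(self, translated_block: str) -> None:
        self.block = ipaddress.ip_network(translated_block)
        self._free = iter(self.block.hosts())  # hand out translated addresses in order
        self.inside_to_outside: Dict[ipaddress.IPv4Address, ipaddress.IPv4Address] = {}
        self.outside_to_inside: Dict[ipaddress.IPv4Address, ipaddress.IPv4Address] = {}

    def add_host(self, real_ip: str) -> ipaddress.IPv4Address:
        real = ipaddress.ip_address(real_ip)
        if real in self.inside_to_outside:  # idempotent: re-adding keeps the mapping
            return self.inside_to_outside[real]
        try:
            mapped = next(self._free)
        except StopIteration:
            raise ValueError(f"{self.block} exhausted, cannot map {real}") from None
        self.inside_to_outside[real] = mapped
        self.outside_to_inside[mapped] = real
        return mapped

    def add_hosts(self, real_ips: Iterable[str]) -> None:
        for ip in real_ips:
            self.add_host(ip)

    def outbound(self, src: str) -> str:
        """Packet leaving network B toward A: rewrite the real source address.
        An unmapped source raises KeyError, i.e. the NAT box drops the packet."""
        return str(self.inside_to_outside[ipaddress.ip_address(src)])

    def inbound(self, dst: str) -> str:
        """Packet arriving from A: rewrite the translated destination back."""
        return str(self.outside_to_inside[ipaddress.ip_address(dst)])


def build_example() -> OneToOneNat:
    """Constructed hosts from 10.0.1.0/24 and 10.128.128.0/24 squeezed into
    11.2.3.0/24, the case the comment above describes."""
    nat = OneToOneNat("11.2.3.0/24")
    nat.add_hosts(["10.0.1.10", "10.0.1.11", "10.128.128.5"])
    return nat
```

The same table is what the split-horizon DNS zone on each side would be generated from, so a name resolves to the real address internally and to its 11.2.3.x twin across the link.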


What you call 1:1 NAT is just called NAT by Cisco; the stuff most folks think NAT is is actually NAT+PAT (like what you run on your home router with a single public IP).


Mostly, but NAT without PAT doesn't have to be 1:1. You could put 100 hosts behind 20 IP addresses without ever changing a port.


Exactly, that's why I specified.


It basically maps addresses visible on one interface to those on a different interface. So you can route many addresses on 10.x to a single 10.x address that is on a different network.

https://www.cisco.com/c/en/us/support/docs/ip/network-addres...


In our case, we were setting up VPN tunnels to a partner, who for some reason required that the addresses on our side should (appear to be) public IP addresses. So we couldn't use 10/8 or 192.168/16 in (that part of) our network.

They didn't actually need the addresses to be routable from the public internet (that was the whole point of the VPN). I think the requirement was really a way of making sure they were unique. I'm sure they had several partners who used 10/8 internally.


There's also 172.16/12 :) But yeah I agree. If you're running a VPN for a large company it's kinda hard to avoid such conflicts.

In my work we use 10.0.0.0/8 but of course some people use the same at home even though 192.168/16 is way more common. In general I find 172.16/12 the least common in the field.


I personally use a range towards the end of the 172.16/12 reservation for my home network for exactly this reason. Ever since I made the change five years ago I’ve never suffered any conflicts when running a VPN in or out.


Virtually nobody realizes 172.17-172.31 are available.

And many are surprised to find that there are 172.* that are routable.


I know the old Apple Extreme and Time Machine routers used to default to 10 rather than 192; ever since then I've kept my internal routing within that block.

It just looks nicer to me which shows the power of Apple and how easily I am influenced.


I like the 172.12/16 for company networks, especially small companies with limited support resources. Getting employees on VPN is much simpler as virtually no home routers use that range.


A trick is to use something in the 10 range but not /8 - 10.185.203/24 will work on a 10/8 network (assuming no actual host overlap) as it’s more specific and will route first.

Still gives you fun issues though.


In my case I got a class C around about 1992 (back then that was the only way to get on the internet); at some point the ISP above my ISP claimed it as theirs without telling me .... I still use it internally; why should I change?


Is it "directly assigned" to you in whois? I got mine around 1993.


In the case of a managed service provider I worked for, using non-announced gov/mil space allowed us to inject routes for monitoring purposes into the MPLS vrfs of our customers so we could poll the routers without using our own public space.




