I've seen many enterprise customers using RFC 1918 address space internally.
This includes allocating 10/8 addresses for hosts, and 172.16/12 for isolated
segments behind firewalls. Since 192.168/16 may be used by employees in their
homes accessing the corpnet, often this block is avoided for use in address
allocation on VPN servers.

In terms of NAT usage in enterprise, it is very common: in branches, employee
homes, campuses, even in data center load balancers (reverse NAT). It is quite
common to see RFC 1918 space of all types in enterprise routing tables. Given
the huge influx of mobile devices (many of which do not support IPv6 fully),
there will be even more pressure to deploy RFC 1918 addresses and more
efficiently use routable address space.

In general, enterprise addressing plans are developed and changed deliberately
and with considerable planning. Where things become more tricky is in Extranet
design where connections can be made to partners with their own addressing
complexities. To avoid routing issues, fire gaping may be required.

On Dec 4, 2011, at 21:24, "Pete Resnick" <presnick(_at_)qualcomm(_dot_)com>
wrote:

On 12/4/11 8:22 AM, Hadriel Kaplan wrote:
So you tell me how safe picking a specific RFC 1918 address space is. There
are ~100,000 enterprises with over 100 employees just in the US, and ~20,000
with over 500 employees in the US. Obviously my company is a tech company
so it's probably not "normal", but still it seems obvious enterprises use
random 10.x.x.x and 172.16/12.

AFAICT, it *isn't* safe to use these addresses if and only if these
enterprises *also* use equipment that can't deal with 1918 addresses on their
external interface. For example, your machine taking a 10.2xx.xxx.xxx address
isn't a problem in and of itself because the NAT in front of you is
translating. The issue only arises if the Carrier Grade NAT in front of you
is on the other side of equipment that *can't* handle that portion of address
space on the outside.

Now, I don't know if that means it *is* safe. I don't know how many
enterprises talk to CGNs and wouldn't be able to deal with a particular block
of 1918 addresses on the outside. That's the question I'd really like an
answer....