Researchers puzzle: Who faked IPv4 addresses and for what?

The research branch of the European address allocation body RIPE has found that a large chunk of reserved IPv4 addresses is being used surreptitiously.

Lesezeit: 5 Min.
In Pocket speichern
vorlesen Druckansicht Kommentare lesen

(Bild: asharkyu/Shutterstock.com)

Von
  • Dusan Zivadinovic

(Hier finden Sie die deutsche Version des Beitrags)

Qasim Lone, an employee of RIPE Labs, shows in an analysis that has so far gone largely unnoticed by the public that an IPv4 address range that has actually been reserved for decades is secretly being used by one or more companies for their own purposes.

This sounds explosive because it lacks solidarity: IPv4 addresses have been a scarce commodity for many years and there have long been considerations to release reserved ranges for public use. But if they are already secretly in use in private networks, they cannot easily be reallocated to public IPv4 addresses because the routing to and from such IPv4 addresses would not be clear.

Specifically, it concerns the range from 240.0.0.0 to 255.255.255.255, or 240/4 for short (formerly called Class E). This block, which comprises around 268 million addresses (268,435,456 addresses to be exact), was reserved by the Internet Engineering Task Force "for future use" in 1986, so that it may neither be used nor routed. In his article, Lone lists two initiatives that have campaigned for this block to be used after all. Both mention concrete proposals for rededication, but were not definitively specified.

There are also experts who oppose this. The demand for IPv4 addresses is so high that even hundreds of millions of new addresses are likely to be used up quickly. It would therefore be better for institutions and companies suffering from IPv4 shortages to concentrate on the introduction of IPv6 technology, especially since it does not have a whole bunch of typical IPv4 shortcomings in the first place.

Critics also object that it is not enough to announce from the pulpit that 240/4 may be used. In addition, all operating systems and routers worldwide would have to be adapted as far as possible, because they normally exclude the area up to now. Some estimate the effort required for this to be so high that it is not worth it. On the other hand, members of the Unicast-Extensions project (The IPv4 Cleanup Project), which is run on GitHub, state that they have long since created working patches for various operating systems, including Linux, FreeBSD and macOS.

Thus, the decision on the utilisation of this address block is up in the air. However, because it is known among experts that not all Internet participants always adhere to the guidelines of the IETF, and because some excluded address ranges have already been used unofficially in the past, the RIPE Lab investigated whether this is also the case with 240/4. The result was that the block is indeed in use in private networks, but without the necessary coordination with the global Internet community.

Such usage can be detected in various ways outside the networks where they are tacitly used. For example, they can appear in traceroute measurements as an unexpected part of a path between two public addresses, in DNS communication that enters the public internet or, for example, in complete or partial connections between public and private networks due to insufficient filters of some routers. However, RIPE has additional measurement methods within many networks with its Atlas probes.

In his article, Qasim Lone explains in detail how he used the probes and from which networks the unofficial use originates according to his measurements. Some things point to Adobe, Amazon and Verizon Business.

Definitive proof is still lacking. But it is quite possible that "extremely large cloud providers" have already used up the regular address supply (Address Allocation for Private Internets, RFC 1918, around 18 million private IPv4 addresses). It is therefore assumed that the largest cloud providers have leased more servers and VMs to customers than they can address internally via regular private IPv4 addresses, so that they secretly make do with the 240/4 address space.

This fits well with the picture that Amazon acquired many unicast IPv4 address blocks years ago and is steadily buying more on the open market. By 2020, AWS had collected just over 100 million IPv4 addresses (100,750,168).

See also:

Qasim Lone, 240/4 As Seen by RIPE Atlas

Mehr von c't Magazin Mehr von c't Magazin

(dz)