Can I Use Shared (RFC 6598) IPv4 Address Space Within My Network?
Andrew sent me the following question: “I'm pushing to start a conversation about IPv6 in my organization, but meanwhile I've no RFC 1918 space left. What's your take on 100.64.0.0/10 - it seems like this is available for RFC 1918 purposes, even if not intentionally?”
Short answer: Don’t even think about that!
What is shared IPv4 address space?
The shared IPv4 address space (defined in RFC 6598) is non-private IPv4 address space that service providers can use to deploy carrier-grade NAT (CGN) services.
Why do they need it?
Imagine the following scenario: your SOHO router (CPE) is connected to a residential ISP network. The ISP ran out of IPv4 addresses and deployed CGN to offer at least some IPv4 connectivity to new customers.
Unless the ISP uses MAP-E or DS-Lite (both of them use IPv6 in the physical access network), they still have to assign an IPv4 address to the outside interface of the CPE, but they don’t have any public addresses left. They cannot use RFC 1918 address space because the outside IPv4 address assignment might overlap with whatever you’re using internally. The only solution is another block of non-public IPv4 addresses – 100.64.0.0/10.
Why can’t I use 100.64.0.0/10 within my network?
Imagine the scenario from the previous paragraph in reverse: you’re using 100.64.0.0/10 within your enterprise network and a remote site gets assigned an IP subnet from the same address block on the outside interface. Someone is bound to be confused – first a router (or a few of them), then the poor engineer troubleshooting weird connectivity failures.
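The collision described above, checked against a constructed address plan as an added example (this is not the post's code; the internal prefixes, branch names and CPE outside addresses are assumed):

```python
import ipaddress

# Address blocks the post contrasts: RFC 1918 private space and the
# RFC 6598 shared space reserved for carrier-grade NAT deployments.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")

# Caveat: the stdlib treats 100.64.0.0/10 as neither private nor global, so a
# plan checker built on is_private alone would never flag it.
SHARED_IS_PRIVATE = RFC6598.is_private  # False

def classify(prefix):
    """Return 'rfc1918', 'rfc6598-shared' or 'other' for an IPv4 prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        return "other"
    if any(net.subnet_of(p) for p in RFC1918):
        return "rfc1918"
    if net.subnet_of(RFC6598):
        return "rfc6598-shared"
    return "other"

def audit(internal_prefixes, cpe_outside):
    """Flag internal prefixes carved from shared space, and any that already
    overlap the subnet an ISP assigned to a remote-site CPE's outside interface.
    Returns (kind, internal_prefix, site) tuples; site is None for the first kind."""
    findings = []
    for prefix in internal_prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        if classify(prefix) == "rfc6598-shared":
            findings.append(("shared-space-internal", prefix, None))
        for site, assigned in cpe_outside.items():
            wan = ipaddress.ip_interface(assigned).network  # ISP-side subnet on the CPE
            if wan.version == net.version and wan.overlaps(net):
                findings.append(("collision", prefix, site))
    return findings

# Constructed sample plan (hypothetical): two internal blocks taken from shared
# space, and three branch CPEs, two of which sit behind the ISP's CGN.
SAMPLE_INTERNAL = ["10.1.0.0/16", "100.64.10.0/24", "100.100.0.0/16"]
SAMPLE_CPE = {
    "branch-7": "100.64.10.77/22",  # CGN outside address that overlaps the internal /24
    "branch-9": "100.127.3.5/24",   # also CGN, no overlap with the plan yet
    "branch-2": "203.0.113.9/30",   # public outside address
}

if __name__ == "__main__":
    for kind, prefix, site in audit(SAMPLE_INTERNAL, SAMPLE_CPE):
        print(f"{kind:22} {prefix:18} {site or ''}")
```

Run it before any further allocation is made: a "collision" finding is the routing confusion the post describes, and a "shared-space-internal" finding is the same failure waiting for the next ISP CGN assignment.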
You could “solve” the problem by using VRFs on the remote site routers – put the Internet interface in a separate VRF (separating internal and public address spaces), use inter-VRF NAT for direct Internet access, and run IPsec tunnel with your corporate network across a transport VRF.
Scratch that! Stop being MacGyver and tell your manager it’s high time to move to IPv6 because you have the same problem as everyone else: you ran out of IPv4 addresses.
New to IPv6?
Start with the Enterprise or Service Provider introduction webinars, then work your way through the whole IPv6 webinars roadmap. You can also get them all by buying the IPv6 trilogy or the yearly subscription.
Please correct the typo: you used 10.64.0.0/10 twice.
It might be confusing to other readers.
BTW, excellent post. It's nice to learn something new every time I visit your blog.
"Shared Address Space is IPv4 address space designated for Service Provider use with the purpose of facilitating CGN deployment. Also, Shared Address Space can be used as additional non-globally routable space on routing equipment that is able to do address translation across router interfaces when the addresses are identical on two different interfaces."
That's hardly MacGyvering a solution together when the recommendation is right there in the RFC.
Yeah, that's really easy to troubleshoot, isn't it? Not to mention the routing issues - have you tried to configure the same subnet on two LAN interfaces on Cisco IOS? When was the last time you were trying to fix something like that at 2AM on a Sunday morning?
Subscribe to a few IETF mailing lists for a few months and you'll understand how "recommendations" like the one you quoted make it into the RFCs.
I was always taught that just because you *can* do something doesn't mean you *should* do it.