[HN Gopher] All IP addresses are equal? "Dot-zero" addresses are...
___________________________________________________________________
All IP addresses are equal? "Dot-zero" addresses are less equal
(2013)
Author : JdeBP
Score : 53 points
Date : 2023-06-24 07:33 UTC (1 day ago)
(HTM) web link (labs.ripe.net)
(TXT) w3m dump (labs.ripe.net)
| ilyt wrote:
| /31 is an equally funny one; it confuses so many people who really
| should know better.
| betaby wrote:
| Yep, despite the fact being the standard for 22 years.
| schoen wrote:
| (For people who are unfamiliar with this, see RFC 3021.)
| bell-cot wrote:
| Real-old-timer's "solution" - start moving major DNS servers,
| search engine crawlers, Gmail web pages, bank payment system
| gateways, etc. to those addresses. People fix sh*t fast when the
| suffering is on their end.
| myself248 wrote:
| Similarly I've been advocating that a few major routers should
| simply drop all IPv4 for one minute at noon UTC. Next month,
| make it two minutes. IPv6 adoption would skyrocket.
| lmm wrote:
| Needs to happen during American daytime, the US doesn't care
| until it affects them (which is exactly why it's taken so
| long to move off IPv4, the US has plenty of addresses).
| schoen wrote:
| (2013)
|
| You can see quite a lot of these in
|
| http://ec2-reachability.amazonaws.com/
|
| I think the situation has improved with regard to this specific
| issue since 2013. I did run some of my own RIPE Atlas tests on
| this more recently (targeting some of the AWS addresses mentioned
| above), and it didn't look particularly bad at all.
|
| Somewhat relatedly, we've been proposing to explicitly allow the
| lowest address within a subnet to be used to number a host. (This
| isn't necessarily dot-zero, and dot-zero isn't necessarily this;
| they coincide exactly in the specific case of a /24 network.)
|
| https://datatracker.ietf.org/doc/draft-schoen-intarea-unicas...
|
| We've gotten patches in Linux and FreeBSD for this, while OpenBSD
| and NetBSD each independently adopted this behavior some time
| ago.
| tedunangst wrote:
| Really love when I get a /30 with one IP from hosting
| providers. (Oops, /30 not 22. Subtracted two from the wrong
| number.)
| candiddevmike wrote:
| Not sure what you mean, what's wrong with being issued a
| single IP on a /22?
| ilyt wrote:
| I think he just mistyped /32.
| schoen wrote:
| So, if the hosting provider's router supports lowest-address,
| you'll be able to host _two_ usable addresses on that subnet,
| at least using Linux, FreeBSD, or OpenBSD (hopefully more
| OSes in the future).
|
| Maybe we should (be able to) get rid of the broadcast address
| in this situation too. Cf. RFC 3021 (adding a special case
| for /31).
|
| (If the hosting provider literally only intends to give you a
| single address, and insists on giving you a subnet, it should
| probably give you a /31 instead of a /30, because of the RFC
| 3021 behavior. Then it's not throwing away addresses for no
| reason.)
| ilyt wrote:
| We assign a /32 to our VMs, then add a /32 device route to the
| router. Not an ISP though, just inside the datacenter.
| 0x0000000 wrote:
| I run a /23 in my primary "home" VLAN specifically so I could
| allocate 10.x.y.0.
|
| All of my hosts are named after pokemon, and use their pokedex
| number as the last byte in their IP addresses -- except for one
| host, which gets the .0
|
| A /24 on its own holds all of generations 1 and 2!
| schoen wrote:
| > All of my hosts are named after pokemon, and use their
| pokedex number as the last byte in their IP addresses -- except
| for one host, which gets the .0
|
| So, if you're sufficiently enthusiastic about Pokemon, you can
| do the DNS and reverse DNS in your head? :-)
| Sesse__ wrote:
| From experience running a DHCP server: .255 in the middle of a
| /23 is allowed, but not accepted by Windows. .0 in the middle of
| a /23 is allowed, but not accepted by iOS.
| betaby wrote:
| What version of iOS is that?
| Sesse__ wrote:
| No idea, the user didn't specify at the time. (The range is
| part of a PI block within former class C space, if it's
| relevant.)
| copirate wrote:
| I've been summoned by the police because of a "dot-zero" address
| on one of our servers.
|
| Someone had been buying stuff online with a stolen card and the
| shop admins provided a list of the IP addresses used, including
| our server's. All the addresses were dot-zero addresses, so I
| assume it was just some kind of unfortunate obfuscation.
| WarOnPrivacy wrote:
| I once had my residential cable provider assign me an address
| ending in .0 (not /24), which I thought was pretty neat. But I
| predictably ran into some sites and services that refused me
| access and eventually forced a change.
| controversial97 wrote:
| This reminds me of eDonkey, a file-sharing program launched in the
| year 2000. A deficiency in the protocol results in clients on an
| IP with a zero last octet being unable to receive incoming
| connections, which means those clients can exchange data with fewer
| peers.
|
| I believe that there is still some use of the ed2k protocol by people
| using eMule. Torrents won, but it is still around.
|
| As far as I have noticed, it has been rare for ISPs to give out IP
| addresses ending in zero since the early 2000s.
| zapdrive wrote:
| Time to move to IPV6.
| mike_hock wrote:
| All IP addresses equal? "Colon-zero" addresses are less equal.
| dpifke wrote:
| For those that don't know:
| https://www.rfc-editor.org/rfc/rfc4291#section-2.6.1
|
| Linux in particular, if IPv6 forwarding is enabled, will
| automatically add an anycast route for the zeroth subnet
| address.
|
| (Unless it's a /127 subnet per
| https://www.rfc-editor.org/rfc/rfc6164.)
| codegeek wrote:
| Haven't we been saying this for years now? Why has IPv6 adoption
| failed?
| NoZebra120vClip wrote:
| Dan J. Bernstein wrote about the reasons why, and it's quite
| enlightening.
|
| https://cr.yp.to/djbdns/ipv6mess.html
| lmm wrote:
| No it isn't. That page sounds clever to the clueless but to
| anyone who actually understands that packet-switched
| networks won out over circuit-switched ones it's deeply
| stupid, to the point that I wonder if he wrote it as some
| kind of deep cover trolling.
| NoZebra120vClip wrote:
| I suppose that you could argue that packet switching won
| out over circuit switching. I mean, except for the
| gigantic installed base of landline telephones (analog
| and ISDN) and the digital switches that support them on
| copper pairs, still extant and supported, VoIP is
| incrementally replacing those lines as the decades
| progress. (How many decades has it been now?)
|
| But you're comparing apples and oranges. What was the
| size of the established, installed base of network hosts
| using circuit-switched networks when packet switching
| started to compete? Did SRI International and other DARPA
| research institutions run IMPs that utilized circuit-
| switching to route network traffic? No, they started with
| packet switching. So essentially, as the Internet caught
| on, its style of packet switching "won" over landline
| telephones because it was a question of capability and
| supported features.
|
| IPv4 and IPv6 are the same protocol, essentially; you
| swap one out under the hood, and the upper and lower OSI
| layers don't even notice that anything's changed. Packet
| switching and circuit switching are two distinct
| techniques that are opposed to one another: if you wanted
| to swap one for the other, you'd be rebuilding your
| network from the ground up.
|
| So, apples and oranges: IPv6 is, by design, a replacement
| for IPv4, and djb is discussing the seemingly intractable
| issues faced by those who attempt to cleanly migrate.
| thrashh wrote:
| I think one big reason why IPv6 won't be a thing for a long
| time is because the people involved decided to do away
| with NAT in IPv6.
|
| What a huge mistake.
|
| NAT is obviously a huge crutch but everyone uses it because
| it's a dead-simple firewall and makes for dead-simple
| internal networks. There are NAT-inspired IPv6 analogues but
| they are not the same.
|
| If NAT with IPv6 was a thing, ISPs could have started
| shipping routers to customers (as they already do) with IPv6
| turned on and we would have already been most of the way to
| IPv6.
|
| But no, they felt NAT was too hacky and did away with it on a
| matter of principle.
| teaearlgraycold wrote:
| They added features that weren't needed, and those new
| features break compatibility. IPv6 is the Python 3 of the
| network stack.
| kmeisthax wrote:
| In both cases the migration happened eventually. All my
| devices have and use v6, and I haven't had to touch Python
| 2.6 in years.
|
| Yes, there are still people stuck with v4 networks and
| 2.6-era codebases. These are legacy cases that are
| increasingly buried deep in the long tail of
| interoperability.
| NegativeK wrote:
| Because it costs money to maintain both stacks, it costs
| money to replace the old ass devices/hardware that are IPv4
| only (at some level -- there are plenty of situations where
| the end user can't spend any reasonable amount of money to
| replace the item because the manufacturers won't fix the
| problem), and it costs money to have employees spend time to
| get trained up in IPv6.
|
| I'd like IPv4 to die, but I've also worked at places where it
| would have a significant (non-internet) international impact
| if you suddenly shot it in the back of the head.
| crims0n wrote:
| Obligatory IPv6 is an academic solution to an engineering
| problem.
| zapdrive wrote:
| No it isn't.
| crims0n wrote:
| Not literally, no, but the spirit of the sentiment is true.
| I've been in some flavor of networking for the past decade;
| there is a reason it hasn't been universally adopted
| despite being ratified 25 years ago.
| betaby wrote:
| We can say that IPv6 is universally adopted for mobile
| networks.
| mbreese wrote:
| But does it universally go IPv6 to IPv6 or IPv6 to a
| NAT64 gateway? Isn't CGNAT also popular for mobile
| networks?
| betaby wrote:
| Most of the traffic in mobile operator networks I'm aware
| of is IPv6 to IPv6, for a very obvious reason: people
| watching YouTube, Facebook et al., which have been IPv6
| enabled for over 10 years. Of course one needs to provide
| IPv4 reachability as well; the details vary from
| network to network, 464XLAT being a popular one.
| jedberg wrote:
| This is what happens when you make the fresh college hire, who
| has only ever seen a /24, write your network interfaces. They
| just assume .0 and .255 are always special.
|
| I say this because I was one of those people when I graduated. At
| our school every network was /24, so 0 and 255 were always
| reserved. It was a while before I learned about CIDR and how
| those addresses may not be reserved.
| candiddevmike wrote:
| I think people might be confused by your post. With an IPv4 /24
| subnet, .0 and .255 are special (they are the network and
| broadcast addresses for a /24, respectively). When you use a
| different subnet mask, the network (first IP) and broadcast
| (last IP) addresses will shift.
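The mask-driven rule candiddevmike states here, and the IPv6 subnet-router anycast reservation dpifke points to further up, as a runnable illustration. This is an added example, not code from the thread or from the RIPE Labs article: it contrasts the last-octet check that rejects every .0/.255 with the CIDR computation that finds the real network and broadcast addresses, treats /31 (RFC 3021) and /32 as having no reserved addresses, counts usable hosts with and without the lowest-address behaviour schoen describes, and returns the RFC 4291 subnet-router anycast address of an IPv6 prefix (none for /127 per RFC 6164). All function names and sample addresses are my own constructions.

```python
"""Added example, not code from the thread or from RIPE Labs: decide
whether an IPv4 address is really a network or broadcast address from
its CIDR mask instead of from its last octet, and compute the IPv6
subnet-router anycast address that RFC 4291 section 2.6.1 reserves.
All addresses used here are constructed sample values."""
import ipaddress
from typing import Optional


def naive_is_special(addr: str) -> bool:
    """The /24-only rule the thread complains about: any address whose
    last octet is 0 or 255 is rejected, whatever the real subnet is."""
    last_octet = int(addr.rsplit(".", 1)[1])
    return last_octet in (0, 255)


def cidr_role(addr: str, prefixlen: int) -> str:
    """Role of an IPv4 address inside its subnet, derived from the mask.

    Returns "network", "broadcast" or "host". A /31 (RFC 3021) has no
    network or broadcast address and a /32 is a single host, so every
    address in those prefixes is a plain host.
    """
    iface = ipaddress.IPv4Interface(f"{addr}/{prefixlen}")
    if prefixlen >= 31:
        return "host"
    net = iface.network  # host bits stripped: 10.0.1.0/23 -> 10.0.0.0/23
    if iface.ip == net.network_address:
        return "network"
    if iface.ip == net.broadcast_address:
        return "broadcast"
    return "host"


def usable_host_count(prefixlen: int, lowest_address_usable: bool = False) -> int:
    """Usable host addresses in an IPv4 prefix.

    lowest_address_usable models the behaviour schoen describes above
    (the lowest address of the subnet usable as a host). It only changes
    prefixes shorter than /31; in a hosting setup the provider's router
    still takes one of the remaining addresses.
    """
    if prefixlen == 32:
        return 1
    if prefixlen == 31:
        return 2  # RFC 3021 point-to-point link: both addresses are hosts
    reserved = 1 if lowest_address_usable else 2
    return 2 ** (32 - prefixlen) - reserved


def subnet_router_anycast(prefix: str) -> Optional[ipaddress.IPv6Address]:
    """RFC 4291 section 2.6.1: the address with an all-zero interface ID
    is the subnet-router anycast address, so it must not be given to a
    host. RFC 6164 exempts /127 point-to-point links, and a /128 is a
    single host, so both return None."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen >= 127:
        return None
    return net.network_address


if __name__ == "__main__":
    # Constructed addresses that the last-octet check gets wrong.
    samples = [("10.0.1.0", 23), ("10.0.0.255", 23), ("10.0.1.255", 23),
               ("192.0.2.0", 31), ("192.0.2.4", 30)]
    for addr, plen in samples:
        print(f"{addr}/{plen}: naive={naive_is_special(addr)} "
              f"cidr={cidr_role(addr, plen)}")
    print("/30 usable:", usable_host_count(30),
          "with lowest-address:", usable_host_count(30, True))
    print("2001:db8:1::/64 anycast:", subnet_router_anycast("2001:db8:1::/64"))
```

The only defensible input check for a host address field is `cidr_role(...) == "host"`; a validator that uses `naive_is_special` rejects 10.0.1.0/23 and 10.0.0.255/23 while accepting 192.0.2.4/30, which is the actual network address.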
| Faaak wrote:
| And even so, you can still have a /24 with .0 and .255 in use
| (for example if injected via BGP on machines that have other
| IPs).
| candiddevmike wrote:
| Like other things in tech, you can do this, but you really
| shouldn't. There are a lot of assumptions baked into those
| addresses per the RFCs, which are kind of like our
| industry's electrical code. Using a broadcast address is
| "not up to code".
| Faaak wrote:
| Please tell, then. But no, I don't see what is wrong with
| that. An outsider doesn't know the CIDR of the IP he's
| talking to, so it wouldn't change. It only matters for
| the last router in the loop, and if it's taken into
| account (because it's actually your infra), then it's
| okay.
| NoZebra120vClip wrote:
| Long, long ago, SunOS, and possibly other Unixes,
| considered x.x.x.0 as a broadcast address as well. (Or I
| should say more properly, an all-zeroes host address.)
|
| It took a long, long time to shake that assumption out of
| all code, long after the OS had stopped using .0 that
| way. So this is yet another domino.
| c0nsumer wrote:
| I get this all the time at work... We have somewhat large
| subnets for clients (I think /22 and /23, and something much
| larger for our VPN pools) so I'll not-infrequently get "client
| has wrong IP address" things because they have a .0 or .1 or
| .255.
| phh wrote:
| In school I handled the network for students; we had a /22. I
| was still afraid to use .0 and .255.
| mike_d wrote:
| .0 and .255 are special.
|
| Even outside of the context of a /24 I still reserve these
| addresses because they don't receive equal treatment on the
| internet. There are still dumb firewalls that treat them as
| broadcast amplification attacks, OS bugs that treat them as
| invalid, and a handful of other issues.
|
| This issue tends to be a bell curve of experience. People brand
| new to networking, and the people who have spent dozens of
| years seeing the worst of what the internet has to offer both
| treat them as sacred cows, with the majority just shrugging and
| mumbling about CIDR.
| hotpotamus wrote:
| I'd say .1 is a bit special too (even more for FHRPs), and
| there are weirdos who use .254 for their gateways. I've even
| seen a lunatic or two put it somewhere in the middle of the
| subnet.
| theamk wrote:
| Blindly assuming .1 is your router is a bad idea. I've seen
| cases when it all started with a single uber-host at .1
| which does routing, DNS, DHCP, mail, and internal web
| server; and later on the routing part was moved to a
| separate device with its own IP.
|
| Also, well-known IPs, and 192.168.0.1 in particular, should
| just be avoided. You don't want an IP conflict in your network
| just because someone plugged in an unconfigured device!
| ilyt wrote:
| Wait till you see how people react to /31 and /31 ending with
| .0
|
| > and the people who have spent dozens of years seeing the
| worst of what the internet has to offer both treat them as
| sacred cows
|
| ...a lot of them just didn't update their knowledge over
| time.
| mlyle wrote:
| His point is that there's a pretty common journey:
|
| - Newbies see .0 and .255 as special
|
| - We learn about CIDR, and there's nothing special about a
| .0 in the middle of a large block.
|
| - Then we get zapped by weird connectivity problems or
| tools that don't let us enter the address because it fails
| "validation," etc.
|
| Then we think... does our DHCP range really need to cross
| the boundary when we have a /23? Maybe we should just have
| two DHCP ranges with a little hole in the middle. It's less
| than 1% of addresses...
| schoen wrote:
| The Busybox DHCP server had a special case where it
| wouldn't ever give out a .0 address, and I submitted a
| patch to remove that. I didn't even think about the
| possibility that someone might intentionally want that
| (to work around misbehavior of other devices). I don't
| _think_ the person who added it was thinking that way,
| but I might be wrong.
|
| The behavior of arbitrarily rejecting .0 has gotten a lot
| rarer in the wild lately. (I can confirm that because
| I've done a whole bunch of connectivity tests to .0
| addresses, including using RIPE Atlas.)
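The workaround mlyle describes (two DHCP ranges with a hole at the .255/.0 boundary of a /23) and the Busybox special case schoen mentions, carried out in code. This is an added example, not code from the thread, from Busybox or from any DHCP server: it splits a requested lease range inside a wide IPv4 block into contiguous pools, always excluding the real network and broadcast addresses and, when asked, every address whose last octet is 0 or 255, then reports how many leases the holes cost. The network and pool values are constructed samples, the function names are my own, and the rendered output follows ISC dhcpd's `range low high;` statement syntax.

```python
"""Added example, not code from the thread or from Busybox: split a DHCP
pool inside a wide IPv4 block into contiguous ranges that leave holes at
every .0 and .255 address, the workaround discussed above for clients
that reject those addresses. Network and pool values are constructed."""
import ipaddress
from typing import List, Optional, Tuple

Pool = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def dhcp_pools(network: str, first: str, last: str,
               skip_boundary_octets: bool = True) -> List[Pool]:
    """Split [first, last] within `network` into contiguous pools.

    The real network and broadcast addresses are always excluded. With
    skip_boundary_octets, any address whose last octet is 0 or 255 is
    excluded too, even where CIDR says it is an ordinary host.
    """
    net = ipaddress.IPv4Network(network)
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo not in net or hi not in net or lo > hi:
        raise ValueError("pool must lie inside the network with first <= last")
    pools: List[Pool] = []
    start: Optional[ipaddress.IPv4Address] = None  # first address of the open run
    prev: Optional[ipaddress.IPv4Address] = None   # last address examined
    cur = lo
    while cur <= hi:
        reserved = cur in (net.network_address, net.broadcast_address)
        if skip_boundary_octets and cur.packed[-1] in (0, 255):
            reserved = True
        if reserved:
            if start is not None:  # close the run just before the hole
                pools.append((start, prev))
                start = None
        elif start is None:
            start = cur
        prev = cur
        cur += 1
    if start is not None:
        pools.append((start, prev))
    return pools


def pool_size(pools: List[Pool]) -> int:
    """Total leases available across all pools."""
    return sum(int(hi) - int(lo) + 1 for lo, hi in pools)


def holes_fraction(network: str, first: str, last: str) -> float:
    """Share of the requested range given up to the .0/.255 holes."""
    full = pool_size(dhcp_pools(network, first, last, skip_boundary_octets=False))
    with_holes = pool_size(dhcp_pools(network, first, last))
    return (full - with_holes) / full


def render_dhcpd(pools: List[Pool]) -> str:
    """Render pools as ISC dhcpd `range low high;` statements."""
    return "\n".join(f"range {lo} {hi};" for lo, hi in pools)


if __name__ == "__main__":
    net, first, last = "10.0.0.0/23", "10.0.0.10", "10.0.1.250"
    pools = dhcp_pools(net, first, last)
    print(render_dhcpd(pools))
    print(f"{pool_size(pools)} leases, "
          f"{holes_fraction(net, first, last):.2%} lost to holes")
```

For the /23 in the example the holes cost exactly two addresses out of 497, which is the "less than 1% of addresses" trade mlyle describes; a /22 gives up six. The check that matters operationally is that the broadcast address is never handed out even with hole-skipping turned off, which the first branch of the loop guarantees.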
| Faaak wrote:
| Worked at a large website hoster and we didn't treat these
| addresses differently. Didn't hear anything from customers
| while I worked there. Maybe it depends on the country (and
| their majority vendors).
___________________________________________________________________
(page generated 2023-06-25 23:00 UTC)