by walrus01 1882 days ago
Lots of less clueful network operators worldwide have used the DoD /8 IP blocks internally, under the impression that they'll never show up in the global v4 routing table, essentially for the same purposes that people would use the 10/8 RFC1918 blocks.

Some of those less-clueful operators include Juniper and Azure[1], Cisco[2][3], and probably many other companies. When Cloudflare put its 1.1.1.1 DNS server into use, it started receiving huge amounts of packets destined to unroutable addresses because the 1.0.0.0/8 space was (mostly?) unused.

If you configure your routers correctly, none of these IP addresses should resolve anyway. If something in your network is intentionally dialing the Department of Defense, you probably have some kind of problem at hand. In theory this might become a huge problem, but in practice it probably won't.

[1]: https://www.juniper.net/documentation/en_US/vmx/information-...

[2]: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2017/pdf...

[3]: https://security.stackexchange.com/questions/157682/why-does...

I know of a couple of companies that used 1.0.0.0/8 as their internal VPN/WAN network. Others and I explained why this could be problematic, but we were ignored. It's actually mostly fine as long as you 1) never need to reach that network, 2) block traffic in that network from leaving your edge network, and 3) triple-check that you have blocked that network from ever being announced from your routers. The downside is that you have to double or triple NAT to reach anything in that network. Hamachi uses or used 25/8 (Ministry of Defence) as their VPN network.
T-Mobile used or uses UK MoD space also for NAT.
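The three conditions in the comment above (never need to reach the squatted block, never let traffic for it leave the edge, never announce it) can each be checked mechanically. The block below is an added example, not code from the thread or from any vendor: it uses a constructed routing table, a constructed BGP announcement list and a few constructed flow records, with 1.0.0.0/8 as the squatted block and interface names `wan0`/`tun0` chosen for the example. The longest-prefix-match lookup also shows concretely why an internal 1.0.0.0/8 route swallows 1.1.1.1.

```python
import ipaddress

# Added example (not from the thread): checks for the three conditions a site
# must meet if it squats a public block internally. All data is constructed.

# The public block the comment describes being used internally.
SQUATTED = ipaddress.ip_network("1.0.0.0/8")

# Constructed routing table as an edge router might hold it: (prefix, next hop).
RIB = [
    ("0.0.0.0/0", "upstream"),
    ("10.0.0.0/8", "internal"),
    ("1.0.0.0/8", "internal-vpn"),   # the squatted block, routed inward
]

# Constructed prefixes this site announces to its upstreams via BGP.
ANNOUNCED = ["203.0.113.0/24", "198.51.100.0/24", "1.2.0.0/16"]  # last one violates condition 3

# Constructed outbound flows seen at the edge: (src, dst, egress interface).
FLOWS = [
    ("10.1.2.3", "8.8.8.8", "wan0"),
    ("10.1.2.3", "1.1.1.1", "wan0"),     # violates condition 2: squatted dst leaving the edge
    ("10.1.2.3", "1.20.30.40", "tun0"),  # fine: stays on the internal VPN interface
]


def lookup(rib, dst):
    """Longest-prefix match, the way a FIB picks the route for dst."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def captured_public_hosts(rib, probes, squatted=SQUATTED):
    """Condition 1: public addresses inside the squatted block that the
    internal route captures instead of sending upstream."""
    return [h for h in probes
            if ipaddress.ip_address(h) in squatted and lookup(rib, h) != "upstream"]


def egress_leaks(flows, wan_ifaces=("wan0",), squatted=SQUATTED):
    """Condition 2: flows whose destination is in the squatted block but which
    exit on a WAN-facing interface instead of staying internal."""
    return [f for f in flows
            if f[2] in wan_ifaces and ipaddress.ip_address(f[1]) in squatted]


def announced_overlaps(announced, squatted=SQUATTED):
    """Condition 3: every announced prefix that overlaps the squatted block,
    including more-specifics such as a /16 carved out of it."""
    return [p for p in announced if ipaddress.ip_network(p).overlaps(squatted)]


if __name__ == "__main__":
    print("1.1.1.1 is routed to:", lookup(RIB, "1.1.1.1"))
    print("captured public hosts:", captured_public_hosts(RIB, ["1.1.1.1", "8.8.8.8"]))
    print("egress leaks:", egress_leaks(FLOWS))
    print("announced overlaps:", announced_overlaps(ANNOUNCED))
```

Run against a real export of the RIB, the configured BGP outbound prefix-list and a flow sample, the same three functions give the "triple-check" the comment asks for; the overlap test matters because a filter that only matches the exact /8 still lets a more-specific /16 through.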
Juniper and Cisco are equipment vendors, not ISPs. If the DOD /8s are used in some documentation examples, that's a whole other thing.

If network operators are taking the theoretical network blocks provided in training examples and attempting to copy and paste them into real-world use, that is a whole other problem with training and education, and with a lack of oversight by senior people at their company who should know better.

1/8 is also a whole other thing because it's a legitimately announced block controlled by, as I recall, APNIC. If it's in some people's 20-year-old bogon filter, that's their problem, not APNIC's.

What IPs does the DoD actually host defense-related services on?

E.g. https://www.defense.gov/Resources/Military-Departments/A-Z-L...

NIPR and SIPR don't talk to the global routing tables for v4 and v6. Generally, if a DOD person needs to access commercial internet resources for things, it'll be through a separate commercial-purpose LAN, or through something like an RDP session to a Citrix thin client to do that.
I think you'd be surprised. Most NIPR computers just use a regular proxy server for internet access. But example: 214 /8 is a DoD owned block, and "weather.af.mil" is on that block, and both externally and internally reachable.
Not that NIPR computers don't have access to the internet, but because this isn't 1987, those individual workstations would never have public-facing DoD v4 IPs. They'll always be behind some combination of NAT and firewall or, as you mentioned, proxy. Certainly there could be some DoD public IP on the external interfaces of said firewalls. If I had to guess, very often the public-facing side of those boxes might be a commercially acquired local ISP using that ISP's IP space, and not actual DoD IP space...
I'm logged into my Google account, and it shows a certain IP address as where I'm logged in from. Checking ipconfig shows the same IP address as being the computer I'm on. The proxy will of course show it as being the actual source, but Google is smart enough to show the IP address that the proxy says it's proxying for. AFAICT, there's no NAT, but there is a firewall blocking traffic that doesn't run through the proxy.
A lot is in the 150-160 range