I suspect there are a decent number of network engineers who think it's funny to use DoD IPs for their internal network, especially given what their logging system will probably tell them by default.
If you drive around with a WiFi stumbler running, you'll run into networks with names like "UTAH DATA CENTER" and "SIPRnet", etc for the same reason.
The main reason (I've done this at a bank previously) is when you need to ensure you don't overlap with other internal IP (RFC1918 was represented everywhere and routeable internally) and when you're trying to dodge 99% of your engineer's default Docker configs to reduce support request load.
In that case there's never any chance it'll be needed by people using the public internet there, and never any chance it'll be used suddenly by a deployed internal service somewhere else from an outside vendor.
Default Docker configs are atrocious. Most devs/devops don't even know that when it creates a network, it takes a /16 ip range out of 172.[17-31].0.0/16 or 192.168.[0-240].20/20 by default. It is just a matter of time before a restart makes it collide with an existing network range. It does skip networks defined on local interfaces at least, but this only means that devs don't learn about this landmine on their own machines, nuking production instead.
The default should reserve a single ip range and simply fail (with a nice message) if more are needed.
Yeah, sharing SSIDs isnt such a great idea. Check out https://wigle.net ... Obviously multiple people around the world use this one, but it narrows it down for dedicated people
Two things that come to mind are running out of private address space (a /8 isn't that large), or wanting address space that doesn't clash with other private networks (e.g. to ensure a VPN doesn't overlap with home networks). There's probably more reasons.
Company A uses 10/8 Company B uses 10/8, company A buys company B and orders new subsidiary B to renumber into 11/8 "All you have to do is change every first octet to 11"
Merger after merger after merger followed by a massive adoption of public cloud (using Direct Connect/Express Route for hybrid connectivity) has led at least two very large FinServs I worked for adopting CGNAT (100.64/10) for parts of their internal networks.
In both cases RFC1918 was used throughout their global network and while not fully used, had become highly fragmented over time.
If they're not actually using the whole /8 (highly likely), you can setup a 1:1 NAT. basically from network b, if you want to talk to network a, you find out the address in 11/8 that corresponds to the 10/8 address and vice versa. You can use split horizon dns to make it mostly transparent.
Every networking problem in the world can be solved with more NAT or more encapsulation :)
You don't have to use every address in 10.0.0.0/8 to effectively fill it up. If your corporate policy is to assign a /16 to each floor of a building, and you have a LOT of buildings it's pretty easy to fill up the space even if most of the /16s are sparsely populated. It's much easier to move on to the 11. space when you build that new building that pushes you over than renumbering your entire corporate LAN.
what you call 1:1 NAT is just called NAT by cisco, the stuff most folks think NAT is is actually NAT+PAT (like what you run on your home router with a single public IP)
It basically maps addresses visible on one interface to those on a different interface. So you can route many addresses on 10.x to a single 10.x address that is on a different network.
In our case, we were setting up VPN tunnels to a partner, who for some reason required that the addresses on our side should (appear to be) public IP addresses. So we couldn't use 10/8 or 192.168/16 in (that part of) our network.
They didn't actually need the addresses to be routable from the public internet (that was the whole point of the VPN). I think the requirement was really a way of making sure they were unique. I'm sure they had several partners who used 10/8 internally.
There's also 172.16/12 :) But yeah I agree. If you're running a VPN for a large company it's kinda hard to avoid such conflicts.
In my work we use 10.0.0.0/8 but of course some people use the same at home even though 192.168/16 is way more common. In general I find 172.16/12 the least common in the field.
I personally use a range towards the end of the 172.16/12 reservation for my home network for exactly this reason. Ever since I made the change five years ago I’ve never suffered any conflicts when running a VPN in or out.
I know the old Apple extreme and time machine routers used to default to 10 rather than 192 ever since then I’ve kept my internal routing within that block.
It just looks nicer to me which shows the power of Apple and how easily I am influenced.
I like the 172.12/16 to company network, especially small companies with limited support resources. Getting employees on VPN is much simpler as virtually no home routers use that range.
A trick is to use something in the 10 range but not /8 - 10.185.203/24 will work on a 10/8 network (assuming no actual host overlap) as it’s more specific and will route first.
In my case I got a class C around about 1992 (back then that was the only way to get on the internet), at some point the ISP above my ISP claimed it as theirs without telling me .... I still use it internally why should I change?
In the case of a managed service provider I worked for, using non-announced gov/mil space allowed us to inject routes for monitoring purposes into the MPLS vrfs of our customers so we could poll the routers without using our own public space.
If you drive around with a WiFi stumbler running, you'll run into networks with names like "UTAH DATA CENTER" and "SIPRnet", etc for the same reason.