by chpp 4242 days ago
I'm always surprised how few network guys are on HN.

Every device in infrastructure should have a management address. This int is routed differently than the data interface. In a datacenter, management will be a separate physical int, but telecom can't go running 2 cables into a house, so it's a logical management int in that case. Comcast remotes into my modem all the time for management purposes (service magically goes out) and I doubt they log in via the DHCP address I get from them. It's just good practice to manage a device from a management int, and in a consumer environment this should be hidden from the user. Everyone in infrastructure knows: the less the user knows, the better.

Tinfoil hat time - funny cowinkydink they chose a DoD subnet. Why wouldn't they use 10.0.0.0/8 like the rest of the world? Could be them being different, could be something more. Convenient for the DoD to own the management subnet, just saying.


Fewer chances to overlap with the RFC1918 addresses in a home network? (A silent assumption here is that the CPEs are user-configurable in any way.)

Or just that they historically had some 10/8 space already used elsewhere in the network?

Note that they're not the only ones camping on DoD address space, I know a couple more folks who had to do it out of necessity at some point, under the assumption (flawed, sure) that DoD probably will never advertise them.

The best way to solve it is to go IPv6-only in management, and for those folks who are lucky enough to have had public IPv4 space for management purposes, that is one of the big drivers.

Out of the box these home routers all come with the same subnet (every Linksys out of the box runs 192.168.1.0/24 in the US). Private addressing behind the box is meaningless in the telecom cloud. It's all NAT.

Could be 10/8 is used elsewhere for some other network, but we infrastructure guys are lazy. NAT that shit. I've never known an ISP to be a monument to best practices.

I've yet to come across any 30/8 subnets in my career. RFC1918 gives one a shit-ton of address space to work with. Bleeding into 30/8 out of necessity seems like something is wrong somewhere.

The fact IPv6 isn't more widely adopted reiterates my point above: engineers are lazy and NAT works. I've only known one company to use public IPv4 space for management and they were a mess. I'd love to say using 30/8 is out of necessity or out of laziness, but it's just oddly convenient.

"Out of the box these home routers all come with the same subnet" - if the customer has any way to change the router LAN subnet, this does not matter. Someone will put it to 10.x.x.x. My cable modem came from the ISP with a default login from the LAN side which allows me to change pretty much anything I wish - if in BT's setup they do not allow login, then that argument of mine would not make sense.

"NAT that" - sure, if you say so. Unless someone years ago already made that choice for you and you already have that management network.

"yet to come across any 30/8" - http://blog.erratasec.com/2013/12/dod-address-space-its-not-... - read the blog post and comments.

Or http://networksavant.blogspot.fr/2013/05/70008.html

Or http://xerocrypt.wordpress.com/2013/12/07/the-adversaries-co...

http://www.ispreview.co.uk/index.php/2013/12/confusion-alleg...

Of course you can also use looking glasses (http://lg.he.net/, http://www.cogentco.com/en/network/looking-glass, in case anyone wants to check me) to verify that 30/8 is not in the BGP tables, and thus is not routed.

And even if it starts getting routed, e.g. someone makes a hijack, the space surely does not have to be 30/8 to be hijacked, as evidenced by e.g. http://research.dyn.com/2013/11/mitm-internet-hijacking/

And let me put a tinfoil hat on and ask: if I were to spy on the home routers and wanted to keep the whole affair secret, would not assignment of a less "hot" chunk of addressing space (like, for example, RFC1918), and then getting access to the system that can use that range within this network, keep me much lower under the radar?

I worked for a company that was using some addresses in the 99/8 range (I don't remember what the narrower range was) internally. This occasionally caused issues when some ISPs started doling out those addresses.
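The two arguments running through this thread (a management prefix must not collide with whatever the customer put on the LAN side, and squatting on someone else's registered space such as 30/8 or 99/8 is only "safe" until that space starts being advertised) can be checked mechanically before a prefix is rolled out. The following is an added example written for this page, not code from any commenter or ISP; it uses only Python's standard `ipaddress` module. The customer LAN list and the candidate prefixes are constructed sample data, and the verdict strings are my own labels.

```python
"""Audit a candidate management prefix against customer LAN space and
well-known address classes (added example; sample data is constructed)."""
import ipaddress

# Address classes that matter for an ISP management network.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")  # shared address space set aside for CGN
ULA = ipaddress.ip_network("fc00::/7")           # IPv6 unique local addresses

# Constructed sample: LAN prefixes observed behind customer CPEs.
CUSTOMER_LANS = ["192.168.1.0/24", "192.168.0.0/24", "10.0.0.0/24", "172.16.5.0/24", "10.1.1.0/24"]


def classify(prefix):
    """Return the address class a prefix falls into.

    'public' means the space is registered to somebody; unless that somebody
    is you, using it for management is squatting (the 30/8 and 99/8 cases
    in the thread).  'special' covers loopback, link-local, documentation
    and other reserved ranges that should never be used for management.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version == 4:
        if any(net.subnet_of(r) for r in RFC1918):
            return "rfc1918"
        if net.subnet_of(RFC6598):  # checked explicitly: ipaddress treats it as neither private nor global
            return "rfc6598"
        return "public" if net.is_global else "special"
    if net.subnet_of(ULA):
        return "ula"
    return "public" if net.is_global else "special"


def overlapping_lans(prefix, customer_lans):
    """List the customer LAN prefixes that collide with the management prefix."""
    mgmt = ipaddress.ip_network(prefix, strict=False)
    hits = []
    for lan in customer_lans:
        lan_net = ipaddress.ip_network(lan, strict=False)
        if lan_net.version == mgmt.version and mgmt.overlaps(lan_net):
            hits.append(str(lan_net))
    return hits


def audit(prefix, customer_lans):
    """Combine both checks into one verdict for a candidate management prefix."""
    kind = classify(prefix)
    hits = overlapping_lans(prefix, customer_lans)
    if hits:
        verdict = "collides with customer LAN"
    elif kind == "public":
        verdict = "public space: only safe if you hold the allocation"
    elif kind == "special":
        verdict = "reserved range: do not use"
    else:
        verdict = "ok"
    return {"prefix": prefix, "class": kind, "overlaps": hits, "verdict": verdict}


if __name__ == "__main__":
    # Candidates reflecting the options discussed in the thread (constructed).
    for candidate in ("10.0.0.0/8", "30.0.0.0/8", "100.64.0.0/10", "172.20.0.0/16", "fd00:6d67::/32"):
        print(audit(candidate, CUSTOMER_LANS))
```

The 10/8 candidate is rejected because two customers already run 10.x LANs, which is exactly the overlap argument above; 30/8 passes the overlap check but is flagged as public space, which is the squatting caveat; the RFC6598 and ULA candidates come back clean, matching the IPv6-only management suggestion. The script cannot tell you whether a public prefix is currently advertised in BGP; for that the looking glasses linked in the thread remain the right tool.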