UK.gov NOT squatting on £1bn unused IPv4 addresses

The Register today ran an interesting article highlighting emerging evidence that the UK government may be sitting on an unused block of over 16 million (IPv4) IP addresses in the 51.0.0.0/8 address block.

The block was noticed by blogger and programmer John Graham-Cumming and has so far spawned an e-petition calling on the government to raise up to £1bn by releasing the block, and a parliamentary question tabled by Cambridge MP Julian Huppert, according to Julian's Twitter feed.

The world has all but run out of old IPv4 addresses so releasing this block would make sense - if not to raise money (whether they could be sold on the market is questionable, as I debated this afternoon, but that's a whole other story) then because it's simply good netiquette to release resources you no longer need when others do.

Apart from one snag: the address range is being used.

As this technical document (pdf) from the Cabinet Office explains, subnets of the 51.0.0.0/8 block are allocated to government service providers [pg 69] when they connect to the Public Services Network Virtual Private Network (PSN VPN) (h/t @lippard).

The PSN VPN is a bridging network; what some network engineers call a de-militarised zone (DMZ).  

By connecting to PSN VPN, government service providers (either government departments or approved external providers) can provide or access a range of extranet services provided by other government service providers.

These are services that, for security reasons, can't be hosted on the wild internet. The PSN is presumably structured to make it relatively easy for government to limit who can see what at an IP level: a robust extra layer in the security onion.

The suggestion that the 51.0.0.0/8 block is "unused" came about because there are no public routes (no autonomous system number - ASN - mapping) to any part of the block.  

The block is effectively dark as far as the public internet is concerned.

So why doesn't Her Majesty's Government just use a private (RFC1918) IP address range for this VPN as most other organisations do?

The answer here is both incredibly complex and incredibly simple.

If the government chose to use any of the three existing RFC1918 private IPv4 address blocks it would place an additional requirement on government service providers; namely that each organisation connecting to the PSN VPN didn't use the same IP address range internally. (Technically they could, but it would require some pretty horrendous routing rules to be put in place.)

Bearing in mind - and I have no direct knowledge of the PSN VPN - this government bridging network is potentially huge, and also that it's highly likely some government service providers are large ISPs themselves, it would be nigh-on impossible to make it work cost effectively using an RFC1918 private IPv4 address block.

For example, many mobile ISPs provide each subscriber with a 10.x.x.x IP address to allow mobile internet access (via Network Address Translation, NAT).  

I'm aware Vodafone supply some mobile data services to UK police forces, so it's reasonable to assume Vodafone may also access the PSN VPN.

With 20 million UK subscribers, Vodafone might already have a job on its hands allocating one of 16.7 million IP addresses in the 10.0.0.0/8 private block, without worrying about routing data between police mobile data terminals and PSN services.  

Yes it could be done, but it would get very complicated.  And with complexity comes cost. And potential security cock-ups.
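The overlap problem described above can be checked mechanically before a provider is connected to a shared bridging network. The following is an added example, not code from the Cabinet Office document or the PSN; the organisation names, their internal prefixes and the /16 allocation size are constructed assumptions, and the bridge-range check goes one step beyond the member-to-member case the text describes.

```python
import ipaddress
from itertools import combinations

def find_overlaps(members):
    """Pairs of prefixes from different organisations that overlap, i.e. that
    could not both be routed across one shared bridging network."""
    flat = [(org, ipaddress.ip_network(p))
            for org, prefixes in members.items() for p in prefixes]
    return [(a, str(na), b, str(nb))
            for (a, na), (b, nb) in combinations(flat, 2)
            if a != b and na.overlaps(nb)]

def bridge_clashes(members, bridge):
    """Member prefixes that overlap the range chosen for the bridge itself."""
    bridge_net = ipaddress.ip_network(bridge)
    return [(org, p) for org, prefixes in members.items() for p in prefixes
            if ipaddress.ip_network(p).overlaps(bridge_net)]

def allocate(block, orgs, new_prefix):
    """Give each organisation its own subnet of a centrally owned block."""
    subnets = ipaddress.ip_network(block).subnets(new_prefix=new_prefix)
    return {org: [str(next(subnets))] for org in orgs}

# Constructed sample: internal RFC1918 usage of three hypothetical members.
INTERNAL = {
    "dept-a": ["10.0.0.0/8"],
    "mobile-isp": ["10.64.0.0/10", "172.16.0.0/12"],
    "council-b": ["192.168.0.0/16", "172.20.0.0/16"],
}

if __name__ == "__main__":
    # Members exposing their internal RFC1918 ranges to each other collide.
    for clash in find_overlaps(INTERNAL):
        print("member clash:", clash)
    # A bridge numbered from 10.0.0.0/8 collides with members' own networks.
    print("bridge on 10/8:", bridge_clashes(INTERNAL, "10.0.0.0/8"))
    # A bridge numbered from 51.0.0.0/8 collides with nobody's internal range.
    print("bridge on 51/8:", bridge_clashes(INTERNAL, "51.0.0.0/8"))
    # Subnets handed out centrally (the /16 size is an assumption) are unique.
    psn = allocate("51.0.0.0/8", INTERNAL, 16)
    print("allocations:", psn, "overlaps:", find_overlaps(psn))
```
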

It's not beyond the realms of possibility that it will cost the UK government more than it raises selling this "unused" public IP address block (if indeed it can sell it) to make existing suppliers compatible with a new schema - and that's without considering potential security headaches managing a more fragmented network.

So no, I doubt the Department for Work and Pensions will be releasing this IP address block any time soon.  

At least not till IPv6 adoption is widespread, by which time the inherent value in the block will have fallen through the floor.

One option that does remain* - because nothing on this block is publicly routed - is for the UK government to formalise the whole 51.0.0.0/8 block as a private block for use in government and other similar gateways, allowing other governments worldwide - governments not fortunate enough to own their own Class A IP address - a similar luxury.

In fact there's nothing stopping other governments from doing this now, except their systems would be thrown into disarray should the UK government ever reallocate this block.

* Other governments might face challenges if they wanted to buy services from a company also supplying the UK government