Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  ISP Putting Multiple Customers on the Same Subnet (?!)

    Posted 10-13-2011 08:55

    Sorry in advance if this isn't the proper forum...J-Net is filled with smart people and "Routing" seemed like the best fit.

     

    My DSL ISP has sold me 4 static public IPs and told me to use a /26 for the subnet mask.  I've verified this info with the ISP...it's correct.  I've never seen this before, and I'm confused about why they would do this.

     

    Sure enough, I can ping a lot of addresses other than mine in the /26 range, and they all ARP to the same MAC as my default gateway.  I'm sure we customers all use the same default gateway and it's proxy-ARPing.

     

     

    My Questions:

    1 - Is it common practice for an ISP to put multiple customers on the same subnet?  Or is this just something I haven't seen before?

    2 - If this isn't the best practice, why would an ISP do it?  What are the advantages and disadvantages for BOTH the ISP and the customer?  Here's all I can think of.

     

    Advantages for ISP

    - ISP can now sell non-power-of-two-sized blocks to better utilize public IP addresses (i.e., they could take a /26 and sell someone 3 IPs, someone 13 IPs, someone 1 IP, someone 39 IPs, etc., and only use 1 IP themselves for the default gateway for all of these customers).  Ironically, when I needed more IPs, they said I HAD to purchase a second DSL connection, and I HAD to buy a block of 2, 4, 8, etc., so we got another block of four... same subnet, same gateway.

    - Easier administration somehow?

     

    Disadvantages for Customer

    - This increases the ARP table size for the customer.  Instead of only ARPing for 4 IPs, I'm now ARPing for 64.

    - I FEEL like this would pose some sort of security risk, but I guess I don't really know how.  Yes, I can ping/http some of those other customers' addresses as long as they allow ping/ssh, but I'd be able to do that from anywhere.  That shouldn't really have anything to do with us being on the same subnet.

    - Non-intuitive?  Since we're all on the same L3 network, my device thinks that we're all reachable via the L2 network: it ARPs, the default gateway obviously proxy-ARPs on behalf of all of us, and my device attempts to send L3 packets directly to a host that belongs to another customer (of course the proxy ARP actually causes my device to L2 it to the gateway anyway, but this just doesn't seem to me to be a clean/right/intuitive/secure design).

     

    Thoughts?  Is this normal?  Am I just OCD?
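
The check the poster did by hand (ping the range, then look at which MAC each address resolved to) can be scripted against the neighbour table. The following is an added example, not code from the original thread: it parses `ip -4 neigh show` output and classifies every address in the customer's /26 by whether it resolved to the gateway's MAC (proxy-ARPed by the gateway), to some other MAC (a host that really shares your broadcast domain), or did not resolve. The neighbour table, the RFC 5737 documentation addresses and the MACs are constructed sample data; the interface names, the customer address `198.51.100.20` and the gateway `198.51.100.1` are assumptions. Populate the real table first with something like `for i in $(seq 1 62); do ping -c1 -W1 198.51.100.$i; done` on the DSL-facing interface, then feed the output of `ip -4 neigh show dev eth0` to the function.

```python
import ipaddress

# Constructed sample of `ip -4 neigh show` output from a router's DSL-facing
# interface after pinging every address in the customer's /26. Addresses are
# from the RFC 5737 documentation ranges and the MACs are invented; nothing
# here is a capture from the poster's ISP.
SAMPLE_NEIGH = """\
198.51.100.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
198.51.100.7 dev eth0 lladdr 00:11:22:33:44:01 STALE
198.51.100.23 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
198.51.100.40 dev eth0 lladdr 00:11:22:33:44:01 STALE
198.51.100.41 dev eth0 lladdr aa:bb:cc:dd:ee:41 REACHABLE
198.51.100.58 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
198.51.100.62 dev eth0  FAILED
203.0.113.9 dev eth1 lladdr 00:11:22:33:44:09 REACHABLE
"""


def parse_neigh(text):
    """Parse `ip -4 neigh` lines into (ip, dev, mac-or-None, state) tuples.

    Token based rather than regex based so that entries without an lladdr
    (FAILED / INCOMPLETE) parse the same way as resolved ones.
    """
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        ip = ipaddress.ip_address(tok[0])
        dev = tok[tok.index("dev") + 1]
        mac = tok[tok.index("lladdr") + 1].lower() if "lladdr" in tok else None
        entries.append((ip, dev, mac, tok[-1]))
    return entries


def proxy_arp_report(neigh_text, my_ip, prefix_len, gateway):
    """Classify every neighbour inside my_ip/prefix_len by the MAC that answered.

    A non-gateway address that resolves to the gateway's MAC is being answered
    for by the gateway (proxy ARP, or an address the gateway itself owns).
    An address that answers with a different MAC is a host that really shares
    the broadcast domain, which is the case that matters for L2 attacks such
    as ARP spoofing; the check cannot tell you whether the ISP isolates
    customers at L2, only what answered on your segment.
    """
    net = ipaddress.ip_interface(f"{my_ip}/{prefix_len}").network
    gw = ipaddress.ip_address(gateway)
    entries = [e for e in parse_neigh(neigh_text) if e[0] in net]
    gw_mac = next((mac for ip, _, mac, _ in entries if ip == gw and mac), None)
    if gw_mac is None:
        raise ValueError(f"gateway {gw} has no resolved entry in {net}")
    report = {"network": str(net), "gateway_mac": gw_mac,
              "proxied": [], "direct": [], "unresolved": []}
    for ip, _, mac, _ in entries:
        if ip == gw:
            continue
        if mac is None:
            report["unresolved"].append(str(ip))
        elif mac == gw_mac:
            report["proxied"].append(str(ip))
        else:
            report["direct"].append(str(ip))
    report["proxy_arp_in_use"] = bool(report["proxied"])
    return report


if __name__ == "__main__":
    # Assumed customer address and gateway; not taken from the thread.
    r = proxy_arp_report(SAMPLE_NEIGH, "198.51.100.20", 26, "198.51.100.1")
    print(f"{r['network']}: gateway MAC {r['gateway_mac']}")
    print(f"  answered by the gateway : {r['proxied']}")
    print(f"  answered directly       : {r['direct']}")
    print(f"  no ARP reply            : {r['unresolved']}")
```

In the constructed sample four addresses resolve to the gateway's MAC, so the gateway is proxy-ARPing for them, while 198.51.100.41 answers with its own MAC and is therefore a host on the same L2 segment. Entries on other interfaces (eth1) and outside the /26 are ignored.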



  • 2.  RE: ISP Putting Multiple Customers on the Same Subnet (?!)
    Best Answer

    Posted 10-13-2011 17:51

    The practice of large shared subnets for public space is very common with DSL and many cable providers.  Verizon commonly uses /24 spaces on both their DSL and FIOS networks.  They do this to avoid "losing" all those subnet, broadcast and gateway IP addresses as they carve up their available space.  A notable exception is Comcast, which provisions separate subnets per site.

     

    There is no real security issue for your site, since your own servers will be behind the firewall gateway that you manage anyway.  Those other public IP addresses don't have any more access to your resources for being in the same subnet.
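
The address-conservation argument in the answer can be quantified. The following is an added example, not part of the original thread: it assumes the three-address overhead the answer names (network, broadcast and one gateway address per routed subnet), takes the customer sizes the question used as an illustration (3, 13, 1 and 39 addresses), and compares giving each customer their own power-of-two subnet against placing all of them in one shared /26.

```python
import math

# Addresses lost to every routed subnet: network, broadcast and one gateway.
# Assumed from the answer's reasoning; an ISP using HSRP/VRRP would lose more.
OVERHEAD = 3


def smallest_prefix(customer_addrs, overhead=OVERHEAD):
    """Longest prefix whose block still holds the customer's addresses plus
    the per-subnet overhead. A /30 is the smallest block considered."""
    need = customer_addrs + overhead
    host_bits = max(2, math.ceil(math.log2(need)))
    return 32 - host_bits


def block_size(prefix):
    """Number of addresses in an IPv4 block of the given prefix length."""
    return 2 ** (32 - prefix)


def per_customer_plan(requests, overhead=OVERHEAD):
    """One routed subnet per customer: each block pays its own overhead and
    is rounded up to a power of two, so the remainder sits idle."""
    plan = []
    for n in requests:
        p = smallest_prefix(n, overhead)
        plan.append({"requested": n, "prefix": p, "block": block_size(p),
                     "idle": block_size(p) - n})
    return plan


def shared_plan(requests, prefix, overhead=OVERHEAD):
    """All customers in one subnet: overhead is paid once and each customer
    gets exactly the number of addresses they bought."""
    size = block_size(prefix)
    usable = size - overhead
    assigned = sum(requests)
    return {"prefix": prefix, "block": size, "usable": usable,
            "assigned": assigned, "spare": usable - assigned,
            "fits": assigned <= usable}


def compare(requests, shared_prefix):
    """Total address consumption of the two provisioning models."""
    per = per_customer_plan(requests)
    shared = shared_plan(requests, shared_prefix)
    per_total = sum(c["block"] for c in per)
    return {"per_customer_blocks": per_total,
            "shared_block": shared["block"],
            "shared_fits": shared["fits"],
            "addresses_saved": per_total - shared["block"]}


if __name__ == "__main__":
    # Customer sizes from the question's illustration; constructed input.
    requests = [3, 13, 1, 39]
    for c in per_customer_plan(requests):
        print(f"{c['requested']:>2} addrs -> /{c['prefix']} "
              f"({c['block']} addresses, {c['idle']} idle)")
    print(compare(requests, 26))
```

With these inputs the per-customer model needs a /29, a /28, a /30 and a /26 (92 addresses in total) while the shared /26 carries the same 56 customer addresses with 5 to spare, which is the saving the answer describes. The same rounding explains why the poster had to buy a second block of four rather than a single extra address.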