Consolidating Network Addresses
Control Risks & Free Capital by Consolidating Your Network
by Leo Vegoda
RIRs have always supported IP address transfers arising from corporate mergers and acquisitions. The affected networks focused on two things: removing duplication of core services, like DNS, mail and storage, and aligning security policies.
The IPv4 market adds the opportunity to realize the asset value of unused and poorly used IPv4 addresses. What are the key steps to take when integrating networks?
Reviewing the Situation
You can’t control resources you do not know about. Turning hidden assets into a windfall is nice, but a complete view of your network is essential to identify its configuration, utilization and general health precisely. If you can’t control resources through allocation and configuration, you can’t implement your network security policy or manage required improvements.
A good IP Address Manager (IPAM) will not just act as a database for recording where addresses are supposed to be used. It will scan your network for actual use and help you plan for future use. Combining a real-time view of your internal network with logging and business planning will reduce the risk of undocumented devices causing problems.
If you’d like to scan your IP inventory using a free tool designed for viewing but not maintaining a network’s IP use, try ReView. It doesn’t perform many of the functions of a robust IPAM but will offer an excellent overview of your network’s utilization.
Many IPAMs integrate with DHCP and DNS. This means your devices get registered and receive both an IP address and a name. Automating these administrative tasks lowers operational costs. IPAM and DNS integration is particularly useful when deploying IPv6, as IPv6 addresses are long and client devices frequently change addresses.
Consolidating What You Want to Keep
Consolidating IPv4 addresses into one contiguous block both simplifies security policies and makes it easier to transfer (sell) the remainder through the market.
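To see why contiguity matters, the added example below (not from the original article) computes the unused space in a holding as the fewest possible CIDR blocks, before and after one subnet is renumbered next to the other. The holding and subnets are constructed sample values from the 198.18.0.0/15 benchmarking range.

```python
import ipaddress

def free_blocks(holding, in_use):
    """Unused parts of `holding`, as the fewest CIDR blocks that cover them."""
    holding = ipaddress.ip_network(holding)
    free = [holding]
    for used in map(ipaddress.ip_network, in_use):
        if not used.subnet_of(holding):
            raise ValueError(f"{used} is not inside {holding}")
        remaining = []
        for block in free:
            if used.subnet_of(block):
                # Split the free block around the used subnet.
                remaining.extend(block.address_exclude(used))
            elif not block.subnet_of(used):
                remaining.append(block)  # disjoint from `used`: still free
        free = remaining
    return sorted(ipaddress.collapse_addresses(free))

def largest_block(blocks):
    """The biggest single block, i.e. the one with the shortest prefix."""
    return min(blocks, key=lambda n: n.prefixlen)

# Constructed inventory (assumption, not data from the article).
HOLDING = "198.18.0.0/16"
BEFORE = ["198.18.0.0/18", "198.18.128.0/19"]  # use scattered across the /16
AFTER = ["198.18.0.0/18", "198.18.64.0/19"]    # second subnet renumbered

if __name__ == "__main__":
    for label, used in (("before", BEFORE), ("after", AFTER)):
        blocks = free_blocks(HOLDING, used)
        print(label, [str(b) for b in blocks],
              "largest:", largest_block(blocks))
```

With the same number of addresses in use, renumbering one /19 turns three free fragments into two and doubles the largest free block from a /18 to a /17.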
Your organization’s public services, like web and mail, still need IPv4 for the foreseeable future. It often makes sense to host these externally with specialist providers.
Client devices also need some IPv4 addresses for internet connectivity. But the devices themselves don’t need unique addresses – they can share pools. There are multiple technologies and tools available to translate between IPv4 and IPv6, including NAT64 and 464XLAT.
Fig 1: Deploying IPv6 opens a gateway to the future and makes valuable IPv4 addresses available for sale.
Selecting Addresses
IPv4 is valuable because it is scarce. There is no IPv6 scarcity, and perimeter security translates between IPv4 and IPv6 just like it translates between RFC 1918 and unique IPv4 addresses.
IPv4
Keeping separate blocks for providing services, for addressing gateways, and for internal infrastructure is useful. External hosted services will often rely on data or decisions hosted on your network. These limited access services might need unique IPv4 addresses when the external provider does not support IPv6.
There are just over 17 million private IPv4 addresses. Many large organizations have used them all and also squat on large allocations that are not announced on the internet. It is always likely that private IPv4 addresses will clash with those in use by partners, vendors, or a future buyer. So, it’s best to design networks so that renumbering can be automated. That requires an IPAM for managing addressing and a configuration management system to ensure that infrastructure, like DNS, uses the new addresses and clients know them.
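The clash check and renumbering plan described above can be sketched as follows. This is an added example, not code from the original article. The two inventories and the replacement pool are constructed values standing in for IPAM exports, and the pool is assumed to be unused by both organizations.

```python
import ipaddress

def find_clashes(ours, theirs):
    """Every (our_net, their_net) pair whose address ranges overlap."""
    return [(a, b) for a in ours for b in theirs if a.overlaps(b)]

def plan_renumbering(ours, theirs, pool):
    """Map each clashing network of ours to a free same-size block in `pool`."""
    taken = list(ours) + list(theirs)
    plan = {}
    # dict.fromkeys de-duplicates while keeping inventory order.
    for old in dict.fromkeys(a for a, _ in find_clashes(ours, theirs)):
        if old.prefixlen < pool.prefixlen:
            raise ValueError(f"{old} is larger than the pool {pool}")
        for candidate in pool.subnets(new_prefix=old.prefixlen):
            if not any(candidate.overlaps(t) for t in taken):
                plan[old] = candidate
                taken.append(candidate)  # reserve it for later networks
                break
        else:
            raise RuntimeError(f"no free /{old.prefixlen} left in {pool}")
    return plan

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Constructed inventories (assumptions, not data from the article).
OURS = nets("10.0.0.0/16", "10.20.0.0/16", "192.168.1.0/24")
THEIRS = nets("10.0.0.0/12", "172.16.0.0/16", "192.168.1.0/24")
POOL = ipaddress.ip_network("10.64.0.0/10")  # assumed free on both sides

if __name__ == "__main__":
    for ours, theirs in find_clashes(OURS, THEIRS):
        print(f"clash: {ours} overlaps {theirs}")
    for old, new in plan_renumbering(OURS, THEIRS, POOL).items():
        print(f"renumber {old} -> {new}")
```

The resulting mapping is the input a configuration management system needs to update DNS, DHCP scopes and firewall rules in one pass.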
IPv6
There is no shortage of IPv6 address space. The /48 prefix most enterprises will get by default contains 65,536 subnets. And plenty more is available. Less than one percent of the total IPv6 space has been allocated so far.
Private IPv6 addresses, called Unique Local Addresses (ULAs), are available for free. The key difference is that they are unique. When the process for selecting a prefix is followed properly, the likelihood of a clash with another network is about one in a trillion. There are online tools that will implement the prefix generation process suggested in RFC 4193 for you. Using that or a similarly random process is essential for minimizing the risk of a future clash.
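The prefix generation process suggested in RFC 4193 (section 3.2.2) is short enough to run locally instead of relying on an online tool. The following is an added example, not code from the original article: it hashes a 64-bit NTP timestamp together with an EUI-64 identifier using SHA-1 and keeps the low 40 bits as the Global ID. Function names are illustrative, and the MAC address comes from Python's `uuid.getnode()`.

```python
import hashlib
import ipaddress
import struct
import time
import uuid

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

def ntp_timestamp(unix_time):
    """64-bit NTP format: 32-bit seconds since 1900 plus 32-bit fraction."""
    seconds = (int(unix_time) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time % 1) * 2**32)
    return struct.pack("!II", seconds, fraction)

def eui64_from_mac(mac):
    """Modified EUI-64: insert ff:fe in the middle, flip the universal bit."""
    m = mac.to_bytes(6, "big")
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]

def ula_prefix(timestamp, eui64):
    """Build the /48: fd (fc00::/7 with L=1) followed by a 40-bit Global ID."""
    if len(timestamp) != 8 or len(eui64) != 8:
        raise ValueError("timestamp and EUI-64 must be 8 bytes each")
    global_id = hashlib.sha1(timestamp + eui64).digest()[-5:]
    packed = b"\xfd" + global_id + bytes(10)
    return ipaddress.IPv6Network((int.from_bytes(packed, "big"), 48))

def generate_ula():
    """One fresh prefix from the current time and this host's MAC address.

    uuid.getnode() falls back to a random 48-bit value when no MAC is
    readable, which still gives the hash a per-host input.
    """
    return ula_prefix(ntp_timestamp(time.time()),
                      eui64_from_mac(uuid.getnode()))

if __name__ == "__main__":
    prefix = generate_ula()
    print("ULA prefix:  ", prefix)
    print("first subnet:", next(prefix.subnets(new_prefix=64)))
```

Generate the prefix once, record it in the IPAM, and reuse it; choosing a memorable value such as fd00::/48 by hand defeats the randomness that keeps the clash risk low.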
Organizations that prefer to buy certainty can get globally unique IPv6 addresses from a Regional Internet Registry. This will generally incur a small annual fee, like the $250 per year charged by ARIN.
One key advantage of getting IPv6 addresses from an RIR over using a ULA is that the reverse DNS domain can be delegated to your organization. If you use a ULA and want to use reverse DNS internally, your local resolvers will have to be configured to answer those queries.
Market Support
Not all buyers are the same. Some buyers will actively support sellers through consolidating and transferring addresses. This can include renumbering to a new, smaller block. Of course, the responsibility for identifying and remedying reputation issues and consolidating subnets is ultimately with the seller. However, qualified brokers can help with both issues.
When freeing up a large amount of IPv4 space, speak with brokers and ask how they can help your organization both realize the value of a hidden asset and mature technical operations. Using IPv4 wisely in this way can help you save money in the longer term by improving security and deploying IPv6, which will be with us for decades to come.