Netflix CIDR Blocks – Why Use 100.64.0.0/10 for Private Network IP Space


Netflix gave a public tech-talk explaining their network, and one specific design puzzled me. See page 25 of this talk (Netflix's Migration into VPC): they seemed to choose to use 100.64.0.0/10 as their private network space, rather than 10.0.0.0/8 (or a subspace from it).

What's the purpose? I don't see any obvious benefit, but I may be missing some key points there. Can someone give some thoughts on this?

Best Answer

they seemed to choose to use 100.64.0.0/10 as their private network space, rather than 10.0.0.0/8 (or a subspace from it).

What's the purpose? I don't see any obvious benefit, but I may miss some key points there. Can someone give some thoughts on this?

The slide is very clear on why they are using this space. They are following the current best practice for performing CGN (carrier grade NAT or carrier grade network address translation) as defined by RFC 6598. The slide also notes this.

Why this address space and not another RFC 1918 space? Because this is the shared address space the IANA has reserved as a range expressly to be used for CGN. It is the one they should be using for CGN.

Let me turn your question on its head. Given an address space specifically dedicated to CGN and defined as a best current practice, if you are using CGN, why would you use anything besides 100.64.0.0/10, such as RFC 1918 space?

This is the relevant section from RFC 6598 that provides the need for this address space for providers rather than just using RFC 1918 space:

   A Service Provider can number the interfaces in question from
   [RFC1918] space if at least one of the following conditions is true:

   o  The Service Provider knows that the CPE/NAT works correctly when
      the same [RFC1918] address block is used on both its inside and
      outside interfaces.

   o  The Service Provider knows that the [RFC1918] address block that
      it uses to number interfaces between the CGN and CPE is not used
      on the subscriber side of the CPE.

   Unless at least one of the conditions above is true, the Service
   Provider cannot safely use [RFC1918] address space and must resort to
   Shared Address Space.  This is typically the case in an unmanaged
   service, where subscribers provide their own CPE and number their own
   internal network.

However, once this shared space was assigned for the purpose and it became a best practice, there is no reason that anyone performing CGN should not use this space for its intended purpose.
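The second RFC 6598 condition quoted in the answer (the provider-side block must not also be in use on the subscriber side of the CPE) can be checked mechanically. The following is an added example, not code from the question, the answer, the RFC or Netflix: it takes a constructed set of subscriber LAN prefixes and a set of candidate provider-side prefixes, and reports which candidates are safe to use between the CGN and the CPE. The subscriber LANs and candidate prefixes are invented for illustration; the RFC 1918 blocks and the 100.64.0.0/10 shared address space are the real ranges.

```python
import ipaddress

# Real reserved ranges: the three RFC 1918 private blocks and the RFC 6598
# shared address space reserved by IANA for CGN.
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample data: LAN prefixes chosen by unmanaged subscribers behind
# their own CPE, and prefixes a provider might consider for the CGN<->CPE links.
SUBSCRIBER_LANS = ["192.168.0.0/24", "192.168.100.0/24",
                   "10.100.5.0/24", "172.20.1.0/24"]
CANDIDATE_CGN_PREFIXES = ["10.100.0.0/16", "192.168.100.0/24",
                          "172.20.0.0/16", "100.64.0.0/16"]


def overlaps_any(prefix, others):
    """True if `prefix` shares any address with any network in `others`."""
    net = ipaddress.ip_network(prefix)
    return any(net.overlaps(o) for o in others)


def safe_cgn_prefixes(candidates, subscriber_lans):
    """Return the candidate provider-side prefixes that satisfy RFC 6598's
    second condition: no overlap with any prefix used on the subscriber
    side of the CPE. A candidate that overlaps would make the CPE see the
    same block on its inside and outside interfaces."""
    lans = [ipaddress.ip_network(p) for p in subscriber_lans]
    return [c for c in candidates if not overlaps_any(c, lans)]


def classify(prefix):
    """Label a prefix as shared address space, RFC 1918 space, or other."""
    net = ipaddress.ip_network(prefix)
    if net.subnet_of(SHARED_ADDRESS_SPACE):
        return "shared-address-space"
    if any(net.subnet_of(r) for r in RFC1918):
        return "rfc1918"
    return "other"


if __name__ == "__main__":
    # The shared address space never collides with RFC 1918 space by design.
    print("100.64.0.0/10 overlaps RFC 1918:",
          overlaps_any("100.64.0.0/10", RFC1918))
    for c in CANDIDATE_CGN_PREFIXES:
        ok = c in safe_cgn_prefixes(CANDIDATE_CGN_PREFIXES, SUBSCRIBER_LANS)
        print(f"{c:18} {classify(c):22} {'safe' if ok else 'COLLIDES'}")
```

With the constructed subscriber LANs, every RFC 1918 candidate collides with at least one subscriber network, which is exactly the unmanaged-service situation the RFC describes; only the 100.64.0.0/16 candidate from the shared address space survives, because subscribers are not expected to number their own LANs from that range.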