For example, I have a block of 8 static IP addresses from 18.104.22.168 through 22.214.171.124, inclusive, so 126.96.36.199 is reserved, 188.8.131.52 is taken by the router inside the 3800 Residential Gateway, and 184.108.40.206 is the subnet broadcast address. Let's discuss each in turn.
Then Classless Internet Domain Routing (CIDR) became widespread, and subnetworks were denoted by the base address plus either a netmask or a CIDR bit count. For example, my network can be referred to as either 220.127.116.11 with a netmask of 255.255.255.248, or as simply 18.104.22.168/29. (By the way, I claim credit for this slash subnet notation as part of my work in the mid 1980s bringing up TCP/IP over amateur packet radio.)
The addition of a netmask distinguishes a subnetwork from the host assigned the lowest address on that subnetwork, so there is no longer any need to reserve the first address. But AT&T still does it for some reason, making one less address available to a user's computer for no good reason.
Assuming that AT&T's internal routers implement CIDR, and it is hard to imagine that they don't, this restriction could be lifted easily with just a firmware change to the 3800. It should treat the first address in a static IP address block as an ordinary address, ARPing for it on the customer's network instead of disallowing its use and rejecting all inbound traffic for it.
This has long been seen as both not very useful and a potential security hole, particularly a denial-of-service threat, and in fact the U-verse gateway blocks such packets.
Since only local computers can broadcast to the local network, they can just as easily use the IPv4 broadcast address 255.255.255.255 that is reserved by IANA for this purpose. Many applications that might otherwise use the IP broadcast address are increasingly making use of special application-specific multicast addresses, further reducing the need to reserve a subnet broadcast address. For example, Apple's Bonjour, itself an implementation of Zero configuration networking, uses the special multicast address 22.214.171.124 and UPnP uses 126.96.36.199. The U-verse video system is heavily based on IP multicasting, using the private ("walled garden") multicast address block 188.8.131.52/14.
The broadcast address is one of the parameters configured by the Dynamic Host Configuration Protocol (DHCP) server in the 3800 RG. So once again, the required changes are limited to the software running in the 3800: treating the top address in a static IP block as an ordinary address and specifying the broadcast address as 255.255.255.255 when configuring hosts on the local network with DHCP. (Any manually configured hosts would require a manual change in the broadcast address.)
Hosts on a network use the subnet mask to distinguish between IP addresses that belong to other computers on the same subnet and those elsewhere on the Internet that must be reached through a router. When my computers are configured with the 184.108.40.206/29 subnetwork, they will issue an ARP request to find the Ethernet MAC address belonging to any destination address in the range 220.127.116.11 through 95 inclusive. When the destination lies outside this range, they instead issue an ARP request for the default router and then send the packet in an Ethernet frame to that router. They are, in effect, using a global resource as a local label and again this is wasteful given the scarcity of IPv4 addresses. There should be an alternative.
Most cable and DSL services allocate customer IP addresses, including blocks of static addresses, from relatively large subnetworks shared with other users. For example, there is no particular reason I have to be issued the subnetwork 18.104.22.168/29 as opposed to a block of 8 ordinary addresses somewhere in the middle of the 22.214.171.124/24 subnetwork. This allows every customer who shares the larger subnetwork to share a single router address, e.g., 126.96.36.199. If a subnet broadcast address were still considered necessary for some reason (e.g. 188.8.131.52), that could also be shared.
But what if customers who share a subnetwork want to talk directly to each other? No problem: use proxy ARP. Ordinarily, routers answer an ARP request only for its own IP address; it expects the host computers on each subnet to answer ARP requests for their own addresses. In proxy ARP, the router answers ARP requests for hosts not actually on the local network so they can be reached as though they were. Every cable and DSL provider I've checked does it this way, so it is a common practice.
As far as I could tell, AT&T's routers do not distingush among the eight addresses in my block. They route the three unusable addresses to my RG along with the usable five, and it's only the RG that refuses to pass them to my LAN. My evidence for this is the RG's log, which is filled with firewall rejections of crackers attempting to break into my machines. For the 5 working IP addresses the RG only rejects and logs attempts to connect to port 445 (Microsoft Windows file sharing), but it rejects and logs every attempt to communicate with the three unusuable addresses. So it seemed like packets to those addresses were being routed to me normally by AT&T's network, and it was only the RG that kept me from getting them.
That gave me an idea - what if I lied to the RG about the size of my subnet? The unusable addresses are all at the block edges - one on the bottom and two on the top - so suppose I told my RG that my subnet began below its true start and ended past its true end? Then it just might reclassify the three unusable addresses as ordinary usable addresses within my fictitious large block.
Obviously I wouldn't be able to use any addresses outside of my assigned block of 8, as AT&T will continue to route them to their rightful owners. That's fine, I'm not trying to get something I'm not paying for; I'm only trying to use what I am paying for. Furthermore, because my RG would think those addresses are local and not route them to AT&T, I would be unable to communicate with whoever actually owns those addresses. But this seemed like a minor price to pay to recover three precious public IPv4 addresses.
So I reconfigured my RG to say that my block began at 184.108.40.206 and ended at 220.127.116.11. I.e., in CIDR notation it was 18.104.22.168/27 vs the actual 22.214.171.124/29, or in netmask notation 126.96.36.199 netmask 255.255.255.192 vs 188.8.131.52 netmask 255.255.255.248. Then the RG should establish the following three unusable addresses: 184.108.40.206 as the base address, 220.127.116.11 as the broadcast address and 18.104.22.168 for itself. All three would be outside my actual block where they would cause no harm. And then all 8 addresses in my actual block should then become usable!
Natually I also had to reconfigure my static hosts, mainly by changing the address of the default router from 22.214.171.124 to 126.96.36.199.
As expected, the RG now answered ARP requests for 188.8.131.52. And it continued to route my existing 5 IP addresses just fine. So then I brought up another machine with the previously unusable address 184.108.40.206 at the base of my actual block. It could ping the router, but it could not ping the outside world. I went to an outside host and tried to ping 220.127.116.11. I expected to see the RG ARP for this address, but...nothing. Same for the other unusable addresses.
Damn. I don't know why this doesn't work. Obviously there is something here I don't understand correctly.