Inefficient Use of Small IP Address Blocks


AT&T reserves three IP addresses in each block of static IP addresses, and this is very inefficient when the blocks are small. I suspect that they do this through simple inertia, as it was once common practice. But the IPv4 address space is under serious pressure. To the extent that some of their users have to upgrade to larger address blocks because of this inefficiency, their costs are increased and the IPv4 address space is used less efficiently.


AT&T offers the option to lease static IP address blocks of various sizes. The smallest is a block of 8 addresses, i.e., a /29 subnet, which is sufficient for many home and small business networks. However, they reserve three addresses in each block: the bottom address and the top two addresses. In a block with only 8 addresses, this results in an efficiency of only 62.5% and contributes to the pressure on the IPv4 address space.

For example, I have a block of 8 static IP addresses from through, inclusive, so is reserved, is taken by the router inside the 3800 Residential Gateway, and is the subnet broadcast address. Let's discuss each in turn.

The base address

In the earliest days of the Internet, some subnetworks used the first (or base) address as the directed broadcast address. That is, a computer anywhere on the Internet could send a broadcast to all the hosts on some remote subnetwork by sending to this address. Eventually the convention became to use the highest address in a subnetwork block as the subnetwork-specific broadcast address, while the first address denoted the subnetwork as a whole in routing table entries as opposed to the first individual host on that network.

Then Classless Internet Domain Routing (CIDR) became widespread, and subnetworks were denoted by the base address plus either a netmask or a CIDR bit count. For example, my network can be referred to as either with a netmask of, or as simply (By the way, I claim credit for this slash subnet notation as part of my work in the mid 1980s bringing up TCP/IP over amateur packet radio.)

The addition of a netmask distinguishes a subnetwork from the host assigned the lowest address on that subnetwork, so there is no longer any need to reserve the first address. But AT&T still does it for some reason, making one less address available to a user's computer for no good reason.

Assuming that AT&T's internal routers implement CIDR, and it is hard to imagine that they don't, this restriction could be lifted easily with just a firmware change to the 3800. It should treat the first address in a static IP address block as an ordinary address, ARPing for it on the customer's network instead of disallowing its use and rejecting all inbound traffic for it.

The broadcast address

While it makes somewhat more sense to reserve a broadcast address, this too is most likely unnecessary and wasteful in most situations. The original purpose of a subnetwork broadcast address (e.g., in my network) was to allow a remote computer to send a packet that would be handled as a unicast by the Internet but turn into a broadcast on the destination subnetwork that would be received by every host on it.

This has long been seen as both not very useful and a potential security hole, particularly a denial-of-service threat, and in fact the U-verse gateway blocks such packets.

Since only local computers can broadcast to the local network, they can just as easily use the IPv4 broadcast address that is reserved by IANA for this purpose. Many applications that might otherwise use the IP broadcast address are increasingly making use of special application-specific multicast addresses, further reducing the need to reserve a subnet broadcast address. For example, Apple's Bonjour, itself an implementation of Zero configuration networking, uses the special multicast address and UPnP uses The U-verse video system is heavily based on IP multicasting, using the private ("walled garden") multicast address block

The broadcast address is one of the parameters configured by the Dynamic Host Configuration Protocol (DHCP) server in the 3800 RG. So once again, the required changes are limited to the software running in the 3800: treating the top address in a static IP block as an ordinary address and specifying the broadcast address as when configuring hosts on the local network with DHCP. (Any manually configured hosts would require a manual change in the broadcast address.)

The router address

We now come to the address used by the RG itself. This makes somewhat more sense than the other two reserved addresses, but even this could be avoided given that the public IPv4 address space is so tight.

Hosts on a network use the subnet mask to distinguish between IP addresses that belong to other computers on the same subnet and those elsewhere on the Internet that must be reached through a router. When my computers are configured with the subnetwork, they will issue an ARP request to find the Ethernet MAC address belonging to any destination address in the range through 95 inclusive. When the destination lies outside this range, they instead issue an ARP request for the default router and then send the packet in an Ethernet frame to that router. They are, in effect, using a global resource as a local label and again this is wasteful given the scarcity of IPv4 addresses. There should be an alternative.

Most cable and DSL services allocate customer IP addresses, including blocks of static addresses, from relatively large subnetworks shared with other users. For example, there is no particular reason I have to be issued the subnetwork as opposed to a block of 8 ordinary addresses somewhere in the middle of the subnetwork. This allows every customer who shares the larger subnetwork to share a single router address, e.g., If a subnet broadcast address were still considered necessary for some reason (e.g., that could also be shared.

But what if customers who share a subnetwork want to talk directly to each other? No problem: use proxy ARP. Ordinarily, routers answer an ARP request only for its own IP address; it expects the host computers on each subnet to answer ARP requests for their own addresses. In proxy ARP, the router answers ARP requests for hosts not actually on the local network so they can be reached as though they were. Every cable and DSL provider I've checked does it this way, so it is a common practice.

Addendum: a clever trick fails

I had an idea for a way to "trick" Uverse into not wasting those three precious public IP addresses in my block of 8. But it didn't work.

As far as I could tell, AT&T's routers do not distingush among the eight addresses in my block. They route the three unusable addresses to my RG along with the usable five, and it's only the RG that refuses to pass them to my LAN. My evidence for this is the RG's log, which is filled with firewall rejections of crackers attempting to break into my machines. For the 5 working IP addresses the RG only rejects and logs attempts to connect to port 445 (Microsoft Windows file sharing), but it rejects and logs every attempt to communicate with the three unusuable addresses. So it seemed like packets to those addresses were being routed to me normally by AT&T's network, and it was only the RG that kept me from getting them.

That gave me an idea - what if I lied to the RG about the size of my subnet? The unusable addresses are all at the block edges - one on the bottom and two on the top - so suppose I told my RG that my subnet began below its true start and ended past its true end? Then it just might reclassify the three unusable addresses as ordinary usable addresses within my fictitious large block.

Obviously I wouldn't be able to use any addresses outside of my assigned block of 8, as AT&T will continue to route them to their rightful owners. That's fine, I'm not trying to get something I'm not paying for; I'm only trying to use what I am paying for. Furthermore, because my RG would think those addresses are local and not route them to AT&T, I would be unable to communicate with whoever actually owns those addresses. But this seemed like a minor price to pay to recover three precious public IPv4 addresses.

So I reconfigured my RG to say that my block began at and ended at I.e., in CIDR notation it was vs the actual, or in netmask notation netmask vs netmask Then the RG should establish the following three unusable addresses: as the base address, as the broadcast address and for itself. All three would be outside my actual block where they would cause no harm. And then all 8 addresses in my actual block should then become usable!

Natually I also had to reconfigure my static hosts, mainly by changing the address of the default router from to

As expected, the RG now answered ARP requests for And it continued to route my existing 5 IP addresses just fine. So then I brought up another machine with the previously unusable address at the base of my actual block. It could ping the router, but it could not ping the outside world. I went to an outside host and tried to ping I expected to see the RG ARP for this address, but...nothing. Same for the other unusable addresses.

Damn. I don't know why this doesn't work. Obviously there is something here I don't understand correctly.

Last modified: Wed Feb 3 18:53:07 PST 2010