<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Artem Kohanevich</title>
    <description>The latest articles on DEV Community by Artem Kohanevich (@kohanevich).</description>
    <link>https://dev.to/kohanevich</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3615451%2Ffc20ad4b-093a-49b2-9988-8e2473378698.png</url>
      <title>DEV Community: Artem Kohanevich</title>
      <link>https://dev.to/kohanevich</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/kohanevich"/>
    <language>en</language>
    <item>
      <title>IP Transit: What Actually Happens Before Your Network Reaches the Internet</title>
      <dc:creator>Artem Kohanevich</dc:creator>
      <pubDate>Wed, 08 Jul 2026 13:48:43 +0000</pubDate>
      <link>https://dev.to/kohanevich/ip-transit-what-actually-happens-before-your-network-reaches-the-internet-46dg</link>
      <guid>https://dev.to/kohanevich/ip-transit-what-actually-happens-before-your-network-reaches-the-internet-46dg</guid>
      <description>&lt;p&gt;You can have racks, routers, servers, switches, and clean configs — but none of that makes your network reachable from the public internet by default.&lt;/p&gt;

&lt;p&gt;For that, you need &lt;strong&gt;IP transit&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;IP transit is the service that connects your autonomous system to the rest of the internet. Your upstream provider carries your traffic to other networks and announces your prefixes so return traffic knows how to find you.&lt;/p&gt;

&lt;p&gt;In other words: transit is what turns your network from an isolated island into part of the global routing system.&lt;/p&gt;

&lt;h2&gt;
  
  
  How IP Transit Works
&lt;/h2&gt;

&lt;p&gt;At the technical level, IP transit usually looks like this:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Your router connects to the transit provider’s router.&lt;/li&gt;
&lt;li&gt;You establish a BGP session.&lt;/li&gt;
&lt;li&gt;The provider sends you routes, often the full internet routing table.&lt;/li&gt;
&lt;li&gt;You announce your own prefixes.&lt;/li&gt;
&lt;li&gt;The provider propagates those announcements to its peers and upstreams.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;That last step matters a lot. Sending traffic out is only half the job. If your prefixes are not announced correctly, the rest of the internet will not know how to send traffic back.&lt;/p&gt;

&lt;p&gt;For IPv4, the practical minimum is usually a &lt;strong&gt;/24&lt;/strong&gt;, because smaller prefixes are commonly filtered.&lt;/p&gt;

&lt;h2&gt;
  
  
  Transit vs Peering
&lt;/h2&gt;

&lt;p&gt;Transit and peering are related, but they solve different problems.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;IP transit&lt;/strong&gt; gives you reachability to the whole internet. You pay a provider, usually per Mbps, and they carry your traffic globally.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Peering&lt;/strong&gt; lets you exchange traffic directly with another network, often through an internet exchange. It is great for cost and latency when you have enough traffic with specific networks, but it does not replace transit for most operators.&lt;/p&gt;

&lt;p&gt;The common path is simple:&lt;/p&gt;

&lt;p&gt;Start with transit. Add peering later when traffic volume makes it worth it.&lt;/p&gt;

&lt;h2&gt;
  
  
  What You Need Before Buying Transit
&lt;/h2&gt;

&lt;p&gt;Before a transit provider can bring you online, you typically need:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;An &lt;strong&gt;ASN&lt;/strong&gt; to identify your network in BGP&lt;/li&gt;
&lt;li&gt;A &lt;strong&gt;BGP-capable router&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;An upstream/transit agreement&lt;/li&gt;
&lt;li&gt;IPv4 and/or IPv6 address space you are allowed to announce&lt;/li&gt;
&lt;li&gt;Correct routing objects and, ideally, RPKI ROAs&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The first three are usually straightforward.&lt;/p&gt;

&lt;p&gt;IPv4 is where things often slow down.&lt;/p&gt;

&lt;h2&gt;
  
  
  The IPv4 Problem
&lt;/h2&gt;

&lt;p&gt;IPv6 is available. IPv4 is not.&lt;/p&gt;

&lt;p&gt;In the RIPE region, the free IPv4 pool has been exhausted for years. If you need IPv4 today, your main options are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Wait for allocation&lt;/li&gt;
&lt;li&gt;Buy space on the transfer market&lt;/li&gt;
&lt;li&gt;Lease IPv4 blocks&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Each option has trade-offs.&lt;/p&gt;

&lt;p&gt;Waiting can take a long time. Buying requires upfront capital. Leasing gives operators a faster way to get announceable address space without locking themselves into a large purchase.&lt;/p&gt;

&lt;p&gt;For hosting providers, ISPs, CDNs, and infrastructure teams, this can be the difference between launching now and waiting months.&lt;/p&gt;

&lt;h2&gt;
  
  
  Pricing Is Not Just “$/Mbps”
&lt;/h2&gt;

&lt;p&gt;IP transit pricing is usually quoted per Mbps per month, but the number depends on context:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Commit size&lt;/li&gt;
&lt;li&gt;Location&lt;/li&gt;
&lt;li&gt;Provider tier&lt;/li&gt;
&lt;li&gt;Billing model&lt;/li&gt;
&lt;li&gt;SLA&lt;/li&gt;
&lt;li&gt;DDoS protection&lt;/li&gt;
&lt;li&gt;Route quality&lt;/li&gt;
&lt;li&gt;Redundancy&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A low price in a major hub at 100 Gbps does not mean the same price exists for a small commit in a less connected market.&lt;/p&gt;

&lt;p&gt;Also, cheaper transit is not always better transit. Bad routes, weak support, or poor visibility can cost more than the savings.&lt;/p&gt;

&lt;h2&gt;
  
  
  Practical Takeaway
&lt;/h2&gt;

&lt;p&gt;IP transit is the foundation of public internet reachability.&lt;/p&gt;

&lt;p&gt;To bring a network online, you need more than bandwidth. You need BGP, an ASN, upstream connectivity, route propagation, and address space that the global internet will accept.&lt;/p&gt;

&lt;p&gt;And in many real deployments, IPv4 becomes the bottleneck — not the router, not the contract, and not the cross-connect.&lt;/p&gt;

&lt;p&gt;So plan for IPv4 early. If your network depends on it, your rollout timeline probably does too.&lt;/p&gt;

&lt;p&gt;Full version: &lt;a href="https://ipbnb.com/blog/what-is-ip-transit" rel="noopener noreferrer"&gt;What Is IP Transit?&lt;/a&gt;&lt;/p&gt;

</description>
      <category>infrastructure</category>
      <category>devops</category>
      <category>network</category>
    </item>
    <item>
      <title>IPv8: A Beautiful Spec With a Threat Model Problem</title>
      <dc:creator>Artem Kohanevich</dc:creator>
      <pubDate>Tue, 30 Jun 2026 13:26:20 +0000</pubDate>
      <link>https://dev.to/kohanevich/ipv8-a-beautiful-spec-with-a-threat-model-problem-2gp9</link>
      <guid>https://dev.to/kohanevich/ipv8-a-beautiful-spec-with-a-threat-model-problem-2gp9</guid>
      <description>&lt;p&gt;I work in the IPv4 address market, which means a new addressing proposal hits my inbox the moment it goes public. Most are noise. &lt;code&gt;draft-thain-ipv8&lt;/code&gt;, submitted to the IETF in April 2026, is more interesting than most - not because it'll ship (it won't), but because its architecture is a clean case study in how a well-intentioned spec can accidentally specify a surveillance platform. Let's read it like engineers.&lt;/p&gt;

&lt;h2&gt;
  
  
  The naming collision (skip if you already know)
&lt;/h2&gt;

&lt;p&gt;Three unrelated things share the name "IPv8":&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;py-ipv8&lt;/strong&gt; - a working P2P overlay from TU Delft over UDP, using Curve25519/Ed25519 identities. Nothing to do with TCP/IP replacement. The name is a joke about IPv6 adoption.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;PIP (historical IPv8)&lt;/strong&gt; - Paul Francis, 1992, RFC 1621/1622. Lost the IPng race to SIPP because variable-length addresses were murder in hardware. Historic since 2016.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;draft-thain-ipv8&lt;/strong&gt; - the 2026 individual submission everyone is arguing about. This post is only about that one.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  The addressing model
&lt;/h2&gt;

&lt;p&gt;IPv8 defines a 64-bit address laid out as &lt;code&gt;r.r.r.r.n.n.n.n&lt;/code&gt; - eight octets:&lt;/p&gt;

&lt;p&gt;+-------------------+-------------------+&lt;/p&gt;

&lt;p&gt;|   ASN (32 bits)   |  Host (32 bits)   |&lt;/p&gt;

&lt;p&gt;+-------------------+-------------------+&lt;/p&gt;

&lt;p&gt;r.r.r.r           n.n.n.n&lt;/p&gt;

&lt;p&gt;The high 32 bits carry an ASN; the low 32 bits are a host address with IPv4 semantics. The backward-compatibility hook is the part worth pausing on:&lt;/p&gt;

&lt;p&gt;if (asn_prefix == 0.0.0.0) {&lt;/p&gt;

&lt;p&gt;// treat as legacy IPv4, standard rules apply&lt;/p&gt;

&lt;p&gt;}&lt;/p&gt;

&lt;p&gt;So &lt;code&gt;0.0.0.0.a.b.c.d&lt;/code&gt; &lt;em&gt;is&lt;/em&gt; IPv4. Clean idea on paper.&lt;/p&gt;

&lt;p&gt;The consequences are large:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Each ASN holder gets &lt;code&gt;2^32&lt;/code&gt; host addresses (~4.3 billion). Exhaustion stops being a meaningful constraint at any org scale.&lt;/li&gt;
&lt;li&gt;The global routing table - currently 900k+ prefixes with no structural ceiling - gets capped near one entry per ASN (~175k today), because deaggregation below /16 is forbidden. That's the architecturally bounded BGP table people have wanted for years.&lt;/li&gt;
&lt;li&gt;Header cost: +8 bytes vs IPv4 (source and destination each grow 32 → 64 bits). TTL, Protocol, Flags, Checksum are unchanged.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is the genuinely attractive half of the draft. If you've ever stared at the routing table growth curve and winced, the bounding mechanism is hard not to like.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Zone Server
&lt;/h2&gt;

&lt;p&gt;Here's where it stops being an addressing proposal and becomes a platform. IPv8 mandates a per-segment &lt;strong&gt;Zone Server&lt;/strong&gt;, active/active, that consolidates basically everything:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Service&lt;/th&gt;
&lt;th&gt;Role&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;DHCP8&lt;/td&gt;
&lt;td&gt;Address assignment&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;DNS8&lt;/td&gt;
&lt;td&gt;Resolution&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NTP8&lt;/td&gt;
&lt;td&gt;Time&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;OAuth8&lt;/td&gt;
&lt;td&gt;Authentication (OAuth2 + JWT)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;WHOIS8&lt;/td&gt;
&lt;td&gt;Route validation&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;ACL8&lt;/td&gt;
&lt;td&gt;Access control&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NetLog8&lt;/td&gt;
&lt;td&gt;Telemetry / logging&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;XLATE8&lt;/td&gt;
&lt;td&gt;IPv4 ↔ IPv8 translation&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;A device joins, fires one DHCP8 request, and gets every service endpoint in a single reply. Auth is JWT validated locally, no round trip to an external IdP. From an ops perspective, the "one box, one request" story is genuinely elegant.&lt;/p&gt;

&lt;p&gt;Routing decisions run on a 32-bit &lt;strong&gt;Cost Factor&lt;/strong&gt;, accumulated from seven inputs: RTT, packet loss, congestion window state, session stability, link capacity, economic policy, and great-circle distance as a speed-of-light floor. That last one is sharp - any path claiming to beat the physics floor is flagged as anomalous by definition. I like it as a design instinct.&lt;/p&gt;

&lt;p&gt;Transition avoids a flag day via &lt;code&gt;8to4&lt;/code&gt; tunnelling encapsulated over HTTPS, so it slips through firewalls without per-box config.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where it breaks (the ordinary objections)
&lt;/h2&gt;

&lt;p&gt;The community pushback is fair and mostly consistent:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;No process.&lt;/strong&gt; IPv6 came out of a multi-year working-group bake-off (CATNIP, TUBA, SIPP). This is a solo I-D with no WG, no sponsor, and a datatracker page that says outright it isn't endorsed. It expires Oct 19, 2026 absent adoption.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Layering violation.&lt;/strong&gt; OAuth2/JWT is Layer 7 logic shoved into Layer 3. Access switches, industrial controllers, and basic routers aren't built to do application-level authz at line rate. I'm softer on this than most - hardware refreshes on 7-10 year cycles regardless, and ISPs ship ~180M CPE units a year - but "the silicon could eventually do it" is not the same as "the ecosystem will require it."&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The Version field.&lt;/strong&gt; Every ASIC checks the IP Version field and drops anything that isn't 4 or 6. A Version 8 packet dies at hop one. XLATE8 is the answer - legacy devices behind an IPv8 gateway emit plain IPv4 and never send a Version 8 packet - but the whole transition story rests on XLATE8 being as transparent in production as the spec claims, and nobody has tested that.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Provenance.&lt;/strong&gt; GPTZero reportedly flagged ~76% of the text as likely AI-generated. The author acknowledges AI assistance. The concern isn't the tool; it's whether the design reflects lived operational experience.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Timing.&lt;/strong&gt; Two weeks before the draft argued IPv6 had failed, Google's IPv6 traffic crossed 50% for the first time. The premise aged badly in real time.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  The part the technical critique mostly misses
&lt;/h2&gt;

&lt;p&gt;All of the above is solvable in principle. The thing that isn't solvable by iteration is what the Zone Server &lt;em&gt;becomes&lt;/em&gt; once you treat it as a threat model instead of a feature list.&lt;/p&gt;

&lt;p&gt;Walk the mechanisms as an adversary would:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;DNS8 is not swappable.&lt;/strong&gt; Today, DNS censorship is the weakest control - flip your resolver to &lt;code&gt;1.1.1.1&lt;/code&gt; and you're out. Under IPv8, resolution lives in the mandatory egress box. There is no "use another resolver." Unresolved destination → dropped locally, before the packet ever leaves your segment.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;WHOIS8 is a registry-level kill switch.&lt;/strong&gt; Every destination ASN must be present and valid in WHOIS8 or the packet is dropped, and unvalidated routes are never installed at the BGP8 level at all. So censorship stops requiring DPI or border filtering - pressure the registry, remove the record, and the target is unreachable at the protocol layer everywhere IPv8 runs. No record, no route, no reachability.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;OAuth2/JWT ends anonymous connections by design.&lt;/strong&gt; Every managed device authenticates before its first packet. The stated goal is killing malware C2 - legitimate. The side effect is that the anonymity Tor and VPNs rely on stops existing at the IP layer, and whoever holds the identity infrastructure can attribute every connection.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;NetLog8 makes logging mandatory.&lt;/strong&gt; Real-time telemetry at every Zone Server - every auth, connection, and policy hit, timestamped. "Observability for operators" and "comprehensive surveillance record for a state actor" are the same dataset.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;And the spec is silent exactly where it shouldn't be: no governance model for who runs the Zone Server, no oversight on WHOIS8 record removal, no judicial-review path for ACL8 rules or JWT revocation. The entire thing assumes good-faith operators. That assumption does not survive contact with a meaningful chunk of the world's governments.&lt;/p&gt;

&lt;p&gt;We've seen this shape before. Huawei's 2020 "New IP" pitch to the ITU-T proposed per-packet, authenticated, government-controllable filtering at the network layer and was rejected by the IETF, ISOC, and several governments precisely because it baked control into the protocol. IPv8 reaches a structurally identical endpoint through different mechanisms - apparently without the author intending it. Intent doesn't edit the architecture.&lt;/p&gt;

&lt;p&gt;The clean way to put it: today a national firewall is expensive overlay infrastructure fighting a protocol built for openness. IPv8 inverts the relationship. The authenticated, logged, gateway-validated network becomes the base layer, and the open internet becomes the overlay you have to fight to reach.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why an IPv4 trader cares
&lt;/h2&gt;

&lt;p&gt;Short term: nothing. The draft expires without WG adoption, no vendor or RIR backs it, and IPv4 leasing is unaffected.&lt;/p&gt;

&lt;p&gt;Longer term, two things are worth watching:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;The addressing logic.&lt;/strong&gt; If a future, better-sponsored proposal inherits the "each ASN holder gets a giant block" model while keeping IPv4 backward compatibility, it attacks both pillars the secondary IPv4 market rests on - scarcity and IPv6 transition cost - simultaneously. That's speculative and distant, but it's the scenario to model.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The control pattern.&lt;/strong&gt; Consolidating resolution, identity, route validation, and logging into one mandatory platform will resurface in proposals that &lt;em&gt;do&lt;/em&gt; have momentum. When it does, the only question that matters is who controls the platform.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Takeaway
&lt;/h2&gt;

&lt;p&gt;&lt;code&gt;draft-thain-ipv8&lt;/code&gt; is not going to standardize. But it's a useful artifact: it proves you can bound the BGP table and unify network management at the protocol layer - and it proves that the same consolidation, done without a governance model, hands you a censorship substrate for free. The address format being elegant doesn't change that. The end-to-end principle is the thing keeping those two outcomes separable, and it's worth defending precisely when the alternative looks this tidy.&lt;/p&gt;

&lt;p&gt;Full technical write-up with the rest of the spec breakdown is here: &lt;a href="https://ipbnb.com/blog/ipv8-internet-protocol" rel="noopener noreferrer"&gt;https://ipbnb.com/blog/ipv8-internet-protocol&lt;/a&gt;&lt;/p&gt;

</description>
      <category>infrastructure</category>
      <category>security</category>
      <category>networking</category>
    </item>
    <item>
      <title>Don't Let Your IPAM Drift: Managing Leased IPv4 the API-First Way</title>
      <dc:creator>Artem Kohanevich</dc:creator>
      <pubDate>Wed, 17 Jun 2026 04:04:11 +0000</pubDate>
      <link>https://dev.to/kohanevich/dont-let-your-ipam-drift-managing-leased-ipv4-the-api-first-way-1pmo</link>
      <guid>https://dev.to/kohanevich/dont-let-your-ipam-drift-managing-leased-ipv4-the-api-first-way-1pmo</guid>
      <description>&lt;p&gt;Almost every IPAM mess I've debugged traces back to one root cause: the record and the reality drifted apart. Someone assigned an address and forgot to log it. A block expired and nothing flagged it. The spreadsheet said one thing, the routers said another.&lt;/p&gt;

&lt;p&gt;With owned IPv4 you can usually recover from that. With leased IPv4 you have less room, because a leased block carries three things owned space doesn't: an expiry date, a reputation you inherited, and an owner who isn't you. You either manage those as data, or they end up managing you.&lt;/p&gt;

&lt;p&gt;Here's how I'd wire it up.&lt;/p&gt;

&lt;h2&gt;
  
  
  Start with the data model
&lt;/h2&gt;

&lt;p&gt;Before reaching for any tool, decide what a leased block actually &lt;em&gt;is&lt;/em&gt; in your system. At minimum:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;prefix&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;203.0.113.0/24&lt;/span&gt;
&lt;span class="na"&gt;status&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;active&lt;/span&gt;
&lt;span class="na"&gt;lease&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;owner&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;ACME-LIR&lt;/span&gt;
  &lt;span class="na"&gt;start&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;2026-06-01&lt;/span&gt;
  &lt;span class="na"&gt;expiry&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;2027-06-01&lt;/span&gt;
  &lt;span class="na"&gt;loa_reference&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;LOA-2026-0481&lt;/span&gt;
&lt;span class="na"&gt;routing&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;origin_asn&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;64500&lt;/span&gt;
  &lt;span class="na"&gt;roa_status&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;valid&lt;/span&gt;          &lt;span class="c1"&gt;# valid | invalid | unknown&lt;/span&gt;
  &lt;span class="na"&gt;irr_registered&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;
&lt;span class="na"&gt;reputation&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;status&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;clean&lt;/span&gt;              &lt;span class="c1"&gt;# clean | listed | watch&lt;/span&gt;
  &lt;span class="na"&gt;last_checked&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;2026-06-15&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The three fields that make leased space different - &lt;code&gt;lease.expiry&lt;/code&gt;, &lt;code&gt;lease.owner&lt;/code&gt;, and &lt;code&gt;reputation.status&lt;/code&gt; - are exactly the ones a generic IPAM setup tends to leave out. Don't leave them out.&lt;/p&gt;

&lt;h2&gt;
  
  
  Model it in NetBox, and let the API do the writing
&lt;/h2&gt;

&lt;p&gt;NetBox is the tool I reach for here: open-source, IPAM plus DCIM, and an API that covers everything the UI does. Define the lease fields once as custom fields (&lt;code&gt;lease_owner&lt;/code&gt;, &lt;code&gt;lease_expiry&lt;/code&gt;, &lt;code&gt;loa_reference&lt;/code&gt;, &lt;code&gt;roa_status&lt;/code&gt;, &lt;code&gt;reputation&lt;/code&gt;), then register a freshly leased block in a single call:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;pynetbox&lt;/span&gt;

&lt;span class="n"&gt;nb&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;pynetbox&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;api&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;https://netbox.internal&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;token&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;&amp;lt;token&amp;gt;&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

&lt;span class="n"&gt;nb&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;ipam&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;prefixes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;create&lt;/span&gt;&lt;span class="p"&gt;({&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;prefix&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;203.0.113.0/24&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;status&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;active&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;description&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Leased /24 - web tier&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;custom_fields&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;lease_owner&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;ACME-LIR&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;lease_expiry&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;2027-06-01&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;loa_reference&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;LOA-2026-0481&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;roa_status&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;valid&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;reputation&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;clean&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="p"&gt;},&lt;/span&gt;
&lt;span class="p"&gt;})&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now the lease metadata lives next to the prefix, not in a contract PDF nobody opens.&lt;/p&gt;

&lt;h2&gt;
  
  
  Allocate addresses through the API, not by hand
&lt;/h2&gt;

&lt;p&gt;Manual assignment is the single biggest source of drift. Close that gap by allocating from NetBox's next-available-IP endpoint, so the assignment and the record are the same operation:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="n"&gt;prefix&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;nb&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;ipam&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;prefixes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;prefix&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;203.0.113.0/24&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

&lt;span class="n"&gt;ip&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;prefix&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;available_ips&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;create&lt;/span&gt;&lt;span class="p"&gt;({&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;description&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;web-01&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;dns_name&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;web-01.customer.example&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="p"&gt;})&lt;/span&gt;

&lt;span class="nf"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ip&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;address&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;   &lt;span class="c1"&gt;# -&amp;gt; 203.0.113.5/24
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;There's no window where inventory and reality disagree, because writing the record &lt;em&gt;is&lt;/em&gt; the allocation. Wire this into your provisioning flow and the "who's on this address?" problem stops existing.&lt;/p&gt;

&lt;h2&gt;
  
  
  Verify routing before you announce, and know who owns the ROA
&lt;/h2&gt;

&lt;p&gt;This is the leased-space gotcha that trips up strong teams: you cannot create your own ROA for leased space. Only the resource holder - the block owner, or the platform you leased from - can create the Route Origin Authorization, update the IRR route objects, and issue the LOA. Your job is to &lt;em&gt;confirm&lt;/em&gt; it's all in place and that your origin validates before you announce a single route.&lt;/p&gt;

&lt;p&gt;A quick scripted check against RIPEstat:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;curl &lt;span class="nt"&gt;-s&lt;/span&gt; &lt;span class="s2"&gt;"https://stat.ripe.net/data/rpki-validation/data.json?resource=AS64500&amp;amp;prefix=203.0.113.0/24"&lt;/span&gt; &lt;span class="se"&gt;\&lt;/span&gt;
  | jq &lt;span class="nt"&gt;-r&lt;/span&gt; &lt;span class="s1"&gt;'.data.status'&lt;/span&gt;
&lt;span class="c"&gt;# -&amp;gt; valid&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If that returns &lt;code&gt;invalid&lt;/code&gt; or &lt;code&gt;unknown&lt;/code&gt;, stop and fix it with the owner before the prefix goes live - otherwise every network running ROV will drop your routes. Fold the result straight back into &lt;code&gt;routing.roa_status&lt;/code&gt; so your inventory reflects what the routing table actually believes.&lt;/p&gt;

&lt;h2&gt;
  
  
  Treat reputation as a scheduled job
&lt;/h2&gt;

&lt;p&gt;You inherit a block's history, so check it before assignment and keep checking on a timer. The DNSBL mechanism is simple enough to script and stay list-agnostic - point &lt;code&gt;$DNSBL_ZONE&lt;/code&gt; at whichever current lists you trust:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;check_dnsbl&lt;span class="o"&gt;()&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
  &lt;span class="nb"&gt;local &lt;/span&gt;&lt;span class="nv"&gt;ip&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="nv"&gt;$1&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt; &lt;span class="nv"&gt;zone&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="nv"&gt;$2&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;
  &lt;span class="nb"&gt;local &lt;/span&gt;reversed
  &lt;span class="nv"&gt;reversed&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="si"&gt;$(&lt;/span&gt;&lt;span class="nb"&gt;awk&lt;/span&gt; &lt;span class="nt"&gt;-F&lt;/span&gt;&lt;span class="nb"&gt;.&lt;/span&gt; &lt;span class="s1"&gt;'{print $4"."$3"."$2"."$1}'&lt;/span&gt; &lt;span class="o"&gt;&amp;lt;&amp;lt;&amp;lt;&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="nv"&gt;$ip&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="si"&gt;)&lt;/span&gt;

  &lt;span class="k"&gt;if &lt;/span&gt;dig +short &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="k"&gt;${&lt;/span&gt;&lt;span class="nv"&gt;reversed&lt;/span&gt;&lt;span class="k"&gt;}&lt;/span&gt;&lt;span class="s2"&gt;.&lt;/span&gt;&lt;span class="k"&gt;${&lt;/span&gt;&lt;span class="nv"&gt;zone&lt;/span&gt;&lt;span class="k"&gt;}&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt; | &lt;span class="nb"&gt;grep&lt;/span&gt; &lt;span class="nt"&gt;-q&lt;/span&gt; &lt;span class="s1"&gt;'^127\.'&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;then
    &lt;/span&gt;&lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s2"&gt;"LISTED &lt;/span&gt;&lt;span class="nv"&gt;$ip&lt;/span&gt;&lt;span class="s2"&gt; (&lt;/span&gt;&lt;span class="nv"&gt;$zone&lt;/span&gt;&lt;span class="s2"&gt;)"&lt;/span&gt;
  &lt;span class="k"&gt;else
    &lt;/span&gt;&lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s2"&gt;"clean  &lt;/span&gt;&lt;span class="nv"&gt;$ip&lt;/span&gt;&lt;span class="s2"&gt; (&lt;/span&gt;&lt;span class="nv"&gt;$zone&lt;/span&gt;&lt;span class="s2"&gt;)"&lt;/span&gt;
  &lt;span class="k"&gt;fi&lt;/span&gt;
&lt;span class="o"&gt;}&lt;/span&gt;

check_dnsbl 203.0.113.5 &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="nv"&gt;$DNSBL_ZONE&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Run it across the block on a schedule, write the result and timestamp back into &lt;code&gt;reputation.status&lt;/code&gt; / &lt;code&gt;last_checked&lt;/code&gt;, and alert on any change. Keep mail-sending IPs on separate, warmed space so one customer's mistake doesn't taint a block shared with everyone else.&lt;/p&gt;

&lt;h2&gt;
  
  
  Catch renewals before they catch you
&lt;/h2&gt;

&lt;p&gt;The authorizations that let you announce - the LOA and the ROA - are tied to the lease term. Let a lease lapse and you don't lose paperwork, you lose routing. So query for blocks nearing expiry on a cron and push them somewhere a human will actually look:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;datetime&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;date&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;timedelta&lt;/span&gt;
&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;pynetbox&lt;/span&gt;

&lt;span class="n"&gt;nb&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;pynetbox&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;api&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;https://netbox.internal&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;token&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;&amp;lt;token&amp;gt;&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="n"&gt;horizon&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;date&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;today&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt; &lt;span class="o"&gt;+&lt;/span&gt; &lt;span class="nf"&gt;timedelta&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;days&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="mi"&gt;60&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

&lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;p&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;nb&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;ipam&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;prefixes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;filter&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;status&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;active&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="n"&gt;expiry&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;p&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;custom_fields&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;lease_expiry&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;expiry&lt;/span&gt; &lt;span class="ow"&gt;and&lt;/span&gt; &lt;span class="n"&gt;date&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;fromisoformat&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;expiry&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;&amp;lt;=&lt;/span&gt; &lt;span class="n"&gt;horizon&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="nf"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Renewal due: &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;p&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;prefix&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s"&gt; - &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;p&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;custom_fields&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;lease_owner&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s"&gt; - &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;expiry&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Pipe that into Slack or your ticketing system and renewals become a planned task instead of a 2 a.m. incident.&lt;/p&gt;

&lt;h2&gt;
  
  
  Which tool?
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;phpIPAM&lt;/strong&gt; - free, light, supports custom fields, fine for smaller footprints you're happy to self-host.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;NetBox&lt;/strong&gt; - open-source, API-first, the one I'd build automation on (everything above assumes it).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SolarWinds IPAM&lt;/strong&gt; - mid-market, with discovery and conflict detection if you want the tool to reconcile itself against the network.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Infoblox&lt;/strong&gt; - enterprise DDI, integrated DNS/DHCP/IPAM, priced for scale.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Whatever you pick, the test is the same: can it store lease owner, expiry, and reputation, and can you write to it from code? If yes, you can keep records and reality in lockstep. If no, you'll be back to debugging drift.&lt;/p&gt;

&lt;p&gt;That's the whole philosophy - model the lease as data, let the API do the writing, and put reputation and renewals on a timer. The unglamorous automation is exactly what lets you scale leased IPv4 without surprises.&lt;/p&gt;

&lt;p&gt;If you want the longer, less code-heavy treatment - the full lease-to-deployment workflow, a setup checklist for new blocks, and a deeper tool comparison - I wrote it up here: &lt;strong&gt;&lt;a href="https://ipbnb.com/blog/ipam-leased-ipv4-best-practices" rel="noopener noreferrer"&gt;IP Address Management for Leased IPv4: Best Practices for Hosting Providers&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;

</description>
      <category>devops</category>
      <category>infrastructure</category>
      <category>automation</category>
      <category>networking</category>
    </item>
    <item>
      <title>Is Your IPv4 Block Blacklisted? Checking a /24 the DNSBL Way</title>
      <dc:creator>Artem Kohanevich</dc:creator>
      <pubDate>Thu, 11 Jun 2026 10:22:14 +0000</pubDate>
      <link>https://dev.to/kohanevich/is-your-ipv4-block-blacklisted-checking-a-24-the-dnsbl-way-3043</link>
      <guid>https://dev.to/kohanevich/is-your-ipv4-block-blacklisted-checking-a-24-the-dnsbl-way-3043</guid>
      <description>&lt;p&gt;If you own or lease IPv4 space, the reputation of your addresses is part of the asset. A block that's quietly listed on a major DNSBL doesn't deliver mail, fails the health checks renters run before they sign, and loses value on resale - and nothing proactively tells you it happened.&lt;/p&gt;

&lt;p&gt;Pasting one IP into a web form is fine for a spot check. If you're responsible for a whole block, here's how to actually query the reputation data and sweep a /24.&lt;/p&gt;

&lt;h2&gt;
  
  
  How a DNSBL lookup works
&lt;/h2&gt;

&lt;p&gt;A DNSBL (DNS-based blocklist, aka RBL) answers reputation queries over DNS. You reverse the octets of the IP, append the zone, and do an &lt;code&gt;A&lt;/code&gt; lookup. A &lt;code&gt;127.0.0.x&lt;/code&gt; answer means listed; &lt;code&gt;NXDOMAIN&lt;/code&gt; means clean.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# 203.0.113.5  -&amp;gt;  5.113.0.203&lt;/span&gt;
dig +short 5.113.0.203.zen.spamhaus.org
&lt;span class="c"&gt;# 127.0.0.x      = listed (the code tells you which list)&lt;/span&gt;
&lt;span class="c"&gt;# empty/NXDOMAIN = not listed&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For Spamhaus ZEN (their combined zone: SBL + CSS + XBL + PBL), the return code tells you &lt;em&gt;which&lt;/em&gt; list you're on:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Return code&lt;/th&gt;
&lt;th&gt;List&lt;/th&gt;
&lt;th&gt;Meaning&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;127.0.0.2&lt;/td&gt;
&lt;td&gt;SBL&lt;/td&gt;
&lt;td&gt;Manually listed spam/abuse source&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;127.0.0.3&lt;/td&gt;
&lt;td&gt;SBL CSS&lt;/td&gt;
&lt;td&gt;Auto-detected low-reputation sender&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;127.0.0.4 - .7&lt;/td&gt;
&lt;td&gt;XBL&lt;/td&gt;
&lt;td&gt;Compromised host / open proxy / botnet (the old CBL data lives here now)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;127.0.0.9&lt;/td&gt;
&lt;td&gt;SBL&lt;/td&gt;
&lt;td&gt;DROP/EDROP - hijacked or fully malicious range&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;127.0.0.10 / .11&lt;/td&gt;
&lt;td&gt;PBL&lt;/td&gt;
&lt;td&gt;Range that shouldn't send mail directly (often normal)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;One gotcha that trips people up:&lt;/strong&gt; Spamhaus's free public mirrors block queries coming from public/open resolvers like &lt;code&gt;8.8.8.8&lt;/code&gt; and &lt;code&gt;1.1.1.1&lt;/code&gt;, and return an error code in the &lt;code&gt;127.255.255.x&lt;/code&gt; range instead of real data. Run your checks through your own resolver, or grab a free Data Query Service (DQS) key and query the DQS zone. If you &lt;code&gt;dig&lt;/code&gt; through Google's resolver and get a strange answer, that's why.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sweeping a whole /24
&lt;/h2&gt;

&lt;p&gt;Once the query format makes sense, looping over the host range is trivial:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Sweep 203.0.113.0/24 against Spamhaus ZEN&lt;/span&gt;
&lt;span class="k"&gt;for &lt;/span&gt;i &lt;span class="k"&gt;in&lt;/span&gt; &lt;span class="si"&gt;$(&lt;/span&gt;&lt;span class="nb"&gt;seq &lt;/span&gt;1 254&lt;span class="si"&gt;)&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;do
  &lt;/span&gt;&lt;span class="nv"&gt;ans&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="si"&gt;$(&lt;/span&gt;dig +short &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="nv"&gt;$i&lt;/span&gt;&lt;span class="s2"&gt;.113.0.203.zen.spamhaus.org"&lt;/span&gt;&lt;span class="si"&gt;)&lt;/span&gt;
  &lt;span class="o"&gt;[&lt;/span&gt; &lt;span class="nt"&gt;-n&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="nv"&gt;$ans&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt; &lt;span class="o"&gt;]&lt;/span&gt; &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s2"&gt;"203.0.113.&lt;/span&gt;&lt;span class="nv"&gt;$i&lt;/span&gt;&lt;span class="s2"&gt; -&amp;gt; &lt;/span&gt;&lt;span class="nv"&gt;$ans&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;
&lt;span class="k"&gt;done&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;(Same resolver caveat applies - for a real sweep, point it at a resolver that isn't a public mirror.)&lt;/p&gt;

&lt;h2&gt;
  
  
  AbuseIPDB for aggregate scoring
&lt;/h2&gt;

&lt;p&gt;Spamhaus tells you listed/not-listed. AbuseIPDB gives you a crowdsourced &lt;em&gt;confidence&lt;/em&gt; score (0-100) per address, and its &lt;code&gt;check-block&lt;/code&gt; endpoint scores a whole subnet in one call:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;curl &lt;span class="nt"&gt;-G&lt;/span&gt; https://api.abuseipdb.com/api/v2/check-block &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--data-urlencode&lt;/span&gt; &lt;span class="s2"&gt;"network=203.0.113.0/24"&lt;/span&gt; &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;-d&lt;/span&gt; &lt;span class="nv"&gt;maxAgeInDays&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;90 &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;-H&lt;/span&gt; &lt;span class="s2"&gt;"Key: &lt;/span&gt;&lt;span class="nv"&gt;$ABUSEIPDB_KEY&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt; &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;-H&lt;/span&gt; &lt;span class="s2"&gt;"Accept: application/json"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The response lists every reported address in the block with its &lt;code&gt;abuseConfidenceScore&lt;/code&gt;. AbuseIPDB treats anything under 25 as noise; 75-100 is the range you'd actually block on. The free tier is 1,000 checks/day, and &lt;code&gt;check-block&lt;/code&gt; is capped at /24 - for a larger block, iterate over its /24s or use a paid tier.&lt;/p&gt;

&lt;h2&gt;
  
  
  What to do with a hit
&lt;/h2&gt;

&lt;p&gt;Two rules:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Fix the root cause before you request removal.&lt;/strong&gt; Delisting while the open relay, compromised host, or spam source is still live just gets you relisted - sometimes with self-service removal disabled the next time.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Never pay for delisting.&lt;/strong&gt; It's free everywhere. The return code points you at the path: SBL needs the owner-of-record or ISP to contact Spamhaus; XBL/CSS is self-service via &lt;code&gt;check.spamhaus.org&lt;/code&gt;; AbuseIPDB decays over time or you dispute; Barracuda has a manual removal form. Timelines run from minutes (PBL) to weeks (AbuseIPDB decay).&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;While you're in there, confirm the boring hygiene that keeps a block off lists in the first place: clean, consistent &lt;strong&gt;rDNS&lt;/strong&gt;, valid &lt;strong&gt;RPKI/ROA&lt;/strong&gt; so the origin checks out, and an &lt;code&gt;abuse@&lt;/code&gt; address that someone actually reads.&lt;/p&gt;

&lt;h2&gt;
  
  
  The part the sweep doesn't solve
&lt;/h2&gt;

&lt;p&gt;A sweep is a point-in-time snapshot. It tells you the block is clean &lt;em&gt;now&lt;/em&gt;. The moment you lease it out, reputation becomes a function of what your renter does - and a single compromised host or one spam run can list addresses within hours.&lt;/p&gt;

&lt;p&gt;Keeping a leased block clean is therefore continuous, not a one-off: screen who you hand a block to, watch abuse signals in real time, and de-provision fast enough that a listing never takes hold. That's most of the operational reason we built IPbnb the way we did - when a block is leased through the marketplace, that screening and monitoring runs in the background instead of landing on the owner. It won't scrub an existing listing, and no setup makes a block un-flaggable, but it keeps the day-to-day abuse-watching automated while the block earns.&lt;/p&gt;

&lt;p&gt;Either way: before you lease or sell a block, sweep it. It's a few minutes of &lt;code&gt;dig&lt;/code&gt; and one API call.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Full guide - every tool, return code, and delisting path by database:&lt;/strong&gt; &lt;a href="https://ipbnb.com/blog/ip-abuse-check-ipv4-blacklisted" rel="noopener noreferrer"&gt;https://ipbnb.com/blog/ip-abuse-check-ipv4-blacklisted&lt;/a&gt;&lt;/p&gt;

</description>
      <category>infrastructure</category>
      <category>devops</category>
      <category>security</category>
    </item>
    <item>
      <title>Whitelisting leased IPv4 blocks: 3 gotchas owned-space guides skip</title>
      <dc:creator>Artem Kohanevich</dc:creator>
      <pubDate>Fri, 05 Jun 2026 13:47:29 +0000</pubDate>
      <link>https://dev.to/kohanevich/whitelisting-leased-ipv4-blocks-3-gotchas-owned-space-guides-skip-394k</link>
      <guid>https://dev.to/kohanevich/whitelisting-leased-ipv4-blocks-3-gotchas-owned-space-guides-skip-394k</guid>
      <description>&lt;p&gt;IP whitelisting is the oldest trick in the access-control book: deny everything, allow a known set of source IPs, done. The firewall mechanics don't care whether the addresses behind your allowlist are owned or leased.&lt;/p&gt;

&lt;p&gt;The &lt;em&gt;operational&lt;/em&gt; reality does. I run a leasing platform, so I see where leased IP whitelisting quietly breaks - and it's never the firewall syntax. It's three things owned space lets you ignore.&lt;/p&gt;

&lt;h2&gt;
  
  
  1. You inherit a reputation you didn't earn
&lt;/h2&gt;

&lt;p&gt;A leased block usually has a past. If a previous renter spammed, scanned, or landed on Spamhaus / AbuseIPDB, that history can still cling to the addresses when they reach you.&lt;/p&gt;

&lt;p&gt;Why it bites whitelisting specifically: half the time &lt;em&gt;you're&lt;/em&gt; the one trying to get whitelisted - by a customer's firewall, a payment gateway, a partner API, an SMTP relay. Their automated reputation checks see a flagged range and quietly refuse, throttle, or shove you into extra verification. Your allowlist can be perfect and you still don't get onto theirs.&lt;/p&gt;

&lt;p&gt;Fix: start from a clean, vetted block, and re-check your own block's reputation on a schedule - it drifts, including from your own workloads.&lt;/p&gt;

&lt;h2&gt;
  
  
  2. The lease has a clock; your allowlist doesn't know that
&lt;/h2&gt;

&lt;p&gt;Owned IPs are yours indefinitely. A leased block is yours for a term. So any long-lived allowlist entry referencing leased space - yours sitting in a partner's firewall, or theirs sitting in yours - goes stale the moment that lease ends and the block gets reassigned.&lt;/p&gt;

&lt;p&gt;An allowlist entry that outlives the lease behind it isn't dead weight. It's an open door to whoever holds the block next.&lt;/p&gt;

&lt;p&gt;Treat the lease end date as a real event in your firewall lifecycle. Tag every leased-range entry with its expiry and review it then.&lt;/p&gt;

&lt;h2&gt;
  
  
  3. RPKI sits &lt;em&gt;upstream&lt;/em&gt; of your firewall
&lt;/h2&gt;

&lt;p&gt;A firewall allowlist filters traffic that already arrived. It does nothing to make the prefix route to you. If the ROA is missing or wrong, networks doing route origin validation drop your announcement - and now there's no traffic to whitelist in the first place.&lt;/p&gt;

&lt;p&gt;If you're bringing the leased block to a cloud via BYOIP, the ROA has to authorise that provider's ASN or it won't advertise at all. RPKI is a prerequisite, not an alternative.&lt;/p&gt;

&lt;h2&gt;
  
  
  The boring part that actually matters
&lt;/h2&gt;

&lt;p&gt;The cross-cloud best practice is the same everywhere: &lt;strong&gt;reference reusable objects, never hard-code CIDRs into individual rules.&lt;/strong&gt; That's what turns an end-of-lease change from a risky sweep into a one-line edit.&lt;/p&gt;

&lt;p&gt;On AWS, that's a customer-managed prefix list:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# define trusted sources once&lt;/span&gt;
aws ec2 create-managed-prefix-list &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--prefix-list-name&lt;/span&gt; trusted-sources &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--address-family&lt;/span&gt; IPv4 &lt;span class="nt"&gt;--max-entries&lt;/span&gt; 20 &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--entries&lt;/span&gt; &lt;span class="nv"&gt;Cidr&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;203.0.113.0/24,Description&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"partner-api"&lt;/span&gt;

&lt;span class="c"&gt;# reference it from the security group - not the raw CIDR&lt;/span&gt;
aws ec2 authorize-security-group-ingress &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--group-id&lt;/span&gt; sg-0abc &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--ip-permissions&lt;/span&gt; &lt;span class="nv"&gt;IpProtocol&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;tcp,FromPort&lt;span class="o"&gt;=&lt;/span&gt;443,ToPort&lt;span class="o"&gt;=&lt;/span&gt;443,&lt;span class="se"&gt;\&lt;/span&gt;
&lt;span class="nv"&gt;PrefixListIds&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s1"&gt;'[{PrefixListId=pl-0def,Description="HTTPS from partners"}]'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Change the range later? Edit the prefix list once; every referencing rule follows.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;GCP:&lt;/strong&gt; network / hierarchical firewall policies (Cloud NGFW), targeting workloads with IAM-governed tags instead of raw IPs.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Azure:&lt;/strong&gt; NSGs (rules evaluated lowest-priority-number first) plus ASGs to group your own backends by role.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;And the usual reminder: an IP proves &lt;em&gt;where&lt;/em&gt; a packet looks like it came from, not &lt;em&gt;who&lt;/em&gt; sent it. Pair the allowlist with real auth (mTLS, certs, an IdP). Whitelisting narrows the door; it doesn't check ID.&lt;/p&gt;

&lt;h2&gt;
  
  
  On automation - a quick critical take
&lt;/h2&gt;

&lt;p&gt;"Automate your allowlists" is good advice for &lt;em&gt;distribution&lt;/em&gt;: define ranges as code, sync from one reviewed source of truth, stop editing the same rule in 20 places. &lt;/p&gt;

&lt;p&gt;But watch the failure modes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Auto-discovery&lt;/strong&gt; that &lt;em&gt;adds&lt;/em&gt; IPs from a live feed grows your trusted set with nobody reviewing it - that's deny-by-default inverted.&lt;/li&gt;
&lt;li&gt;A pipeline that can push a CIDR everywhere at once is a single blast radius for one bad entry.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Self-healing&lt;/strong&gt; reconciliation will cheerfully re-add an entry you deliberately removed - including a leased range you retired at lease end. Revocation has to beat reconciliation, or it isn't revocation.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Automate distribution; keep a human gate on what &lt;em&gt;enters&lt;/em&gt; the source of truth.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;TL;DR:&lt;/strong&gt; leased IP whitelisting = standard allowlist discipline (default-deny, CIDR ranges, reusable objects, real auth, audits) + three leased-only rules: start clean, keep RPKI/ROA correct upstream, and diary the lease boundary.&lt;/p&gt;

&lt;p&gt;Longer write-up with the full per-provider setup here → &lt;a href="https://ipbnb.com/blog/ip-whitelisting-leased-ipv4" rel="noopener noreferrer"&gt;IP Whitelisting Best Practices for Leased IPv4 Blocks&lt;/a&gt;&lt;/p&gt;

</description>
      <category>networking</category>
      <category>security</category>
      <category>cloud</category>
      <category>devops</category>
    </item>
    <item>
      <title>IPv4 in 2026: Three Practical Positions for RIPE Operators</title>
      <dc:creator>Artem Kohanevich</dc:creator>
      <pubDate>Tue, 02 Jun 2026 11:18:42 +0000</pubDate>
      <link>https://dev.to/kohanevich/ipv4-in-2026-three-practical-positions-for-ripe-operators-n88</link>
      <guid>https://dev.to/kohanevich/ipv4-in-2026-three-practical-positions-for-ripe-operators-n88</guid>
      <description>&lt;p&gt;&lt;strong&gt;TL;DR:&lt;/strong&gt; If you run a network in the RIPE region, you're probably either sitting on idle IPv4, short of it, or in a position to lease it to others under your own brand. Here's what each option looks like operationally.&lt;/p&gt;




&lt;p&gt;Picture two operators at the same NOG meeting.&lt;/p&gt;

&lt;p&gt;One runs a regional ISP that moved its core behind IPv6 and CGNAT a few years back. A legacy /18 is still announced - just enough to hold the allocation - but it carries no real traffic and has earned nothing since the redesign. Clean, registered, idle.&lt;/p&gt;

&lt;p&gt;The other runs a growing access network and is out of address space. New subscribers sit behind CGNAT, and the support queue fills with the usual symptoms: broken inbound connections, IPsec and gaming complaints, mail reputation problems. Their only official supply option is a slot on the RIPE waiting list.&lt;/p&gt;

&lt;p&gt;They're each other's answer. The thing standing between them is infrastructure - LOAs, ROAs, routing, reputation checks, billing, contracts. That's the IPv4 secondary market in one sentence.&lt;/p&gt;

&lt;p&gt;If you operate in the RIPE region, you're probably closer to one of these two than you think - and often you're both. Three positions you can take:&lt;/p&gt;

&lt;h2&gt;
  
  
  1. Monetize idle IPv4
&lt;/h2&gt;

&lt;p&gt;A lot of RIPE members hold legacy space that went quiet after a redesign or an IPv6 migration. At roughly $80/month for a /24 (about $0.31 per address), a dormant /20 brings in around $1,270/month and a /16 around $20,300 - on infrastructure you already own and pay the flat RIPE fee to register.&lt;/p&gt;

&lt;p&gt;With sale prices at multi-year lows, leasing usually beats selling: income now, asset retained, no added registry cost. The common blockers - blacklist history, a messy RIPE/whois record, RPKI not configured - are routine cleanup, not dealbreakers. Typical sequence: audit and reputation check, then correct the records, set up RPKI with valid ROAs, and clear any blacklist entries. After that the subnet is ready to earn.&lt;/p&gt;

&lt;h2&gt;
  
  
  2. Lease the IPv4 you need
&lt;/h2&gt;

&lt;p&gt;RIPE's free pool has been gone since November 2019. The waiting list isn't a real supply channel - a single /24, a 12-24 month wait, hundreds of LIRs queued, and no timing guarantee. For adding subscribers this quarter, it's not a plan.&lt;/p&gt;

&lt;p&gt;CGNAT covers the gap but carries a real operational cost: port exhaustion, broken applications, abuse attribution headaches, geolocation problems, and the support load that follows.&lt;/p&gt;

&lt;p&gt;Leasing is the standard OPEX answer now. On the wire, leased space behaves exactly like owned space: announce the prefix from your ASN with a valid ROA and a matching LOA, and RPKI-validating peers treat it no differently. There's no 24-month transfer hold, and no large up-front payment locked into an asset while prices are still moving.&lt;/p&gt;

&lt;h2&gt;
  
  
  3. Resell IPv4 leasing under your own brand
&lt;/h2&gt;

&lt;p&gt;The one most operators overlook. If you already run a network, you have what an IP leasing business needs: client trust, working billing and support, regional relationships, and often your own address space. What's missing is the platform layer - listing and matching, compliance, reputation and delisting tooling.&lt;/p&gt;

&lt;p&gt;A white-label setup supplies that layer behind your brand. You lease to your own customers, bundle space with connectivity or hosting, and keep the margin instead of referring it out. Data centers and hosting providers fit this cleanly - it's an extension of what they already sell to colocation and hosting tenants. You stop being a buyer or seller in someone else's marketplace and become the marketplace.&lt;/p&gt;

&lt;p&gt;Across all three, the specialist work is the same - registry cleanup, compliance, routing, abuse monitoring - and it can sit with a platform partner rather than on your team. You don't have to become an IPv4 specialist to work this market.&lt;/p&gt;

&lt;p&gt;The infrastructure to connect the two operators in that room finally exists. The only real question is whether you use it actively or keep reacting to the shortage.&lt;/p&gt;




&lt;p&gt;Full write-up, with the complete breakdown of each path: &lt;a href="https://ipbnb.com/blog/ipv4-for-nog-2026" rel="noopener noreferrer"&gt;ipbnb.com/blog/ipv4-for-nog-2026&lt;/a&gt;&lt;/p&gt;

</description>
      <category>infrastructure</category>
      <category>devops</category>
      <category>webmonetization</category>
    </item>
    <item>
      <title>Migrating to Leased IPv4 Without Downtime - The Bits That Actually Matter published</title>
      <dc:creator>Artem Kohanevich</dc:creator>
      <pubDate>Thu, 28 May 2026 10:47:37 +0000</pubDate>
      <link>https://dev.to/kohanevich/migrating-to-leased-ipv4-without-downtime-the-bits-that-actually-matterpublished-569b</link>
      <guid>https://dev.to/kohanevich/migrating-to-leased-ipv4-without-downtime-the-bits-that-actually-matterpublished-569b</guid>
      <description>&lt;p&gt;I run a platform where IP owners lease IPv4 subnets to IP renters across the RIPE region. Which means I've watched a lot of migrations - clean ones and messy ones. The messy ones almost always fail for the same reasons.&lt;/p&gt;

&lt;p&gt;This isn't a comprehensive guide. It's the list of things that trip people up when they know the basics but miss the details.&lt;/p&gt;

&lt;h2&gt;
  
  
  1. Lower TTL before you think you need to
&lt;/h2&gt;

&lt;p&gt;If your DNS records have a TTL of 86400 (24 hours) and you lower it an hour before migration, you'll spend the next 23 hours with traffic split across two addresses. If the old subnet goes offline during that window, part of that traffic simply disappears.&lt;/p&gt;

&lt;p&gt;Rule: lower TTL at least one full TTL cycle before your migration window.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Check your current TTL before doing anything&lt;/span&gt;
dig A yourdomain.com | &lt;span class="nb"&gt;grep&lt;/span&gt; &lt;span class="nt"&gt;-A1&lt;/span&gt; &lt;span class="s2"&gt;"ANSWER SECTION"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Target TTL for migration: 300 seconds. For critical records, go as low as 60.&lt;/p&gt;

&lt;p&gt;After migration is stable, raise it back. Low TTL means more DNS queries hitting your nameservers - it's not a permanent setting.&lt;/p&gt;

&lt;h2&gt;
  
  
  2. PTR records don't update themselves
&lt;/h2&gt;

&lt;p&gt;This one catches people off guard. Reverse DNS for leased IPv4 subnets is managed by the IP owner, not the IP renter.&lt;/p&gt;

&lt;p&gt;In the RIPE region, the IP owner (or the LIR managing the resource) needs to create a &lt;code&gt;domain&lt;/code&gt; object in the RIPE database that delegates the reverse zone to your nameservers. That's not something you can do yourself, and it doesn't happen automatically when you lease a subnet.&lt;/p&gt;

&lt;p&gt;Coordinate this with your IP owner during pre-migration planning. Not on cutover day.&lt;/p&gt;

&lt;h2&gt;
  
  
  3. RPKI: UNKNOWN and INVALID are not the same problem
&lt;/h2&gt;

&lt;p&gt;If you're announcing your leased prefix via BGP, you need a ROA (Route Origin Authorization). The ROA is created by the IP owner - not by you.&lt;/p&gt;

&lt;p&gt;Two states worth knowing:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;UNKNOWN&lt;/strong&gt; - no ROA exists for the prefix. Most networks accept this, but conservative peers may filter it.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;INVALID&lt;/strong&gt; - a ROA exists but with the wrong ASN or wrong maximum prefix length. Networks actively drop INVALID prefixes.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Check your ROA status before migration:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Using the RIPE NCC validator or Routinator&lt;/span&gt;
&lt;span class="c"&gt;# Or check via Cloudflare's RPKI toolkit&lt;/span&gt;
&lt;span class="c"&gt;# https://rpki.cloudflare.com&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If your prefix is INVALID, you have a misconfiguration to fix. If it's UNKNOWN, you need a ROA created - talk to your IP owner.&lt;/p&gt;

&lt;h2&gt;
  
  
  4. The /24 rule - don't skip this
&lt;/h2&gt;

&lt;p&gt;If your leased block is smaller than /24 (a /25, /26, or anything longer) - you cannot announce it independently via BGP to the internet.&lt;/p&gt;

&lt;p&gt;Most upstream providers and IXP route servers filter prefixes longer than /24. The announcement won't be rejected with an error. It will just silently not propagate. Your ROA can be perfect, your IRR objects correct, your BGP session up - and the prefix still goes nowhere.&lt;/p&gt;

&lt;p&gt;If your leased block is smaller than /24, talk to your IP owner about aggregate announcement options before planning a BGP-based migration.&lt;/p&gt;

&lt;h2&gt;
  
  
  5. Run parallel, not sequential
&lt;/h2&gt;

&lt;p&gt;The safest migration is always: bring up the new subnet fully, validate everything, then drain traffic from the old one. Never the other way around.&lt;/p&gt;

&lt;p&gt;Checklist before DNS cutover:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;[ ] Services responding on new IPs&lt;/li&gt;
&lt;li&gt;[ ] BGP prefix visible from multiple vantage points (check RIPE RIS or BGPView)&lt;/li&gt;
&lt;li&gt;[ ] Monitoring active on new subnet&lt;/li&gt;
&lt;li&gt;[ ] PTR delegation live&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;After DNS update, watch traffic on both subnets. Decommission the old one only when traffic has dropped to zero - and then wait another 24-48 hours before pulling it fully.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Verify DNS propagation from multiple resolvers&lt;/span&gt;
dig A yourdomain.com @8.8.8.8
dig A yourdomain.com @1.1.1.1
dig A yourdomain.com @9.9.9.9

&lt;span class="c"&gt;# Verify routing path to new subnet&lt;/span&gt;
mtr &lt;span class="nt"&gt;-rn&lt;/span&gt; yourdomain.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  6. Post-migration reputation monitoring
&lt;/h2&gt;

&lt;p&gt;A clean leased subnet can pick up a blacklist entry fast if something on your infrastructure is misconfigured - an open relay, a proxy, a compromised service.&lt;/p&gt;

&lt;p&gt;Check at 24h, 72h, and one week after migration:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Spamhaus (SBL, XBL, PBL) - critical if you're sending email&lt;/li&gt;
&lt;li&gt;Talos Intelligence&lt;/li&gt;
&lt;li&gt;AbuseIPDB&lt;/li&gt;
&lt;li&gt;MXToolbox for a consolidated view&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you appear on a list, the cause is almost always something on your end - not a history problem with the block itself.&lt;/p&gt;




&lt;p&gt;That's the short version. If you want the full breakdown - DNS TTL timing in detail, BGP announcement setup with RPKI and IRR specifics, step-by-step migration phases, and BYOIP configuration for AWS, GCP, and Azure - I wrote a longer guide on the IPbnb blog:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://ipbnb.com/blog/migrate-to-leased-ipv4-zero-downtime" rel="noopener noreferrer"&gt;How to Migrate Your IP Infrastructure to Leased IPv4 Without Downtime&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Happy to answer questions in the comments.&lt;/p&gt;

</description>
      <category>infrastructure</category>
      <category>devops</category>
      <category>networking</category>
    </item>
    <item>
      <title>IPv4 Geolocation and Leasing: A Practical Guide for Network Operators</title>
      <dc:creator>Artem Kohanevich</dc:creator>
      <pubDate>Thu, 21 May 2026 11:22:44 +0000</pubDate>
      <link>https://dev.to/kohanevich/ipv4-geolocation-and-leasing-a-practical-guide-for-network-operators-589f</link>
      <guid>https://dev.to/kohanevich/ipv4-geolocation-and-leasing-a-practical-guide-for-network-operators-589f</guid>
      <description>&lt;p&gt;Geolocation questions come up regularly when operators start leasing IPv4 blocks. Does the subnet show up in the right country? How long until databases reflect the correct location? What's the fix if something is wrong?&lt;/p&gt;

&lt;p&gt;The short answer: for most infrastructure workloads, geolocation is irrelevant. For a specific set of use cases, it requires deliberate setup. This post covers both.&lt;/p&gt;

&lt;h2&gt;
  
  
  Two Separate Systems Worth Distinguishing
&lt;/h2&gt;

&lt;p&gt;"Geolocation" in the IPv4 context actually refers to two different things, and confusing them leads to wasted troubleshooting time.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;RIR-registered location&lt;/strong&gt; - what's recorded in the RIPE database via the &lt;code&gt;geofeed:&lt;/code&gt; and &lt;code&gt;geoloc:&lt;/code&gt; attributes on your inetnum object.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Commercial database location&lt;/strong&gt; - what services like MaxMind, IPinfo, or Google display when they query your block. These databases pull from multiple signals:&lt;br&gt;
RIR records, BGP routing data, latency measurements, user corrections. They operate independently and update on their own schedules.&lt;/p&gt;

&lt;p&gt;When operators ask whether their subnet will appear as a specific country, they're almost always asking about the second category. The answer depends on which database, when it last crawled your block, and what signals it weighted.&lt;/p&gt;

&lt;h2&gt;
  
  
  RIPE Attributes: What Actually Works
&lt;/h2&gt;

&lt;p&gt;Three attributes are relevant here, and they're not equally useful.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;code&gt;geofeed:&lt;/code&gt;&lt;/strong&gt; - links to a structured CSV file (RFC 8805 format) hosted at a public HTTPS URL. Providers supporting RFC 9632 discovery ingest it automatically.&lt;/p&gt;

&lt;p&gt;This is the mechanism with real adoption among commercial database providers and the recommended starting point.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;code&gt;geoloc:&lt;/code&gt;&lt;/strong&gt; - records latitude/longitude coordinates directly in the RIPE database. Limited adoption among third-party providers. Worth setting, but don't rely on it to influence MaxMind or similar databases.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;code&gt;country:&lt;/code&gt;&lt;/strong&gt; - an administrative registration field. RIPE's own documentation notes it was never formally specified what this field represents. Not a geolocation signal. Don't treat it as one.&lt;/p&gt;

&lt;p&gt;RIPE doesn't verify any of this data. Publishing a correctly configured geofeed gives providers a structured, crawlable source - but each provider acts on it according to their own update cycle.&lt;/p&gt;

&lt;h2&gt;
  
  
  Use Cases Where Geolocation Is Operationally Critical
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;VPN and proxy services&lt;/strong&gt; - if you're selling a country-specific endpoint, the IP block needs to register as that country in the databases your users' apps query.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Programmatic advertising&lt;/strong&gt; - ad exchanges categorize traffic geographically. European inventory carries different pricing from traffic that appears to originate outside the EU. Miscategorized geolocation means mispriced inventory.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;CDN configuration&lt;/strong&gt; - routing decisions are based on IP location. A subnet appearing in the wrong region routes users to suboptimal edge nodes.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;GDPR and data localization compliance&lt;/strong&gt; - infrastructure processing EU data sometimes needs to be clearly identifiable as EU-based. An IP block appearing outside the EU creates compliance friction regardless of where the servers physically sit.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Web scraping and data collection&lt;/strong&gt; - many platforms serve differentiated content, pricing, and availability by detected country. Your IP's geolocation determines the geographic view your infrastructure gets.&lt;/p&gt;

&lt;h2&gt;
  
  
  Use Cases Where It Doesn't Matter
&lt;/h2&gt;

&lt;p&gt;General hosting, application servers, ISP infrastructure, internal networking, standard web traffic delivery - geolocation has no operational effect on any of it.&lt;/p&gt;

&lt;p&gt;BGP routing operates on routing tables. Email deliverability depends on reputation signals - spam history, blacklist status, authentication records - not on geolocation.&lt;br&gt;
A subnet geolocated in Amsterdam and one geolocated in Paris are treated identically by receiving mail servers.&lt;/p&gt;

&lt;h2&gt;
  
  
  Propagation Timelines
&lt;/h2&gt;

&lt;p&gt;After lease activation, there's a normal window before all databases reflect the correct location.&lt;/p&gt;

&lt;p&gt;MaxMind - the most widely used commercial database - updates the majority of its GeoIP databases every weekday. Correction requests via the GeoIP Exchange program (where geofeed submission is now the standard method) don't come with a committed review timeline.&lt;/p&gt;

&lt;p&gt;Downstream services - CDN networks, ad exchange databases, streaming platform geolocation layers - typically take two to six weeks to fully propagate a change.&lt;/p&gt;

&lt;p&gt;This is expected behavior, not a problem to solve.&lt;/p&gt;

&lt;p&gt;If your deployment is geolocation-sensitive, build in a one-to-two week buffer after activation before relying on correct location data in production. For ad tech or CDN-critical workloads, two to four weeks is the safer margin.&lt;/p&gt;

&lt;h2&gt;
  
  
  Geolocation vs. Reputation: Not the Same Thing
&lt;/h2&gt;

&lt;p&gt;These get conflated more than any other pair of concepts in IPv4 operations.&lt;/p&gt;

&lt;p&gt;Geolocation - where your block appears to be located.&lt;br&gt;
Reputation - the behavioral history associated with that block: spam records, blacklist entries, abuse flags.&lt;/p&gt;

&lt;p&gt;Completely separate systems. A block can have accurate geolocation and a problematic reputation record, or an outdated geolocation entry and a perfectly clean history. Correcting one has no effect on the other.&lt;/p&gt;

&lt;p&gt;If you're evaluating a subnet before leasing, run a reputation check. Not a geolocation lookup.&lt;/p&gt;

&lt;p&gt;For a more detailed breakdown of how this applies to IPv4 leasing specifically, including how IPbnb handles geolocation validation at the listing stage, the full guide is on our blog: &lt;a href="https://ipbnb.com/blog/ipv4-geolocation-leasing" rel="noopener noreferrer"&gt;IPv4 Geolocation and Leasing - IPbnb&lt;/a&gt;&lt;/p&gt;

</description>
      <category>infrastructure</category>
      <category>devops</category>
      <category>network</category>
    </item>
    <item>
      <title>What VPN Providers Get Wrong About IPv4 (And How to Fix It)</title>
      <dc:creator>Artem Kohanevich</dc:creator>
      <pubDate>Sat, 16 May 2026 06:19:52 +0000</pubDate>
      <link>https://dev.to/kohanevich/what-vpn-providers-get-wrong-about-ipv4-and-how-to-fix-it-56nb</link>
      <guid>https://dev.to/kohanevich/what-vpn-providers-get-wrong-about-ipv4-and-how-to-fix-it-56nb</guid>
      <description>&lt;p&gt;I talk to a lot of VPN operators. And the conversation usually goes the same way - they're dealing with user complaints about blocked content, geo-errors that make no sense, or payment processors flagging transactions. They've checked their servers, their routing, their configs. Everything looks fine.&lt;/p&gt;

&lt;p&gt;The problem is almost always the IPs.&lt;/p&gt;

&lt;p&gt;Here's what I've seen trip people up most often.&lt;/p&gt;

&lt;h2&gt;
  
  
  Your IP's history travels with it
&lt;/h2&gt;

&lt;p&gt;When you acquire an address block - whether you buy it or lease it - you inherit whatever happened on those IPs before you. Spam campaigns. Botnets. Port scanning. Credential stuffing. That history lives in threat intelligence databases, and platforms query those databases constantly.&lt;/p&gt;

&lt;p&gt;For most services, a tainted IP is an inconvenience. For a VPN provider, it's a product failure. Every user routing through that address gets blocked, flagged, or restricted - and they have no idea why. They just know your service doesn't work.&lt;/p&gt;

&lt;p&gt;Before you deploy any block, run it through multiple reputation databases. Not one. Several. Because they don't agree with each other, and the platform blocking your users might be querying a different one than you checked.&lt;/p&gt;

&lt;h2&gt;
  
  
  Geolocation data is wrong more often than you'd think
&lt;/h2&gt;

&lt;p&gt;If your service promises users a German IP, that IP needs to actually geolocate to Germany in the databases streaming platforms and financial services query. Sounds obvious. In practice, it's a mess.&lt;/p&gt;

&lt;p&gt;A block registered to a German organization might show up as Netherlands in MaxMind and France in IP2Location. Neither database is authoritative. They're all maintained independently, updated on their own schedules, and frequently out of sync.&lt;/p&gt;

&lt;p&gt;The fix is straightforward but tedious: verify geolocation across multiple databases before deployment, submit correction requests where needed, and monitor for drift over time. Records change, especially when ownership or routing paths change.&lt;/p&gt;

&lt;p&gt;The cleanest approach is to announce IP blocks from infrastructure physically located in the target region. When the server, the block registration, and the announcement origin all point to the same country, geolocation databases are much less likely to get it wrong.&lt;/p&gt;

&lt;h2&gt;
  
  
  Compliance is more complicated than "no-logs policy"
&lt;/h2&gt;

&lt;p&gt;A no-logs policy is a product decision. Compliance is a legal one. They're not the same thing, and they can conflict.&lt;/p&gt;

&lt;p&gt;Many jurisdictions require ISPs and network operators to retain connection metadata for defined periods. If your infrastructure runs through a country with mandatory retention laws, that obligation applies to you regardless of what your privacy policy says.&lt;/p&gt;

&lt;p&gt;Then there's RIPE NCC policy if you're operating in the European region. Accurate WHOIS data isn't optional. Neither is responding to abuse reports. Failing to act on abuse complaints escalates fast - to your upstream provider, to RIPE NCC, and sometimes beyond.&lt;/p&gt;

&lt;p&gt;The part operators underestimate most: abuse response is an operational requirement, not a legal nicety. Unaddressed abuse reports don't just create liability - they damage the reputation of the IP blocks you're using, which creates a direct problem for your service quality.&lt;/p&gt;

&lt;h2&gt;
  
  
  Leasing beats owning for most VPN use cases
&lt;/h2&gt;

&lt;p&gt;Owning IPv4 gives you control. Leasing gives you flexibility. For VPN infrastructure specifically, flexibility usually wins.&lt;/p&gt;

&lt;p&gt;Your IP pool needs change constantly - new markets, traffic spikes, blocks that need to be rotated out because of reputation issues. Buying address space locks you into a size and location that made sense at a specific point in time. Leasing lets you expand into a new region in days, scale back when demand drops, and swap out blocks that aren't working without taking a capital loss.&lt;/p&gt;

&lt;p&gt;Most mature VPN operators end up with a hybrid: some owned blocks for their core infrastructure, leased space for regional expansion and flexibility.&lt;/p&gt;

&lt;p&gt;The key thing to get right with leased blocks is due diligence before deployment - reputation check, routing history, geolocation verification. The time you put in upfront is significantly less than the time you'll spend dealing with user complaints after.&lt;/p&gt;




&lt;p&gt;We wrote a longer breakdown of all of this on the IPbnb blog - covering IP reputation monitoring, geolocation management, compliance requirements, and how to build regional pools through leasing: &lt;a href="https://ipbnb.com/blog/ipv4-for-vpn-providers" rel="noopener noreferrer"&gt;IPv4 for VPN Providers: Clean IPs, Geolocation &amp;amp; Compliance Guide&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you're working on VPN infrastructure or have run into any of these issues, happy to discuss in the comments.&lt;/p&gt;

</description>
      <category>infrastructure</category>
      <category>vpn</category>
      <category>devops</category>
    </item>
    <item>
      <title>IPv4 Block Size Cheat Sheet: /24 to /16 with Lease Pricing</title>
      <dc:creator>Artem Kohanevich</dc:creator>
      <pubDate>Fri, 15 May 2026 09:20:20 +0000</pubDate>
      <link>https://dev.to/kohanevich/ipv4-block-size-cheat-sheet-24-to-16-with-lease-pricing-428</link>
      <guid>https://dev.to/kohanevich/ipv4-block-size-cheat-sheet-24-to-16-with-lease-pricing-428</guid>
      <description>&lt;p&gt;Picking the wrong IPv4 block size is a quiet, expensive mistake. You either over-lease and overpay, or under-lease and find yourself back in the market in six months. This is a quick reference to get the decision right the first time.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Math, Fast
&lt;/h2&gt;

&lt;p&gt;Every IPv4 block size follows the same formula: &lt;code&gt;2^(32 - prefix length)&lt;/code&gt; total addresses, minus 2 reserved (network + broadcast) = usable hosts.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;CIDR&lt;/th&gt;
&lt;th&gt;Total IPs&lt;/th&gt;
&lt;th&gt;Usable IPs&lt;/th&gt;
&lt;th&gt;/24 equivalents&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;/24&lt;/td&gt;
&lt;td&gt;256&lt;/td&gt;
&lt;td&gt;254&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;/23&lt;/td&gt;
&lt;td&gt;512&lt;/td&gt;
&lt;td&gt;510&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;/22&lt;/td&gt;
&lt;td&gt;1,024&lt;/td&gt;
&lt;td&gt;1,022&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;/21&lt;/td&gt;
&lt;td&gt;2,048&lt;/td&gt;
&lt;td&gt;2,046&lt;/td&gt;
&lt;td&gt;8&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;/20&lt;/td&gt;
&lt;td&gt;4,096&lt;/td&gt;
&lt;td&gt;4,094&lt;/td&gt;
&lt;td&gt;16&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;/19&lt;/td&gt;
&lt;td&gt;8,192&lt;/td&gt;
&lt;td&gt;8,190&lt;/td&gt;
&lt;td&gt;32&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;/18&lt;/td&gt;
&lt;td&gt;16,384&lt;/td&gt;
&lt;td&gt;16,382&lt;/td&gt;
&lt;td&gt;64&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;/17&lt;/td&gt;
&lt;td&gt;32,768&lt;/td&gt;
&lt;td&gt;32,766&lt;/td&gt;
&lt;td&gt;128&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;/16&lt;/td&gt;
&lt;td&gt;65,536&lt;/td&gt;
&lt;td&gt;65,534&lt;/td&gt;
&lt;td&gt;256&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Hard floor to know:&lt;/strong&gt; /24 is the minimum BGP-routable prefix in the RIPE NCC service region. Sub-/24 blocks are filtered by the vast majority of BGP peers and won't propagate across the public internet. If you only need 30 external IPs, you still lease a full /24.&lt;/p&gt;

&lt;h2&gt;
  
  
  Cost per IP by Block Size (RIPE Region)
&lt;/h2&gt;

&lt;p&gt;Larger blocks = lower per-IP monthly rate, but the savings curve flattens fast:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Block&lt;/th&gt;
&lt;th&gt;Total IPs&lt;/th&gt;
&lt;th&gt;Est. monthly&lt;/th&gt;
&lt;th&gt;Per IP/month&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;/24&lt;/td&gt;
&lt;td&gt;256&lt;/td&gt;
&lt;td&gt;from ~€180&lt;/td&gt;
&lt;td&gt;~€0.70&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;/23&lt;/td&gt;
&lt;td&gt;512&lt;/td&gt;
&lt;td&gt;from ~€330&lt;/td&gt;
&lt;td&gt;~€0.65&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;/22&lt;/td&gt;
&lt;td&gt;1,024&lt;/td&gt;
&lt;td&gt;from ~€620&lt;/td&gt;
&lt;td&gt;~€0.61&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;/21&lt;/td&gt;
&lt;td&gt;2,048&lt;/td&gt;
&lt;td&gt;from ~€1,150&lt;/td&gt;
&lt;td&gt;~€0.56&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;/20&lt;/td&gt;
&lt;td&gt;4,096&lt;/td&gt;
&lt;td&gt;from ~€2,050&lt;/td&gt;
&lt;td&gt;~€0.50&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;blockquote&gt;
&lt;p&gt;Prices are illustrative. Actual rates vary by block reputation, availability, and lease term.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The per-IP delta between a /24 and a /22 is small. Lease term length often has a bigger impact on total cost - a 12-month /24 can undercut a month-to-month /22.&lt;/p&gt;

&lt;h2&gt;
  
  
  Which Block Size for Which Use Case
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Shared/web hosting:&lt;/strong&gt; Start with /24, segment customers per /24 for cleaner blacklist management and abuse isolation.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Dedicated servers (50-100 nodes, multiple IPs each):&lt;/strong&gt; /22 or /21 - account for IPMI interfaces, management ranges, and customer allocations from the start.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Proxy/VPN rotation pools:&lt;/strong&gt; Address diversity drives value here. /21 to /20 for production scale; /23 to /22 for pilots. Always check IP reputation history before leasing - it matters more here than anywhere else.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Enterprise multi-site:&lt;/strong&gt; Minimum one /24 per physical site. Use /22 or /21 aggregates for clean BGP summarization across locations.&lt;/p&gt;

&lt;h2&gt;
  
  
  Three Things That Trip People Up
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;1. /22 ≠ guaranteed routing flexibility&lt;/strong&gt;&lt;br&gt;
A /22 can be announced as a single aggregate prefix. Deaggregating into /24s for traffic engineering is possible, but whether your upstream allows it is a different question. Verify before you commit.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Reputation travels with the block&lt;/strong&gt;&lt;br&gt;
Always check the block's abuse history on Spamhaus, Barracuda BRBL, or via MXToolbox before signing a lease. A cheap /22 with a dirty history will cost you more in operational pain than it saves in rent.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. RIPE's 24-month transfer lock applies to purchases, not leases&lt;/strong&gt;&lt;br&gt;
If you buy rather than lease, transferred addresses can't be re-transferred for 24 months under RIPE policy. Leasing sidesteps this entirely.&lt;/p&gt;




&lt;p&gt;For the full breakdown - including an interactive IPv4 CIDR calculator, a use-case decision framework, and detailed guidance on lease pricing - check out the complete guide on the IPbnb blog:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://ipbnb.com/blog/ipv4-subnet-calculator-block-size-guide" rel="noopener noreferrer"&gt;IPv4 Subnet Calculator: How to Choose the Right Block Size for Your Project →&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>networking</category>
      <category>ipv4</category>
      <category>devops</category>
      <category>infrastructure</category>
    </item>
    <item>
      <title>How to Protect Your IP Prefixes from BGP Hijacking</title>
      <dc:creator>Artem Kohanevich</dc:creator>
      <pubDate>Mon, 27 Apr 2026 08:04:57 +0000</pubDate>
      <link>https://dev.to/kohanevich/how-to-protect-your-ip-prefixes-from-bgp-hijacking-3cj</link>
      <guid>https://dev.to/kohanevich/how-to-protect-your-ip-prefixes-from-bgp-hijacking-3cj</guid>
      <description>&lt;p&gt;BGP has no built-in mechanism to verify that the ASN announcing a prefix is actually authorized to do so. Any autonomous system can claim any address space. If the announcement propagates and downstream routers accept it, traffic follows.&lt;/p&gt;

&lt;p&gt;This isn't academic. In 2008, Pakistan Telecom announced a more-specific /24 of YouTube's /22. It propagated globally through PCCW. YouTube traffic routed to a blackhole for two hours. In 2018, attackers hijacked Amazon's Route 53 DNS service — redirected queries for myetherwallet.com to a phishing site, drained ~$150,000 in Ethereum from users who logged in. Neither attack required compromising a single system. Both exploited the same BGP design assumption from 1989: that peers tell the truth.&lt;/p&gt;

&lt;p&gt;RPKI fixes this. Here's how it works and what you need to do.&lt;/p&gt;

&lt;h2&gt;
  
  
  How RPKI works
&lt;/h2&gt;

&lt;p&gt;Resource Public Key Infrastructure lets IP holders cryptographically prove that a specific ASN is authorized to originate a specific prefix. The core object is a Route Origin Authorization — a signed certificate containing three fields:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The protected prefix&lt;/li&gt;
&lt;li&gt;The ASN permitted to announce it&lt;/li&gt;
&lt;li&gt;The maximum prefix length allowed&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The certificate chains back to your RIR (RIPE NCC for European and Middle Eastern operators) as the trust anchor. Routers check incoming BGP announcements against published ROAs and assign one of three validation states:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;State&lt;/th&gt;
&lt;th&gt;Meaning&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Valid&lt;/td&gt;
&lt;td&gt;Prefix and ASN match a ROA; length within max&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Invalid&lt;/td&gt;
&lt;td&gt;ROA exists but ASN doesn't match, or prefix exceeds max-length&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Not Found&lt;/td&gt;
&lt;td&gt;No ROA covers this prefix&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Networks running Route Origin Validation (ROV) drop Invalid routes. As of May 2024, all but one transit-free tier-1 provider does this — reducing a hijacked route's propagation by one-half to two-thirds. Adoption across tier-2 and regional networks is still uneven, but the major transit providers enforcing ROV carry the majority of global internet traffic. An attack that would have propagated everywhere in 2010 now stalls at most of the networks that matter.&lt;/p&gt;

&lt;h2&gt;
  
  
  Creating a ROA in RIPE NCC
&lt;/h2&gt;

&lt;p&gt;You need LIR access to my.ripe.net and the prefix must appear under your resource certificate before you start.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The process:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Log in to my.ripe.net → navigate to the RPKI section&lt;/li&gt;
&lt;li&gt;Confirm your prefix appears in your resource certificate&lt;/li&gt;
&lt;li&gt;Select the prefix, enter the announcing ASN, set max-length&lt;/li&gt;
&lt;li&gt;Publish and verify with an external validator&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;ROAs reach relying parties within 15-30 minutes for RIPE NCC under normal conditions. Always verify with an external tool — don't rely on the portal's own confirmation.&lt;/p&gt;

&lt;h2&gt;
  
  
  Max-length: where most mistakes happen
&lt;/h2&gt;

&lt;p&gt;Max-length is the most consequential parameter and the most commonly misconfigured.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Mistake 1: Too tight&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;You hold a /22. You set max-length to /22. You announce it as four /24s. Every /24 sub-announcement returns Invalid — including from your own ASN. You've caused your own outage.&lt;/p&gt;

&lt;p&gt;Fix: if you plan to announce /24s from a /22, set max-length to /24.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Mistake 2: Too loose&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;You set max-length to /32 to avoid the above. You've now authorized any more-specific announcement down to a single host address — which is exactly what more-specific hijacking exploits. RPKI's prefix-length protection is disabled.&lt;/p&gt;

&lt;p&gt;Fix: set max-length to match the most-specific prefix you actually intend to announce, nothing beyond that.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Other common mistakes:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Creating a ROA for a prefix that will be announced from multiple ASNs using a single ROA. One ROA covers exactly one prefix-ASN combination. You need a separate ROA per authorized ASN.&lt;/li&gt;
&lt;li&gt;Forgetting to update ROAs when changing upstream providers, migrating ASNs, or onboarding to a cloud BYOIP program. The ROA needs updating before the new announcement goes live — not after.&lt;/li&gt;
&lt;li&gt;Not verifying propagation after creation. A ROA in the portal that hasn't reached relying parties provides no protection.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  RPKI with leased IPv4
&lt;/h2&gt;

&lt;p&gt;ROAs can only be created by the resource certificate holder — the IP owner, not the user. In a leasing arrangement this means:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;If you're announcing leased space from your own ASN: the lessor must create a ROA covering your ASN before you start announcing. Confirm this is in the leasing agreement and that it happens before go-live.&lt;/li&gt;
&lt;li&gt;If the lessor is announcing on your behalf: the ROA covers their ASN. Confirm this explicitly — don't assume.&lt;/li&gt;
&lt;li&gt;BYOIP on AWS, GCP, or Azure: cloud providers validate RPKI status during onboarding. A prefix that returns Invalid during validation stalls or blocks the onboarding process, and you can't retry quickly. RPKI status needs to be clean before you start the cloud provider's validation flow.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A leasing provider who can't clearly explain their ROA creation process for lessee ASNs is adding operational risk to your setup. It should be a standard part of onboarding, not an afterthought.&lt;/p&gt;

&lt;h2&gt;
  
  
  RPKI vs IRR — and why you need both
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th&gt;IRR&lt;/th&gt;
&lt;th&gt;RPKI&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Cryptographic verification&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Who can register&lt;/td&gt;
&lt;td&gt;Anyone&lt;/td&gt;
&lt;td&gt;Resource holder only&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Data quality&lt;/td&gt;
&lt;td&gt;Variable — stale/fraudulent entries common&lt;/td&gt;
&lt;td&gt;Tied to RIR allocation&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Filtering basis&lt;/td&gt;
&lt;td&gt;Route objects&lt;/td&gt;
&lt;td&gt;ROA validation states&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Deployment&lt;/td&gt;
&lt;td&gt;Widespread&lt;/td&gt;
&lt;td&gt;Growing — near-complete at tier-1&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;IRR is the older system. Upstreams use route objects to build prefix filters. The weakness: no cryptographic enforcement. Anyone can register a route object for a prefix they don't own, and the databases have historically had significant stale and fraudulent data.&lt;/p&gt;

&lt;p&gt;RPKI is cryptographically secured — a ROA can only be created by the actual resource holder.&lt;/p&gt;

&lt;p&gt;They're complementary. Create RPKI ROAs as primary protection. Maintain IRR route objects in parallel for compatibility with networks that filter on IRR but haven't fully deployed ROV. If you're inheriting a prefix through a lease or transfer, check both — a valid ROA alongside an outdated IRR entry pointing to a previous ASN produces routing problems that take time to diagnose.&lt;/p&gt;

&lt;h2&gt;
  
  
  Minimum viable monitoring setup
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;RIPE Stat (stat.ripe.net)&lt;/strong&gt; — BGP routing data, prefix announcements, AS path history, RPKI status. The routing history view catches announcements that appeared and disappeared, which is how most hijacking incidents present.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cloudflare RPKI Validator (rpki.cloudflare.com)&lt;/strong&gt; — quick ROA state check after creation or modification. Also useful for due diligence on a prefix before leasing it.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;BGP.tools (bgp.tools)&lt;/strong&gt; — fast prefix visibility and ASN data. Useful for checking what ASNs are currently announcing a given prefix.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Alerting&lt;/strong&gt; — passive tooling isn't enough for production. You want real-time alerts when a prefix starts being announced from an unexpected ASN, not discovery after a service disruption.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Quick reference
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Task&lt;/th&gt;
&lt;th&gt;Where&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Create ROA&lt;/td&gt;
&lt;td&gt;my.ripe.net → RPKI&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Check ROA state&lt;/td&gt;
&lt;td&gt;rpki.cloudflare.com&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;BGP prefix visibility&lt;/td&gt;
&lt;td&gt;stat.ripe.net, bgp.tools&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;BYOIP setup guide&lt;/td&gt;
&lt;td&gt;ipbnb.com/blog&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;ROA creation walkthrough&lt;/td&gt;
&lt;td&gt;ipbnb.com/help-center&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Full guide with screenshots, BYOIP-specific requirements, and the leased IPv4 deep-dive: &lt;strong&gt;[&lt;a href="https://ipbnb.com/blog/rpki-bgp-hijacking-prevention" rel="noopener noreferrer"&gt;https://ipbnb.com/blog/rpki-bgp-hijacking-prevention&lt;/a&gt;]&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>networking</category>
      <category>security</category>
      <category>devops</category>
    </item>
    <item>
      <title>IPv4 Block Sizing for Operators Who Don't Want to Go Back to Market Mid-Project</title>
      <dc:creator>Artem Kohanevich</dc:creator>
      <pubDate>Mon, 27 Apr 2026 05:12:25 +0000</pubDate>
      <link>https://dev.to/kohanevich/ipv4-block-sizing-for-operators-who-dont-want-to-go-back-to-market-mid-project-9k</link>
      <guid>https://dev.to/kohanevich/ipv4-block-sizing-for-operators-who-dont-want-to-go-back-to-market-mid-project-9k</guid>
      <description>&lt;p&gt;Most IPv4 leasing mistakes aren't about finding a clean block or negotiating terms. They're about signing for the wrong size and paying for it two months in - either back on the market under time pressure, or sitting on a block at 30% utilization watching abuse reports accumulate on addresses nobody is using.&lt;/p&gt;

&lt;p&gt;This is a practical sizing guide for network operators.&lt;/p&gt;

&lt;h2&gt;
  
  
  The one thing most operators get wrong
&lt;/h2&gt;

&lt;p&gt;You're not sizing for today. You're sizing for the end of the lease term.&lt;/p&gt;

&lt;p&gt;If you're signing a 12-month contract, size for month 10. A block that fits at signing and strains by month six isn't a utilization win - it's a planning failure. Going back to market mid-contract means urgency pricing on a second block, a second onboarding process, and potentially running at degraded capacity in the gap.&lt;/p&gt;

&lt;p&gt;That combination costs more than sizing up from the start almost every time.&lt;/p&gt;

&lt;h2&gt;
  
  
  The four variables
&lt;/h2&gt;

&lt;p&gt;Before matching a use case to a CIDR, get these four things clear.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;em&gt;Projected utilization rate&lt;/em&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Not all IPs in a leased block will be active simultaneously. For some use cases, that's by design. Email operators deliberately keep active sending IP counts lower than total pool size - 50 active senders out of a /24 is normal practice, not waste. Hosting providers run 60-80% utilization intentionally.&lt;/p&gt;

&lt;p&gt;The threshold that matters: if your expected steady-state utilization exceeds 85%, size up one increment. No headroom means no room to absorb traffic spikes without reputation or service impact.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;em&gt;Growth horizon vs. lease term&lt;/em&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Size for the end of the contract, not the beginning. If that math produces a block that feels too large right now, a shorter initial term with a planned upgrade often makes more operational sense than locking into a long-term commitment on space you'll immediately strain.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;em&gt;Reputation management capacity&lt;/em&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Larger blocks are harder to monitor. A /19 managed by a three-person infra team is 8,192 addresses that could be generating abuse activity without anyone noticing. Size to what your team can actively oversee. Block reputation directly affects renewal terms and future flexibility - neglect has compounding costs.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;em&gt;Budget discipline against both failure modes&lt;/em&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Idle IPs aren't neutral. A block at 30% utilization is generating probe traffic and abuse exposure across 70% of its address space with no operational value to offset it. The goal isn't maximum capacity - it's right-sized.&lt;/p&gt;

&lt;h2&gt;
  
  
  Use case notes worth reading
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Cloud / BYOIP&lt;/strong&gt;&lt;br&gt;
AWS, GCP, and Azure all enforce a /24 minimum for BYOIP. This is a hard constraint - a /25 or smaller gets rejected regardless of how clean the block is. No workaround exists.&lt;/p&gt;

&lt;p&gt;Beyond the minimum: cloud BYOIP also has specific reputation requirements. AWS explicitly reserves the right to reject prefixes with poor history. Block reputation needs to be verifiable before you start the cloud provider's validation process - which can take one to two weeks for AWS and longer for GCP - and cannot be retried quickly if a block is rejected. &lt;/p&gt;

&lt;p&gt;Starting with a dirty block means starting over.&lt;/p&gt;

&lt;p&gt;If cloud growth is on your roadmap, size for 12 months from the start. A second BYOIP onboarding mid-project is slower and more painful than it sounds.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Email sending&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Inbox providers evaluate reputation at the /24 level. The structural principle: one /24 per sending stream. Transactional mail (receipts, alerts, password resets) on one block, marketing on another. When a campaign triggers a complaint spike, it shouldn't touch transactional deliverability. Mixing them makes reputation management significantly harder and recovery slower.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;VPN / proxy&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;VPN exit nodes structurally attract higher complaint rates - port scanning probes, user policy violations, automated false positives. This isn't an operator negligence problem; it's an architectural one. Your active IP pool needs buffer specifically to absorb reputation incidents without impacting users on clean addresses. A /24 with no buffer gets painful fast after a few incidents shrink the usable pool.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Hosting&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;At roughly one IP per account, a /23 covers 400-500 accounts at comfortable utilization. Hosting is one of the highest-abuse-risk environments for leased IPv4 - customers send email, run web applications, and occasionally violate AUPs in ways that affect neighboring IPs on the same /24. Per-/24 reputation monitoring isn't optional here. A problem with one tenant's behavior can affect everyone else on the same range.&lt;/p&gt;

&lt;p&gt;If you have 150+ current customers, start with a /23. If you expect to reach that within six months, start with a /23 anyway.&lt;/p&gt;

&lt;h2&gt;
  
  
  A note on block quality vs. block size
&lt;/h2&gt;

&lt;p&gt;These are separate decisions and they get conflated constantly. The cheapest /22 on the market may be cheap for a reason - abuse history, blacklist entries, routing irregularities. Don't trade quality for size to save on the monthly rate. The downstream cost of managing a dirty block - deliverability failures, abuse complaint handling, reputation recovery time - consistently exceeds the savings.&lt;/p&gt;

&lt;h2&gt;
  
  
  One operational gotcha
&lt;/h2&gt;

&lt;p&gt;If your architecture depends on announcing a /23 as two separate /24s - for geographic diversity, traffic separation, or tenant isolation - verify upstream support before signing. Many networks filter prefixes more specific than /24. It's a valid configuration, but it requires upstream coordination that not all providers offer. Confirm it explicitly rather than assuming.&lt;/p&gt;

&lt;h2&gt;
  
  
  Quick sizing sanity check
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Before committing to a block size, run through this:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Am I sizing for the end of the lease term, not today?&lt;br&gt;
Does my utilization model stay below 85% at steady state?&lt;br&gt;
If I hit 90%+ in month eight, what does going back to market actually cost?&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Can my team actively monitor this many addresses?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Do I need IP diversity across customers or services - and would multiple /24s serve that better than one large block?&lt;/p&gt;

&lt;p&gt;If any of those questions produce uncomfortable answers, adjust before signing rather than after.&lt;/p&gt;

&lt;p&gt;Full use case breakdown, pricing estimates, and the internal justification framing (for when you need to explain this to a finance lead or CTO who doesn't speak CIDR): &lt;a href="https://ipbnb.com/blog/ipv4-block-size-guide" rel="noopener noreferrer"&gt;https://ipbnb.com/blog/ipv4-block-size-guide&lt;/a&gt;&lt;/p&gt;

</description>
      <category>networking</category>
      <category>devops</category>
      <category>infrastructure</category>
    </item>
  </channel>
</rss>
