Every month, I hear the same story from different infrastructure teams: "We thought IPv4 leasing would be straightforward. It wasn't."
The pattern is predictable. A company needs IP addresses quickly. They find a provider, sign a contract, and start routing traffic. Then reality hits—blacklisted IPs, rejected BGP announcements, surprise fees, or emergency capacity issues.
The frustrating part? Almost all of these problems are preventable.
Here are the five mistakes that cause 90% of IPv4 leasing failures—and exactly how to avoid each one.
Mistake #1: The Reputation Blindspot
Approximately 70% of first-time renters never check IP reputation before signing. They're essentially buying used infrastructure without knowing its history.
What they discover too late:
- IPs are on major blacklists (Spamhaus, SORBS, Barracuda)
- Addresses flagged for past botnet activity or fraud
- Negative trust scores from reputation engines
- Historical association with spam campaigns or proxy abuse
The damage: Email delivery blocks, service rejections, weeks of cleanup work.
Your Pre-Lease Audit Checklist
Before signing anything, verify:
Blacklist status — Scan across 80+ DNS-based blacklists and RBLs. Free tools: MXToolbox, Spamhaus checker, IPVoid.
Abuse history — Pull historical reports from Spamhaus SBL/CSS, UCEPROTECT, Cloudmark. Check AbuseIPDB for crowd-sourced intelligence.
Fraud scores — Use IPQS or FraudGuard to assess spam/fraud risk ratings.
Past usage patterns — Was this block previously used for VPN services, web hosting, mobile networks, or residential proxies? Each has different reputation implications.
Neighboring addresses — IP pollution spreads across subnets. Check adjacent ranges for issues that might contaminate yours by association.
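An added example (not from the original article) of the blacklist and neighboring-address checks above: it builds DNSBL query names for every address in a block and its adjacent blocks, and separates real listings from resolver error codes. The block 203.0.113.0/24, the answers in CONSTRUCTED_ANSWERS, and the function names are assumptions made for illustration.

```python
import ipaddress
import socket

def dnsbl_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, followed by the list's zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def classify(answer):
    """Interpret a DNSBL A-record answer; None means the name did not resolve."""
    if answer is None:
        return "clean"
    if answer.startswith("127.255.255."):
        return "error"   # Spamhaus error range (e.g. query via a public resolver): not a verdict
    if answer.startswith("127.0.0."):
        return "listed"
    return "unexpected"  # a wildcarding or rewriting resolver; do not trust the result

def system_resolve(name):
    """Live lookup via the system resolver. It cannot tell NXDOMAIN from a timeout."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def audit_block(cidr, zones, resolve, neighbors=1):
    """Check every address in the block and in `neighbors` adjacent same-size blocks."""
    block = ipaddress.ip_network(cidr)
    base, size = int(block.network_address), block.num_addresses
    findings = {}
    for offset in range(-neighbors, neighbors + 1):
        net = ipaddress.ip_network((base + offset * size, block.prefixlen))
        for ip in net:
            for zone in zones:
                status = classify(resolve(dnsbl_name(ip, zone)))
                if status != "clean":
                    findings.setdefault(str(net), []).append((str(ip), zone, status))
    return findings

# Constructed answers standing in for live DNS (names absent from the dict do not resolve).
CONSTRUCTED_ANSWERS = {
    "5.113.0.203.zen.spamhaus.org": "127.0.0.2",          # address inside the leased block
    "77.114.0.203.zen.spamhaus.org": "127.0.0.4",         # address in the next /24
    "200.112.0.203.zen.spamhaus.org": "127.255.255.254",  # error code, not a listing
}

def demo():
    return audit_block("203.0.113.0/24", ["zen.spamhaus.org"], CONSTRUCTED_ANSWERS.get)

if __name__ == "__main__":
    for net, hits in demo().items():
        print(net, hits)
```

Pass `system_resolve` instead of the constructed dictionary to run it against live DNS; an "error" result means the lookup has to be repeated through a resolver the list operator accepts before the block can be called clean.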
What Your Provider Should Guarantee
Don't accept vague promises. Demand specific protections:
- Comprehensive reputation report provided automatically (not on request)
- Written guarantee that addresses are clean
- 30-60 day quarantine period for newly assigned blocks
- Continuous reputation monitoring throughout lease term
The best providers run proactive monitoring systems that automatically rotate out problematic addresses before they ever reach clients. This eliminates roughly 90% of reputation risks upfront.
Mistake #2: The LOA Gap
A Letter of Authorization (LOA) is the document that proves you have the legal right to announce and route specific IP addresses.
Without it, you're dead in the water.
Your ISP will refuse to announce the subnet. Upstream providers will block BGP sessions. Cloud BYOIP programs (AWS, Azure, GCP) won't accept the addresses. Switching upstream networks becomes impossible.
What Makes a Valid LOA
A legitimate LOA must contain:
- Legal name of IP holder (exactly as it appears in registry)
- Authorized ASN that will announce the prefix
- Precise CIDR notation (e.g., 203.0.113.0/24)
- Authorization period with clear validity dates
Missing any element? You're sending it back for revision while your infrastructure plans sit on hold.
The Correct Sequence
- Request LOA immediately after signing lease (not when you're ready to deploy)
- Verify subnet and ASN match your actual configuration
- Forward to ISP/cloud provider as soon as received
- Wait for route object creation in IRR (Internet Routing Registry)
- Only then announce your prefix
Red Flags That Scream "Walk Away"
- Provider refuses to issue LOA or makes excuses about delays
- LOA validity period shorter than lease term
- No clear revocation procedure in contract
- Provider insists you pay before receiving LOA
The protection rule is simple: Get the LOA before making your first payment, or get a written guarantee it will be delivered within 24-48 hours of payment.
Mistake #3: The RPKI Blindspot
More than 60% of companies leasing IPv4 never set up RPKI (Resource Public Key Infrastructure). They configure routers, announce prefixes, and assume everything's secure.
It's not.
What You're Actually Risking
Without RPKI, your routes are vulnerable to:
Accidental BGP leaks — Misconfigured routers suddenly announcing your prefixes globally
Malicious hijacking — Bad actors deliberately redirecting your traffic to intercept or manipulate it
Automatic rejection — A growing number of major networks drop BGP prefixes without valid Route Origin Authorizations (ROAs)
This isn't theoretical. Major Tier-1 providers are implementing policies that treat invalid/missing ROAs as rejection signals. No cryptographic verification = no route propagation.
How RPKI Works (Simplified)
RPKI creates a cryptographic binding between:
- Your ASN (Autonomous System Number)
- The specific IP prefix you're announcing
- Maximum prefix length allowed
A Route Origin Authorization (ROA) is the signed object proving this binding.
Example ROA:
- ASN: AS64512
- Prefix: 192.0.2.0/24
- Max Length: 24
- Trust Anchor: ARIN
When your BGP announcement goes out, other networks validate it against this ROA. Match = accepted. Mismatch = flagged or dropped.
What Your Provider Should Handle
You shouldn't need to become an RPKI expert. Your provider should offer:
- Hosted RPKI services (they manage certificates)
- ROA creation within 24 hours of activation
- Auto-renewal (certificates expire)
- Quick ROA updates when routing configuration changes
If they can't provide this, their infrastructure hasn't caught up with modern routing security standards.
Verification Tools (All Free)
- RIPE RPKI Validator — Clear validation status view
- NLnetLabs Routinator — Open-source validator you can self-host
- BGPStream — Real-time prefix monitoring
Five minutes with any of these tells you whether your routes are protected or vulnerable.
Critical Configuration Details
When setting up ROAs:
- Use exact prefix matches (if announcing /24, set maxLength to 24)
- Update ROA before making any routing changes
- Coordinate ROA revocation when lease ends
RPKI isn't optional anymore. It's basic routing hygiene.
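An added example (not from the original article) of the validation described under "How RPKI Works" and the maxLength rule under "Critical Configuration Details": a minimal route origin validator run against the article's example ROA. The second ROA set with maxLength 25, the ASN 64513, and the function names are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    asn: int
    prefix: object      # an ipaddress network object
    max_length: int

def make_roa(asn, prefix, max_length=None):
    """Build a ROA; an omitted maxLength defaults to the prefix's own length."""
    net = ipaddress.ip_network(prefix)
    return ROA(asn, net, net.prefixlen if max_length is None else max_length)

def validate(prefix, origin_asn, roas):
    """Route origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        same_family = route.version == roa.prefix.version
        if not (same_family and route.subnet_of(roa.prefix)):
            continue                      # this ROA says nothing about the route
        covered = True
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"                # one matching ROA is enough
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"

# Constructed ROA sets. EXACT is the article's example ROA.
EXACT = [make_roa(64512, "192.0.2.0/24", 24)]
LOOSE = [make_roa(64512, "192.0.2.0/24", 25)]   # hypothetical looser maxLength

def demo():
    return {
        "authorized ASN, /24": validate("192.0.2.0/24", 64512, EXACT),
        # e.g. the ROA was not updated before the announcing ASN changed
        "other ASN, /24": validate("192.0.2.0/24", 64513, EXACT),
        "more-specific /25, exact ROA": validate("192.0.2.128/25", 64512, EXACT),
        "more-specific /25, loose ROA": validate("192.0.2.128/25", 64512, LOOSE),
        "prefix with no covering ROA": validate("198.51.100.0/24", 64512, EXACT),
    }

if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case}: {state}")
```

With maxLength equal to the announced length, only the exact /24 from AS64512 validates; raising maxLength makes more-specific announcements valid as well, which is why the exact match is the safer default.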
Mistake #4: Block Sizing Math Gone Wrong
Teams consistently fall into two traps:
Over-leasing — Paying for capacity you'll never use. A /22 (1,024 IPs) when you only need 300 wastes $15,000+ annually.
Under-leasing — Hitting capacity constraints within months, then scrambling for emergency expansion with fragmented non-contiguous ranges.
Both are avoidable with proper sizing calculations.
The Working Formula
Required IPs = (Current demand × 1.3-1.5 growth factor) + 10-20% operational overhead
Breaking it down:
- Current demand: What you're using right now
- Growth factor: Expansion over 12-24 month lease term
- Overhead: Routing requirements, redundancy, testing environments
Real-World Examples
Small ISP (500 subscribers):
- Current: 500
- Growth factor: 1.4× = 700
- Overhead: +15% = 805 total
- Block size: /22 (1,024 IPs)
VPN Provider (2,000 concurrent users):
- Current: 2,000 users
- NAT ratio: 5:1 = 400 public IPs needed
- Growth factor: 1.2× = 480
- Block size: /23 (512 IPs)
Ecommerce Platform (50 servers, 3 PoPs):
- Current: 50 servers
- Infrastructure overhead: 1.2× = 60
- Growth buffer: +20% = 72
- Redundancy multiplier: ×3 PoPs = 216 total
- Block size: /24 (256 IPs)
Standard CIDR Sizes and Costs
- /24 (256 IPs): $500-800/month — Small ISP, SaaS
- /23 (512 IPs): $900-1400/month — Medium ISP, VPN
- /22 (1,024 IPs): $1,600-2,800/month — Large ISP
Note: /24 is the minimum for global BGP announcements.
The Smarter Scaling Strategy
Instead of over-provisioning upfront, use a phased approach:
- Phase 1 (Months 1-6): Start with /24
- Phase 2 (Months 7-12): Expand to /23 if needed
- Phase 3 (Year 2+): Move to /22 based on actual utilization
This typically reduces total spend by 25-30% while maintaining flexibility.
Common Sizing Mistakes
Teams miscalculate because they:
- Base sizing only on current active users
- Forget routing, NAT, and infrastructure overhead
- Ignore workload specifics (VPN concurrency, CGNAT strategies, burst patterns)
- Skip the contingency buffer
Use actual demand + 20-30% buffer, apply expected growth, and round to the nearest standard CIDR size. Validate with a subnet calculator.
Mistake #5: The Contract Skimming Problem
Roughly 80% of companies never fully read their IPv4 leasing contracts. They check price, verify block size, sign, and move on.
Then months later they discover what they actually agreed to. By then, damage is done.
What Actually Matters
Lease duration and renewal:
- Initial term (typically 6-36 months)
- Renewal structure (opt-in vs. auto-renewal)
- Notice period for cancellation (90 days is excessive)
- Price adjustment clauses (5-10% annual increases compound)
Termination rights:
- Lessor should give 90+ days notice for revocation
- Lessee should have 30-60 days termination right
- Early termination fees shouldn't exceed 1-2 months' rent
Hidden fees that inflate costs:
- Setup: Should be free (typical: $0-500)
- LOA: Should be free (typical: $0-200)
- RPKI management: Should be included (typical: $0-100/mo)
- Early termination: Max 1-2 months (typical: 1-6 months)
A seemingly affordable $800/month lease can become $1,200/month with all extras.
Technical support commitments:
- IP replacement if blacklisted (not your fault)
- LOA/ROA delivery within 24-48 hours
- Response time commitment (4 hours excellent, 24 hours acceptable)
- Uptime guarantee (minimum 99.9%)
Vague language like "best effort support" means you're on your own during outages.
Restriction clauses:
- Sub-leasing prohibitions (reasonable)
- Geographic announcement limitations (may not fit your needs)
- Use-case restrictions on traffic types
- Broad "abuse" definitions (could enable unfair termination)
The Protection Checklist
Before signing:
- Read entire contract (not just pricing page)
- Verify auto-renewal terms and notice periods
- Check for hidden fees beyond monthly rate
- Confirm technical support commitments are specific
- Review restriction clauses for operational conflicts
- Get legal review for enterprise/multi-year leases
Getting It Right From the Start
These five mistakes—reputation blindness, missing LOA, skipped RPKI, wrong block size, unread contracts—cause most expensive IPv4 leasing failures.
They're not edge cases. They're predictable traps that ambush unprepared teams.
The economics: A $500/month lease can become a $15,000 problem if you sign blind. Four hours of focused prep prevents hundreds of hours firefighting.
Your Pre-Lease Checklist
Before signing any IPv4 lease:
✓ Run comprehensive reputation checks on all IPs
✓ Verify LOA delivery guarantee (or get it before payment)
✓ Confirm provider offers hosted RPKI with ROA auto-renewal
✓ Calculate proper block size using demand + growth + overhead
✓ Read full contract including all fee schedules and restrictions
✓ Verify technical support commitments are specific and measurable
The Right Provider Makes All the Difference
What used to take weeks of manual work can fit into a single work session when your provider handles:
- Pre-vetted blocks with reputation guarantees
- Automated LOA issuance
- Built-in RPKI management
- Clear, human-readable contracts
- Proper sizing consultation
Evaluating IPv4 leasing providers? ipbnb.com was built specifically to eliminate these common failure points—pre-vetted blocks, automated LOA/RPKI, transparent contracts, and proper sizing guidance.
What mistakes have you encountered in IPv4 leasing? How did you solve them? Share your experience in the comments.