Xrhrft

Here's the scenario. I was picturing a university that bought a range of IP addresses. I think they'd still be inside a ISP (right?), but they'd have freedom to configure stuff the way they wanted.

What stops them from attributing their routers and hosts already in use IP addresses?

And what would happen if indeed someone do this?

Most likely if they're a big university they are their own ISP, using BGP to connect their network to the internet via a number of upstream networks.

Nothing stops them from using IP addresses they should not be using, and it would work in their local network. However, it won't work on the internet. Their upstream networks providing them connectivity should have filters in place which would only allow the university to advertise IP addresses assigned to them. If the direct upstreams wouldn't filter them, the upstreams' upstreams will. And if IP addresses which are in use by another network would be used by the university, that other network would become unreachable from the university network.

In addition, there are a number of project (for example RIPE RIS and BGPmon) which monitor routing tables and alert on any "illegal" IP advertisement (BGP Hijacks and routing anomalies).

Nothing will stop them using the addresses on their own machines.

What happens if they try to advertise them to the Internet depends on how sloppy their providers are. If their providers are following best practices then there will be filters in place and the advertisements won't get beyond the hijacker's borders.

OTOH if their providers and their providers providers are sloppy then a bogus announcement can go much further resulting in significant disruption to the legitimate owners of the IP space.

Such happenings will almost certainly get noticed and there will likely be some heated discussions and some extra filtering added.

What stops them from attributing their routers and hosts already in use IP addresses?

Nothing. Over the years, I have seen both organizations of all sizes, both public and private, do this including a world wide recognized "brand" company. In fact, I have seen this more often in business settings than university settings (largely due to the fact that more universities were involved in the Internet earlier and helped define the standards and best practices used today).

And what would happen if indeed someone do this?

Today, likely nothing other than the organization not being able to reach portions of the Internet that they overlap. In the past, this type of thing has caused serious issues, including "breaking the Internet" for some or many users (in one case, a single ISP accidentally propagated a default route to the Internet overloading their own network as much of the Internet traffic tried to route through them).

Past incidents like the ones you propose became learning opportunities and resulted in best practices that include protections from this type of misconfiguration. Most often today, providers implement BCP38/RFC2827 to filter traffic to connected organizations to only the IP address they should be advertising.

Some providers still also implement bogon filtering which when properly maintained helps to prevent traffic from IP space that no valid traffic should be coming from (i.e. private address ranges, unassigned IP space, etc). While the IPv4 bogon list is much smaller today that in the past (i.e. most IPv4 addresses are now assigned), the IPv6 bogon list can be still be quite useful, especially on large providers to limit the scope of IP squatting (i.e. using unassigned IP space).

Suppose I have two machines.
I assign the address 1.2.3.4 to one and 1.2.3.5 to the other.
I don't own these addresses.

As long as I don't try to the Internet, these two machine can talk to each other without any problems.

Now I connect to the Internet. The other answers talk about filters blocking things, but let us ignore that for a moment.

My machine 1.2.3.4 tries to connect to some legitimate address, like 12.34.56.78. Assume that this address exists and is controlled by its proper owner.

So, my machine sends a packet:

From 1.2.3.4, To: 12.34.56.78, Content: Want to be friends? (Translated into human)

The routers look at the To: part and correctly delivers it to 12.34.56.78. This machine suspects nothing and complies an answer

From: 12.34.56.78, To: 1.2.3.4, Content: Sure, let's be friends!

Now comes to problem. This answer will never be delivered to you. Instead it will be delivered to the real 1.2.3.4, who will become very confused.

So, if you use a wrong address, you can talk to the Internet, but the Internet will never answer you.

It would internally black out large swatches of the Internet

Sure. Let's say they do the common thing of using private IP addresses internally to their network, such as 10.x.x.x... You know the drill, network address translation at the edge of their network, just like your home network.

Except they decided 10.x.x.x is too restrictive for them, and they start assigning public IP addresses internally. It will work, at first. But then problems will start popping up.

It's a matter of time before somebody uses 172.217.15.68 for a lab machine. It's one of the IP addresses DNS resolves for www.google.com. Now, sometimes, when someone inside the university tries to do a search on Google, their web browser goes to that lab machine instead. Because the internal routers would have no ability to conceive that there are two 172.217.15.68's, one internal and one external; they would simply route your packets to the internal one.

IP blocks assigned internally cannot be routed externally

But it's worse than that. They assigned a whole netblock, so all of 172.217.x.x/16 will route to that lab. You probably wouldn't clobber every Google IP, but a lot of searches would fail. For smaller outfits like Craigslist where all their addresses are in the same netblock, if the university assigned that netblock internally, the entire site would be blocked cold.

This won't affect anyone outside the university's internal network. External providers will not accept the university's reassignment of Google's IP space. The only traffic routed to the university will be the public IP addresses that the university owns.

Just use IPv6 instead

If you sign up for Comcast, they give you a /64 of your very own. If you ask nicely, I've heard they'll just hand you a /48. But let's say you only get a /64, and then, do exactly the plot of RevOlution and create self-replicating nanites that eat electricity, in the same quantity as discussed on the show. Do you have enough IPv6 addresses for every nanite to have its own?

Yes. And enough spares to do this on 2 million parallel earths.

So if you're really worried about running out of IP addresses, that is the way to go.