Incomplete IANA reserved block coverage (IPv4 and IPv6)

[lduchosal]

Description

Only 3 private address ranges (RFC 1918) are defined. Many IANA reserved blocks are missing for both IPv4 and IPv6.

Affected File

• src/System.Net.IPNetwork/IPNetwork2IANAblock.cs

Missing IPv4 Blocks

• 0.0.0.0/8 — This network
• 127.0.0.0/8 — Loopback
• 169.254.0.0/16 — Link-local
• 192.0.0.0/24 — IETF Protocol Assignments
• 192.0.2.0/24 — Documentation (TEST-NET-1)
• 198.18.0.0/15 — Benchmarking
• 198.51.100.0/24 — Documentation (TEST-NET-2)
• 203.0.113.0/24 — Documentation (TEST-NET-3)
• 224.0.0.0/4 — Multicast
• 240.0.0.0/4 — Reserved
• 255.255.255.255/32 — Broadcast

Missing IPv6 Blocks

• ::/128 — Unspecified
• ::1/128 — Loopback
• ::ffff:0:0/96 — IPv4-mapped
• 64:ff9b::/96 — IPv4/IPv6 translation
• 2001::/32 — TEREDO
• 2001:db8::/32 — Documentation
• fc00::/7 — Unique local
• fe80::/10 — Link-local
• ff00::/8 — Multicast

Impact

Applications relying on IsIANAReserved for security filtering (e.g., SSRF protection) will miss many reserved ranges, potentially allowing access to internal/special networks.

Severity

MEDIUM

[lduchosal]

Deferred to a future version

This is a valid enhancement but requires careful design consideration:

1. Naming convention — Current properties (IANA_ABLK_RESERVED1, etc.) follow RFC 1918 Class A/B/C naming. New blocks (loopback, multicast, link-local, documentation...) don't fit this nomenclature.

2. API semantics — IsIANAReserved() currently means "is RFC 1918 private". Adding loopback, multicast, etc. changes the semantics from "is private" to "is special-use". This is a breaking change for consumers who rely on the current behavior (e.g., IsIANAReserved("127.0.0.1") returns false today).

3. Scope — This would add 11+ IPv4 blocks and 9+ IPv6 blocks, each with public properties, tests, and possibly dedicated methods (IsLoopback(), IsMulticast(), IsLinkLocal(), etc.).

This should be planned as part of a future major version to avoid breaking existing consumers.