Follow up from an IRC conversation.
Context here is that 184.108.40.206/22 barely has any "prod" IPs, and might be able to be removed as a whole from our ACLs. So we don't have to think about what part of that /22 is prod or not prod, as well as not risking typoing a /24 into a /23 or /22 in our ACLs.
220.127.116.11/24 is currently used for two interconnects (cr1-esams <--> mr1-esams and cr2-knams <--> mr1-esams) and Tilaa OOB.
Renumbering the interconnects is straightforward. Tilaa OOB needs to sync up with them, but first we need to find new IPs, ideally in the 18.104.22.168/24 space.
We can use 22.214.171.124/31 for cr1-esams <--> mr1-esams
If we want the infrastructure IPs to be contiguous (eg. in the same 126.96.36.199/27) we would need to move ns2.wikimedia.org to a different (lower) IP and reclaim "188.8.131.52/28 (224-239) out-of-subnet LVS service IPs"
As this is a heavy/risky operation, I don't think it's worth it.
We can however shrink the reservation "184.108.40.206/28 (224-239) out-of-subnet LVS service IPs" to 220.127.116.11/29
And use 18.104.22.168/29 for infrastructure, e.g., carve 22.214.171.124/31 for cr2-knams <--> mr1-esams.
Using lower subnets (e.g. 126.96.36.199/28) for infrastructure (interco, etc.) adds fragmentation and might bite us later.
We can keep Tilaa OOB on 188.8.131.52/24, that way:
1/ Something is used on that subnet (less risk of theft)
2/ No need to bother them with a renumbering
3/ We can still remove 184.108.40.206/24 from any trusted lists
And revisit it when we need 220.127.116.11/24 or 18.104.22.168/29 for other purposes.
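
Added example, not part of the original task or of any Wikimedia tooling: a small audit of a trusted-network ACL that flags the failure modes mentioned above (a /24 typed as a /23 or /22, and entries left inside a block that is being removed from the ACLs as a whole). All prefixes are constructed RFC 1918 samples, and the names audit_acl, PROD, RETIRED and ACL are hypothetical.

```python
import ipaddress

# Constructed sample data (RFC 1918 space), not the addresses from this task.
PROD = ["10.10.0.0/24"]        # prefixes that are meant to be trusted
RETIRED = ["10.20.0.0/22"]     # block being dropped from ACLs as a whole
ACL = [
    "10.10.0.0/24",    # intended entry
    "10.10.0.224/29",  # smaller reservation inside the prod prefix
    "10.10.0.0/22",    # /24 typed as /22
    "10.20.1.0/24",    # leftover entry inside the retired block
    "10.10.1.0/23",    # host bits set: not a valid /23
]


def audit_acl(entries, prod, retired):
    """Return {entry: reason} for every ACL entry that needs review."""
    prod_nets = [ipaddress.ip_network(p) for p in prod]
    retired_nets = [ipaddress.ip_network(r) for r in retired]
    findings = {}
    for raw in entries:
        try:
            # strict=True rejects prefixes whose host bits are set
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError:
            findings[raw] = "invalid prefix (host bits set or malformed)"
            continue
        # Only compare networks of the same IP version
        p_nets = [p for p in prod_nets if p.version == net.version]
        r_nets = [r for r in retired_nets if r.version == net.version]
        hit = [r for r in r_nets if net.overlaps(r)]
        if hit:
            findings[raw] = f"overlaps retired block {hit[0]}"
        elif any(net.subnet_of(p) for p in p_nets):
            continue  # entry sits inside an allocated prod prefix
        else:
            wider = [p for p in p_nets if p.subnet_of(net)]
            findings[raw] = (f"wider than prod prefix {wider[0]}"
                             if wider else "outside every prod prefix")
    return findings


if __name__ == "__main__":
    for entry, reason in audit_acl(ACL, PROD, RETIRED).items():
        print(f"{entry:18} {reason}")
```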