Follow up from an IRC conversation.
Context here is that 126.96.36.199/22 barely has any "prod" IPs, and might be removable as a whole from our ACLs. That way we don't have to think about which part of that /22 is prod or not prod, and we don't risk a typo turning a /24 into a /23 or /22 in our ACLs.
188.8.131.52/24 is currently used for two interconnects (cr1-esams <--> mr1-esams and cr2-knams <--> mr1-esams) and Tilaa OOB.
Renumbering the interconnects is straightforward; Tilaa OOB needs to sync up with them. But first we need to find new IPs, ideally in the 184.108.40.206/24 space.
We can use 220.127.116.11/31 for cr1-esams <--> mr1-esams
If we want the infrastructure IPs to be contiguous (e.g. in the same 18.104.22.168/27) we would need to move ns2.wikimedia.org to a different (lower) IP and reclaim "22.214.171.124/28 (224-239) out-of-subnet LVS service IPs".
As this is a heavy/risky operation, I don't think it's worth it.
We can however shrink the reservation "126.96.36.199/28 (224-239) out-of-subnet LVS service IPs" to 188.8.131.52/29
And use 184.108.40.206/29 for infrastructure, e.g. carve 220.127.116.11/31 for cr2-knams <--> mr1-esams.
Using lower subnets (e.g. 18.104.22.168/28) for infrastructure (interconnects, etc.) adds fragmentation and might bite us later.
We can keep Tilaa OOB on 22.214.171.124/24; that way:
1/ Something is used on that subnet (less risk of theft)
2/ No need to bother them with a renumbering
3/ We can still remove 126.96.36.199/24 from any trusted lists
And revisit it when we need 188.8.131.52/24 or 184.108.40.206/29 for other purposes.
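The plan above is a small address-plan change (shrink a /28 reservation to a /29, carve /31 point-to-point blocks out of the freed half, drop a prefix from a trusted list) and each step has a cheap sanity check: does the new block overlap anything already allocated, is every ACL entry a properly aligned prefix, and does any prod host lose ACL coverage once the prefix is removed. The following is an added example, not code from this ticket or from Wikimedia's tooling, using Python's standard ipaddress module. The allocations, host list and names (ALLOCATIONS, "tilaa-oob", "ns2", "lvs-out-of-subnet", the cr2-knams--mr1-esams label) are constructed stand-ins in RFC 5737 documentation space, not the real addresses.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Constructed example allocations (RFC 5737 space), standing in for the /24
# discussed above. Not the real Wikimedia addresses.
ALLOCATIONS: Dict[str, Net] = {
    "tilaa-oob": ipaddress.ip_network("198.51.100.0/27"),
    "lvs-out-of-subnet": ipaddress.ip_network("198.51.100.224/28"),
    "ns2": ipaddress.ip_network("198.51.100.240/28"),
}


def shrink_reservation(allocs: Dict[str, Net], name: str, new_prefixlen: int) -> Tuple[Net, List[Net]]:
    """Shrink allocs[name] to new_prefixlen, keeping the lowest sub-block.

    Returns (kept, freed): the retained block and the blocks released for reuse.
    For a /28 shrunk to /29 this keeps .224/29 and frees .232/29.
    """
    old = allocs[name]
    if new_prefixlen <= old.prefixlen:
        raise ValueError(f"new prefix must be longer than /{old.prefixlen}")
    kept, *freed = old.subnets(new_prefix=new_prefixlen)
    allocs[name] = kept
    return kept, freed


def carve(block: Net, prefixlen: int, count: int) -> List[Net]:
    """Carve `count` consecutive /prefixlen subnets from the start of `block`.

    Taking them from the start keeps the remainder of the block contiguous,
    which is the anti-fragmentation point made above.
    """
    subs = list(block.subnets(new_prefix=prefixlen))
    if count > len(subs):
        raise ValueError(f"{block} only holds {len(subs)} /{prefixlen} blocks")
    return subs[:count]


def overlaps(allocs: Dict[str, Net], candidate: Net) -> List[str]:
    """Names of existing allocations that overlap `candidate` (empty if free)."""
    return sorted(n for n, net in allocs.items() if net.overlaps(candidate))


def assign(allocs: Dict[str, Net], name: str, candidate: Net) -> None:
    """Record `candidate` under `name`, refusing anything that collides."""
    clash = overlaps(allocs, candidate)
    if clash:
        raise ValueError(f"{candidate} overlaps existing allocation(s) {clash}")
    allocs[name] = candidate


def acl_lint(entries: List[str]) -> List[str]:
    """ACL entries whose network part has host bits set.

    A mistyped mask such as 198.51.101.0/23 (a /24 typed as /23 on an odd
    third octet) fails strict parsing; an aligned typo like 198.51.100.0/23
    would not, so this only catches part of the problem described above.
    """
    bad = []
    for entry in entries:
        try:
            ipaddress.ip_network(entry, strict=True)
        except ValueError:
            bad.append(entry)
    return bad


def uncovered_after_removal(acl: List[str], remove: str, prod_hosts: List[str]) -> List[str]:
    """Prod hosts that match no remaining ACL entry once `remove` is dropped."""
    gone = ipaddress.ip_network(remove, strict=False)
    remaining = [ipaddress.ip_network(e, strict=False) for e in acl]
    remaining = [n for n in remaining if n != gone]
    lost = []
    for host in prod_hosts:
        ip = ipaddress.ip_address(host)
        if not any(ip in n for n in remaining):
            lost.append(host)
    return lost


def plan_example() -> Dict[str, Net]:
    """Run the plan from the ticket against the constructed allocations."""
    allocs = dict(ALLOCATIONS)
    _kept, freed = shrink_reservation(allocs, "lvs-out-of-subnet", 29)
    p2p = carve(freed[0], 31, 2)          # two /31s from the freed /29
    assign(allocs, "cr2-knams--mr1-esams", p2p[0])
    return allocs


if __name__ == "__main__":
    for name, net in sorted(plan_example().items(), key=lambda kv: kv[1]):
        print(f"{net!s:>20}  {name}")
    print("lint:", acl_lint(["198.51.100.0/24", "198.51.101.0/23"]))
    print("lost:", uncovered_after_removal(
        ["198.51.100.0/22", "203.0.113.0/24"], "198.51.100.0/22",
        ["198.51.100.10", "203.0.113.5"]))
```

The removal check is the one to run before touching trusted lists: feed it the current ACL, the /22 you intend to drop, and the inventory's list of prod addresses; an empty result is the evidence that the /22 really carries nothing that needs to stay trusted.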