Follow up from an IRC conversation.
Context here is that 22.214.171.124/22 barely has any "prod" IPs, and might be removable as a whole from our ACLs. Then we don't have to think about which part of that /22 is prod or not prod, and we don't risk typoing a /24 into a /23 or /22 in our ACLs.
126.96.36.199/24 is currently used for two interconnects ( cr1-esams <--> mr1-esams and cr2-knams <--> mr1-esams) and Tilaa OOB.
Renumbering the interconnects is straightforward; Tilaa OOB needs to sync up with them, but first we need to find new IPs, ideally in the 188.8.131.52/24 space.
We can use 184.108.40.206/31 for cr1-esams <--> mr1-esams
If we want the infrastructure IPs to be contiguous (e.g. in the same 220.127.116.11/27) we would need to move ns2.wikimedia.org to a different (lower) IP and reclaim "18.104.22.168/28 (224-239) out-of-subnet LVS service IPs".
As this is a heavy/risky operation, I don't think it's worth it.
We can however shrink the reservation "22.214.171.124/28 (224-239) out-of-subnet LVS service IPs" to 126.96.36.199/29
And use 188.8.131.52/29 for infrastructure, e.g. carve 184.108.40.206/31 for cr2-knams <--> mr1-esams.
Using lower subnets (e.g. 220.127.116.11/28) for infrastructure (interconnects, etc.) adds fragmentation and might bite us later.
We can keep Tilaa OOB on 18.104.22.168/24, that way:
1/ Something is used on that subnet (less risk of theft)
2/ No need to bother them with a renumbering
3/ We can still remove 22.214.171.124/24 from any trusted lists
And revisit it when we need 126.96.36.199/24 or 188.8.131.52/29 for other purposes.
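To sanity-check the plan above (shrink the /28 LVS reservation to a /29, carve /31 interconnects out of the released half, and catch a /24 that got typed as a /23 or /22 in an ACL), here is an added Python example; it is not an SRE tool and the prefixes in it are constructed placeholders, not the real blocks.

```python
import ipaddress

Net = ipaddress.IPv4Network

# Constructed placeholder prefixes standing in for the blocks discussed above.
INFRA_24 = Net("10.20.0.0/24")            # the /24 we want to renumber into
LVS_RESERVATION = Net("10.20.0.224/28")   # "out-of-subnet LVS service IPs" (224-239)
LEGACY_22 = Net("10.30.0.0/22")           # the /22 with barely any prod IPs


def shrink_reservation(reservation, new_prefixlen):
    """Shrink a reservation (e.g. /28 -> /29); return (kept, released_blocks)."""
    kept, *released = reservation.subnets(new_prefix=new_prefixlen)
    return kept, released


def carve_p2p_links(block, count, used=()):
    """Carve `count` /31 point-to-point links from `block`, skipping any /31
    that overlaps a prefix already in use."""
    used = [Net(u) for u in used]
    free = [s for s in block.subnets(new_prefix=31)
            if not any(s.overlaps(u) for u in used)]
    return free[:count]


def overbroad_entries(acl, allocations):
    """Flag ACL entries that are strict supernets of a known allocation: the
    /24-typed-as-/23 mistake. Returns (entry, extra_addresses) pairs, where
    extra_addresses is how many addresses the entry trusts beyond the
    allocations it was presumably meant to cover."""
    allocs = [Net(a) for a in allocations]
    flagged = []
    for entry in map(Net, acl):
        covered = [a for a in allocs if a != entry and a.subnet_of(entry)]
        if covered:
            extra = entry.num_addresses - sum(a.num_addresses for a in covered)
            flagged.append((entry, extra))
    return flagged


def is_trusted(acl, address):
    """True if `address` falls inside any entry of the ACL."""
    return any(ipaddress.ip_address(address) in Net(e) for e in acl)
```

Dropping LEGACY_22 from an ACL list and calling is_trusted() on an old interconnect address is a quick way to confirm nothing prod still relies on it before the change ships.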