Follow up from an IRC conversation.
Context here is that 220.127.116.11/22 barely has any "prod" IPs, and might be able to be removed as a whole from our ACLs. So we don't have to think about what part of that /22 is prod or not prod, as well as not risking typoing a /24 into a /23 or /22 in our ACLs.
18.104.22.168/24 is currently used for two interconnects (cr1-esams <--> mr1-esams and cr2-knams <--> mr1-esams) and Tilaa OOB.
Renumbering the interconnects is straightforward; Tilaa OOB needs to sync up with them, but first we need to find new IPs, ideally in the 22.214.171.124/24 space.
We can use 126.96.36.199/31 for cr1-esams <--> mr1-esams
If we want the infrastructure IPs to be contiguous (e.g. in the same 188.8.131.52/27) we would need to move ns2.wikimedia.org to a different (lower) IP and reclaim "184.108.40.206/28 (224-239) out-of-subnet LVS service IPs"
As this is a heavy/risky operation, I don't think it's worth it.
We can however shrink the reservation "220.127.116.11/28 (224-239) out-of-subnet LVS service IPs" to 18.104.22.168/29
And use 22.214.171.124/29 for infrastructure, e.g. carve 126.96.36.199/31 for cr2-knams <--> mr1-esams
Using lower subnets (e.g. 188.8.131.52/28) for infrastructure (interco, etc.) adds fragmentation and might bite us later.
We can keep Tilaa OOB on 184.108.40.206/24, that way:
1/ Something is used on that subnet (less risk of theft)
2/ No need to bother them with a renumbering
3/ We can still remove 220.127.116.11/24 from any trusted lists
And revisit it when we need 18.104.22.168/24 or 22.214.171.124/29 for other purposes.
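
The typo risk mentioned above (a /24 written as a /23 or /22 in an ACL, or a reservation left at /28 after being shrunk to /29) can be checked mechanically. The following is an added example, not part of the original task or of any Wikimedia tooling; the prefixes are constructed RFC 1918 values and the function names are hypothetical.

```python
import ipaddress

def uncovered(entry, intended):
    """Return the parts of ACL prefix `entry` that lie outside every intended prefix."""
    remaining = [ipaddress.ip_network(entry)]  # strict: raises if host bits are set
    for want in map(ipaddress.ip_network, intended):
        next_remaining = []
        for net in remaining:
            if net.subnet_of(want):
                continue                      # fully covered by an intended prefix
            if want.subnet_of(net):
                # entry is wider than intended: keep only the excess
                next_remaining.extend(net.address_exclude(want))
            else:
                next_remaining.append(net)    # disjoint, still unexplained
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))

def audit_acl(acl_entries, intended):
    """Map each suspicious ACL entry to a description of what is wrong with it."""
    findings = {}
    for entry in acl_entries:
        try:
            extra = uncovered(entry, intended)
        except ValueError as exc:
            # e.g. 10.0.1.0/22: the mask is wider than the address allows
            findings[entry] = f"invalid prefix: {exc}"
            continue
        if extra:
            findings[entry] = "trusts beyond intent: " + ", ".join(map(str, extra))
    return findings

# Constructed sample data (not the real allocations from this task).
INTENDED = ["10.0.0.0/24", "10.0.3.224/29"]
ACL = [
    "10.0.0.0/24",     # correct
    "10.0.0.0/23",     # /24 typed as /23
    "10.0.3.224/28",   # reservation not shrunk to /29
    "10.0.1.0/22",     # /24 typed as /22, host bits set
]

if __name__ == "__main__":
    for entry, problem in audit_acl(ACL, INTENDED).items():
        print(f"{entry}: {problem}")
```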