IP Address Management Best Practices


By Timothy Rooney, Product Management Director, BT Diamond IP

Contents

Introduction ............................................................................................................................................... 1

IP address inventory management............................................................................................................... 2

Address planning .................................................................................................................................... 3

Address allocation................................................................................................................................... 3

Centralizing IP inventory ......................................................................................................................... 4

Managing address dynamics.................................................................................................................... 4

IPv6 deployment .................................................................................................................................... 5

IP addressing and security ....................................................................................................................... 5

IP address inventory management best practices ......................................................................................... 6

Dynamic IP address services management ................................................................................................... 7

Policy management ................................................................................................................................ 8

Discriminatory address management ....................................................................................................... 8

DHCP resiliency....................................................................................................................................... 9

Dynamic IP address assignment best practices ............................................................................................. 9

IP name services management .................................................................................................................. 12

DNS resource records ............................................................................................................................ 12

DNS server configuration ...................................................................................................................... 12

Role-based deployment ........................................................................................................................ 13

DNS configuration verification .............................................................................................................. 13

DNS appliances ..................................................................................................................................... 13

IP name services best practices.................................................................................................................. 14

Network security ...................................................................................................................................... 15

IPAM server security ............................................................................................................................. 15

DHCP service security............................................................................................................................ 15

DNS service security.............................................................................................................................. 16

Identify and stop malware ..................................................................................................................... 16

Role-based DNS deployment................................................................................................................. 17

IP address-based security policies.......................................................................................................... 17

IPAM-related network security best practices............................................................................................ 18

IPAM governance ..................................................................................................................................... 18

Holistic management ............................................................................................................................ 19

Administrator access controls................................................................................................................ 19

IPAM Best Practices

BT Diamond IP Whitepaper

High availability services ....................................................................................................... 19

DHCP/DNS services monitoring ............................................................................................................. 20

Upgrades and patch management ......................................................................................................... 20

Adaptation to your business .................................................................................................................. 20

Integrate IPAM processes into broader enterprise workflows.................................................................. 20

IPAM reporting ..................................................................................................................................... 21

IPAM governance best practices................................................................................................................ 21

Simplifying best practice implementation with Diamond IP ........................................................................ 22

Streamline IP inventory functions .......................................................................................................... 23

Automate accurate address assignment................................................................................................. 23

Streamline DNS configuration while enabling advanced features ............................................................ 24

Secure your IPAM, secure your network ................................................................................................. 25

Bring it all together with IPAM governance............................................................................................ 25

Key Diamond IP differentiators.............................................................................................................. 26

Conclusion................................................................................................................................................ 29

About BT Diamond IP................................................................................................................................ 29


Introduction

As an IT manager responsible for keeping your IP network up and running, the discipline of IP address management (IPAM) represents a critical ingredient in your recipe for success. The IPAM discipline entails the design, planning, provisioning, monitoring and management of IP addresses to assure infrastructure devices and eligible end users can obtain an IP address to access your network. Sounds simple enough, and most of the time, your IPAM discipline successfully yields the desired result with end users able to effortlessly initialize on your network.

But what appears effortless for end users is made possible only with diligent effort on your part. An IP address must be available for each user. The IP address must be routable to their current location so they can communicate. Thus the IP address must logically roll up in a manner aligned with your networking topology. Certain devices like those with streaming requirements may require special routing treatment and hence be assigned an IP address for which routers can apply such treatment. All in all, your IP space must be allocated according to your topology and application requirements with sufficient capacity for the plethora of end user devices accessing your network.

Once initialized with suitable IP addresses, users need the ability to navigate IP applications by name. The domain name system (DNS) facilitates this navigation with its name-to-IP address resolution function. As IP addresses are assigned, the corresponding IP address-to-device name mappings must be updated. Hence DNS updates are closely linked to IP address assignments, and therefore DNS is a core IPAM component.

As an IT manager, you need to make sure IP addresses are available and are being assigned, and that DNS is keeping up. Effective IPAM, then, can be defined broadly as encompassing three major interrelated functions:

IP address inventory: Obtaining and defining public and private IP address space, and logically allocating that address space to locations, subnets, address pools, and devices so it is available for assignment to users accessing the network.

IP address assignment: Once the address space has been properly allocated, individual IP addresses may be assigned to user devices. Since most non-infrastructure devices tend to be mobile or otherwise transient, most devices can obtain IP addresses dynamically for use on a temporary basis while they are "on" the network. This address assignment function entails defining IP address pools containing addresses that can be assigned, tracked, and freed up for reuse by others. These pools and corresponding pool parameters are generally deployed for localized distribution from Dynamic Host Configuration Protocol (DHCP) servers, which autonomously supply relevant IP addresses and parameters to requesting devices. Managing DHCP server configurations is aided by monitoring and allocating address pool capacity to ensure IP addresses are available for those who need them and are authorized to have them.

IP name services management: As devices obtain IP addresses statically or dynamically, the mapping of device names to corresponding IP addresses must be tracked and published so other users can navigate to each device by name. This function entails configuring Domain Name System (DNS) servers with this address-to-name and name-to-address information. Managing your domain name space and name services also requires proper design of the namespace, configuration of other relevant DNS records, and attention to many behavioral aspects of DNS as well, particularly those relating to securing DNS servers and information.

Each of these three core functions is foundational to the proper operation of an IP network, whether that IP network is a private enterprise network, a private or public cloud, the Internet itself, or all of the above. Users need at least one IP address to access the network, whether via a wired or wireless LAN interface, VoIP device, video device, etc., and they need to access resources on the network and the Internet by name to facilitate usability and scale. As mentioned, these functions occur without user involvement. In fact, one could argue that the job of an effective IP address manager is to be invisible: as users attach to various network points, they are automatically configured to communicate and easily access network resources by name.

Effective IPAM requires proper allocation of address space across the enterprise, including extensions into private and public cloud services, so there is adequate address capacity where it's needed when it's needed. Best-practice IPAM also entails accurate configuration of DHCP servers for dynamic address users, including differentiation of employees versus "guests", as well as accurate and timely configuration of DNS servers so resources can be accessed easily.

When these behind-the-scenes tasks are flawlessly executed, network users don't need to contact the help desk with complaints about accessing the network. In addition to flawlessly configuring and managing each of these three foundational elements of IPAM, the IP address manager must also cohesively integrate these three areas collectively, and integrate these management functions into the broader IT network management environment.

This white paper provides IT professionals a guide for how to effectively execute IPAM tasks, and recommends best practices for simplifying the IPAM process. These best practices are derived from the BT Diamond IP leadership team's collective experience in the IP management space obtained through numerous implementations of IPAM systems, managing customer IPAM environments, and frequent interactions with end users and industry analysts. Many members of the team have also been active in the Internet Engineering Task Force (IETF) in helping to evolve IP technology. Let's begin by digging deeper into our first core area, IP address inventory management.

IP address inventory management

IP address inventory has several facets in its own right. This IPAM function lays the foundation for the other functions and impacts other critical IP network functions, not the least of which is routing. Most enterprise organizations obtain public IP address space from an Internet Service Provider (ISP), though some that have been using the Internet for some time have a legacy relationship with their Regional Internet Registry (RIR), e.g., ARIN, RIPE, or others. After a block of IP address space has been obtained, it can then be allocated to locations across the network. Private IP address space (RFC 1918) and IPv6 unique local addresses (ULA) can be allocated in the same manner. This allocation process is necessary to "carve up" each monolithic block into constituent sub-blocks until IP address capacity has been allocated to meet the IP addressing demands of user devices.

Figure 1: Hierarchical Network Allocation


Address planning

When planning to allocate IP address space, whether private or public, administrators must forecast the IP address capacity requirements in each end user accessible subnet on the network. This is typically based on the number of end users located at each site, the number of visitors or mobile users expected at the site, and the number of IP addresses required on average for each end user.

Another aspect of address planning is the rollout of multiple IP applications requiring address segmentation for routing treatment purposes, such as VoIP. For example, routers may need to be configured to provide priority processing for VoIP packets (packets with a source address from the VoIP address block segment) versus best-effort data packets (packets with a source address from the normal or data block segment).

A third aspect of address planning relates to your use of the cloud and your anticipated cloud IP addressing needs. For example, if you're extending your private network to a public cloud provider for overflow capacity, i.e., cloud bursting, you'll need to allocate sufficient IP address space to accommodate your maximum burst of virtual machines (VMs) or virtualized network functions (VNFs).

While the easy solution is to grossly oversize each subnet for each application, in reality this may not be feasible given IP address space limitations, at least for IPv4. Within such address space sizing constraints, administrators must meet the challenge of accurately and optimally allocating address space to each site. For IPv6, address space is seemingly unlimited, and planning should strive for consistently sized allocations at each layer, as we'll discuss next.

Address allocation

An additional consideration is that each allocated address block must fit the routing infrastructure supporting its site. Block allocations at each site must "roll up" in terms of maximizing address hierarchy in order to facilitate route aggregation for routing protocols such as OSPF (Open Shortest Path First). Route aggregation reduces routing protocol traffic and keeps routing tables manageable. In addition, it helps to reduce the probability of rendering certain networks unreachable. This can occur when an address block from one region is assigned to another region but the block is included in a higher layer route advertisement, rendering the assigned block unreachable outside the advertising region. The address space planning process then needs to carefully consider the macro-level requirements for address space as well as the rollup of individual address space requirements. For example, a global corporation may wish to subdivide its space among a core backbone of sites covering three continents (Figure 1), one of which may not be a continent but a public cloud provider that serves as an extension of the enterprise network.

It may make sense to subdivide the "root" address block into three in a manner that meets the current and foreseeable capacity needs of each continent. To size each block properly, planners must define the individual site requirements, perhaps roll these up to regional levels for a mid-tier within the routing topology, and then roll up to the tri-continental core routers. Modeling address space in such a hierarchical, inheritance-based manner, then allocating space optimally at each hierarchy layer, is key to maximizing address utilization in a routing-efficient manner.

If IP network allocation is done improperly, duplicate IP addresses can be unintentionally assigned and networks can be rendered unreachable; and unless allocation is performed not only hierarchically but also optimally, IP address space itself can be left unusable rather than preserved for use elsewhere. Because subnetting relies on binary arithmetic, errors or suboptimal allocations can creep in, resulting in ineffective address capacity utilization. When more address space is needed, such inefficiencies would likely need to be corrected via a painful renumbering process before additional address space would be granted by an Internet Registry or ISP.

Your allocation strategy lays the foundation for IP address planning and must be performed effectively to minimize downstream errors and issues and to simplify ongoing network management. A well-designed IP address plan can ease invocation of IP address-based policies such as implementing security controls, routing treatments and application policies. This function is so crucial that we wrote an entire white paper focused solely on this topic, which we published on our website and on the Internet Society website. We invite you to read this paper for more details around IP address planning and allocation, particularly for IPv6 (though analogous principles apply to IPv4).
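As an added illustration of the hierarchical roll-up and the security-policy point made in this section (example code, not from the white paper or from BT Diamond IP), the following Python sizes a constructed three-continent plan from per-site host forecasts, allocates blocks largest-first so every site block sits inside its region block, reports blocks that break the roll-up or overlap, and counts how many ACL entries a set of subnets needs. The root block, site names and host counts are constructed sample values.

```python
import ipaddress
import math


def prefix_for_hosts(hosts):
    """Smallest IPv4 prefix length whose subnet holds `hosts` usable addresses
    (the network and broadcast addresses are not usable)."""
    return 32 - math.ceil(math.log2(hosts + 2))


def carve(parent, sizes):
    """Allocate one block per entry of `sizes` ({name: prefix length}) from
    `parent`, largest block first, so every block starts on an aligned
    boundary and the unused remainder stays contiguous for later growth."""
    blocks, cursor = {}, int(parent.network_address)
    for name, plen in sorted(sizes.items(), key=lambda kv: kv[1]):
        net = ipaddress.ip_network((cursor, plen))
        if not net.subnet_of(parent):
            raise ValueError(f"{parent} exhausted while allocating {name}")
        blocks[name] = net
        cursor += net.num_addresses
    return blocks


def plan_hierarchy(root, plan):
    """plan is {continent: {site: forecast host count}}. Returns
    {continent: (continent block, {site: site block})}. Each continent block
    is sized to hold all of its site blocks, so the core routers can
    advertise it as a single aggregate route."""
    cont_sizes = {}
    for cont, sites in plan.items():
        needed = sum(2 ** (32 - prefix_for_hosts(h)) for h in sites.values())
        cont_sizes[cont] = 32 - math.ceil(math.log2(needed))
    hierarchy = {}
    for cont, block in carve(root, cont_sizes).items():
        site_sizes = {s: prefix_for_hosts(h) for s, h in plan[cont].items()}
        hierarchy[cont] = (block, carve(block, site_sizes))
    return hierarchy


def rollup_errors(hierarchy):
    """Flag blocks that break the roll-up: a site block outside its own
    continent's block (another region's aggregate advertisement would swallow
    it, making it unreachable from outside that region) and overlapping site
    blocks (a duplicate-address risk)."""
    errors = []
    for cont, (block, sites) in hierarchy.items():
        items = list(sites.items())
        for i, (site, net) in enumerate(items):
            if not net.subnet_of(block):
                errors.append(f"{site} {net} is outside {cont} {block}")
            for other, onet in items[i + 1:]:
                if net.overlaps(onet):
                    errors.append(f"{site} {net} overlaps {other} {onet}")
    return errors


def acl_entries(cidrs):
    """Fewest prefixes covering the given CIDR strings, i.e. the number of
    ACL lines needed to cordon off those subnets. A site allocated one
    contiguous block collapses to a single entry."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed sample plan (not the paper's figures): a corporate root block
# split across two continents plus a public cloud extension, as in Figure 1.
ROOT = ipaddress.ip_network("10.0.0.0/8")
SAMPLE_PLAN = {
    "NA": {"nyc": 900, "chi": 400, "dal": 120},
    "EU": {"lon": 500, "fra": 250},
    "CLOUD": {"vpc-a": 1000, "vpc-b": 60},
}
```

Calling `plan_hierarchy(ROOT, SAMPLE_PLAN)` returns the sized blocks; feeding a deliberately misplaced site block to `rollup_errors` shows the unreachable-block case described above.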

Centralizing IP inventory

Address planning and allocation is best performed using a centralized IP inventory repository. A centralized system provides a single, holistic view of your entire address space deployed over a number of sites on-premises and in the cloud, each potentially with address pools and DNS information deployed on multiple DHCP and DNS servers throughout your network. Centralized management with distributed deployment also facilitates support of multivendor DHCP and DNS environments. For example, many organizations run Microsoft DNS and DHCP for internal clients, while running BIND DNS servers for external queries. A single, consistent user interface and view of these multivendor configurations reduces errors, saves time, and eliminates the requirement of replacing existing DHCP and DNS servers.

You should implement periodic backups and/or replicate to a secondary repository to ensure high availability of this critical IP address information. Another common approach to IP inventory uses a decentralized architecture with distributed, replicated repositories. Such designs are either not fully replicated (i.e., each repository member stores only the data it needs) or, if they are, do provide multiple replicas but can generate tremendous replication traffic on the network to update all members with all changes. This replication process, with its impact on inter-server update performance, can hamper scalability and renders the fully distributed approach appropriate only for small, single-vendor environments.

Managing address dynamics

After the initial sizing and deployment, even when done perfectly, changes inevitably occur. Virtual private clouds and subnets are allocated and deallocated elastically. New corporate sites are opened and others are consolidated. Perhaps more mobile users require IP addresses on a subnet than initially expected. Several servers are moved to a different subnet without prior notification. New services such as VoIP are rolled out.

Note that each of these events impacts your IP address space, regardless of whether it was initiated by business requirements driving site openings and closures, by IT in deploying additional IP services such as VoIP and adding cloud VMs for performance or other reasons, or by end user behavior in terms of addressing requirements at particular sites. Staying on top of these and other changes, which reflect the organic nature of IP networks, is absolutely necessary for effective IP address space management.

It's important to monitor IP address utilization to track IP capacity and alert IP planners to pending IP address depletion on portions of your network, clouds, or address pools. Proactive monitoring and alerting can help avert an IP addressing crisis. Detecting IP address occupancy beyond address pools also provides feedback related to the integrity of your IP address inventory. Polling your enterprise networks using SNMP, ICMP, DNS, or similar scanning tools should help you identify a snapshot of IP addresses in use. Polling your cloud services platforms via the corresponding cloud application programming interface (API) likewise provides IP occupancy data.

By checking the network using the appropriate polling technique and then comparing network actuals with your database records, you can identify discrepancies. These take two forms: "surprise" address assignments (e.g., addresses assigned locally without being recorded) and addresses no longer in use, where a device no longer occupies an address otherwise attributed to it. In the former case, the potentially rogue device should be investigated to protect against a security breach; in the latter, the IP address can be reclaimed and returned to the free state for reassignment.
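The reconciliation loop just described, as an added example that is not part of the white paper or of any BT Diamond IP product: constructed inventory records are compared with a constructed poll result to surface surprise assignments and reclaim candidates, and DHCP pool utilization is checked against an alert threshold. The addresses, hostnames, pool range and the three-poll reclaim threshold are assumptions; a real deployment would feed the records from the IPAM database and the poll result from SNMP/ICMP/DNS or cloud-API scans.

```python
import ipaddress

# Constructed inventory for one site subnet (10.0.6.0/25 in this sample):
# address -> record. "misses" counts consecutive polls in which the address
# did not answer; 10.0.6.11 has already been silent for two polls.
RECORDS = {
    "10.0.6.1": {"host": "dal-gw01", "misses": 0},
    "10.0.6.10": {"host": "dal-fs01", "misses": 0},
    "10.0.6.11": {"host": "dal-prn01", "misses": 2},
}
for _i in range(64, 118):  # 54 active DHCP leases inside the pool below
    RECORDS[f"10.0.6.{_i}"] = {"host": f"lease-{_i}", "misses": 0}

# Constructed DHCP pool ranges: name -> (first address, last address).
POOLS = {"dal-pool": ("10.0.6.64", "10.0.6.127")}

# Constructed poll result: every address that answered this cycle.
# 10.0.6.20 answers but has no inventory record; 10.0.6.11 is silent again.
SCAN_SEEN = {f"10.0.6.{i}" for i in range(64, 118)} | {
    "10.0.6.1", "10.0.6.10", "10.0.6.20"}


def reconcile(records, scan_seen, reclaim_after=3):
    """Compare the inventory with a poll snapshot without mutating `records`.
    Returns (surprise, reclaim, updated_records): addresses in use that the
    inventory does not know about (investigate as potential rogue devices),
    addresses silent for `reclaim_after` consecutive polls (candidates to
    return to the free state; one missed poll may just be a powered-off
    host), and the records with refreshed miss counters."""
    surprise = sorted(scan_seen - set(records), key=ipaddress.ip_address)
    updated, reclaim = {}, []
    for ip, rec in records.items():
        misses = 0 if ip in scan_seen else rec["misses"] + 1
        updated[ip] = {**rec, "misses": misses}
        if misses >= reclaim_after:
            reclaim.append(ip)
    return surprise, sorted(reclaim, key=ipaddress.ip_address), updated


def pool_utilization(first, last, records):
    """Fraction of the pool range [first, last] holding an inventory record."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    used = sum(1 for ip in records if lo <= ipaddress.ip_address(ip) <= hi)
    return used / (int(hi) - int(lo) + 1)


def pool_alerts(pools, records, threshold=0.8):
    """Names of pools at or above `threshold` utilization, so planners can
    grow them before the pool depletes."""
    return [name for name, (first, last) in pools.items()
            if pool_utilization(first, last, records) >= threshold]
```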

IPv6 deployment

As public IPv4 address space is now effectively depleted, you should plan for deploying IPv6 if you haven't already, at least on your Internet-facing infrastructure. You'll need to make sure your ISP provides IPv6 support and you should plan to address each Internet-reachable host with both an IPv4 address and an IPv6 address. This dual-stack approach offers the simplest means of implementing IPv6 while offering you valuable experience with the latest Internet Protocol.

Implementing IPv6 will also maximize your Internet presence, affording access to your Internet hosts by either protocol. Eventually you may decide to simplify your IPAM tasks for managing both IPv4 and IPv6 address spaces and decommission your IPv4 network externally and internally. This is the ultimate goal, but the transition to an IPv6-only state will likely take some time.

In the meantime, if you're currently in the IPv4-only state and would like more information on where to begin, we invite you to access the following resources (free except for our book).

Guidelines for IPv6 address allocation paper on the aforementioned Internet Society page.

IP Address Planning, free IPv6 white paper on BT's website.

Free videos including several on IPv6 on YouTube.

IPv6 Deployment and Management book, published by Wiley/IEEE Press.

IP addressing and security

Your IP address plan plays a key role in facilitating implementation of IP address-based security policies. Access control lists (ACLs) can be defined in one line or several depending on how well your IP address plan corresponds to your "security zones." For example, if you've allocated a single block to a given site, which you've sub-allocated into subnets for users within the site, you could feasibly cordon off that site using the site's block address in a network-wide ACL should you need to impose a quarantine. This is perhaps an extreme example, but you should consider security in your IP address planning tasks.
