
IP Address Management, Second Edition PDF

615 Pages·2021·11.682 MB·English

Preview IP Address Management, Second Edition

IP Address Management
Second Edition

Michael Dooley & Timothy Rooney

Copyright © 2021 by The Institute of Electrical and Electronics Engineers, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per‐copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750‐8400, fax (978) 750‐4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748‐6011, fax (201) 748‐6008, or online at http://www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762‐2974, outside the United States at (317) 572‐3993 or fax (317) 572‐4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging‐in‐Publication Data
Names: Rooney, Tim, author. | Dooley, Michael Earl, 1962- author.
Title: IP address management / Michael Dooley & Timothy Rooney.
Description: Second edition. | Hoboken, New Jersey : Wiley, 2021. | Series: IEEE press series on networks and service management | Timothy Rooney appears as the first named author in the first edition. | Includes bibliographical references and index.
Identifiers: LCCN 2020030601 (print) | LCCN 2020030602 (ebook) | ISBN 9781119692270 (cloth) | ISBN 9781119692287 (adobe pdf) | ISBN 9781119692300 (epub)
Subjects: LCSH: Internet addresses. | Internet domain names.
Classification: LCC TK5105.8835 .R66 2021 (print) | LCC TK5105.8835 (ebook) | DDC 004.67/8–dc23
LC record available at https://lccn.loc.gov/2020030601
LC ebook record available at https://lccn.loc.gov/2020030602

Cover design by Wiley
Cover image: © Bill Donnelley/WT Design
Set in 9.5/12.5pt STIXTwoText by SPi Global, Chennai, India

Contents

Preface
Acknowledgments
About the Authors

Part I IPAM Introduction

1 Introduction
  IP Networking Overview
    IP Routing
    IP Addresses
    Protocol Layering
    OSI and TCP/IP Layers
    TCP/UDP Ports
    Intra-Link Communications
    Are We on the Same Link?
    Limiting Broadcast Domains
    Interlink Communications
    Worldwide IP Communications
    Dynamic Routing
    Routers and Subnets
    Assigning IP addresses
    The Human Element
  Why Manage IP Space?
  Basic IPAM Approaches
    Early History
    Today’s IP Networks and IP Management Challenges

2 IP Addressing
  Internet Protocol History
  The Internet Protocol, Take 1
    Class-Based Addressing
    Internet Growing Pains
    Private Address Space
    Classless Addressing
    Special Use IPv4 Addresses
  The Internet Protocol, Take 2
    IPv6 Address Types and Structure
    IPv6 Address Notation
    Address Structure
    IPv6 Address Allocations
    2000::/3 – Global Unicast Address Space
    fc00::/7 – Unique Local Address Space
    fe80::/10 – Link Local Address Space
    ff00::/8 – Multicast Address Space
    Special Use IPv6 Addresses
  IPv4–IPv6 Coexistence

3 IP Address Assignment
  Address Planning
    Regional Internet Registries
    RIR Address Allocation
  Address Allocation Efficiency
    Multi-Homing and IP Address Space
  Endpoint Address Allocation
  Server-based Address Allocation Using DHCP
    DHCP Servers and Address Assignment
    Device Identification by Class
    DHCP Options
  DHCP for IPv6 (DHCPv6)
    DHCP Comparison IPv4 vs. IPv6
    DHCPv6 Address Assignment
    DHCPv6 Prefix Delegation
    Device Unique Identifiers (DUIDs)
    Identity Associations (IAs)
    DHCPv6 Options
  IPv6 Address Autoconfiguration
    Neighbor Discovery
    Modified EUI-64 Interface Identifiers
    Opaque Interface IDs
    Reserved Interface IDs
    Duplicate Address Detection (DAD)

4 Navigating the Internet with DNS
  Domain Hierarchy
  Name Resolution
    Resource Records
  Zones and Domains
    Dissemination of Zone Information
  Reverse Domains
    IPv6 Reverse Domains
  Additional Zones
    Root Hints
    Localhost Zones
    DNS Update

5 IPAM Technology Applications
  DHCP Applications
    Device Type Specific Configuration
    Broadband Subscriber Provisioning
    Related Lease Assignment or Limitation Applications
    Pre-Boot Execution Environment (PXE) clients
    PPP/RADIUS Environments
    Mobile IP
  Popular DNS Applications
    Host Name and IP Address Resolution
    A – IPv4 Address Record
    AAAA – IPv6 address record
    PTR – Pointer Record
    Alias Host Name Resolutions
    CNAME – Canonical Name Record
    Network Services Location
    SRV – Services Location Record
    Textual Information Lookup
    TXT – Text Record
    Many More Applications

Part II IPAM Mechanics

6 IP Management Core Tasks
  IPAM Is Foundational
    Impacts of Inadequate IPAM Practice
    IPAM Is Core to Network Management
  FCAPS Summary
    Configuration Management
    Address Allocation Considerations
    Address Allocation Tasks
    IP Address Assignment
    Address Deletion Tasks
    Address Renumbering or Movement Tasks
    Network Services Configuration
    Fault Management
    Monitoring and Fault Detection
    Troubleshooting and Fault Resolution
    Accounting Management
    Inventory Assurance
    Performance Management
    Services Monitoring
    Address Capacity Management
    Auditing and Reporting
    Security Management
    ITIL® Process Mappings
    ITIL Practice Areas
    Conclusion

7 IPv6 Deployment
  IPv6 Deployment Process Overview
  IPv6 Address Plan Objectives
    IPv6 Address Plan Examples
    Case 1
    Observations
    Case 2
    Observations
    General IPv6 Address Plan Guidelines
    ULA Considerations
    Renumbering Impacts
  IPv4–IPv6 Coexistence Technologies
  Dual Stack Approach
    Dual Stack Deployment
    DNS Considerations
    DHCP Considerations
  Tunneling Approaches
    Tunneling Scenarios for IPv6 Packets over IPv4 Networks
    Dual-Stack Lite
    Lightweight 4over6
    Mapping of Address and Port with Encapsulation (MAP-E)
    Additional Tunneling Approaches
  Translation Approaches
    IP/ICMP Translation
    Address Translation
    Packet Fragmentation Considerations
    IP Header Translation Algorithm
  Bump in the Host (BIH)
    Network Address Translation for IPv6–IPv4 (NAT64)
    NAT64 and DNS64
    464XLAT
    Mapping of Address and Port with Translation (MAP-T)
    Other Translation Techniques
  Planning Your IPv6 Deployment Process

8 IPAM for the Internet of Things
  IoT Architectures
  6LoWPAN
  Summary

9 IPAM in the Cloud
  IPAM VNFs
    Cloud IPAM Concepts
    IP Initialization Process
    IP Initialization Implementation
    DHCP Method
    Private Cloud Static Method
    Public Cloud Static Method
  Cloud Automation with APIs
    Multi-Cloud IPAM
    Private Cloud Automation
    Public Cloud Automation
    IPAM Automation Benefits
    Unifying IPAM Automation
    Streamlined Subnet Allocation Workflow
  Workflow Realization
    Tips for Defining Workflows
  Automation Scenarios
    Intra-IPAM Automation
    DHCP Server Configuration
    DNS Server Configuration
    Subnet Assignment
    IP Address Assignment Request
    Extra-IPAM Workflow Examples
    Regional Internet Registry Reporting
    Router Configuration Provisioning
    Customer Provisioning
    Asset Inventory Integration
    Trouble Ticket Creation
  Summary

Part III IPAM and Security

10 IPAM Services Security
  Securing DHCP
    DHCP Service Availability
    DHCP Server/OS Attacks
    DHCP Server/OS Attack Mitigation
    DHCP Service Threats
    DHCP Threat Mitigation
    DHCP Authentication and Encryption
  DNS Infrastructure Risks and Attacks
    DNS Service Availability
    DNS Server/OS Attacks
    DNS Server/OS Attack Mitigation
  DNS Service Denial
    Distributed Denial of Service
    Bogus Domain Queries
    Pseudorandom Subdomain Attacks
    Denial of Service Mitigation
  Reflector Style Attacks
