IP address management

Author(s)

    • Dooley, Michael Earl
    • Rooney, Tim

Bibliographic Information

IP address management

Michael Dooley & Timothy Rooney

(IEEE press series on networks and service management)

Wiley, c2021

2nd ed

Available at 2 libraries


Note

Timothy Rooney appears as the first named author in the first edition

Includes bibliographical references and index

Description and Table of Contents

Description

Rediscover fundamental and advanced topics in IPAM, DNS, DHCP and other core networking technologies with this updated one-stop reference.

The thoroughly revised second edition of IP Address Management is the definitive reference for working with core IP management technologies, like address allocation, assignment, and network navigation via DNS. Accomplished professionals and authors Timothy Rooney and Michael Dooley offer readers coverage of recent IPAM developments in the world of cloud computing, Internet of Things (IoT), and security, as well as a comprehensive treatment of foundational concepts in IPAM. The new edition addresses the way that IPAM needs and methods have evolved since the publication of the first edition. The book covers the impact of mainstream use of private and public cloud services, the maturation of IPv6 implementations, new DNS security approaches, and the proliferation of IoT devices. The authors have also reorganized the flow of the book, with much of the technical reference material appearing at the end, making for a smoother and simpler reading experience.

The 2nd edition of IP Address Management also covers topics such as:

    • Discussions about the fundamentals of Internet Protocol Address Management (IPAM), including IP addressing, address allocation and assignment, DHCP, and DNS
    • An examination of IPAM practices, including core processes and tasks, deployment strategies, IPAM security best practices, and DNS security approaches
    • A treatment of IPAM in the modern context, including how to adapt to cloud computing, the Internet of Things, IPv6, and new trends in IPAM
    • A one-stop reference for IPAM topics, including IP addressing, DHCP, DNS, IPv6, and DNS security

Perfect for IP network engineers and managers, network planners, network architects, and security engineers, the second edition of IP Address Management also belongs on the bookshelves of senior undergraduate and graduate students studying in networking, information technology, and computer security-related courses and programs.

Table of Contents

Preface xix Acknowledgments xxiii About the Authors xxv

Part I IPAM Introduction 1
1 Introduction 3 IP Networking Overview 3 IP Routing 6 IP Addresses 7 Protocol Layering 12 OSI and TCP/IP Layers 14 TCP/UDP Ports 15 Intra-Link Communications 15 Are We on the Same Link? 17 Limiting Broadcast Domains 18 Interlink Communications 19 Worldwide IP Communications 20 Dynamic Routing 22 Routers and Subnets 24 Assigning IP addresses 25 The Human Element 26 Why Manage IP Space? 26 Basic IPAM Approaches 27 Early History 27 Today's IP Networks and IP Management Challenges 28
2 IP Addressing 31 Internet Protocol History 31 The Internet Protocol, Take 1 32 Class-Based Addressing 32 Internet Growing Pains 35 Private Address Space 38 Classless Addressing 40 Special Use IPv4 Addresses 40 The Internet Protocol, Take 2 41 IPv6 Address Types and Structure 42 IPv6 Address Notation 43 Address Structure 45 IPv6 Address Allocations 46 2000::/3 - Global Unicast Address Space 47 fc00::/7 - Unique Local Address Space 47 fe80::/10 - Link Local Address Space 47 ff00::/8 - Multicast Address Space 48 Special Use IPv6 Addresses 48 IPv4-IPv6 Coexistence 49
3 IP Address Assignment 51 Address Planning 51 Regional Internet Registries 51 RIR Address Allocation 53 Address Allocation Efficiency 54 Multi-Homing and IP Address Space 55 Endpoint Address Allocation 58 Server-based Address Allocation Using DHCP 58 DHCP Servers and Address Assignment 61 Device Identification by Class 62 DHCP Options 62 DHCP for IPv6 (DHCPv6) 62 DHCP Comparison IPv4 vs. IPv6 63 DHCPv6 Address Assignment 64 DHCPv6 Prefix Delegation 65 Device Unique Identifiers (DUIDs) 66 Identity Associations (IAs) 66 DHCPv6 Options 67 IPv6 Address Autoconfiguration 67 Neighbor Discovery 68 Modified EUI-64 Interface Identifiers 69 Opaque Interface IDs 69 Reserved Interface IDs 72 Duplicate Address Detection (DAD) 72
4 Navigating the Internet with DNS 75 Domain Hierarchy 75 Name Resolution 76 Resource Records 80 Zones and Domains 81 Dissemination of Zone Information 83 Reverse Domains 84 IPv6 Reverse Domains 89 Additional Zones 91 Root Hints 91 Localhost Zones 92 DNS Update 92
5 IPAM Technology Applications 93 DHCP Applications 93 Device Type Specific Configuration 94 Broadband Subscriber Provisioning 95 Related Lease Assignment or Limitation Applications 101 Pre-Boot Execution Environment (PXE) clients 102 PPP/RADIUS Environments 103 Mobile IP 104 Popular DNS Applications 105 Host Name and IP Address Resolution 106 A - IPv4 Address Record 107 AAAA - IPv6 address record 107 PTR - Pointer Record 107 Alias Host Name Resolutions 108 CNAME - Canonical Name Record 108 Network Services Location 108 SRV - Services Location Record 109 Textual Information Lookup 110 TXT - Text Record 110 Many More Applications 110

Part II IPAM Mechanics 111
6 IP Management Core Tasks 113 IPAM Is Foundational 113 Impacts of Inadequate IPAM Practice 114 IPAM Is Core to Network Management 115 FCAPS Summary 116 Configuration Management 117 Address Allocation Considerations 118 Address Allocation Tasks 120 IP Address Assignment 133 Address Deletion Tasks 135 Address Renumbering or Movement Tasks 136 Network Services Configuration 140 Fault Management 143 Monitoring and Fault Detection 143 Troubleshooting and Fault Resolution 144 Accounting Management 147 Inventory Assurance 147 Performance Management 151 Services Monitoring 151 Address Capacity Management 152 Auditing and Reporting 152 Security Management 153 ITIL® Process Mappings 153 ITIL Practice Areas 154 Conclusion 162
7 IPv6 Deployment 163 IPv6 Deployment Process Overview 164 IPv6 Address Plan Objectives 165 IPv6 Address Plan Examples 166 Case 1 166 Observations 168 Case 2 169 Observations 169 General IPv6 Address Plan Guidelines 170 ULA Considerations 171 Renumbering Impacts 172 IPv4-IPv6 Coexistence Technologies 173 Dual Stack Approach 173 Dual Stack Deployment 174 DNS Considerations 174 DHCP Considerations 175 Tunneling Approaches 176 Tunneling Scenarios for IPv6 Packets over IPv4 Networks 176 Dual-Stack Lite 177 Lightweight 4over6 181 Mapping of Address and Port with Encapsulation (MAP-E) 181 Additional Tunneling Approaches 183 Translation Approaches 184 IP/ICMP Translation 185 Address Translation 186 Packet Fragmentation Considerations 187 IP Header Translation Algorithm 188 Bump in the Host (BIH) 189 Network Address Translation for IPv6-IPv4 (NAT64) 192 NAT64 and DNS64 193 464XLAT 195 Mapping of Address and Port with Translation (MAP-T) 195 Other Translation Techniques 196 Planning Your IPv6 Deployment Process 197
8 IPAM for the Internet of Things 201 IoT Architectures 201 6LoWPAN 203 Summary 209
9 IPAM in the Cloud 211 IPAM VNFs 212 Cloud IPAM Concepts 212 IP Initialization Process 212 IP Initialization Implementation 213 DHCP Method 214 Private Cloud Static Method 216 Public Cloud Static Method 218 Cloud Automation with APIs 218 Multi-Cloud IPAM 220 Private Cloud Automation 221 Public Cloud Automation 223 IPAM Automation Benefits 223 Unifying IPAM Automation 224 Streamlined Subnet Allocation Workflow 226 Workflow Realization 230 Tips for Defining Workflows 233 Automation Scenarios 234 Intra-IPAM Automation 234 DHCP Server Configuration 235 DNS Server Configuration 236 Subnet Assignment 236 IP Address Assignment Request 236 Extra-IPAM Workflow Examples 237 Regional Internet Registry Reporting 237 Router Configuration Provisioning 238 Customer Provisioning 238 Asset Inventory Integration 238 Trouble Ticket Creation 239 Summary 239

Part III IPAM and Security 241
10 IPAM Services Security 243 Securing DHCP 244 DHCP Service Availability 244 DHCP Server/OS Attacks 244 DHCP Server/OS Attack Mitigation 245 DHCP Service Threats 245 DHCP Threat Mitigation 246 DHCP Authentication and Encryption 247 DNS Infrastructure Risks and Attacks 248 DNS Service Availability 249 DNS Server/OS Attacks 249 DNS Server/OS Attack Mitigation 250 DNS Service Denial 250 Distributed Denial of Service 251 Bogus Domain Queries 251 Pseudorandom Subdomain Attacks 252 Denial of Service Mitigation 253 Reflector Style Attacks 253 Reflector Attack Mitigation 254 Authoritative Poisoning 254 Authoritative Poisoning Mitigation 255 Resolver Redirection Attacks 256 Resolver Attack Defenses 256 Securing DNS Transactions 257 Cache Poisoning Style Attacks 257 Cache Poisoning Mitigation 259 DNSSEC Overview 259 The DNSSEC Resolution Process 260 Negative Trust Anchors 262 DNSSEC Deployment 263 Last Mile Protection 264 DNS Cookies 264 DNS Encryption 264 DNS Over TLS (DoT) 264 DNS Over HTTPS (DoH) 265 Encryption Beyond the Last Mile 267
11 IPAM and Network Security 269 Securing Network Access 269 Discriminatory Address Assignment with DHCP 269 DHCP Lease Query 274 Alternative Access Control Approaches 275 Layer 2 Switch Alerting 275 802.1X 276 Securing the Network Using IPAM 277 IP-Based Security Policies (ACLs, etc.) 277 Malware Detection Using DNS 277 Malware Proliferation Techniques 278 Phishing 279 Spear Phishing 279 Software Downloads 279 File Sharing 279 Email Attachments 280 Watering Hole Attack 280 Replication 280 Brute Force 280 Malware Examples 280 Malware Mitigation 281 DNS Firewall 282 DNS Firewall Policy Precedence 284 Logging Configuration 285 Other Attacks that Leverage DNS 285 Network Reconnaissance 285 Network Reconnaissance Defenses 286 DNS Rebinding Attack 287 Data Exfiltration 287 Data Exfiltration Mitigation 287 DNS as Data Transport (Tunneling) 288 Advanced Persistent Threats 289 Advanced Persistent Threats Mitigation 290
12 IPAM and Your Internet Presence 291 IP Address Space Integrity 291 Publicizing Your Public Namespace 292 Domain Registries and Registrars 292 DNS Hosting Providers 294 Signing Your Public Namespace 295 DNSSEC Zone Signing 295 Key Rollover 296 Prepublish Rollover 297 Dual Signature Rollover 298 Algorithm Rollover 299 Key Security 301 Enhancing Internet Application Encryption Integrity 302 DNS-Based Authentication of Named Entities (DANE) 303 Securing Email with DNS 305 Email and DNS 305 DNS Block Listing 306 Sender Policy Framework (SPF) 307 Domain Keys Identified Mail (DKIM) 307 Domain-Based Message Authentication, Reporting, and Conformance (DMARC) 308

Part IV IPAM in Practice 311
13 IPAM Use Case 313 Introduction 313 IPv4 Address Allocation 316 First-Level Allocation 317 Second-Layer Allocation 318 Address Allocation Layer 3 320 Core Address Space 323 External Extensions of Address Space 323 Allocation Trade-Offs and Tracking 324 IPAM Worldwide's Public IPv4 Address Space 325 IPAM Worldwide's IPv6 Allocations 326 External Extensions Address Space 329 IP Address Tracking 332 DNS and IP Address Management 334
14 IPAM Deployment Strategies 337 General Deployment Principles for DHCP/DNS 337 Disaster Recovery/Business Continuity 338 DHCP Deployment 339 DHCP Server Platforms 339 DHCP Servers 339 Virtualized DHCP Deployment 339 DHCP Appliances 339 DHCP Deployment Approaches 340 Centralized DHCP Server Deployment 340 Distributed DHCP Server Deployment 342 DHCP Services Deployment Design Considerations 344 DHCP Deployment on Edge Devices 347 DNS Deployment 348 DNS Trust Sectors 349 External DNS Trust Sector 350 Extranet DNS Trust Sector 355 Recursive DNS Trust Sector 357 Internal DNS Trust Sector 361 Deploying DNS Servers with Anycast Addresses 362 Anycast Addressing Benefits 362 Anycast Caveats 364 Configuring Anycast Addressing 365 IPAM Deployment Summary 366 High Availability 366 Multiple Vendors 366 Sizing and Scalability 367 Load Balancers 367 Lab Deployment 367
15 The Business Case for IPAM 369 IPAM Business Benefits 369 Automation 370 Outage Reduction 370 Rapid Trouble Resolution 370 Accurate IPAM Inventory and Reporting 371 Expanded IP Services 371 Distributed Administration 371 Enhanced Security 371 Business Case Overview 372 Business Case Cost Basis 373 Address Block Management 374 Subnet Management 381 IP Address Assignment - Moves, Adds, and Changes 383 Inventory Assurance 386 Address Capacity Management 387 Auditing and Reporting 392 Server Upgrade Management 392 Outage and Security Recovery Costs 393 IPAM System Administration Costs 396 Cost Basis Summary 399 Savings with IPAM Deployment 399 Business Case Expenses 403 Netting it Out: Business Case Results 403 Conclusion 405
16 IPAM Evolution/Trends 407 Security Advancements 407 Intent-Based Networking 409 Artificial Intelligence Applied to IPAM 410 IP Address Capacity Management 412 DNS Query and Response Analytics 412 DNS Malware Detection 413 Network Address Intrusions 413 IPAM Administration Activity Analysis 414 AI Summary 414 Edge Computing 414 Identifier/Locator Networking 415 Information Centric Networking 416

Part V IPAM Reference 419
17 IP Addressing Reference 421 IP Version 4 421 The IPv4 Header 421 IP Version 6 423 The IPv6 Header 423 IPv6 Multicast Addressing 424 Flags 425 Special Case Multicast Addresses 429 Solicited Node Multicast Address 429 Node Information Query Address 429 IPv6 Addresses with Embedded IPv4 Addresses 430 Reserved Subnet Anycast Addresses 430
18 DHCP Reference 433 DHCPv6 Protocol 433 DHCPv6 Packet Format 433 DHCPv6 Message Types 433 DHCPv6 Failover Overview 437 DHCPv6 Options 439 DHCP for IPv4 454 DHCP Packet Format 454 DHCPv4 Message Types 456 DHCP Options 474
19 DNS Reference 475 DNS Message Format 475 Encoding of Domain Names 475 Name Compression 476 Internationalized Domain Names 478 DNS Message Format 479 Message Header 480 Question Section 482 Answer Section 485 Authority Section 487 Additional Section 487 DNS Update Messages 487 DNS Extensions (EDNS0) 489 The DNS Resolution Process Revisited 494 DNS Resolution Privacy Extension 501 DNS Resolver Configuration 502 DNS Applications and Resource Records 504 Resource Record Format 504 Host Name and IP Address Resolution 506 A - IPv4 Address Record 506 AAAA - IPv6 Address Record 506 PTR - Pointer Record 507 Alias Host and Domain Name Resolutions 507 CNAME - Canonical Name Record 507 DNAME - Domain Alias Record 508 Network Services Location 508 SRV - Services Location Record 508 AFSDB - DCE or AFS Server Record (Experimental) 509 WKS - Well Known Service Record (Historic) 510 Host and Textual Information Lookup 510 TXT - Text Record 510 HINFO - Host Information Record 510 DNS Protocol Operational Record Types 512 SOA - Start of Authority Record 512 NS - Name Server Record 513 Dynamic DNS Update Uniqueness Validation 514 DHCID - Dynamic Host Configuration Identifier Record 514 Telephone Number Resolution 515 NAPTR - Naming Authority Pointer Record 517 Email and Anti-spam Management 518 Email and DNS 519 MX - Mail Exchanger Record 519 Allow or Block Listing 523 Sender Policy Framework (SPF) 523 SPF - Sender Policy Framework Formatting for a TXT Record 524 Mechanisms 524 Modifiers 526 Macros 527 Macro Examples 528 Sender ID (Historical) 528 Domain Keys Identified Mail (DKIM) 529 DKIM Signature Email Header Field 530 DKIM TXT Record 531 DMARC TXT Record 532 Historic Email Resource Record Types 533 MR - Mail Rename Record 533 MB - Mailbox Record 533 MG - Mail Group Member Record 534 MINFO - Mailbox/Mailing List Information 534 Security Applications 534 Securing Name Resolution - DNSSEC Resource Record Types 534 DNSKEY - DNS Key Record 534 DS - Delegation Signer Record 536 NSEC - Next Secure Record 536 NSEC3 - NSEC3 Record 537 NSEC3PARAM - NSEC3 Parameters Record 538 RRSIG - Resource Record Set Signature Record 539 Other Security-oriented DNS Resource Record Types 540 TA - Trust Authority Record 540 CERT - Certificate Record 540 IPSECKEY - Public Key for IPSec Record 541 KEY - Key Record 542 KX - Key Exchanger Record 543 SIG - Signature Record 543 SSHFP - Secure Shell Fingerprint Record 544 Geographical Location Lookup 544 GPOS - Geographical Position Record 544 LOC - Location Resource Record 545 Non-IP Host-Address Lookups 545 ISDN - Integrated Services Digital Network Record (Experimental) 545 NSAP - Network Service Access Point Record 545 NSAP-PTR - Network Service Access Point Reverse Record 546 PX - Pointer for X.400 546 X25 - X.25 PSDN Address Record (Experimental) 546 RT - Route Through 547 The Null Record Type 547 NULL 547 Experimental Name-Address Lookup Records 547 IPv6 Address Chaining - The A6 Record (Experimental) 547 APL - Address Prefix List Record (Experimental) 548 DNS Resource Record Summary 549
20 RFC Reference 555

Glossary 583 Bibliography 585 Index 601

by "Nielsen BookData"
