Rediscover fundamental and advanced topics in IPAM, DNS, DHCP and other core networking technologies with this updated one-stop reference
The thoroughly revised second edition of IP Address Management is the definitive reference for working with core IP management technologies, like address allocation, assignment, and network navigation via DNS. Accomplished professionals and authors Timothy Rooney and Michael Dooley offer readers coverage of recent IPAM developments in the world of cloud computing, Internet of Things (IoT), and security, as well as a comprehensive treatment of foundational concepts in IPAM.
The new edition addresses the way that IPAM needs and methods have evolved since the publication of the first edition. The book covers the impact of mainstream use of private and public cloud services, the maturation of IPv6 implementations, new DNS security approaches, and the proliferation of IoT devices. The authors have also reorganized the flow of the book, with much of the technical reference material appearing at the end and making for a smoother and simpler reading experience.
The 2nd edition of IP Address Management also covers topics like such as:
- Discussions about the fundamentals of Internet Protocol Address Management (IPAM), including IP addressing, address allocation and assignment, DHCP, and DNS
- An examination of IPAM practices, including core processes and tasks, deployment strategies, IPAM security best-practices, and DNS security approaches
- A treatment of IPAM in the modern context, including how to adapt to cloud computing, the Internet of Things, IPv6, and new trends in IPAM
- A one-stop reference for IPAM topics, including IP addressing, DHCP, DNS, IPv6, and DNS security
Perfect for IP network engineers and managers, network planners, network architects, and security engineers, the second edition of IP Address Management also belongs on the bookshelves of senior undergraduate and graduate students studying in networking, information technology, and computer security-related courses and programs.
Table of Contents
Preface xix
Acknowledgments xxiii
About the Authors xxv
Part I IPAM Introduction 1
1 Introduction 3
IP Networking Overview 3
IP Routing 6
IP Addresses 7
Protocol Layering 12
OSI and TCP/IP Layers 14
TCP/UDP Ports 15
Intra-Link Communications 15
Are We on the Same Link? 17
Limiting Broadcast Domains 18
Interlink Communications 19
Worldwide IP Communications 20
Dynamic Routing 22
Routers and Subnets 24
Assigning IP addresses 25
The Human Element 26
Why Manage IP Space? 26
Basic IPAM Approaches 27
Early History 27
Today’s IP Networks and IP Management Challenges 28
2 IP Addressing 31
Internet Protocol History 31
The Internet Protocol, Take 1 32
Class-Based Addressing 32
Internet Growing Pains 35
Private Address Space 38
Classless Addressing 40
Special Use IPv4 Addresses 40
The Internet Protocol, Take 2 41
IPv6 Address Types and Structure 42
IPv6 Address Notation 43
Address Structure 45
IPv6 Address Allocations 46
2000::/3 - Global Unicast Address Space 47
fc00::/7 - Unique Local Address Space 47
fe80::/10 - Link Local Address Space 47
ff00::/8 - Multicast Address Space 48
Special Use IPv6 Addresses 48
IPv4-IPv6 Coexistence 49
3 IP Address Assignment 51
Address Planning 51
Regional Internet Registries 51
RIR Address Allocation 53
Address Allocation Efficiency 54
Multi-Homing and IP Address Space 55
Endpoint Address Allocation 58
Server-based Address Allocation Using DHCP 58
DHCP Servers and Address Assignment 61
Device Identification by Class 62
DHCP Options 62
DHCP for IPv6 (DHCPv6) 62
DHCP Comparison IPv4 vs. IPv6 63
DHCPv6 Address Assignment 64
DHCPv6 Prefix Delegation 65
Device Unique Identifiers (DUIDs) 66
Identity Associations (IAs) 66
DHCPv6 Options 67
IPv6 Address Autoconfiguration 67
Neighbor Discovery 68
Modified EUI-64 Interface Identifiers 69
Opaque Interface IDs 69
Reserved Interface IDs 72
Duplicate Address Detection (DAD) 72
4 Navigating the Internet with DNS 75
Domain Hierarchy 75
Name Resolution 76
Resource Records 80
Zones and Domains 81
Dissemination of Zone Information 83
Reverse Domains 84
IPv6 Reverse Domains 89
Additional Zones 91
Root Hints 91
Localhost Zones 92
DNS Update 92
5 IPAM Technology Applications 93
DHCP Applications 93
Device Type Specific Configuration 94
Broadband Subscriber Provisioning 95
Related Lease Assignment or Limitation Applications 101
Pre-Boot Execution Environment (PXE) clients 102
PPP/RADIUS Environments 103
Mobile IP 104
Popular DNS Applications 105
Host Name and IP Address Resolution 106
A - IPv4 Address Record 107
AAAA - IPv6 address record 107
PTR - Pointer Record 107
Alias Host Name Resolutions 108
CNAME - Canonical Name Record 108
Network Services Location 108
SRV - Services Location Record 109
Textual Information Lookup 110
TXT - Text Record 110
Many More Applications 110
Part II IPAM Mechanics 111
6 IP Management Core Tasks 113
IPAM Is Foundational 113
Impacts of Inadequate IPAM Practice 114
IPAM Is Core to Network Management 115
FCAPS Summary 116
Configuration Management 117
Address Allocation Considerations 118
Address Allocation Tasks 120
IP Address Assignment 133
Address Deletion Tasks 135
Address Renumbering or Movement Tasks 136
Network Services Configuration 140
Fault Management 143
Monitoring and Fault Detection 143
Troubleshooting and Fault Resolution 144
Accounting Management 147
Inventory Assurance 147
Performance Management 151
Services Monitoring 151
Address Capacity Management 152
Auditing and Reporting 152
Security Management 153
ITIL® Process Mappings 153
ITIL Practice Areas 154
Conclusion 162
7 IPv6 Deployment 163
IPv6 Deployment Process Overview 164
IPv6
Address Plan Objectives 165
IPv6 Address Plan Examples 166
Case 1 166
Observations 168
Case 2 169
Observations 169
General IPv6 Address Plan Guidelines 170
ULA Considerations 171
Renumbering Impacts 172
IPv4-IPv6 Coexistence Technologies 173
Dual Stack Approach 173
Dual Stack Deployment 174
DNS Considerations 174
DHCP Considerations 175
Tunneling Approaches 176
Tunneling Scenarios for IPv6 Packets over IPv4 Networks 176
Dual-Stack Lite 177
Lightweight 4over6 181
Mapping of Address and Port with Encapsulation (MAP-E) 181
Additional Tunneling Approaches 183
Translation Approaches 184
IP/ICMP Translation 185
Address Translation 186
Packet Fragmentation Considerations 187
IP Header Translation Algorithm 188
Bump in the Host (BIH) 189
Network Address Translation for IPv6-IPv4 (NAT64) 192
NAT64 and DNS64 193
464XLAT 195
Mapping of Address and Port with Translation (MAP-T) 195
Other Translation Techniques 196
Planning Your IPv6 Deployment Process 197
8 IPAM for the Internet of Things 201
IoT Architectures 201
6LoWPAN 203
Summary 209
9 IPAM in the Cloud 211
IPAM VNFs 212
Cloud IPAM Concepts 212
IP Initialization Process 212
IP Initialization Implementation 213
DHCP Method 214
Private Cloud Static Method 216
Public Cloud Static Method 218
Cloud Automation with APIs 218
Multi-Cloud IPAM 220
Private Cloud Automation 221
Public Cloud Automation 223
IPAM Automation Benefits 223
Unifying IPAM Automation 224
Streamlined Subnet Allocation Workflow 226
Workflow Realization 230
Tips for Defining Workflows 233
Automation Scenarios 234
Intra-IPAM Automation 234
DHCP Server Configuration 235
DNS Server Configuration 236
Subnet Assignment 236
IP Address Assignment Request 236
Extra-IPAM Workflow Examples 237
Regional Internet Registry Reporting 237
Router Configuration Provisioning 238
Customer Provisioning 238
Asset Inventory Integration 238
Trouble Ticket Creation 239
Summary 239
Part III IPAM and Security 241
10 IPAM Services Security 243
Securing DHCP 244
DHCP Service Availability 244
DHCP Server/OS Attacks 244
DHCP Server/OS Attack Mitigation 245
DHCP Service Threats 245
DHCP Threat Mitigation 246
DHCP Authentication and Encryption 247
DNS Infrastructure Risks and Attacks 248
DNS Service Availability 249
DNS Server/OS Attacks 249
DNS Server/OS Attack Mitigation 250
DNS Service Denial 250
Distributed Denial of Service 251
Bogus Domain Queries 251
Pseudorandom Subdomain Attacks 252
Denial of Service Mitigation 253
Reflector Style Attacks 253
Reflector Attack Mitigation 254
Authoritative Poisoning 254
Authoritative Poisoning Mitigation 255
Resolver Redirection Attacks 256
Resolver Attack Defenses 256
Securing DNS Transactions 257
Cache Poisoning Style Attacks 257
Cache Poisoning Mitigation 259
DNSSEC Overview 259
The DNSSEC Resolution Process 260
Negative Trust Anchors 262
DNSSEC Deployment 263
Last Mile Protection 264
DNS Cookies 264
DNS Encryption 264
DNS Over TLS (DoT) 264
DNS Over HTTPS (DoH) 265
Encryption Beyond the Last Mile 267
11 IPAM and Network Security 269
Securing Network Access 269
Discriminatory Address Assignment with DHCP 269
DHCP Lease Query 274
Alternative Access Control Approaches 275
Layer 2 Switch Alerting 275
802.1X 276
Securing the Network Using IPAM 277
IP-Based Security Policies (ACLs, etc.) 277
Malware Detection Using DNS 277
Malware Proliferation Techniques 278
Phishing 279
Spear Phishing 279
Software Downloads 279
File Sharing 279
Email Attachments 280
Watering Hole Attack 280
Replication 280
Brute Force 280
Malware Examples 280
Malware Mitigation 281
DNS Firewall 282
DNS Firewall Policy Precedence 284
Logging Configuration 285
Other Attacks that Leverage DNS 285
Network Reconnaissance 285
Network Reconnaissance Defenses 286
DNS Rebinding Attack 287
Data Exfiltration 287
Data Exfiltration Mitigation 287
DNS as Data Transport (Tunneling) 288
Advanced Persistent Threats 289
Advanced Persistent Threats Mitigation 290
12 IPAM and Your Internet Presence 291
IP Address Space Integrity 291
Publicizing
Your Public Namespace 292
Domain Registries and Registrars 292
DNS Hosting Providers 294
Signing Your Public Namespace 295
DNSSEC Zone Signing 295
Key Rollover 296
Prepublish Rollover 297
Dual Signature Rollover 298
Algorithm Rollover 299
Key Security 301
Enhancing Internet Application Encryption Integrity 302
DNS-Based Authentication of Named Entities (DANE) 303
Securing Email with DNS 305
Email and DNS 305
DNS Block Listing 306
Sender Policy Framework (SPF) 307
Domain Keys Identified Mail (DKIM) 307
Domain-Based Message Authentication, Reporting, and Conformance (DMARC) 308
Part IV IPAM in Practice 311
13 IPAM Use Case 313
Introduction 313
IPv4 Address Allocation 316
First-Level Allocation 317
Second-Layer Allocation 318
Address Allocation Layer 3 320
Core Address Space 323
External Extensions of Address Space 323
Allocation Trade-Offs and Tracking 324
IPAM Worldwide’s Public IPv4 Address Space 325
IPAM Worldwide’s IPv6 Allocations 326
External Extensions Address Space 329
IP Address Tracking 332
DNS and IP Address Management 334
14 IPAM Deployment Strategies 337
General Deployment Principles for DHCP/DNS 337
Disaster Recovery/Business Continuity 338
DHCP Deployment 339
DHCP Server Platforms 339
DHCP Servers 339
Virtualized DHCP Deployment 339
DHCP Appliances 339
DHCP Deployment Approaches 340
Centralized DHCP Server Deployment 340
Distributed DHCP Server Deployment 342
DHCP Services Deployment Design Considerations 344
DHCP Deployment on Edge Devices 347
DNS Deployment 348
DNS Trust Sectors 349
External DNS Trust Sector 350
Extranet DNS Trust Sector 355
Recursive DNS Trust Sector 357
Internal DNS Trust Sector 361
Deploying DNS Servers with Anycast Addresses 362
Anycast Addressing Benefits 362
Anycast Caveats 364
Configuring Anycast Addressing 365
IPAM Deployment Summary 366
High Availability 366
Multiple Vendors 366
Sizing and Scalability 367
Load Balancers 367
Lab Deployment 367
15 The Business Case for IPAM 369
IPAM Business Benefits 369
Automation 370
Outage Reduction 370
Rapid Trouble Resolution 370
Accurate IPAM Inventory and Reporting 371
Expanded IP Services 371
Distributed Administration 371
Enhanced Security 371
Business Case Overview 372
Business Case Cost Basis 373
Address Block Management 374
Subnet Management 381
IP Address Assignment - Moves, Adds, and Changes 383
Inventory Assurance 386
Address Capacity Management 387
Auditing and Reporting 392
Server Upgrade Management 392
Outage and Security Recovery Costs 393
IPAM System Administration Costs 396
Cost Basis Summary 399
Savings with IPAM Deployment 399
Business Case Expenses 403
Netting it Out: Business Case Results 403
Conclusion 405
16 IPAM Evolution/Trends 407
Security Advancements 407
Intent-Based Networking 409
Artificial Intelligence Applied to IPAM 410
IP Address Capacity Management 412
DNS Query and Response Analytics 412
DNS Malware Detection 413
Network Address Intrusions 413
IPAM Administration Activity Analysis 414
AI Summary 414
Edge Computing 414
Identifier/Locator Networking 415
Information
Centric Networking 416
Part V IPAM Reference 419
17 IP Addressing Reference 421
IP Version 4 421
The IPv4 Header 421
IP Version 6 423
The IPv6 Header 423
IPv6 Multicast Addressing 424
Flags 425
Special Case Multicast Addresses 429
Solicited Node Multicast Address 429
Node Information Query Address 429
IPv6 Addresses with Embedded IPv4 Addresses 430
Reserved Subnet Anycast Addresses 430
18 DHCP Reference 433
DHCPv6 Protocol 433
DHCPv6 Packet Format 433
DHCPv6 Message Types 433
DHCPv6 Failover Overview 437
DHCPv6 Options 439
DHCP for IPv4 454
DHCP Packet Format 454
DHCPv4 Message Types 456
DHCP Options 474
19 DNS Reference 475
DNS Message Format 475
Encoding of Domain Names 475
Name Compression 476
Internationalized
Domain Names 478
DNS Message Format 479
Message Header 480
Question Section 482
Answer Section 485
Authority Section 487
Additional Section 487
DNS Update Messages 487
DNS Extensions (EDNS0) 489
The DNS Resolution Process Revisited 494
DNS Resolution Privacy Extension 501
DNS Resolver Configuration 502
DNS Applications and Resource Records 504
Resource Record Format 504
Host Name and IP Address Resolution 506
A - IPv4 Address Record 506
AAAA - IPv6 Address Record 506
PTR - Pointer Record 507
Alias Host and Domain Name Resolutions 507
CNAME - Canonical Name Record 507
DNAME - Domain Alias Record 508
Network Services Location 508
SRV - Services Location Record 508
AFSDB - DCE or AFS Server Record (Experimental) 509
WKS - Well Known Service Record (Historic) 510
Host and Textual Information Lookup 510
TXT - Text Record 510
HINFO - Host Information Record 510
DNS Protocol Operational Record Types 512
SOA - Start of Authority Record 512
NS - Name Server Record 513
Dynamic DNS Update Uniqueness Validation 514
DHCID - Dynamic Host Configuration Identifier Record 514
Telephone Number Resolution 515
NAPTR - Naming Authority Pointer Record 517
Email and Anti-spam Management 518
Email and DNS 519
MX - Mail Exchanger Record 519
Allow or Block Listing 523
Sender Policy Framework (SPF) 523
SPF - Sender Policy Framework Formatting for a TXT Record 524
Mechanisms 524
Modifiers 526
Macros 527
Macro Examples 528
Sender ID (Historical) 528
Domain Keys Identified Mail (DKIM) 529
DKIM Signature Email Header Field 530
DKIM TXT Record 531
DMARC TXT Record 532
Historic Email Resource Record Types 533
MR - Mail Rename Record 533
MB - Mailbox Record 533
MG - Mail Group Member Record 534
MINFO - Mailbox/Mailing List Information 534
Security Applications 534
Securing Name Resolution - DNSSEC Resource Record Types 534
DNSKEY - DNS Key Record 534
DS - Delegation Signer Record 536
NSEC - Next Secure Record 536
NSEC3 - NSEC3 Record 537
NSEC3PARAM - NSEC3 Parameters Record 538
RRSIG - Resource Record Set Signature Record 539
Other Security-oriented DNS Resource Record Types 540
TA - Trust Authority Record 540
CERT - Certificate Record 540
IPSECKEY - Public Key for IPSec Record 541
KEY - Key Record 542
KX - Key Exchanger Record 543
SIG - Signature Record 543
SSHFP - Secure Shell Fingerprint Record 544
Geographical Location Lookup 544
GPOS - Geographical Position Record 544
LOC - Location Resource Record 545
Non-IP Host-Address Lookups 545
ISDN - Integrated Services Digital Network Record (Experimental) 545
NSAP - Network Service Access Point Record 545
NSAP-PTR - Network Service Access Point Reverse Record 546
PX - Pointer for X.400 546
X25 - X.25 PSDN Address Record (Experimental) 546
RT - Route Through 547
The Null Record Type 547
NULL 547
Experimental Name-Address Lookup Records 547
IPv6 Address Chaining - The A6 Record (Experimental) 547
APL - Address Prefix List Record (Experimental) 548
DNS Resource Record Summary 549
20 RFC Reference 555
Glossary 583
Bibliography 585
Index 601