Rediscover fundamental and advanced topics in IPAM, DNS, DHCP and other core networking technologies with this updated one-stop reference

The thoroughly revised second edition ofIP Address Management is the definitive reference for working with core IP management technologies, like address allocation, assignment, and network navigation via DNS. Accomplished professionals and authors Timothy Rooney and Michael Dooley offer readers coverage of recent IPAM developments in the world of cloud computing, Internet of Things (IoT), and security, as well as a comprehensive treatment of foundational concepts in IPAM.

The new edition addresses the way that IPAM needs and methods have evolved since the publication of the first edition. The book covers the impact of mainstream use of private and public cloud services, the maturation of IPv6 implementations, new DNS security approaches, and the proliferation of IoT devices. The authors have also reorganized the flow of the book, with much of the technical reference material appearing at the end and making for a smoother and simpler reading experience.

The 2nd edition ofIP Address Management also covers topics like such as:

Perfect for IP network engineers and managers, network planners, network architects, and security engineers, the second edition ofIP Address Management also belongs on the bookshelves of senior undergraduate and graduate students studying in networking, information technology, and computer security-related courses and programs.

Michael Dooley is Vice President of Operations for BT Diamond IP division. He has over 20 years of experience managing and developing enterprise-scale software products. His professional expertise includes IP addressing, DHCP, and DNS. He is co-author ofIPv6 Deployment and Management andDNS Security Management.

Timothy Rooney is the Product Manager for BT Diamond IP product development and has led the market introduction of NetControl, IPControl, Sapphire Appliances, and ImageControl, four next-gen IP management systems. He is co-author ofIntroduction to IP Address Management, IP Address Management Principles and Practice, IPv6 Deployment and Management, andDNS Security Management.

Preface xix

Acknowledgments xxiii

About the Authors xxv

Part I IPAM Introduction 1

1 Introduction3

IP Networking Overview 3

IP Routing 6

IP Addresses 7

Protocol Layering 12

OSI and TCP/IP Layers 14

TCP/UDP Ports 15

Intra-Link Communications 15

Are We on the Same Link? 17

Limiting Broadcast Domains 18

Interlink Communications 19

Worldwide IP Communications 20

Dynamic Routing 22

Routers and Subnets 24

Assigning IP addresses 25

The Human Element 26

Why Manage IP Space? 26

Basic IPAM Approaches 27

Early History 27

Todays IP Networks and IP Management Challenges 28

2 IP Addressing31

Internet Protocol History 31

The Internet Protocol, Take 1 32

Class-Based Addressing 32

Internet Growing Pains 35

Private Address Space 38

Classless Addressing 40

Special Use IPv4 Addresses 40

The Internet Protocol, Take 2 41

IPv6 Address Types and Structure 42

IPv6 Address Notation 43

Address Structure 45

IPv6 Address Allocations 46

2000::/3 Global Unicast Address Space 47

fc00::/7 Unique Local Address Space 47

fe80::/10 Link Local Address Space 47

ff00::/8 Multicast Address Space 48

Special Use IPv6 Addresses 48

IPv4IPv6 Coexistence 49

3 IP Address Assignment51

Address Planning 51

Regional Internet Registries 51

RIR Address Allocation 53

Address Allocation Efficiency 54

Multi-Homing and IP Address Space 55

Endpoint Address Allocation 58

Server-based Address Allocation Using DHCP 58

DHCP Servers and Address Assignment 61

Device Identification by Class 62

DHCP Options 62

DHCP for IPv6 (DHCPv6) 62

DHCP Comparison IPv4 vs. IPv6 63

DHCPv6 Address Assignment 64

DHCPv6 Prefix Delegation 65

Device Unique Identifiers (DUIDs) 66

Identity Associations (IAs) 66

DHCPv6 Options 67

IPv6 Address Autoconfiguration 67

Neighbor Discovery 68

Modified EUI-64 Interface Identifiers 69

Opaque Interface IDs 69

Reserved Interface IDs 72

Duplicate Address Detection (DAD) 72

4 Navigating the Internet with DNS75

Domain Hierarchy 75

Name Resolution 76

Resource Records 80

Zones and Domains 81

Dissemination of Zone Information 83

Reverse Domains 84

IPv6 Reverse Domains 89

Additional Zones 91

Root Hints 91

Localhost Zones 92

DNS Update 92

5 IPAM Technology Applications93

DHCP Applications 93

Device Type Specific Configuration 94

Broadband Subscriber Provisioning 95

Related Lease Assignment or Limitation Applications 101

Pre-Boot Execution Environment (PXE) clients 102

PPP/RADIUS Environments 103

Mobile IP 104

Popular DNS Applications 105

Host Name and IP Address Resolution 106

A IPv4 Address Record 107

AAAA IPv6 address record 107

PTR Pointer Record 107

Alias Host Name Resolutions 108

CNAME Canonical Name Record 108

Network Services Location 108

SRV Services Location Record 109

Textual Information Lookup 110

TXT Text Record 110

Many More Applications 110

Part II IPAM Mechanics111

6 IP Management Core Tasks113

IPAM Is Foundational 113

Impacts of Inadequate IPAM Practice 114

IPAM Is Core to Network Management 115

FCAPS Summary 116

Configuration Management 117

Address Allocation Considerations 118

Address Allocation Tasks 120

IP Address Assignment 133

Address Deletion Tasks 135

Address Renumbering or Movement Tasks 136

Network Services Configuration 140

Fault Management 143

Monitoring and Fault Detection 143

Troubleshooting and Fault Resolution 144

Accounting Management 147

Inventory Assurance 147

Performance Management 151

Services Monitoring 151

Address Capacity Management 152

Auditing and Reporting 152

Security Management 153

ITIL® Process Mappings 153

ITIL Practice Areas 154

Conclusion 162

7 IPv6 Deployment163

IPv6 Deployment Process Overview 164

IPv6

Address Plan Objectives 165

IPv6 Address Plan Examples 166

Case 1 166

Observations 168

Case 2 169

Observations 169

General IPv6 Address Plan Guidelines 170

ULA Considerations 171

Renumbering Impacts 172

IPv4IPv6 Coexistence Technologies 173

Dual Stack Approach 173

Dual Stack Deployment 174

DNS Considerations 174

DHCP Considerations 175

Tunneling Approaches 176

Tunneling Scenarios for IPv6 Packets over IPv4 Networks 176

Dual-Stack Lite 177

Lightweight 4over6 181

Mapping of Address and Port with Encapsulation (MAP-E) 181

Additional Tunneling Approaches 183

Translation Approaches 184

IP/ICMP Translation 185

Address Translation 186

Packet Fragmentation Considerations 187

IP Header Translation Algorithm 188

Bump in the Host (BIH) 189

Network Address Translation for IPv6IPv4 (NAT64) 192

NAT64 and DNS64 193

464XLAT 195

Mapping of Address and Port with Translation (MAP-T) 195

Other Translation Techniques 196

Planning Your IPv6 Deployment Process 197

8 IPAM for the Internet of Things 201

IoT Architectures 201

6LoWPAN 203

Summary 209

9 IPAM in the Cloud211

IPAM VNFs 212

Cloud IPAM Concepts 212

IP Initialization Process 212

IP Initialization Implementation 213

DHCP Method 214

Private Cloud Static Method 216

Public Cloud Static Method 218

Cloud Automation with APIs 218

Multi-Cloud IPAM 220

Private Cloud Automation 221

Public Cloud Automation 223

IPAM Automation Benefits 223

Unifying IPAM Automation 224

Streamlined Subnet Allocation Workflow 226

Workflow Realization 230

Tips for Defining Workflows 233

Automation Scenarios 234

Intra-IPAM Automation 234

DHCP Server Configuration 235

DNS Server Configuration 236

Subnet Assignment 236

IP Address Assignment Request 236

Extra-IPAM Workflow Examples 237

Regional Internet Registry Reporting 237

Router Configuration Provisioning 238

Customer Provisioning 238

Asset Inventory Integration 238

Trouble Ticket Creation 239

Summary 239

Part III IPAM and Security241

10 IPAM Services Security243

Securing DHCP 244

DHCP Service Availability 244

DHCP Server/OS Attacks 244

DHCP Server/OS Attack Mitigation 245

DHCP Service Threats 245

DHCP Threat Mitigation 246

DHCP Authentication and Encryption 247

DNS Infrastructure Risks and Attacks 248

DNS Service Availability 249

DNS Server/OS Attacks 249

DNS Server/OS Attack Mitigation 250

DNS Service Denial 250

Distributed Denial of Service 251

Bogus Domain Queries 251

Pseudorandom Subdomain Attacks 252

Denial of Service Mitigation 253

Reflector Style Attacks 253

Reflector Attack Mitigation 254

Authoritative Poisoning 254

Authoritative Poisoning Mitigation 255

Resolver Redirection Attacks 256

Resolver Attack Defenses 256

Securing DNS Transactions 257

Cache Poisoning Style Attacks 257

Cache Poisoning Mitigation 259

DNSSEC Overview 259

The DNSSEC Resolution Process 260

Negative Trust Anchors 262

DNSSEC Deployment 263

Last Mile Protection 264

DNS Cookies 264

DNS Encryption 264

DNS Over TLS (DoT) 264

DNS Over HTTPS (DoH) 265

Encryption Beyond the Last Mile 267

11 IPAM and Network Security269

Securing Network Access 269

Discriminatory Address Assignment with DHCP 269

DHCP Lease Query 274

Alternative Access Control Approaches 275

Layer 2 Switch Alerting 275

802.1X 276

Securing the Network Using IPAM 277

IP-Based Security Policies (ACLs, etc.) 277

Malware Detection Using DNS 277

Malware Proliferation Techniques 278

Phishing 279

Spear Phishing 279

Software Downloads 279

File Sharing 279

Email Attachments 280

Watering Hole Attack 280

Replication 280

Brute Force 280

Malware Examples 280

Malware Mitigation 281

DNS Firewall 282

DNS Firewall Policy Precedence 284

Logging Configuration 285

Other Attacks that Leverage DNS 285

Network Reconnaissance 285

Network Reconnaissance Defenses 286

DNS Rebinding Attack 287

Data Exfiltration 287

Data Exfiltration Mitigation 287

DNS as Data Transport (Tunneling) 288

Advanced Persistent Threats 289

Advanced Persistent Threats Mitigation 290

12 IPAM and Your Internet Presence291

IP Address Space Integrity 291

Publicizing

Your Public Namespace 292

Domain Registries and Registrars 292

DNS Hosting Providers 294

Signing Your Public Namespace 295

DNSSEC Zone Signing 295

Key Rollover 296

Prepublish Rollover 297

Dual Signature Rollover 298

Algorithm Rollover 299

Key Security 301

Enhancing Internet Application Encryption Integrity 302

DNS-Based Authentication of Named Entities (DANE) 303

Securing Email with DNS 305

Email and DNS 305

DNS Block Listing 306

Sender Policy Framework (SPF) 307

Domain Keys Identified Mail (DKIM) 307

Domain-Based Message Authentication, Reporting, and Conformance (DMARC) 308

Part IV IPAM in Practice311

13 IPAM Use Case313

Introduction 313

IPv4 Address Allocation 316

First-Level Allocation 317

Second-Layer Allocation 318

Address Allocation Layer 3 320

Core Address Space 323

External Extensions of Address Space 323

Allocation Trade-Offs and Tracking 324

IPAM Worldwides Public IPv4 Address Space 325

IPAM Worldwides IPv6 Allocations 326

External Extensions Address Space 329

IP Address Tracking 332

DNS and IP Address Management 334

14 IPAM Deployment Strategies337

General Deployment Principles for DHCP/DNS 337

Disaster Recovery/Business Continuity 338

DHCP Deployment 339

DHCP Server Platforms 339

DHCP Servers 339

Virtualized DHCP Deployment 339

DHCP Appliances 339

DHCP Deployment Approaches 340

Centralized DHCP Server Deployment 340

Distributed DHCP Server Deployment 342

DHCP Services Deployment Design Considerations 344

DHCP Deployment on Edge Devices 347

DNS Deployment 348

DNS Trust Sectors 349

External DNS Trust Sector 350

Extranet DNS Trust Sector 355

Recursive DNS Trust Sector 357

Internal DNS Trust Sector 361

Deploying DNS Servers with Anycast Addresses 362

Anycast Addressing Benefits 362

Anycast Caveats 364

Configuring Anycast Addressing 365

IPAM Deployment Summary 366

High Availability 366

Multiple Vendors 366

Sizing and Scalability 367

Load Balancers 367

Lab Deployment 367

15 The Business Case for IPAM369

IPAM Business Benefits 369

Automation 370

Outage Reduction 370

Rapid Trouble Resolution 370

Accurate IPAM Inventory and Reporting 371

Expanded IP Services 371

Distributed Administration 371

Enhanced Security 371

Business Case Overview 372

Business Case Cost Basis 373

Address Block Management 374

Subnet Management 381

IP Address Assignment Moves, Adds, and Changes 383

Inventory Assurance 386

Address Capacity Management 387

Auditing and Reporting 392

Server Upgrade Management 392

Outage and Security Recovery Costs 393

IPAM System Administration Costs 396

Cost Basis Summary 399

Savings with IPAM Deployment 399

Business Case Expenses 403

Netting it Out: Business Case Results 403

Conclusion 405

16 IPAM Evolution/Trends407

Security Advancements 407

Intent-Based Networking 409

Artificial Intelligence Applied to IPAM 410

IP Address Capacity Management 412

DNS Query and Response Analytics 412

DNS Malware Detection 413

Network Address Intrusions 413

IPAM Administration Activity Analysis 414

AI Summary 414

Edge Computing 414

Identifier/Locator Networking 415

Information

Centric Networking 416

Part V IPAM Reference419

17 IP Addressing Reference421

IP Version 4 421

The IPv4 Header 421

IP Version 6 423

The IPv6 Header 423

IPv6 Multicast Addressing 424

Flags 425

Special Case Multicast Addresses 429

Solicited Node Multicast Address 429

Node Information Query Address 429

IPv6 Addresses with Embedded IPv4 Addresses 430

Reserved Subnet Anycast Addresses 430

18 DHCP Reference433

DHCPv6 Protocol 433

DHCPv6 Packet Format 433

DHCPv6 Message Types 433

DHCPv6 Failover Overview 437

DHCPv6 Options 439

DHCP for IPv4 454

DHCP Packet Format 454

DHCPv4 Message Types 456

DHCP Options 474

19 DNS Reference475

DNS Message Format 475

Encoding of Domain Names 475

Name Compression 476

Internationalized

Domain Names 478

DNS Message Format 479

Message Header 480

Question Section 482

Answer Section 485

Authority Section 487

Additional Section 487

DNS Update Messages 487

DNS Extensions (EDNS0) 489

The DNS Resolution Process Revisited 494

DNS Resolution Privacy Extension 501

DNS Resolver Configuration 502

DNS Applications and Resource Records 504

Resource Record Format 504

Host Name and IP Address Resolution 506

A IPv4 Address Record 506

AAAA IPv6 Address Record 506

PTR Pointer Record 507

Alias Host and Domain Name Resolutions 507

CNAME Canonical Name Record 507

DNAME Domain Alias Record 508

Network Services Location 508

SRV Services Location Record 508

AFSDB DCE or AFS Server Record (Experimental) 509

WKS Well Known Service Record (Historic) 510

Host and Textual Information Lookup 510

TXT Text Record 510

HINFO Host Information Record 510

DNS Protocol Operational Record Types 512

SOA Start of Authority Record 512

NS Name Server Record 513

Dynamic DNS Update Uniqueness Validation 514

DHCID Dynamic Host Configuration Identifier Record 514

Telephone Number Resolution 515

NAPTR Naming Authority Pointer Record 517

Email and Anti-spam Management 518

Email and DNS 519

MX Mail Exchanger Record 519

Allow or Block Listing 523

Sender Policy Framework (SPF) 523

SPF Sender Policy Framework Formatting for a TXT Record 524

Mechanisms 524

Modifiers 526

Macros 527

Macro Examples 528

Sender ID (Historical) 528

Domain Keys Identified Mail (DKIM) 529

DKIM Signature Email Header Field 530

DKIM TXT Record 531

DMARC TXT Record 532

Historic Email Resource Record Types 533

MR Mail Rename Record 533

MB Mailbox Record 533

MG Mail Group Member Record 534

MINFO Mailbox/Mailing List Information 534

Security Applications 534

Securing Name Resolution DNSSEC Resource Record Types 534

DNSKEY DNS Key Record 534

DS Delegation Signer Record 536

NSEC Next Secure Record 536

NSEC3 NSEC3 Record 537

NSEC3PARAM NSEC3 Parameters Record 538

RRSIG Resource Record Set Signature Record 539

Other Security-oriented DNS Resource Record Types 540

TA Trust Authority Record 540

CERT Certificate Record 540

IPSECKEY Public Key for IPSec Record 541

KEY Key Record 542

KX Key Exchanger Record 543

SIG Signature Record 543

SSHFP Secure Shell Fingerprint Record 544

Geographical Location Lookup 544

GPOS Geographical Position Record 544

LOC Location Resource Record 545

Non-IP Host-Address Lookups 545

ISDN Integrated Services Digital Network Record (Experimental) 545

NSAP Network Service Access Point Record 545

NSAP-PTR Network Service Access Point Reverse Record 546

PX Pointer for X.400 546

X25 X.25 PSDN Address Record (Experimental) 546

RT Route Through 547

The Null Record Type 547

NULL 547

Experimental Name-Address Lookup Records 547

IPv6 Address Chaining The A6 Record (Experimental) 547

APL Address Prefix List Record (Experimental) 548

DNS Resource Record Summary 549

20 RFC Reference555

Glossary 583

Bibliography 585

Index 601