The number of web-based devices is expanding at an exponential clip, virtualization is making a very static environment dynamic, and now, with the exhaustion of IPv4 and the oncoming complexities of IPv6, network operators must reevaluate what IP Address Management (IPAM) really is. The goal of this post is to define the various functions that make up IP Address Management.
* * *
“So, IPv6. You all know that we are almost out of IPv4 address space. I am a little embarrassed about that because I was the guy who decided that 32-bit was enough for the Internet experiment. My only defense is that that choice was made in 1977, and I thought it was an experiment. The problem is the experiment didn’t end, so here we are.” —Vint Cerf, LCA 2011 Keynote Speech
* * *
TCP/IP (Transmission Control Protocol/Internet Protocol) is the technology that devices use to interact. IP addresses are the unique identifiers that devices use to communicate with each other over the Global Internet. IP version 4 (IPv4), the protocol in use since the inception of the Internet, is currently the most widespread protocol used to communicate. By their binary nature, IP addresses are a finite resource. IPv4, specifically, is approaching full deployment globally. The keeper of the free address pool, the Internet Assigned Numbers Authority (IANA), is fully depleted of IPv4 resources. The Asia Pacific Regional Internet Registry, 1 of the 5 regional registries that report to IANA, is also fully depleted of IPv4 resources. Another, the American Registry for Internet Numbers (ARIN), is not far behind. To continue the operation of the Internet, Internet Protocol version 6 (IPv6) was created. This address space is vast—more than 170 undecillion addresses—and unlikely to be depleted in the next 50 years. Networks wishing to grow, or new networks wishing to enter the market, must transition to include both IPv6 and IPv4, eventually transitioning entirely to the new protocol. This evolution will require an entirely new paradigm of IP resource management.
Every host on every network must be unique in order for the Global Internet to function. The concept of uniqueness requires specific, 100% accurate accounting of where and to whom address space is deployed to preclude duplicate assignments. Also, with the diminishing of IPv4, it is imperative to know what space is free for assignment.
IP addresses are distributed in blocks called “subnets”. A subnet is assigned and routed to an organization, and that organization can then use that subset of IP addresses to access the Internet through the physical circuit connecting it to its Internet Service Provider (ISP). In the IPv4 world this can mean millions of IP addresses, and in the IPv6 world octillions. It is up to the network engineer to “architect” a subnet, making sure he/she is subdividing those IP addresses across the network based on growth needs, growth projections, capacity planning, etc. This is a very crucial first step in the IP management process.
Think of subnetting in terms of a bag of M&M’s: If you start out with all yellow candies, divide them in two piles, then pull out half of them, you would no longer have two piles of yellow candies, but two piles of blue candies. If you split one of the two piles of blue into two, you would have two piles of green candies, and one larger pile of blue candies. Split one of the greens, and you have two reds, one green and the blue. This can go on to very small chunks, always divisible by two. When you start out with 16,777,216 (known in IPv4 as a /8 or historically a Class A) or start out with 79,228,162,514,264,337,593,543,950,336 (known in IPv6 as a /32) candies, keeping track of the piles and how they are split up is mission critical for enterprises and ISPs alike.
Historically, IPAM was an add-on to DNS/DHCP tools and was little more than an expensive alternative to the widespread practice of using manual spreadsheets. Most IPAM tools sold since the early 2000s were really IP tracking modules tasked with identifying what a particular IP was being used for and by what. This conflates IPAM with Asset Tracking; while both are valuable, they are mutually exclusive. Little thought was put into IP Network Planning and Architecture as part of these modules, leaving the planning of the architecture to the Network Architects to draw out on whiteboards outside of the tool. This is not what should be considered IPAM.
IPAM is the means of planning, architecting, tracking, and managing the address space used in a network. As you can see, tracking is a part of the definition, however it is only one component of the total definition.
IPAM is a five-step process that a product should follow to truly be called an IPAM solution, as illustrated by our diagram above (six steps if you include the normalization and importing of data, which can take months if you have years of IPv4 data to import).
Step 0 – Data normalization and importing. This is fairly self-explanatory; however, it can be one of the more intensive parts of the move from manual processes to an automated platform. We have seen this take some companies months, during which time they discover countless errors in data, duplications, erroneous entries and entries with no detailed information (one of the more compelling reasons to move to a more automated system).
Step 1 – Requesting space from the RIR. Most tools today have little integration with the five RIRs. Requesting space used to be an ongoing task as IP resources were consumed, forcing one to go back to the RIR with justification for more space. Using a templatized email or leveraging the open APIs, a good IPAM should allow you to perform this task from within the tool itself, rather than copying, pasting, formatting and then sending the request to the RIR, awaiting receipt and then entering the result into an IP tracker.
Step 2 – Plan and architect the IP allocation and assignment policy, and then execute. This is the heart and soul of a good IPAM solution and where most products on the market are not performing. Instead, it is left to the Network Architect to draw up a plan, create subnets accordingly and then input those subnets into the IP Tracker. A good IPAM solution will incorporate this planning structure in the engine and allow the Architect to simply write the policy for the highest-level subnets.[1]
Note: In larger organizations there may be a difference between Network Architects and IP Analysts. A good IPAM should have various levels of permissions granting access to the system that allow for this type of delineation—sometimes referred to as multi-level user access.
Step 3 – Assigning IP resources per policy, or “Get Next Available IP Subnet”. This process is usually for the IP Analyst who is working to assign unique IPs to downstream customers or services.
Step 4 – Propagating IP data to and from other systems such as DNS, DHCP, Assets, etc. A good IPAM will integrate into ALL systems that relate to the IP address itself. This can include front-end sales tools holding information about clients (e.g. leveraging Salesforce’s API), or directly into internal DNS, DHCP systems and the like.
Step 5 – Reporting is an oft-overlooked component of IPAM. Most tools simply use log files to capture certain transactions. This creates a problem for many companies that are forced to comply with transparency/compliance regimes such as SAS 70, HIPAA, or Sarbanes-Oxley.
Following these five steps (six if you include data import—hard not to) in your evaluation will lead you to a great IPAM tool.
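As an added illustration, not code from the original post, here is a small Python model of the two functions the post keeps returning to: carving a parent block into child subnets (the M&M analogy) and “Get Next Available IP Subnet” (Step 3), with the uniqueness check from the accounting discussion that rejects duplicate or overlapping assignments. Class and method names are my own assumptions; the block works the same way for an IPv4 /8 and an IPv6 /32.

```python
import ipaddress


class SubnetPool:
    """One parent block from which non-overlapping child subnets are carved.

    Hypothetical helper (not a product API). It models the accounting the post
    calls for: every assignment is recorded, and nothing is handed out twice.
    """

    def __init__(self, parent):
        self.parent = ipaddress.ip_network(parent)
        self.assigned = []  # child networks already handed out, in order

    def _overlaps(self, net):
        # True if `net` collides with anything already assigned from this pool.
        return any(net.overlaps(a) for a in self.assigned)

    def can_assign(self, net):
        # The uniqueness rule: same IP version, inside the parent, no overlap.
        net = ipaddress.ip_network(net)
        if net.version != self.parent.version:
            return False
        return net.subnet_of(self.parent) and not self._overlaps(net)

    def assign(self, net):
        # Record a specific block chosen by the architect (the "plan" step).
        net = ipaddress.ip_network(net)
        if not self.can_assign(net):
            raise ValueError(f"{net} is outside {self.parent} or already in use")
        self.assigned.append(net)
        return net

    def next_available(self, prefixlen):
        # "Get Next Available IP Subnet": walk the candidate children of the
        # requested size, lowest first, and take the first one that is free.
        # subnets() is a generator, so an IPv6 /32 is not materialised in full.
        for candidate in self.parent.subnets(new_prefix=prefixlen):
            if not self._overlaps(candidate):
                return self.assign(candidate)
        return None  # pool exhausted at this prefix length

    def free_addresses(self):
        # What is still unassigned: the "know what space is free" requirement.
        used = sum(a.num_addresses for a in self.assigned)
        return self.parent.num_addresses - used


if __name__ == "__main__":
    pool = SubnetPool("10.0.0.0/8")          # constructed sample IPv4 /8
    print(pool.next_available(24))           # 10.0.0.0/24
    pool.assign("10.0.1.0/24")               # architect-chosen block
    print(pool.next_available(24))           # skips 10.0.1.0/24 -> 10.0.2.0/24
    print(pool.can_assign("10.0.1.128/25"))  # False: overlaps an assignment
```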
Our next article will talk about fundamental differences between IPv4 IPAM and IPv6 IPAM.
[1] A fundamental difference between IPv4 (scarce) and IPv6 (unlimited) planning is changing mindsets from a plan geared towards very limited resources (IPv4) to one with near unlimited resources (IPv6). An entirely different mindset arises with planning for purpose instead of planning to run out.