dns dhcp ip address management
play

DNS, DHCP, IP address management KILIAN KRAUSE - PowerPoint PPT Presentation

Jun 08, 2023 •1.21k likes •1.48k views

Universitt Stuttgart Computing center DDI + IPAM @ Uni Stuttgart DNS, DHCP, IP address management KILIAN KRAUSE krause@tik.uni-stuttgart.de SIG NOC #1 TIK/NKS, 2015-04-08 page 1 Universitt Stuttgart Computing center AGENDA 1.

  1. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart DNS, DHCP, IP address management KILIAN KRAUSE krause@tik.uni-stuttgart.de SIG NOC #1 TIK/NKS, 2015-04-08 page 1

  2. Universität Stuttgart Computing center AGENDA 1. Motivation 2. Architecture DDI Uni Stuttgart DDI + IPAM @ Uni Stuttgart 3. Above the average... 4. Security & Orchestration What‘s next? 5. TIK/NKS, 2015-04-08 page 2

  3. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart fn100525 fn100525 MOTIVATION TIK/NKS, 2015-04-08 page 3

  4. Universität Stuttgart Computing center MOTIVATION  Mostly manual DNS config  Move to automated setup DDI + IPAM @ Uni Stuttgart  DHCP config by hand, no client self-service  IPv6 not integrated  single pane of glass for all network services DHCP/DNS/rDNS  Few workflow scripting / only partial monitoring  Move to database system and roll out systematic monitoring  Add admin self service, delegation (web frontend)  Hardware refresh  From heterogeneous to homogenous  Add DNSSEC TIK/NKS, 2015-04-08 page 4

  5. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart fn100525 fn100525 ARCHITECTURE TIK/NKS, 2015-04-08 page 8

  6. Universität Stuttgart Computing center BASIC DESIGN LAYOUT DDI + IPAM @ Uni Stuttgart Simple Network Interruption Protocol TIK/NKS, 2015-04-08 page 10

  7. Universität Stuttgart Computing center BLUECAT KEY FEATURES  IP blocks (e.g. static routes or aggregates)  IP networks (access subnet/SVI) DDI + IPAM @ Uni Stuttgart  DNS/rDNS automagically synchronized  DHCP and DNS from same database  Web frontend with DHCP range utilization view  Custom user defined fields (shared for multi-tenant!) per object  Authentication integration with LDAP (e.g. AD), Kerberos, RADIUS and TACACS+  Automatic network discovery and reconciliation  Centralized management  Templating and workflow support  Access right delegation TIK/NKS, 2015-04-08 page 11

  8. Universität Stuttgart Computing center REDUNDANCY / HA  Proteus (BAM) virtualized  No extra XHA config and licenses DDI + IPAM @ Uni Stuttgart  Adonis (DHCP only)  No XHA but master/slave for DHCPv4  works ok!  No Master/Slave für DHCPv6  not even stateless!  Adonis (DNS hidden master)  No XHA, since only „ zone file generator “  Runs as a VM -> fast recovery  Public DNS slaves and campus DNS recursive resolvers highly redundant on generic servers BUT: DNSSEC! TIK/NKS, 2015-04-08 page 14

  9. Universität Stuttgart Computing center DATA IMPORT  XML (BluePrint)  CSV DDI + IPAM @ Uni Stuttgart  Script/API (Perl, Java)  manual TIK/NKS, 2015-04-08 page 15

  10. Universität Stuttgart Computing center ADDRESSING SCHEME IPv6  Historically independent of IPv4 and network  New scheme based on distribution area and vlan ID DDI + IPAM @ Uni Stuttgart  Renumbering not yet neccessary  Fully automated workflow possible!  Network objects in BAM are still independent!  right delegation duplicated and potentially inconsistent  Vlan database still not in BAM  needs monitoring! TIK/NKS, 2015-04-08 page 16

  11. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart fn100525 fn100525 ABOVE THE AVERAGE TIK/NKS, 2015-04-08 page 31

  12. Universität Stuttgart Computing center ABOVE THE AVERAGE  DNSSEC with pre-defined policy a „ one click shop “  KSK rollover happens without DS-check! DDI + IPAM @ Uni Stuttgart  Monitoring based on database definitions (scripted via API)  SOA  WHOIS  DNSSEC  Anycast (also possible with Adonis if used as recursor)  on our recursors for both IPv4 and IPv6  Quagga (or bird, xorp) TIK/NKS, 2015-04-08 page 32

  13. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart fn100525 fn100525 SECURITY & ORCHESTRATION TIK/NKS, 2015-04-08 page 33

  14. Universität Stuttgart Computing center SECURITY  Segmentation by architecture  Database backend DDI + IPAM @ Uni Stuttgart  DNS hidden master  public servers  DMZ architecture (only required services permitted)  Rate-Limiting currently not required  Local server firewall might rate filter  No official distro package for rate limiting DNS server  No DNS filtering / manipulation (DNS64/NAT64)  No (more) public recursive resolvers  DNSSEC is said to raise amplification attack vector  BUT: EDNS usually combined with TCP!  so far not a problem for us TIK/NKS, 2015-04-08 page 34

  15. Universität Stuttgart Computing center ORCHESTRATION  Proteus / BAM offers workflows internally  UI sometimes too overwhelming for newbies DDI + IPAM @ Uni Stuttgart  BlueCat offers TRITON as a workflow engine  Web service  Drag and drop customization  Third party APIs (SQL, LDAP etc.)  Custom API programming with SOAP  Future version shall bring REST TIK/NKS, 2015-04-08 page 35

  16. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart fn100525 fn100525 WHAT‘S NEXT TIK/NKS, 2015-04-08 page 43

  17. Universität Stuttgart Computing center WHAT‘S NEXT  Further integration with database  Monitoring (e.g. routing, firewalling) DDI + IPAM @ Uni Stuttgart  Establish deployment procedures around database(s)  Rolling out new subnets (dual-stack)  Self service for network features? Like:  Activate/remove DHCPv4 from my Vlan  Dual stack my Vlan / remove IPv4  ACL self-service  Cloud automation (VM lifecycle)  … TIK/NKS, 2015-04-08 page 44

  18. Universität Stuttgart Computing center WHAT IPAM IS NOT  Endpoint assessment  Not even (passive) DHCP fingerprinting or SoH DDI + IPAM @ Uni Stuttgart  Can do custom DHCP vendor options based on match clauses  Threat protection (endpoint, DDoS, DHCP exhaustion)  Device registration portal (related product)  Captive portal  NAT gateway (e.g. NAT64)  Certificate authority (for device authorization/tracking etc.)  Policy framework  No RFC3118 support in Adonis  Network management (only network _address_ management!)  Wireless LAN management controller TIK/NKS, 2015-04-08 page 45

  19. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart fn100525 fn100525 SUMMARY TIK/NKS, 2015-04-08 page 48

  20. Universität Stuttgart Computing center SUMMARY  Works as designed!  DNS/rDNS synchronized DDI + IPAM @ Uni Stuttgart  DHCPv4 and stateless DHCPv6 deployed with central config  IPv6 available for all networks  DNSSEC running stable  Common web UI for all NOC and campus admins  Robust architecture according to latest standards TIK/NKS, 2015-04-08 page 49

  21. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart fn100525 fn100525 QUESTIONS? TIK/NKS, 2015-04-08 page 50

  22. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart THANKS fn100525 fn100525 … more questions later? Find me around here or email us: noc@tik.uni-stuttgart.de TIK/NKS, 2015-04-08 page 51

Recommend

DHCP Rework in Bro 2.6 Seth Hall Corelight Why Tackled? Why Tackled? Log wasnt great.

DHCP Rework in Bro 2.6 Seth Hall Corelight Why Tackled? Why Tackled? Log wasnt great.

DHCP Rework in Bro 2.6 Seth Hall Corelight Why Tackled? Why Tackled? Log wasnt great. Purely based on DHCP ACK messages. No tie together between assigned IP address and MAC address. Load balancing issues Mix of broadcast

626 views • 14 slides
DHCP (RFC 2131) Deliver host-specific configuration parameters from DHCP server to host.

DHCP (RFC 2131) Deliver host-specific configuration parameters from DHCP server to host.

DHCP (RFC 2131) Deliver host-specific configuration parameters from DHCP server to host. Allocate network address to nodes: Automatic allocation: permanent assignment. Dynamic allocation: for a limited period of time. Manual

387 views • 9 slides
Stanford NetDB- An Open Source Network Management Application for DNS, DHCP, IP Address Spaces,

Stanford NetDB- An Open Source Network Management Application for DNS, DHCP, IP Address Spaces,

Stanford NetDB- An Open Source Network Management Application for DNS, DHCP, IP Address Spaces, etc. http://stanfordnetdb.stanford.edu Sunia Yang sunia@stanford.edu Rob Riepel riepel@stanford.edu Stanford University

534 views • 28 slides
BootP and DHCP Flexible and Scalable Host Configuration 2005/03/11 (C) Herbert Haas

BootP and DHCP Flexible and Scalable Host Configuration 2005/03/11 (C) Herbert Haas

BootP and DHCP Flexible and Scalable Host Configuration 2005/03/11 (C) Herbert Haas Shortcomings of RARP Reverse Address Resolution Protocol Only IP Address distribution No subnet mask Using hardware address for identification

443 views • 29 slides
RouterLab LabCourse SoSe 2016 Worksheet 3: Access Networks with DHCP and IPv6 Stateless Address

RouterLab LabCourse SoSe 2016 Worksheet 3: Access Networks with DHCP and IPv6 Stateless Address

RouterLab LabCourse SoSe 2016 Worksheet 3: Access Networks with DHCP and IPv6 Stateless Address Auto Configuration Prof. Anja Feldmann, Philipp S. Tiesel, Thorben Krger, Apoorv Shukla IPv6 Scoped Address Architecture IPv6 addresses have

679 views • 19 slides
iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 6 14ws 1 Outline IPv4 Address Allocation NAT DHCP 2 Outline IPv4

543 views • 29 slides
How Dynamic is the ISPs Address Space? Towards Internet-Wide DHCP Churn Estimation Giovane C. M.

How Dynamic is the ISPs Address Space? Towards Internet-Wide DHCP Churn Estimation Giovane C. M.

How Dynamic is the ISPs Address Space? Towards Internet-Wide DHCP Churn Estimation Giovane C. M. Moura , Carlos Gan, Qasim Lone, Payam Poursaied, Hadi Asghari, and Michel van Eeten

92 views • 6 slides
Summary Chapter 4 q IP Addressing v Network prefixes and Subnets v IP datagram format q DHCP

Summary Chapter 4 q IP Addressing v Network prefixes and Subnets v IP datagram format q DHCP

Smith College, CSC 249 March 2, 2018 1 Summary Chapter 4 q IP Addressing v Network prefixes and Subnets v IP datagram format q DHCP dynamic addressing v Obtain: own IP address Subnet mask, DNS server & first-hop v router IP address q

205 views • 20 slides
... sclass1 sclass10 Net-linux Net-linux DHCP DHCP The lab has 10 dell systems. Each dell

... sclass1 sclass10 Net-linux Net-linux DHCP DHCP The lab has 10 dell systems. Each dell

Notes on Running Dsniff and the Lab Network Environment Cyber Security Lab 2/16/10 1 General Overview 1.1 Initial machine configuration Outside World DMZ Management 192.168.50.50 192.168.50.60 Dmz 192.168.50.0/24 FW1 Outside =

182 views • 4 slides
DHCP Relay agent Request from Multi Address Pool (draft-zi-dhc-agent-request-multi-pool-00.txt)

DHCP Relay agent Request from Multi Address Pool (draft-zi-dhc-agent-request-multi-pool-00.txt)

DHCP Relay agent Request from Multi Address Pool (draft-zi-dhc-agent-request-multi-pool-00.txt) IETF 64 Author: Zi Kang zikang@huwei.com Presentation: Li Guanfeng liguanfeng@huawei.com Motivation In some applications there is a need for

127 views • 12 slides
iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 6 16ss 1 / 34 Motivation: IPv4 Address Scarcity source:

784 views • 54 slides
P Starting at address 0, going to address MAX prog 0 But where do addresses come from? MOV

P Starting at address 0, going to address MAX prog 0 But where do addresses come from? MOV

Memory Management Basics 1 Basic Memory Management Concepts Address spaces MAX sys Physical address space The address space supported by the hardware Starting at address 0, going to address MAX sys MAX prog Logical/virtual address space

448 views • 22 slides
DHCP EAP Analysis or wheres my pony? Protocol overview

DHCP EAP Analysis or wheres my pony? Protocol overview

DHCP EAP Analysis or wheres my pony? Protocol overview EAP Encapsulated in DHCP Protocol DHCP protocol starts normally Relay (proxy)

881 views • 12 slides
iLab NAT / DHCP Florian Wohlfart Minoo Rouhi lastname @in.tum.de Chair of Network Architectures

iLab NAT / DHCP Florian Wohlfart Minoo Rouhi lastname @in.tum.de Chair of Network Architectures

iLab NAT / DHCP Florian Wohlfart Minoo Rouhi lastname @in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 6 17ws 1 / 39 Outline Meta IPv4 Address Scarcity NAT IPv6

957 views • 59 slides
Naming DNS & DHCP Naming IP addresses allow global connectivity But theyre pretty

Naming DNS & DHCP Naming IP addresses allow global connectivity But theyre pretty

This time Digging into Networking Protocols Naming DNS & DHCP Naming IP addresses allow global connectivity But theyre pretty useless for humans! Cant be expected to pick their own IP address Cant be expected to

1.05k views • 80 slides
Kea An Open-Source DHCP Server Stephen Morris Internet Systems Consortium stephen@isc.org ISC

Kea An Open-Source DHCP Server Stephen Morris Internet Systems Consortium stephen@isc.org ISC

Kea An Open-Source DHCP Server Stephen Morris Internet Systems Consortium stephen@isc.org ISC DHCP Open-Source First version released in 1997 Default DHCP software in many distributions Server/relay/client for IPv4 & IPv6

303 views • 13 slides
IP Address Management The RIR System & IP policy Nurani Nimpuno APNIC Overview Early

IP Address Management The RIR System & IP policy Nurani Nimpuno APNIC Overview Early

IP Address Management The RIR System & IP policy Nurani Nimpuno APNIC Overview Early address management Evolution of address management Address management today Address policy development IP allocation Pre 1992 RFC 1261

547 views • 23 slides
Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign

Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign

4/12/2017 Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign physical memory to processes 5B. Simple Memory Allocation explicit requests: malloc (sbrk) implicit: program loading, stack

205 views • 8 slides
Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign

Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign

4/14/2018 Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign physical memory to processes 5B. Memory Allocation explicit requests: malloc (sbrk) implicit: program loading, stack extension

555 views • 9 slides
A SAVI Solution for DHCP Jun Bi, Jianping Wu, Guang Yao, Fred Baker draft ietf savi

A SAVI Solution for DHCP Jun Bi, Jianping Wu, Guang Yao, Fred Baker draft ietf savi

A SAVI Solution for DHCP Jun Bi, Jianping Wu, Guang Yao, Fred Baker draft ietf savi dhcp 01(02).txt IETF77, Anaheim Mar.23 2010 Outline Solution Basis Additional Features in 01(02) Version Next Step Solution Basis Basis

368 views • 26 slides
DHCP Relay Agent Assignment Notification Option IETF-64 Bernie Volz PD Route Injection

DHCP Relay Agent Assignment Notification Option IETF-64 Bernie Volz PD Route Injection

DHCP Relay Agent Assignment Notification Option IETF-64 Bernie Volz PD Route Injection Simple Cases 1. Delegating router is on same link as requesting router delegating router can manage the routing information 2. DHCP server

571 views • 7 slides
Memory Management Address binding Linking, loading Logical vs. physical address

Memory Management Address binding Linking, loading Logical vs. physical address

CPSC 410/611 : Operating Systems Memory Management Address binding Linking, loading Logical vs. physical address space Fragmentation Paging Segmentation Reading: Silberschatz (8 th ed.), Chapter 8 Memory

161 views • 14 slides
Memory Management Address binding Linking, loading Logical vs. physical address

Memory Management Address binding Linking, loading Logical vs. physical address

CPSC 410 / 611 : Operating Systems Memory Management Address binding Linking, loading Logical vs. physical address space Memory partitioning Paging Segmentation Reading: Silberschatz, Chapter 8 Memory

469 views • 12 slides
Architecture for CASM Coordinated Address Space Management

Architecture for CASM Coordinated Address Space Management

IETF 98 th Architecture for CASM Coordinated Address Space Management draft-li-casm-address-pool-management-architecture-00 draft-kumar-casm-requirements-and-framework-00 Chen Li, Chongfeng Xie(China Telecom), Jun Bi(Tsinghua University)

401 views • 19 slides

More recommend