Advanced DHCP and DNS Deployments


Transcript of Advanced DHCP and DNS Deployments

  • 7/22/2019 Advanced DHCP and DNS Deployments

    1/119

    BRKNMS-2640

    Advanced DHCP and DNS Deployments

    Bernie Volz


    © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public. BRKNMS-2640

    Introduction

    This session describes the management of IP addresses and (host and domain) names. We explain the functionality of DHCP and DNS and how they collaborate to form the foundation of a name and address management system. Recent developments in both areas are touched on as well. Finally, we enumerate best practices for achieving reliability and security of both services.


    Non-Information

    Silence your phone, PDA, pager, MP3 player

    At CiscoLive! your evaluation is extremely important

    Please remember to wear your badge at all times

    Please visit the World of Solutions

    There is extra material in the appendix at the end of this presentation; the explanatory notes contain links to reference material; I tried to translate all acronyms

    You can ask questions any time


    Meet the Engineer

    To make the most of your time at Networkers at Cisco Live 2011, schedule a Face-to-Face Meeting with top Cisco Engineers.

    Designed to provide a "big picture" perspective as well as "in-depth" technology discussions, these face-to-face meetings will provide fascinating dialogue and a wealth of valuable insights and ideas.

    Visit the Meeting Centre reception desk located in the Meeting Centre in World of Solutions.


    Dynamic Host Configuration Protocol (DHCP)

    DHCP Scale Considerations

    DHCP Reliability Considerations

    IPv6 and DHCP

    Domain Name System DNS

    Interaction Between DNS and DHCP


    Managing the DHCP Server

    Server configured with:

    Network design (Layer 3): network segments, subnets, relay agents

    Available addresses

    Rules about address allocation

    Network administrator controls DHCP service

    Policies for hosts or groups of hosts

    Specific configuration parameters

    Which hosts to serve

    DHCP Server Acts as Agent for Network Administrator


    Architectures for DHCP Service (1)

    Diagram: a Centralized DHCP Service (one DHCP server, reached from every segment through DHCP relay agents) next to a Distributed DHCP Service (several DHCP servers, each close to the segments it serves).

    Pros noted on the slide: centralized management; reliability through redundancy


    Architectures for DHCP Service (2)

    Diagram: a Redundant DHCP Service (two DHCP servers, both reached through DHCP relay agents) next to a Hybrid DHCP Service (a DHCP server at the remote site plus DHCP servers at the central site).

    Pro (hybrid): independent operation of the remote site if the WAN link fails

    Pro (redundant): reliability through redundancy with failover


    Best of Both Worlds

    Diagram: Hybrid DHCP Service; the central DHCP servers delegate part of the address space to the DHCP server at the remote site, which serves the site through its DHCP relay agents.


    Delegation

    Diagram: for millions of subscribers, redundant master servers delegate address ranges to slave servers (including IOS slave servers), which answer the DHCP relay agents.


    Reliable DHCP Service

    Problem: provide increased reliability for DHCP service through redundancy

    Solution: deploy multiple DHCP servers and enable all servers to respond to messages

    The DHCP client broadcasts its messages, and a relay agent can forward them to multiple servers, so more than one DHCP server may receive messages from a client

    The DHCP client is required by the protocol specification to be able to receive responses from multiple servers

    The DHCP client broadcasts its rebinding request, so it can locate a secondary server if the primary is not accessible


    Better if Servers Shared State

    Servers notify each other of assignments

    If the assigning server fails, the other server(s) will have a record of the assignment and can respond

    However, notification may take some time

    The DHCP specification does not allow sufficient time to do the update before responding

    Most hosts will time out and retransmit before the inter-server update completes

    Therefore, the server can't wait for the update to complete before sending its response


    Solution: DHCP Safe Failover

    Main DHCP Server: main address pool 192.168.18.101-150

    Backup DHCP Server: backup address pool 192.168.18.151-200

    Each server hands out addresses only from its own pool, so a delayed or lost update between the servers can never lead to the same address being assigned twice
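The split-pool arrangement of the two slides above, as an added simulation (not code from the presentation): two servers with disjoint pools, every assignment announced to the partner, and a client's broadcast REBIND answered by whichever server is still up. Server names, client identifiers and the 192.168.18.x pools are taken from the slide; the message flow is a model, not the DHCP failover protocol's wire format, and lease-time limits such as the MCLT that the real protocol imposes are not modelled.

```python
"""Split-pool DHCP failover with lease-state sharing (simulation of 'safe failover')."""
import ipaddress
from typing import Dict, List, Optional, Tuple


class DhcpServer:
    def __init__(self, name: str, first: str, last: str) -> None:
        self.name = name
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free: List[ipaddress.IPv4Address] = [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]
        # client id -> (address, name of the server that assigned it)
        self.bindings: Dict[str, Tuple[ipaddress.IPv4Address, str]] = {}
        self.peer: Optional["DhcpServer"] = None
        self.up = True

    def pair_with(self, other: "DhcpServer") -> None:
        """Failover partners must own disjoint pools; that is what makes the scheme safe."""
        if set(self.free) & set(other.free):
            raise ValueError("failover pools must be disjoint")
        self.peer, other.peer = other, self

    def discover(self, client_id: str) -> Optional[ipaddress.IPv4Address]:
        """DISCOVER/REQUEST: answer from this server's own pool, then tell the partner.
        The reply is sent immediately (clients retransmit too fast to wait for the
        partner's acknowledgement); disjoint pools mean the partner cannot hand out
        the same address even if this binding update is delayed or lost."""
        if client_id in self.bindings:
            return self.bindings[client_id][0]
        if not self.free:
            return None
        addr = self.free.pop(0)
        self.bindings[client_id] = (addr, self.name)
        if self.peer is not None and self.peer.up:
            self.peer.binding_update(client_id, addr, self.name)
        return addr

    def binding_update(self, client_id: str, addr: ipaddress.IPv4Address, owner: str) -> None:
        """Partner notification: record the lease without touching our own free pool."""
        self.bindings[client_id] = (addr, owner)

    def rebind(self, client_id: str, addr: ipaddress.IPv4Address) -> bool:
        """Broadcast REBIND: extend the lease if we know this binding, whoever made it."""
        known = self.bindings.get(client_id)
        return self.up and known is not None and known[0] == addr


def rebind_anywhere(servers: List[DhcpServer], client_id: str, addr: ipaddress.IPv4Address) -> bool:
    """A broadcast reaches every server behind the relay; one surviving server suffices."""
    return any(s.rebind(client_id, addr) for s in servers)


if __name__ == "__main__":
    main = DhcpServer("main", "192.168.18.101", "192.168.18.150")
    backup = DhcpServer("backup", "192.168.18.151", "192.168.18.200")
    main.pair_with(backup)
    lease = main.discover("client-1")
    main.up = False                                   # main server dies
    print(lease, rebind_anywhere([main, backup], "client-1", lease))
```

A backup that has never heard about a binding can still not break anything: it refuses the REBIND and the client falls back to DISCOVER, where it receives an address from the backup's own range.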


    IPv6 Addresses

    Divided into two conceptual parts (like IPv4)

    Prefix: globally unique; assigned to a link; known as link address or link prefix

    Suffix: only unique within a link; assigned to an individual interface; known as interface identifier


    Address Assignment

    Manual

    DHCPv6

    Stateless address auto-configuration; host:

    Derives EUI-64 interface identifier from MAC address

    Constructs address from prefix advertised by router and EUI-64 interface identifier

    Performs duplicate address detection to confirm address is not already in use

    Example: prefix from RA 2001:DB8:3:0::/64; MAC address from interface 00:14:51:d9:a4:5a; resulting address 2001:DB8:3:0:214:51ff:fed9:a45a
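The construction on the slide, as an added example that is not part of the original deck: the modified EUI-64 identifier (RFC 4291, Appendix A) is built from the MAC and combined with the advertised /64, and the inverse function shows the security point the slide leaves implicit, namely that such an address reveals the MAC (and so the hardware vendor) and follows the host to every network it joins. The prefix and MAC are the slide's; RFC 4941 temporary addresses and RFC 7217 stable opaque identifiers are the standard answers to that tracking problem.

```python
"""SLAAC with a modified EUI-64 interface identifier, and why it leaks the MAC."""
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: flip the universal/local bit of the first octet, insert ff:fe."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a host forms from an advertised /64 and its MAC (before DAD runs)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 identifiers requires a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str) -> Optional[str]:
    """Inverse: recover the MAC if the identifier is in modified EUI-64 form.
    Returns None for identifiers without the ff:fe marker (e.g. RFC 4941 temporary
    addresses), which is exactly why those exist."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    addr = slaac_address("2001:DB8:3:0::/64", "00:14:51:d9:a4:5a")
    print(addr, "->", mac_from_address(str(addr)))
```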


    Improvements in DHCPv6 over DHCPv4

    L3-only transport

    Link-local addressing between client and server (or relay agent)

    No need for all-zeros IP source address

    Assignment of multiple addresses to a client

    Unique, uniform client identification

    Explicit lease renewal and lease rebinding messages

    Larger option code space (16-bit option code)

    Most information carried in options (instead of fixed header fields)

    Relay agent chaining through message encapsulation

    Server message to force client reconfiguration


    DHCPv4/DHCPv6 Coexistence

    IETF design decision: DHCPv4 and DHCPv6 are separate protocols

    Different message formats

    Different message exchanges

    Separate options

    Host runs DHCPv4 and DHCPv6 as separate functions

    What about options that provide the same information in DHCPv4 and DHCPv6; e.g., DNS servers?


    Basic DHCPv6 Message Exchange

    (Diagram: Server 1, Client, Server 2)

    Client multicasts SOLICIT message on local subnet

    Servers send ADVERTISE message with lease information

    Client selects lease and multicasts REQUEST message

    Selected server sends REPLY message


    Stateless DHCPv6

    Used in conjunction with stateless address auto-configuration

    DHCPv6 server does not need to retain state for each client; e.g., assigned addresses, lease state

    Client uses stateless DHCPv6 (RFC 3736) to obtain configuration information

    Very simple protocol server; can be easily deployed in routers rather than as a centralized service


    IPv6 Deployment Model for SOHO

    IPv6 has enough prefixes to assign a prefix to every service provider subscriber or branch office

    Subscriber network will have an IPv6 router (instead of a computer or NAT) connected to the service provider

    DHCPv6 prefix delegation informs the subscriber router of the prefix to use

    Assignment of a prefix to a subscriber or an organization, rather than a single address, is recommended for IPv6

    IPv6 prefix delegation uses DHCPv6 to provision a router with the prefix to be used at that site

    Site router then assigns /64 prefixes from the delegated prefix to each link in the site network


    IPv6 Deployment Model for Branch Office

    IPv6 prefix can be assigned to enterprise branch office

    Branch office gateway router provides IPv6 service to branch office network

    DHCPv6 prefix delegation informs branch office router of prefix to use

    Branch office router assigns /64 prefixes from the delegated prefix to each branch office network link: add the interface index to the /48 prefix to generate a /64 for each link

    Example: delegated prefix 2001:DB8:3::/48; assign prefix 2001:DB8:3:1::/64 to interface 1


    Branch Office IPv6 Network Model

    Diagram: Branch Office Network (branch router) connected over the enterprise network link to the core router and the enterprise servers (DHCP, DNS, management).

    Branch Router initiates DHCPv6

    Receives IPv6 address for enterprise net link

    Receives 2001:DB8:3::/48 (prefix delegation)

    Receives list of DNS servers and other configuration

    Branch Router assigns /64 prefixes from 2001:DB8:3::/48 to branch office network links

    Enterprise Network Link: Assigned 2001:DB8:FFFF:0::/64

    Branch Office Link 0 (Wireless): Assigned 2001:DB8:3:0::/64

    Branch Office Link 1 (Desktop): Assigned 2001:DB8:3:1::/64

    Branch Office Link 2 (Data Center): Assigned 2001:DB8:3:2::/64


    Routing and DHCPv6 Prefix Delegation

    Prefix delegation requires routing updates in the delegating router and the requesting router

    Injection of routing information for the delegated prefix

    Determination of default router

    DHCPv6 snooping typically used

    DHCPv6 leasequery (RFC 5007 and RFC 5460) allows the requesting router to obtain information about delegated prefixes from the DHCPv6 server
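The per-link /64 assignment of the two branch-office slides and the routing step of the slide just above, as an added example that is not part of the original deck. The first two functions carve /64 link prefixes out of a delegated prefix by interface index (the slide's 2001:DB8:3::/48 is used) and map an address back to its link; the third is the containment check a delegating router should apply before it installs a route for a prefix a requesting router announces, since a route outside what was delegated (RFC 3633, now RFC 8415) is either a misconfiguration or an attempt to hijack someone else's prefix. The function names are this example's own.

```python
"""Per-link /64s from a delegated prefix, and the route-containment check."""
import ipaddress
from typing import Optional


def link_prefix(delegated: str, index: int) -> ipaddress.IPv6Network:
    """The index-th /64 of the delegated prefix (the slide's 'interface index' scheme)."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError(f"{delegated} is too small to carve /64 links from")
    links = 1 << (64 - net.prefixlen)               # a /48 yields 65536 links
    if not 0 <= index < links:
        raise ValueError(f"index {index} outside {delegated} ({links} /64s available)")
    return ipaddress.IPv6Network((int(net.network_address) | (index << 64), 64))


def link_index(delegated: str, addr: str) -> Optional[int]:
    """Inverse: which link an address belongs to, or None if it is outside the delegation."""
    net = ipaddress.IPv6Network(delegated)
    a = ipaddress.IPv6Address(addr)
    if a not in net:
        return None
    return (int(a) >> 64) & ((1 << (64 - net.prefixlen)) - 1)


def route_acceptable(delegated: str, announced: str) -> bool:
    """Delegating-router side: install a route only if the announced prefix lies inside
    the prefix actually delegated to that requesting router; drop anything else."""
    return ipaddress.IPv6Network(announced).subnet_of(ipaddress.IPv6Network(delegated))


if __name__ == "__main__":
    for i in range(3):
        print(i, link_prefix("2001:db8:3::/48", i))
    print(route_acceptable("2001:db8:3::/48", "2001:db8:ffff::/64"))   # False
```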


    Dynamic Host Configuration Protocol DHCP

    Domain Name System DNS

    DNS Deployment

    DNS Service Security

    Interaction Between DNS and DHCP


    Names

    Diagram: the DNS name tree; the root (.) has children com, edu and org; example sits under com; purdue and bucknell sit under edu; cs and www sit under purdue.

    Fully qualified names read from the leaf up to the root: . (the root), com., example.com., www.example.com.


    The Domain Name System (DNS)

    DNS is a distributed database, with distributed administration and responsibility

    The database key is a Fully Qualified Domain Name (FQDN) that consists of a string of tokens separated by dots. Example: www.cisco.com

    The data is stored in Resource Records (RR), of which there are many types; examples are A, AAAA, PTR and MX

    Product of the IETF to replace the original HOSTS.TXT file


    DNS Features

    The DNS is designed for look-up queries

    The DNS holds two major types of information

    The actual data available as answers to queries

    Structural information for DNS itself

    Information is logically grouped in zones; a zone is the unit of control: modification rights and replication operations apply to zones


    Queries

    Lookup is based on FQDN, class, and type

    Query for example.com:

    example.com.          IN  A  ?

    Answer (4711 is the TTL in seconds):

    example.com.    4711  IN  A  192.168.1.1


    DNS is a Universal Lookup Service

    Lookup by name to find IPv4 address(es)

    www.l.google.com: type A, class IN, addr 64.233.169.147

    www.l.google.com: type A, class IN, addr 64.233.169.105

    www.l.google.com: type A, class IN, addr 64.233.169.103

    xn--9n2bp8q.xn--9t4b11yi5a: type A, class IN, addr 199.7.85.16 (an internationalized name, shown in Punycode)

    Lookup by name to find IPv6 address(es)

    ipv6.l.google.com: type AAAA, class IN, addr 2001:4860:b004::68

    Lookup by name to find mail server(s)

    cisco.com: type MX, class IN, preference 10, mx sj-inbound-b.cisco.com

    cisco.com: type MX, class IN, preference 15, mx rtp-mx-01.cisco.com

    cisco.com: type MX, class IN, preference 25, mx syd-inbound-a.cisco.com

    Lookup by IPv4 address to find domain name

    25.219.133.198.in-addr.arpa: type PTR, class IN, www9.cisco.com


    DNS is a Universal Lookup Service

    Lookup by service to find host and port

    _sip._tcp.example.com: type SRV, class IN, priority 0, weight 10, port 5060, host sip.example.com

    Lookup by name to find services

    example.com: type NAPTR, class IN, 1 1 "s" "" "" _sip._tcp.example.com

    example.com: type NAPTR, class IN, 1 1 "s" "" "" _clip._tcp.example.com

    example.com: type NAPTR, class IN, 1 1 "s" "" "" _wins._tcp.example.com

    Lookup by E.164 number to find URL or URN

    5.4.3.2.1.e164.arpa.: type NAPTR, class IN, 1 1 "u" "E2U+sip" "!.*!sip:[email protected]!" .


    Reverse Zone

    PTR records used to resolve name for an IP address

    Canonical representation of IP address used as FQDN

    IPv4: reversed dotted decimal concatenated with IN-ADDR.ARPA. (for address 192.168.50.22):

    22.50.168.192.in-addr.arpa 1800 IN PTR www.example.com

    IPv6: reversed, dot-separated hexadecimal nibbles concatenated with IP6.ARPA. (for address 2001:db8:1:1::22):

    2.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa 1800 IN PTR www.example.com

    Zone delegations are based on address-FQDN components; this gets tricky when delegations are not on FQDN component boundaries (e.g., an IPv4 block smaller than a /24)

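The reverse-name construction on the slide, plus the "tricky" case it mentions, as an added example that is not part of the original deck. reverse_name builds the PTR owner name for either address family (the slide's two addresses are the test inputs), reverse_zone refuses prefixes that do not fall on an octet or nibble boundary, and rfc2317_delegation generates the records a parent /24 reverse zone needs to hand a smaller block (here a constructed /26) to a customer name server the way RFC 2317 describes: one NS for a synthetic "0/26" zone and a CNAME per address into it. The customer name server name is constructed.

```python
"""Reverse-zone owner names, zone apexes, and RFC 2317 classless delegation."""
import ipaddress
from typing import List


def reverse_name(addr: str) -> str:
    """PTR owner name: reversed octets under in-addr.arpa., reversed nibbles under ip6.arpa."""
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        return ".".join(reversed(a.exploded.split("."))) + ".in-addr.arpa."
    return ".".join(reversed(a.exploded.replace(":", ""))) + ".ip6.arpa."


def reverse_zone(prefix: str) -> str:
    """Reverse zone apex for a prefix. Only a plain delegation when the prefix length
    is a multiple of 8 (IPv4 octets) or 4 (IPv6 nibbles); otherwise refuse."""
    net = ipaddress.ip_network(prefix)
    bits = 8 if net.version == 4 else 4
    if net.prefixlen % bits:
        raise ValueError(f"{prefix} is not on a label boundary; use RFC 2317 delegation")
    labels = reverse_name(str(net.network_address)).split(".")
    total = net.max_prefixlen // bits                # 4 octets or 32 nibbles
    return ".".join(labels[total - net.prefixlen // bits:])


def rfc2317_delegation(parent: str, block: str, ns: str) -> List[str]:
    """Records the parent /24 reverse zone publishes to delegate a sub-/24 block to `ns`:
    an NS for the synthetic '<first>/<len>' zone and one CNAME per address into it."""
    pnet, bnet = ipaddress.IPv4Network(parent), ipaddress.IPv4Network(block)
    if pnet.prefixlen != 24 or bnet.prefixlen <= 24 or not bnet.subnet_of(pnet):
        raise ValueError("block must be a proper sub-block of a /24")
    zone = reverse_zone(parent)                      # e.g. 50.168.192.in-addr.arpa.
    subzone = f"{int(bnet.network_address) & 0xFF}/{bnet.prefixlen}.{zone}"
    records = [f"{subzone} IN NS {ns}"]
    for host in bnet:                                # every address of the block
        last = int(host) & 0xFF
        records.append(f"{last}.{zone} IN CNAME {last}.{subzone}")
    return records


if __name__ == "__main__":
    print(reverse_name("192.168.50.22"))
    print(reverse_name("2001:db8:1:1::22"))
    for line in rfc2317_delegation("192.168.50.0/24", "192.168.50.0/26", "ns1.customer.example.")[:3]:
        print(line)
```

The customer then serves the zone 0/26.50.168.192.in-addr.arpa. with ordinary PTR records; a resolver looking up 22.50.168.192.in-addr.arpa. follows the CNAME into that zone.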

    Domains and Zones

    All nodes below a node are included in the same domain

    Nodes are grouped in administrative zones

    Each node can be the start of a new zone, but it doesn't have to be

    A node which is the start of a new zone is called a delegation point

    Diagram: the same name tree as before (root; com, edu, org; example under com; purdue and bucknell under edu; cs and www under purdue), marked with the root zone, the com zone, the example.com zone and the purdue.edu zone. The com domain spans everything under com, whereas the com zone holds only what has not been delegated away (example.com is its own zone).


    A DNS Server performs two functions

    Hosts must be able to query FQDNs of the entire DNS namespace: recursive servers provide the resolution service

    Hosts and recursive servers must be able to issue DNS queries about zones you administer: authoritative servers respond to queries for FQDNs under their authority

    Diagram: application and stub resolver on the host, the recursive server, and on the Internet the root server, the com name server and the example name server (FQDN resolution against the distributed DNS database).


    DNS Name Resolution

    1. An application wants to resolve www.widgets.example.com into an IP address

    2. Stub resolver code (typically in a library on the host where the application runs) sends a DNS protocol request message to the (local) recursive server

    3. Recursive server sends DNS protocol request messages to many DNS name servers; the recursive server may cache the answers

    4. Recursive server returns the IP address to the stub resolver through a DNS protocol message

    5. Stub resolver communicates the IP address to the application

    Diagram: application (1) stub resolver (2) recursive server (3) root server, com name server, example name server, widgets name server (4) recursive server returns 1.2.3.4 (5) stub resolver hands it to the application. Question: www.widgets.example.com ?

    Recursive Resolution

    1. Question = resolve www.widgets.example.com. In the DNS protocol the question will always be the same.

    2. Ask root server(s) (known via the hint list); they will only answer which server(s) know com., which is likely a top level domain (TLD)

    3. Ask server(s) for com.; they return an NS list that knows about example.com.

    4. Ask server(s) for example.com.; depending on how the zones are laid out they might return the answer for www.widgets.example.com or else return an NS list that knows about widgets.example.com.

    5. Finally the widgets.example.com name server returns the answer

    Diagram: Root Server: "NS for com = a, b, c"; com Name Server: "NS for example.com = x, y"; example.com Name Server: "NS for widgets.example.com = m, n"; widgets.example.com Name Server: "www.widgets.example.com = 1.2.3.4"
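The referral-following loop of the five steps above, as an added example that is not part of the original deck. The four name servers and their referrals (a, b, c for com; x, y for example.com; m, n for widgets.example.com; the answer 1.2.3.4) are the slide's, modelled as an in-memory table rather than real servers. Two details matter for security and are built in: a referral is only followed when it is for a zone more specific than the one just asked about (a server may not steer the resolver to unrelated names), and the number of steps is bounded so a referral loop cannot hang the resolver.

```python
"""Iterative resolution: start at the root hints, follow referrals to the answer."""
from typing import List, Optional, Tuple

# Constructed model of the slide's servers: each either answers a name
# authoritatively ("answer") or refers the resolver to a child zone ("referral").
SERVERS = {
    "root": {"referral": {"com.": ["a", "b", "c"]}},
    "a": {"referral": {"example.com.": ["x", "y"]}},
    "x": {"referral": {"widgets.example.com.": ["m", "n"]}},
    "m": {"answer": {"www.widgets.example.com.": "1.2.3.4"}},
}
ROOT_HINTS = ["root"]


def ask(server: str, qname: str) -> tuple:
    """One query to one server: ('answer', ip), ('referral', zone, [ns...]) or ('nxdomain',)."""
    data = SERVERS.get(server, {})
    if qname in data.get("answer", {}):
        return ("answer", data["answer"][qname])
    best = None                                      # longest delegation above qname
    for zone, nss in data.get("referral", {}).items():
        if (qname == zone or qname.endswith("." + zone)) and (best is None or len(zone) > len(best[0])):
            best = (zone, nss)
    if best:
        return ("referral", best[0], best[1])
    return ("nxdomain",)


def resolve(qname: str, hints: List[str] = ROOT_HINTS, max_steps: int = 16) -> Tuple[Optional[str], List[str]]:
    """Returns (ip or None, the servers asked in order). The question never changes;
    only the server it is sent to does. Referrals must descend (more specific zone
    than the current one) and the step count is bounded against referral loops."""
    candidates, path, current_zone = list(hints), [], ""
    for _ in range(max_steps):
        if not candidates:
            break
        server = candidates[0]
        path.append(server)
        reply = ask(server, qname)
        if reply[0] == "answer":
            return reply[1], path
        if reply[0] == "referral" and len(reply[1]) > len(current_zone):
            current_zone, candidates = reply[1], list(reply[2])
            continue
        candidates = candidates[1:]                  # lame or unreachable: try the next NS
    return None, path


if __name__ == "__main__":
    print(resolve("www.widgets.example.com."))
```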

    Dynamic Host Configuration Protocol DHCP

    Domain Name System DNS

    DNS Deployment: What, Where, Why?

    DNS Service Security

    Interaction Between DNS and DHCP


    Deploying Authoritative Servers

    Use a hidden primary or gold master

    It will make authorization of changes easier

    Slave servers answer all requests authoritatively; they obtain their data only from the master

    Close to your own hosts

    In your DMZ, reachable from outside

    At least one slave somewhere else on the Internet

    This gives responses when your own slaves are not reachable


    Queries from the Inside

    Diagram, three tiers. Internal: Hidden Master (authoritative), Internal Slave (authoritative), Internal Cache (recursive). DMZ: DMZ Slave (authoritative), DMZ Cache (recursive). External: External Slave (authoritative) on the Internet. Internal hosts query the Internal Cache, which resolves through the DMZ Cache.


    Queries from the Outside

    Diagram: queries from the Internet reach only the authoritative servers, the DMZ Slave and the External Slave; nothing internal is exposed.


    Queries from Subscribers

    Diagram: subscribers on the access network are served from the DMZ (DMZ Slave, authoritative), separated from the internal tier.


    Security Exposures in DNS

    1. Corruption of name server database: DDNS, admin spoofing

    2. False zone transfers

    3. Spoofed responses to recursive server queries

    4. Spoofed responses to stub resolver queries

    Diagram: the resolution path (application, stub resolver, recursive server, then on the Internet the root server, com server, example name server and widgets name server) with the example master, slave and database marked. Exposure 1 sits at the master's database, 2 on the master-to-slave zone transfer, 3 on the recursive server's queries to the Internet, 4 on the stub resolver's queries to the recursive server.


    TSIG, SIG(0), and DNSSEC

    TSIG: uses a shared secret key to protect DNS transactions (queries and responses, zone transfers, dynamic updates)

    Sender computes a keyed hash (HMAC) of the transaction using the secret key

    Receiver confirms integrity and origin using the same secret key

    SIG(0): uses a public/private key pair to protect DNS transactions

    Sender computes a signature of the transaction using the private key of the public/private key pair

    Receiver confirms authenticity using the public key

    DNSSEC: uses signed RRsets to protect DNS data

    Signer computes a signature of the RRset using the private key of the public/private key pair

    Resolver confirms authenticity using the public key
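What "hash of the transaction" means for TSIG in practice, as an added example that is not part of the original deck: the sender's HMAC covers the whole DNS message plus the TSIG variables (key name, algorithm, time signed, fudge), the receiver strips the TSIG RR, recomputes the HMAC with the same secret and then checks the time window. The DNS UPDATE message, the key name ddns-key.example.com. and the shared secret are constructed for the example; the wire format follows RFC 8945 (the successor of RFC 2845) and the code uses only the standard library.

```python
"""TSIG (RFC 8945) over a DNS UPDATE: sign, verify, reject tampering and replays."""
import hashlib
import hmac
import struct

TYPE_TSIG, CLASS_ANY = 250, 255
ALGORITHM = "hmac-sha256."


def wire_name(name):
    """Uncompressed, lower-cased wire-format name (TSIG digests use canonical form)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a name (compression pointers allowed); returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                      # pointer: follow it, remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii").lower())
        off += 1 + length
    return ".".join(labels) + ".", (off if end is None else end)


def build_update(msg_id, zone, host, ipv4):
    """Constructed sample: RFC 2136 UPDATE adding '<host> 300 IN A <ipv4>' to <zone>."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)   # opcode 5, ZOCOUNT 1, UPCOUNT 1
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)      # SOA IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    update_rr = wire_name(host) + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + zone_section + update_rr


def tsig_variables(key_name, time_signed, fudge, error, other):
    """TSIG fields that the MAC covers in addition to the message (RFC 8945, 4.3.3)."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)


def tsig_sign(message, key_name, secret, time_signed, fudge=300):
    """Append a TSIG RR whose HMAC-SHA256 covers the message plus the TSIG variables."""
    mac = hmac.new(secret, message + tsig_variables(key_name, time_signed, fudge, 0, b""),
                   hashlib.sha256).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (wire_name(ALGORITHM)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))
    tsig_rr = wire_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def tsig_verify(signed, keyring, now):
    """Receiver side: NOERROR, BADKEY, BADSIG or BADTIME, checked in that order (RFC 8945, 5.3)."""
    counts = struct.unpack("!HHHH", signed[4:12])
    off, last_rr = 12, None
    for _ in range(counts[0]):                         # question / zone entries
        off = read_name(signed, off)[1] + 4
    for _ in range(sum(counts[1:])):                   # all RRs; TSIG must be the last one
        last_rr = off
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    if last_rr is None:
        return "BADKEY"
    key_name, p = read_name(signed, last_rr)
    if struct.unpack("!H", signed[p:p + 2])[0] != TYPE_TSIG or key_name not in keyring:
        return "BADKEY"
    algorithm, r = read_name(signed, p + 10)
    ts_hi, ts_lo, fudge, mac_len = struct.unpack("!HIHH", signed[r:r + 10])
    r += 10
    mac, r = signed[r:r + mac_len], r + mac_len
    original_id, error, other_len = struct.unpack("!HHH", signed[r:r + 6])
    other = signed[r + 6:r + 6 + other_len]
    time_signed = (ts_hi << 32) | ts_lo
    if algorithm != ALGORITHM or original_id != struct.unpack("!H", signed[:2])[0]:
        return "BADKEY"
    # The MAC was computed over the message as it looked before the TSIG RR was added.
    unsigned = signed[:10] + struct.pack("!H", counts[3] - 1) + signed[12:last_rr]
    expected = hmac.new(keyring[key_name],
                        unsigned + tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    if abs(now - time_signed) > fudge:                 # replay window
        return "BADTIME"
    return "NOERROR"
```

Because the time-signed field is inside the MAC, a captured update cannot be replayed once the fudge window (300 s here) has passed, and because the message ID and every byte of the update are covered, the A record cannot be altered in transit without turning the MAC into BADSIG. An unsigned update that reaches a server requiring TSIG is reported as BADKEY by this verifier; a production server would answer REFUSED.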


    But... How Does the Resolver Get the Key for example.com?

    Diagram: www.example.com has an address and a signature; that signature is checked with the key for example.com; the example.com key in turn has a signature checked with the key for com.

    Three new RR types used to store cryptographic data

    DNSKEY holds public key

    DS holds public key hash for a subzone

    RRSIG holds RRset signature

    (There are 3 other RRs: NSEC, NSEC3, NSEC3PARAM)

    Hash of the public key for example.com is stored in a DS RR in the com zone; the public key itself is stored in a DNSKEY RR in the example.com zone

    Resolver with public key for com

    Uses public key for com to authenticate the signature of the DS RR for example.com

    Retrieves public key for example.com in the DNSKEY RR from the example.com zone and authenticates it against the DS RR

    Resolves www.example.com and authenticates the RR(s) with the key from the example.com DNSKEY RR


    Global view of signatures and keys

    FQDN              CL  TYPE    RDATA                                        Zone
    com.              IN  DNSKEY  xyz23Cryryptogrm4d3DS (public key of com)    com. zone
    example.com.      IN  DS      hash of the public key of example.com        com. zone
    example.com.      IN  RRSIG   signature of the DS, made with the com key   com. zone
    example.com.      IN  DNSKEY  3245sdFD56G4ggf15R5 (public key)             example.com. zone
    www.example.com.  IN  A       64.64.64.64                                  example.com. zone
    www.example.com.  IN  RRSIG   signature of the A RR, example.com key       example.com. zone

    In the original diagram one arrow style means "authenticated by" and the other "used to validate".
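The link between the DS in the parent and the DNSKEY in the child, which the previous two slides describe, as an added example that is not part of the original deck. It builds DNSKEY RDATA, computes the RFC 4034 key tag and DS digest, and performs the RFC 4035 section 5.2 match a validating resolver does before it trusts the child's key: Zone Key flag set, key tag and algorithm equal, digest equal. The key bytes are constructed (not real keys); verifying the RRSIG over the child's DNSKEY RRset with that key, the step the slide calls "authenticates with DS RR", needs a signature library and is outside this snippet.

```python
"""DNSSEC chain of trust, one link: parent DS must match a hash of the child DNSKEY."""
import hashlib
import hmac
import struct


def wire_name(name):
    """Owner name in canonical (lower-case, uncompressed) wire format."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for every algorithm except 1, RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}     # DS digest types; SHA-1 is deprecated


def make_ds(owner, rdata, digest_type=2):
    """DS RDATA for a DNSKEY: digest = H(owner name in wire form | DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def authenticate_dnskey(owner, parent_ds_set, child_dnskey_set):
    """Return the first child DNSKEY RDATA that some parent DS authenticates, else None
    (RFC 4035 5.2: Zone Key flag set, key tag and algorithm equal, digest equal)."""
    for key in child_dnskey_set:
        flags = struct.unpack("!H", key[:2])[0]
        if not flags & 0x0100:                         # bit 7: Zone Key flag
            continue
        for ds in parent_ds_set:
            if ds["key_tag"] != key_tag(key) or ds["algorithm"] != key[3]:
                continue
            if ds["digest_type"] not in DIGESTS:
                continue
            expected = DIGESTS[ds["digest_type"]](wire_name(owner) + key).digest()
            if hmac.compare_digest(expected, ds["digest"]):
                return key
    return None


# Constructed key material, not real keys: algorithm 13 (ECDSAP256SHA256) carries a
# 64-byte public key. Flags 257 = zone key + SEP (a KSK), 256 = zone key only (a ZSK).
EXAMPLE_KSK = dnskey_rdata(257, 13, hashlib.sha512(b"constructed example.com KSK").digest())
EXAMPLE_ZSK = dnskey_rdata(256, 13, hashlib.sha512(b"constructed example.com ZSK").digest())
EXAMPLE_DS = make_ds("example.com.", EXAMPLE_KSK)    # what the com. zone would publish

if __name__ == "__main__":
    print("key tag", EXAMPLE_DS["key_tag"], "digest", EXAMPLE_DS["digest"].hex())
    print(authenticate_dnskey("example.com.", [EXAMPLE_DS], [EXAMPLE_ZSK, EXAMPLE_KSK]) == EXAMPLE_KSK)
```

The DS points at the KSK, not the ZSK: the resolver authenticates the KSK through the parent, then trusts the whole DNSKEY RRset (ZSK included) once the RRSIG made by the KSK over that RRset verifies, and only then uses the ZSK for www.example.com.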


    Why Aren't We Using DNSSEC Today?

    Requires a chain of signed zones: root, TLDs, organizations

    Trust islands may be an interim step

    Processes for key and trust anchor management and rollover need to be worked out

    Organizations need to get keying information into TLDs

    RFC 5011 mechanisms need to be deployed for trust anchors

    Applications are unprepared for DNSSEC

    How does an application react to an unsecured response or a response that fails authentication?

    Organizations need to deploy DNSSEC

    Name servers; recursive servers

    with a mechanism for securing DNS traffic between hosts and recursive servers

    Root zone has been signed since July 15, 2010

    Good information source: http://www.dnssec-deployment.org/

    Trust Island for DNSSEC

    Diagram: root zone, com zone, example.com zone; the resolver is configured with the example.com zone public key

    Resolver can be configured with the public key for the example.com zone

    Resolver performs unsecured resolution through the root and com zones

    Then, the resolver applies the example.com zone key for secure resolution of the example.com zone


    DNS Namespace and IP Addressing

    DNS namespace and IP addressing architecture are fundamentally orthogonal

    Name hierarchy need not follow network topology; two devices on the same link may use different domain names

    Address assignment must follow network topology, so an address assigned to a device must come from a prefix assigned to the link

    but name and address management interact in several ways

    IP addresses in PTR records

    Configuration of the host to know its DNS servers (and their evaluation order)

    Reverse delegation: delegation of IP addresses implies delegation of zone authority


    Address Assignment and DNS

    RRset(s) for a device must be updated with the address(es) assigned to the device

    IP addresses in A/AAAA RRs for the device's FQDN must reflect the IP addresses assigned to the host

    Static: simultaneously add entries to DHCP and DNS services

    Automatic: simultaneously add entries when address is first assigned

    Dynamic: add entries when address is first assigned; update RRs if address changes; delete RRs if lease expires


    Getting New IP Addresses into DNS

    Update DNS server database manually: edit the configuration file, or through a GUI

    (Dynamic) DNS Update (DDNS) from host

    Host sends DNS Update when new address is assigned

    What name to use/allow?

    Update both forward and reverse?

    Authentication and authorization require a trust relationship with each host; does this scale?

    What if the DHCP address lease expires?


    Getting New IP Addresses into DNS

    DNS update from DHCP server

    DHCP and DNS servers must have a trust relationship; fewer components to secure

    Can purge expired addresses

    Requires explicit collaboration if DHCP and DNS servers are in different admin domains

    Only works for addresses assigned through DHCP

    Diagram: DHCP client, DHCP relay agent and DHCP server on the organization network; the DHCP server sends the DNS update for bvolz.widgets.example.com to the widgets name server (the DNS database also shows the root, com and example name servers).


    Why Use DNS Update?

    Mobility is easier

    Laptops are not the only devices that use IP addresses and need domain names

    Platform-specific and proprietary solutions have existed, but a standardized mechanism was missing

    Fast, secure updates of the DNS are required

    DNS Update (RFC 2136) provides a mechanism within DNS itself to add and delete RRs

    Can be secured (e.g., with TSIG)

    Used by the host (with appropriate trust and security)

    Used by the DHCP server (for reverse and perhaps forward)
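The two slides above describe the mechanism in words only. The following is an added example (not code from the presentation or from any Cisco product) that builds the two UPDATE messages a DHCP server would send for a new lease, one for the forward zone and one for the reverse zone, signs them with TSIG (hmac-sha256, RFC 2845/RFC 8945) and then verifies them the way the name server would. The zone names, key name, key bytes and timestamps are constructed for the example; messages are emitted without name compression.

```python
"""RFC 2136 UPDATE for the A and PTR records of a DHCP lease, protected with TSIG."""
import hashlib
import hmac
import ipaddress
import struct

TSIG_ALG = "hmac-sha256."
T_A, T_PTR, T_AAAA, T_TSIG, T_ANY = 1, 12, 28, 250, 255
C_IN, C_NONE, C_ANY = 1, 254, 255


def wire_name(name):
    """Canonical (lower-case, uncompressed) wire form of an FQDN."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def read_name(buf, off):
    """Inverse of wire_name (compression pointers are not used in these messages)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def rr(name, rtype, rclass, ttl, rdata):
    return wire_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(msg_id, zone, prereqs, updates):
    """Header with opcode 5 (UPDATE), zone section (SOA/IN), prerequisite and update sections."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, len(prereqs), len(updates), 0)
    return header + wire_name(zone) + struct.pack("!HH", 6, C_IN) + b"".join(prereqs) + b"".join(updates)


def forward_update(msg_id, zone, fqdn, ip, ttl=3600):
    """Add A/AAAA, but only if the name is not in use yet (RFC 2136 2.4.5): a client must
    not silently take over another host's name."""
    addr = ipaddress.ip_address(ip)
    rtype = T_A if addr.version == 4 else T_AAAA
    return build_update(msg_id, zone, [rr(fqdn, T_ANY, C_NONE, 0, b"")],
                        [rr(fqdn, rtype, C_IN, ttl, addr.packed)])


def reverse_update(msg_id, zone, fqdn, ip, ttl=3600):
    """The PTR lives in the reverse zone, so it is a separate UPDATE (possibly to another
    server); any stale PTR for the address is deleted first (class ANY, RFC 2136 2.5.2)."""
    ptr = ipaddress.ip_address(ip).reverse_pointer + "."
    return build_update(msg_id, zone, [],
                        [rr(ptr, T_PTR, C_ANY, 0, b""), rr(ptr, T_PTR, C_IN, ttl, wire_name(fqdn))])


def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC in addition to the message itself."""
    return (wire_name(keyname) + struct.pack("!HI", C_ANY, 0) + wire_name(TSIG_ALG)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, keyname, key, time_signed, fudge=300):
    """Append the TSIG RR; the MAC covers the message as it was before the RR was added."""
    mac = hmac.new(key, msg + tsig_variables(keyname, time_signed, fudge), hashlib.sha256).digest()
    orig_id = struct.unpack("!H", msg[:2])[0]
    rdata = (wire_name(TSIG_ALG) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", orig_id, 0, 0))
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr(keyname, T_TSIG, C_ANY, 0, rdata)


def last_rr_offset(msg):
    """Offset of the last RR in the message; in a signed message that is the TSIG RR."""
    counts = struct.unpack("!HHHHHH", msg[:12])
    off, last = 12, None
    for _ in range(counts[2]):                      # zone (question) entries: name + type + class
        off = read_name(msg, off)[1] + 4
    for _ in range(counts[3] + counts[4] + counts[5]):
        last = off
        off = read_name(msg, off)[1] + 8            # type, class, TTL
        off += 2 + struct.unpack("!H", msg[off:off + 2])[0]
    return last


def tsig_verify(signed, keyname, key, now):
    """Name-server side: check key name, algorithm and clock skew, strip the TSIG RR,
    recompute the MAC and compare it in constant time."""
    start = last_rr_offset(signed)
    name, off = read_name(signed, start)
    rtype = struct.unpack("!H", signed[off:off + 2])[0]
    alg, off = read_name(signed, off + 10)          # skip type/class/TTL/RDLENGTH
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    _orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    if (rtype != T_TSIG or wire_name(name) != wire_name(keyname)
            or alg != TSIG_ALG or abs(now - time_signed) > fudge):
        return False
    arcount = struct.unpack("!H", signed[10:12])[0] - 1   # message as it was before signing
    unsigned = signed[:10] + struct.pack("!H", arcount) + signed[12:start]
    expected = hmac.new(key, unsigned + tsig_variables(keyname, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)
```

Two practitioner details are visible here that the slides gloss over: the forward and reverse records are in different zones and therefore need two UPDATE messages (and, in a split administration, two TSIG keys), and the "name not in use" prerequisite is what stops a client from reusing a name that already belongs to someone else. The verifier rejects a wrong key, a wrong key name, a message outside the fudge window, and any modification of the signed bytes.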


    Update of PTR Record

    PTR records should be updated at the same time as the A (and AAAA) records when addresses change

    If addresses are assigned through DHCP, the network admin owns the address (the reverse zone) and should have the DHCP server do the update

    The DHCP server can learn the host's FQDN through DHCP options (the Client FQDN option, RFC 4702) or can enforce its own naming policy

    If the client's name is used, this assumes an implicit trust relationship between the host and the DHCP server: the host is authorized to use the name

    Explicit authentication of the host's identity, authorization of the host to use the name, and authentication of the DHCP message exchange remain an unsolved problem

    Cisco IOS DHCP Client and Server


    Figure: a Cisco IOS DHCP client (router.widgets.example.com) on the organization network talks to the DHCP service; the DNS database shows the root, com, example and widgets name servers that hold the name.

    Running DDNS

    The Cisco IOS DHCP client can perform DNS* or HTTP updates and uses the Client FQDN option to tell the DHCP server which it will do

    The Cisco IOS DHCP server can perform DNS* or HTTP updates and either honours or overrides the client's preference

    *RFC 4702 DHCP Client FQDN option
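The previous two slides say that the client announces its name and preference in the Client FQDN option and that the server may honour it, override it, or impose its own naming policy. The following is an added example (not code from the presentation or from Cisco IOS) of that server-side path for DHCPv4 option 81 (RFC 4702): decode the option, apply a naming policy so that a client cannot claim a name outside the zone the server controls, decide who updates A and PTR, and encode the option for the reply. The domain, the two policy modes and the fallback naming scheme are assumptions made for the example; the sample option payloads in the usage are constructed.

```python
"""DHCPv4 Client FQDN option (RFC 4702, option 81): decode, apply policy, encode reply."""
import ipaddress
import re

FLAG_S, FLAG_O, FLAG_E, FLAG_N = 0x01, 0x02, 0x04, 0x08   # RFC 4702 section 2.1
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def decode_option81(payload):
    """Return (flags, name). The name keeps a trailing '.' only when the client sent a
    fully qualified name (terminating root label present)."""
    if len(payload) < 3:
        raise ValueError("option 81 too short")
    flags, body = payload[0], payload[3:]        # RCODE1/RCODE2 (bytes 1-2) are deprecated
    if not flags & FLAG_E:                       # deprecated ASCII encoding
        return flags, body.decode("ascii")
    labels, off = [], 0
    while off < len(body) and body[off]:
        n = body[off]
        if n & 0xC0 or off + 1 + n > len(body):  # no compression pointers, no truncation
            raise ValueError("malformed label")
        labels.append(body[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return flags, ".".join(labels) + ("." if off < len(body) else "")


def encode_option81(flags, name):
    """Server reply: canonical wire encoding (E=1); the server sets RCODE1/RCODE2 to 255."""
    body = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    if name.endswith("."):
        body += b"\x00"
    return bytes([flags | FLAG_E, 255, 255]) + body


def choose_name(client_name, domain, fallback):
    """Naming policy (assumed for this example): a bare hostname is qualified with the
    server's domain; an FQDN is accepted only if it lies inside that domain; anything
    else (empty, bad labels, foreign zone) gets the server-generated fallback name."""
    labels = [l for l in client_name.lower().rstrip(".").split(".") if l]
    if not labels or not all(LABEL.match(l) for l in labels):
        return fallback + "." + domain
    name = ".".join(labels) + ("." if client_name.endswith(".") else "." + domain)
    return name if name.endswith("." + domain) else fallback + "." + domain


def decide(client_flags, name, ip, mode="server-updates-a"):
    """Who updates what. 'server-updates-a': the server owns A and PTR and sets O when it
    overrides a client that wanted to do A itself. 'client-updates-a': the client may do A
    (S=0) or ask the server to (S=1); N=1 means no updates at all. PTR is always the
    server's job because the network admin owns the reverse zone."""
    if mode != "server-updates-a" and client_flags & FLAG_N:
        return {"flags": FLAG_N, "name": name, "update_a": False, "update_ptr": False, "ptr": None}
    ptr = ipaddress.ip_address(ip).reverse_pointer + "."
    if mode == "server-updates-a":
        flags = FLAG_S | (0 if client_flags & FLAG_S else FLAG_O)
        return {"flags": flags, "name": name, "update_a": True, "update_ptr": True, "ptr": ptr}
    do_a = bool(client_flags & FLAG_S)
    return {"flags": FLAG_S if do_a else 0, "name": name, "update_a": do_a, "update_ptr": True, "ptr": ptr}


def handle_request(payload, ip, domain="widgets.example.com.", mode="server-updates-a"):
    """Full server-side path: decode -> naming policy -> update decision -> reply option."""
    flags, client_name = decode_option81(payload)
    fallback = "dhcp-" + ip.replace(".", "-").replace(":", "-")   # assumed fallback scheme
    decision = decide(flags, choose_name(client_name, domain, fallback), ip, mode)
    return decision, encode_option81(decision["flags"], decision["name"])


if __name__ == "__main__":
    # constructed request: E=1, S=0 (client wants to do the A update itself), partial name "bvolz"
    print(handle_request(bytes([FLAG_E, 0, 0]) + b"\x05bvolz", "192.0.2.10"))
```

The check in choose_name is the one that matters for the trust question raised on the PTR slide: the server cannot authenticate the client, but it can refuse to put a client-chosen name into a zone the client has no business in (a client sending www.example.com. gets a generated name instead). The O flag in the reply is how the server tells a client that asked to do its own A update that the server did it anyway.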


    Configuration of Host for DNS

    Obtaining pointers to the DNS service is almost as important to host operation as obtaining an IP address

    The DHCP service can be (and usually is) configured to pass information about DNS to the DHCP client via DHCP options

    Addresses of recursive servers (DHCPv4 option 6, DHCPv6 option 23)

    List of domain names for FQDN resolution (the domain search list, DHCPv4 option 119, DHCPv6 option 24)

    Neither option is authenticated: whichever DHCP server answers first on the link decides which resolvers the host will trust


    Dynamic Host Configuration Protocol (DHCP)

    DHCP Scale Considerations

    DHCP Reliability Considerations

    IPv6 and DHCP

    Domain Name System (DNS)

    DNS Deployment

    DNS Service Security

    Interaction Between DNS and DHCP

    NMS sessions offered (1 of 2)

    Session  Title

    Monday:

    BRKNMS-1204  Introduction to Network Performance Measurement with Cisco IOS IP Service Level Agent

    BRKNMS-2032  Rapid and Repeatable Service Delivery Through Automation

    BRKNMS-3021  Advanced Cisco IOS Device Instrumentation

    Tuesday:

    BRKNMS-1032  Network Management KPI's

    BRKNMS-1532  Introduction to Accounting Principles with NetFlow and NBAR

    BRKNMS-2010  Using a Network Hypervisor to Build Public and Private Clouds

    BRKNMS-2031  SYSLOG Design, Methodology and Best Practices

    BRKNMS-2035  Ten Cool LMS Tricks to Better Manage Your Network

    BRKNMS-2501  Enterprise QoS Deployment, Monitoring and Management

    NMS sessions offered (2 of 2)

    Session  Title

    Wednesday:

    BRKNMS-2031  SYSLOG Design, Methodology and Best Practices

    BRKNMS-1942  Managing Infrastructure as a Service (IaaS) for Cloud Environment

    BRKNMS-2499  Operating and Managing Converged Enterprise Architectures

    BRKNMS-3043  Advanced Performance Measurement for Critical IP Traffic with Cisco IOS IP Service Level Agreements

    BRKNMS-3132  Advanced NetFlow

    Thursday:

    BRKNMS-2006  Energy Management

    BRKNMS-2030  Onboard Automation with Cisco IOS Embedded Event Manager

    BRKNMS-2640  Advanced DHCP and DNS Deployments

    BRKNMS-2658  Securely Managing Your Networks and SNMPv3

    BRKNMS-1035  The NOC at CiscoLive


    Session Evaluation

    Receive 25 Cisco Preferred Access points for each session evaluation you complete.

    Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd.

    Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

    Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.

    http://www.ciscolivevirtual.com/

    Recommended Reading

    The DHCP Handbook

    Ralph Droms and Ted Lemon.

    Sams Publishing, 2002.

    ISBN: 978-0-672-32327-3

    Available Onsite at the Cisco Company Store


    Recommended Reading

    DNS and BIND

    Cricket Liu and Paul Albitz.

    O'Reilly.

    ISBN: 978-0-596-10057-5

    Available Onsite at the Cisco Company Store


    Recommended Reading

    IP Address Management: Principles and Practice

    by Timothy Rooney

    ISBN 978-0-470-58587-0

    http://www.amazon.com/Address-Management-Principles-Practice-Network/dp/0470585870/ref=sr_1_1?ie=UTF8&s=books&qid=1306371960&sr=1-1

    Introduction to IP Address Management

    by Timothy Rooney

    ISBN 978-0-470-58588-7

    http://www.amazon.com/Introduction-Address-Management-Press-Network/dp/0470585889/ref=sr_1_2?ie=UTF8&s=books&qid=1306371960&sr=1-2

    Thank you.


    Appendix A: Terminology, Acronyms, References


    Terminology

    Class: A field in a DNS Resource Record that specifies the protocol group (usually IN for Internet)

    DDNS: A method for dynamic updates to DNS data through DNS messages

    DHCP Server: Responds to DHCP messages; manages IP address assignment and reclamation; assigns configuration information to hosts

    DHCP Client: Initiates DHCP message exchanges; implemented on a host to obtain an IP address and other configuration information for the host

    DHCP Relay Agent: A function of a network element such as a router that forwards DHCP messages between clients and servers and may modify the messages on the way

    DHCPv6 PD: Prefix delegation for DHCPv6; an extension to DHCPv6 that allows a DHCPv6 server to delegate prefixes to requesting routers, which may in turn run DHCPv6 servers for their own links, thus forming a delegation hierarchy

    DNSSEC: A method for securing DNS RRs using public/private keys and a trust chain to authenticate the public key


    Domain: A subtree of the global DNS name space. Often used to refer to an organization's subtree, e.g., the MIT domain, the ISI.EDU domain, the root domain

    EDNS0: Updates to the DNS protocol, expanding several fields and allowing for longer UDP messages (RFC 2671)

    FQDN: Fully qualified domain name; the name of a node in the DNS name space

    Link: A communication facility or medium over which nodes can communicate at the link layer (RFC 2460)

    Name Server: A program that holds DNS data and answers queries

    ODAP: On Demand Address Pools; a Cisco IOS extension to DHCPv4 that lets a DHCP server obtain blocks of addresses from another DHCP server on demand, and return them when they are no longer used

    Prefix: A bit string that consists of some number of initial bits of an address (RFC 2461)

    Recursive Server: A program that accepts a DNS resolution request from a host and exchanges DNS protocol messages to complete the name resolution


    Resolver: A program that accepts DNS resolution requests from an application and initiates a DNS protocol message exchange

    Root Server: The name servers for the root of the DNS name space

    RR: Resource Record; the atomic unit of information in the domain system

    RRset: The set of all RRs associated with an FQDN and type

    SIG(0): A method for securing DNS message exchanges using public/private keys (not in common use)

    TLD: Top level domain; e.g., .com, .edu, .org, .uk

    TSIG: A method for securing DNS message exchanges using a shared secret or GSS-API

    TTL: Time-to-Live; a field in a DNS Resource Record that specifies how long a resolver may cache the RR before it discards it and asks a name server again

    Zone: A portion of the DNS name space that is managed as a unit


    DNS and the IETF

    DNS is a product of the IETF; specifications are published in RFCs

    Original specification: RFC 1034, RFC 1035

    DNS dynamic updates (DDNS): RFC 2136

    EDNS0: RFC 2671

    DNS security

    DNSSEC: RFC 4033, RFC 4034, RFC 4035, RFC 5155

    SIG(0): RFC 2931

    TSIG: RFC 2845

    The DNS extensions (dnsext) working group of the IETF continues to develop extensions to DNS

    The DNS operations (dnsop) working group develops guidelines for the operation of DNS software servers and the administration of DNS zones


    Significant Extensions

    Relay agent options (RFC 3046)

    DHCP message authentication (RFC 3118, RFC 4030)

    DHCP for IPv6 (RFC 3315) and DHCPv6 prefix delegation (RFC 3633)

    Many new options, and a redefinition of the option code space to allow for more DHCP options


    IETF Standards

    RFC 951 (Bootstrap Protocol)

    RFC 1048, 1395, 1497, 1542, 2132 (BOOTP Vendor Info)

    RFC 1534 (Interoperation Between DHCP and BOOTP)

    RFC 2131 (Dynamic Host Configuration Protocol)

    RFC 3004 (User Class Option for DHCP)

    RFC 3011 (IPv4 subnet selection)

    RFC 3046 (DHCP Relay Agent Information Option)

    RFC 3074 (DHCP Load Balancing)

    RFC 3256 (The DOCSIS Device Class DHCP Relay Agent Information Suboption)

    RFC 3442 (The Classless Static Route Option for Dynamic Host Configuration Protocol [DHCPv4])

    RFC 3495 (Dynamic Host Configuration Protocol (DHCP) Option for CableLabs Client)

    RFC 3527 (Link Selection Suboption for the Relay Agent Information Option for DHCPv4)

    RFC 3594 (PacketCable Security Ticket Control Suboption for the DHCP CableLabs Client Config [CCC])

    RFC 3315, 3633, 3736 (DHCP for IPv6, Prefix option, Stateless DHCP for IPv6)

    Appendix B: DHCP as an IP address management system


    IPv4 Address Management

    IPv4 address plan

    Start with the network link topology

    Estimate the number of hosts on each link

    Pick an IPv4 prefix length (subnet mask) that accommodates the expected hosts

    Assign IPv4 prefixes so that they aggregate

    A prefix can be split later when new links are added


    Sources of Information About Networks

    Network management tools should contain the IP addresses in use, observed or planned

    Router configurations provide

    Interfaces for the link topology

    Assigned networks and subnet masks

    Can be obtained with grep from saved Cisco IOS configurations (the first pattern picks out the "ip address" lines, the second keeps only those that carry an explicit mask):

    egrep '^[ \t]*ip address' *-confg | grep '255\.255'

    Can be queried using SNMP:

    snmpwalk {options} mib-2.ip.ipAddrTable

    Note that ipAddrTable only lists IPv4 addresses; the ipAddressTable of the IP-MIB (RFC 4293) covers both IPv4 and IPv6

    How Do You Count the Number Of Devices?

    Figure: a cloud of near-identical client hardware identifiers (00:fa:66:e1:2e:8b:12:aa repeated many times, next to variants such as 00:fa:66:ec:2e:8b:12:aa, 00:fa:66:e1:2e:8b:12:9a and f0:fa:66:e1:2e:8b:12:aa), illustrating how hard it is to count distinct devices from observed identifiers alone.


    Host Address Management

    Address assignment

    Manual

    Static, automatic, dynamic => DHCP

    Auto-configuration

    The DHCP service has to choose an address from the right prefix

    The address plan is configured into the DHCP server

    The DHCP server identifies the subnet to which the client is attached from giaddr and chooses an address from the prefix for that link

    The DHCP server uses Option 82 to identify the last-mile copper pair and decides the subnet for the customer

    Appendix C: DHCP Class of Service


    Examples of Class of Service

    Address leases: how long a set of clients should keep its addresses

    IP address ranges: from which lease pool to assign the clients' addresses, for example a walled garden

    DNS server addresses: where clients should direct their DNS queries

    DNS hostnames: what name to assign to clients

    Denial of service: whether unauthorized clients should be offered leases at all


    How the Client Is Classified

    MAC address

    Link (=subnet) to which client is attached

    Port to which client is attached

    Device type: PC, IP phone, cable modem

    Device status: unauthenticated/authenticated


    DHCP Relay: Centralized DHCP Service

    The DHCP client broadcasts a DHCPDISCOVER packet

    The relay agent on the router receives the message, fills in the giaddr field with the IP address of the router's receiving interface, and forwards it to the server

    The DHCP relay agent forwards (unicasts) the packet to multiple DHCP servers; the client will choose the best DHCPOFFER

    The DHCP server uses the giaddr field of the DHCP packet as an index into the network topology and selects an address from 192.168.1.0/24

    Figure: two client links, 192.168.1.0/24 (relay agent 192.168.1.1) and 192.168.2.0/24 (relay agent 192.168.2.1), plus a further relay agent at 192.168.50.1, all forwarding across the organization network to the DHCP server at 192.168.200.8; the forwarded DHCP packet carries the relay agent's interface address in GIADDR.


    Relay Agent Options

    The relay agent can attach additional information to a DHCP message in the relay agent information option (Option 82)

    Originally defined in RFC 3046 for cable broadband access

    The option encodes information about the source of the DHCPDISCOVER or DHCPREQUEST message (e.g., circuit-id and remote-id sub-options)

    The server echoes the option back unchanged; the relay agent uses it to forward the reply to the right client (e.g., the cable modem) and strips it before delivery

    Additional relay agent sub-options encode information such as the DOCSIS device class or the subnet to use for address assignment (link selection, RFC 3527)

    The option is only trustworthy when it was inserted by a relay you control: clients can send Option 82 themselves, so relays should drop client packets that already carry it and servers should ignore it when giaddr is zero
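The slides on host address management, centralized relay and relay agent options (and the class-of-service appendix) describe how a server maps giaddr and Option 82 to a pool. The following is an added example, not code from the presentation or from any DHCP server product, of that selection logic: it parses Option 82 sub-options, prefers an RFC 3527 link-selection sub-option over giaddr, honours a per-circuit-id pool (the walled-garden class of service), and refuses the two spoofing cases, a giaddr from an unknown relay and Option 82 on a packet that was not relayed. The topology, pool ranges, trusted-relay list and the "quarantine" circuit-id are constructed for the example and would come from the server's configuration in practice.

```python
"""Pool selection from giaddr (RFC 2131) and Option 82 (RFC 3046 / RFC 3527) on a DHCPv4 server."""
import ipaddress

TRUSTED_RELAYS = {"192.168.1.1", "192.168.2.1", "192.168.50.1"}   # relays whose giaddr/Option 82 we accept
SERVER_IF = "192.168.200.8"                                        # address of the receiving interface
POOLS = [
    {"link": "192.168.1.0/24", "range": ("192.168.1.100", "192.168.1.199"), "circuit_id": None},
    {"link": "192.168.2.0/24", "range": ("192.168.2.100", "192.168.2.199"), "circuit_id": None},
    # class of service: clients on a quarantine port (named by circuit-id) get the walled garden
    {"link": "192.168.2.0/24", "range": ("192.168.2.240", "192.168.2.250"), "circuit_id": b"quarantine"},
]
SUB_CIRCUIT_ID, SUB_REMOTE_ID, SUB_LINK_SELECTION = 1, 2, 5


def parse_option82(data):
    """Split the Relay Agent Information option into {sub-option code: value}."""
    subs, off = {}, 0
    while off < len(data):
        if off + 2 > len(data) or off + 2 + data[off + 1] > len(data):
            raise ValueError("truncated Option 82 sub-option")
        code, length = data[off], data[off + 1]
        subs[code] = data[off + 2:off + 2 + length]
        off += 2 + length
    return subs


def client_link(giaddr, relay_src, opt82):
    """Return (address identifying the client's link, trusted Option 82 sub-options).
    giaddr 0.0.0.0 means the client is on one of our own links, so any Option 82 can only
    have been inserted by the client itself and is discarded. A non-zero giaddr from a
    source that is not a known relay is refused outright: a spoofed giaddr is an easy way
    to probe, or exhaust, every pool on the server."""
    if giaddr == "0.0.0.0":
        return SERVER_IF, {}
    if relay_src not in TRUSTED_RELAYS:
        return None, {}
    subs = parse_option82(opt82) if opt82 else {}
    link_sel = subs.get(SUB_LINK_SELECTION)
    if link_sel is not None and len(link_sel) == 4:      # RFC 3527: relay names the client's subnet
        return str(ipaddress.IPv4Address(link_sel)), subs
    return giaddr, subs


def select_address(giaddr, relay_src, opt82, leased):
    """Pick a free address from the pool for the client's link; a pool bound to the client's
    circuit-id takes precedence over the link's default pool. None if refused or exhausted."""
    link, subs = client_link(giaddr, relay_src, opt82)
    if link is None:
        return None
    on_link = [p for p in POOLS if ipaddress.ip_address(link) in ipaddress.ip_network(p["link"])]
    circuit = subs.get(SUB_CIRCUIT_ID)
    pools = ([p for p in on_link if p["circuit_id"] == circuit]
             or [p for p in on_link if p["circuit_id"] is None])
    for pool in pools:
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in pool["range"])
        for n in range(lo, hi + 1):
            addr = str(ipaddress.IPv4Address(n))
            if addr not in leased:
                leased.add(addr)
                return addr
    return None


if __name__ == "__main__":
    leases = set()
    print(select_address("192.168.1.1", "192.168.1.1", b"", leases))               # 192.168.1.100
    print(select_address("192.168.50.1", "192.168.50.1", b"\x05\x04\xc0\xa8\x02\x01", leases))  # link selection
```

The relay at 192.168.50.1 has no pool of its own in this configuration; it reaches the 192.168.2.0/24 pool only through the link-selection sub-option, which is exactly the "relay names the subnet" case the slides mention. The lease set is a stand-in for the server's lease database.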

    DHCP Relay Options

    Figure: the DHCP request leaves the client as a plain DHCP Request; the relay agent adds Option 82 and fills in GIADDR before forwarding copies to the DHCP servers at 192.168.1.5 and 192.168.2.5.


    Visit the Cisco Store for Related Titles

    http://theciscostore.com/

    Thank you.