dns dhcp ip address management
play

DNS, DHCP, IP address management KILIAN KRAUSE - PowerPoint PPT Presentation

Jun 08, 2023 •1.21k likes •1.48k views

Universitt Stuttgart Computing center DDI + IPAM @ Uni Stuttgart DNS, DHCP, IP address management KILIAN KRAUSE krause@tik.uni-stuttgart.de SIG NOC #1 TIK/NKS, 2015-04-08 page 1 Universitt Stuttgart Computing center AGENDA 1.

  1. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart DNS, DHCP, IP address management KILIAN KRAUSE krause@tik.uni-stuttgart.de SIG NOC #1 TIK/NKS, 2015-04-08 page 1

  2. Universität Stuttgart Computing center AGENDA 1. Motivation 2. Architecture DDI Uni Stuttgart DDI + IPAM @ Uni Stuttgart 3. Above the average... 4. Security & Orchestration What‘s next? 5. TIK/NKS, 2015-04-08 page 2

  3. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart fn100525 fn100525 MOTIVATION TIK/NKS, 2015-04-08 page 3

  4. Universität Stuttgart Computing center MOTIVATION  Mostly manual DNS config  Move to automated setup DDI + IPAM @ Uni Stuttgart  DHCP config by hand, no client self-service  IPv6 not integrated  single pane of glass for all network services DHCP/DNS/rDNS  Few workflow scripting / only partial monitoring  Move to database system and roll out systematic monitoring  Add admin self service, delegation (web frontend)  Hardware refresh  From heterogeneous to homogenous  Add DNSSEC TIK/NKS, 2015-04-08 page 4

  5. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart fn100525 fn100525 ARCHITECTURE TIK/NKS, 2015-04-08 page 8

  6. Universität Stuttgart Computing center BASIC DESIGN LAYOUT DDI + IPAM @ Uni Stuttgart Simple Network Interruption Protocol TIK/NKS, 2015-04-08 page 10

  7. Universität Stuttgart Computing center BLUECAT KEY FEATURES  IP blocks (e.g. static routes or aggregates)  IP networks (access subnet/SVI) DDI + IPAM @ Uni Stuttgart  DNS/rDNS automagically synchronized  DHCP and DNS from same database  Web frontend with DHCP range utilization view  Custom user defined fields (shared for multi-tenant!) per object  Authentication integration with LDAP (e.g. AD), Kerberos, RADIUS and TACACS+  Automatic network discovery and reconciliation  Centralized management  Templating and workflow support  Access right delegation TIK/NKS, 2015-04-08 page 11

  8. Universität Stuttgart Computing center REDUNDANCY / HA  Proteus (BAM) virtualized  No extra XHA config and licenses DDI + IPAM @ Uni Stuttgart  Adonis (DHCP only)  No XHA but master/slave for DHCPv4  works ok!  No Master/Slave für DHCPv6  not even stateless!  Adonis (DNS hidden master)  No XHA, since only „ zone file generator “  Runs as a VM -> fast recovery  Public DNS slaves and campus DNS recursive resolvers highly redundant on generic servers BUT: DNSSEC! TIK/NKS, 2015-04-08 page 14

  9. Universität Stuttgart Computing center DATA IMPORT  XML (BluePrint)  CSV DDI + IPAM @ Uni Stuttgart  Script/API (Perl, Java)  manual TIK/NKS, 2015-04-08 page 15

  10. Universität Stuttgart Computing center ADDRESSING SCHEME IPv6  Historically independent of IPv4 and network  New scheme based on distribution area and vlan ID DDI + IPAM @ Uni Stuttgart  Renumbering not yet neccessary  Fully automated workflow possible!  Network objects in BAM are still independent!  right delegation duplicated and potentially inconsistent  Vlan database still not in BAM  needs monitoring! TIK/NKS, 2015-04-08 page 16

  11. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart fn100525 fn100525 ABOVE THE AVERAGE TIK/NKS, 2015-04-08 page 31

  12. Universität Stuttgart Computing center ABOVE THE AVERAGE  DNSSEC with pre-defined policy a „ one click shop “  KSK rollover happens without DS-check! DDI + IPAM @ Uni Stuttgart  Monitoring based on database definitions (scripted via API)  SOA  WHOIS  DNSSEC  Anycast (also possible with Adonis if used as recursor)  on our recursors for both IPv4 and IPv6  Quagga (or bird, xorp) TIK/NKS, 2015-04-08 page 32

  13. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart fn100525 fn100525 SECURITY & ORCHESTRATION TIK/NKS, 2015-04-08 page 33

  14. Universität Stuttgart Computing center SECURITY  Segmentation by architecture  Database backend DDI + IPAM @ Uni Stuttgart  DNS hidden master  public servers  DMZ architecture (only required services permitted)  Rate-Limiting currently not required  Local server firewall might rate filter  No official distro package for rate limiting DNS server  No DNS filtering / manipulation (DNS64/NAT64)  No (more) public recursive resolvers  DNSSEC is said to raise amplification attack vector  BUT: EDNS usually combined with TCP!  so far not a problem for us TIK/NKS, 2015-04-08 page 34

  15. Universität Stuttgart Computing center ORCHESTRATION  Proteus / BAM offers workflows internally  UI sometimes too overwhelming for newbies DDI + IPAM @ Uni Stuttgart  BlueCat offers TRITON as a workflow engine  Web service  Drag and drop customization  Third party APIs (SQL, LDAP etc.)  Custom API programming with SOAP  Future version shall bring REST TIK/NKS, 2015-04-08 page 35

  16. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart fn100525 fn100525 WHAT‘S NEXT TIK/NKS, 2015-04-08 page 43

  17. Universität Stuttgart Computing center WHAT‘S NEXT  Further integration with database  Monitoring (e.g. routing, firewalling) DDI + IPAM @ Uni Stuttgart  Establish deployment procedures around database(s)  Rolling out new subnets (dual-stack)  Self service for network features? Like:  Activate/remove DHCPv4 from my Vlan  Dual stack my Vlan / remove IPv4  ACL self-service  Cloud automation (VM lifecycle)  … TIK/NKS, 2015-04-08 page 44

  18. Universität Stuttgart Computing center WHAT IPAM IS NOT  Endpoint assessment  Not even (passive) DHCP fingerprinting or SoH DDI + IPAM @ Uni Stuttgart  Can do custom DHCP vendor options based on match clauses  Threat protection (endpoint, DDoS, DHCP exhaustion)  Device registration portal (related product)  Captive portal  NAT gateway (e.g. NAT64)  Certificate authority (for device authorization/tracking etc.)  Policy framework  No RFC3118 support in Adonis  Network management (only network _address_ management!)  Wireless LAN management controller TIK/NKS, 2015-04-08 page 45

  19. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart fn100525 fn100525 SUMMARY TIK/NKS, 2015-04-08 page 48

  20. Universität Stuttgart Computing center SUMMARY  Works as designed!  DNS/rDNS synchronized DDI + IPAM @ Uni Stuttgart  DHCPv4 and stateless DHCPv6 deployed with central config  IPv6 available for all networks  DNSSEC running stable  Common web UI for all NOC and campus admins  Robust architecture according to latest standards TIK/NKS, 2015-04-08 page 49

  21. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart fn100525 fn100525 QUESTIONS? TIK/NKS, 2015-04-08 page 50

  22. Universität Stuttgart Computing center DDI + IPAM @ Uni Stuttgart THANKS fn100525 fn100525 … more questions later? Find me around here or email us: noc@tik.uni-stuttgart.de TIK/NKS, 2015-04-08 page 51

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DHCP Rework in Bro 2.6 Seth Hall Corelight Why Tackled? Why Tackled? Log wasnt great.

DHCP Rework in Bro 2.6 Seth Hall Corelight Why Tackled? Why Tackled? Log wasnt great.

DHCP Rework in Bro 2.6 Seth Hall Corelight Why Tackled? Why Tackled? Log wasnt great. Purely based on DHCP ACK messages. No tie together between assigned IP address and MAC address. Load balancing issues Mix of broadcast

626 views • 14 slides
DHCP (RFC 2131) Deliver host-specific configuration parameters from DHCP server to host.

DHCP (RFC 2131) Deliver host-specific configuration parameters from DHCP server to host.

DHCP (RFC 2131) Deliver host-specific configuration parameters from DHCP server to host. Allocate network address to nodes: Automatic allocation: permanent assignment. Dynamic allocation: for a limited period of time. Manual

387 views • 9 slides
Stanford NetDB- An Open Source Network Management Application for DNS, DHCP, IP Address Spaces,

Stanford NetDB- An Open Source Network Management Application for DNS, DHCP, IP Address Spaces,

Stanford NetDB- An Open Source Network Management Application for DNS, DHCP, IP Address Spaces, etc. http://stanfordnetdb.stanford.edu Sunia Yang sunia@stanford.edu Rob Riepel riepel@stanford.edu Stanford University

534 views • 28 slides
BootP and DHCP Flexible and Scalable Host Configuration 2005/03/11 (C) Herbert Haas

BootP and DHCP Flexible and Scalable Host Configuration 2005/03/11 (C) Herbert Haas

BootP and DHCP Flexible and Scalable Host Configuration 2005/03/11 (C) Herbert Haas Shortcomings of RARP Reverse Address Resolution Protocol Only IP Address distribution No subnet mask Using hardware address for identification

443 views • 29 slides
RouterLab LabCourse SoSe 2016 Worksheet 3: Access Networks with DHCP and IPv6 Stateless Address

RouterLab LabCourse SoSe 2016 Worksheet 3: Access Networks with DHCP and IPv6 Stateless Address

RouterLab LabCourse SoSe 2016 Worksheet 3: Access Networks with DHCP and IPv6 Stateless Address Auto Configuration Prof. Anja Feldmann, Philipp S. Tiesel, Thorben Krger, Apoorv Shukla IPv6 Scoped Address Architecture IPv6 addresses have

679 views • 19 slides
iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 6 14ws 1 Outline IPv4 Address Allocation NAT DHCP 2 Outline IPv4

543 views • 29 slides
How Dynamic is the ISPs Address Space? Towards Internet-Wide DHCP Churn Estimation Giovane C. M.

How Dynamic is the ISPs Address Space? Towards Internet-Wide DHCP Churn Estimation Giovane C. M.

How Dynamic is the ISPs Address Space? Towards Internet-Wide DHCP Churn Estimation Giovane C. M. Moura , Carlos Gan, Qasim Lone, Payam Poursaied, Hadi Asghari, and Michel van Eeten

92 views • 6 slides
Summary Chapter 4 q IP Addressing v Network prefixes and Subnets v IP datagram format q DHCP

Summary Chapter 4 q IP Addressing v Network prefixes and Subnets v IP datagram format q DHCP

Smith College, CSC 249 March 2, 2018 1 Summary Chapter 4 q IP Addressing v Network prefixes and Subnets v IP datagram format q DHCP dynamic addressing v Obtain: own IP address Subnet mask, DNS server & first-hop v router IP address q

205 views • 20 slides
... sclass1 sclass10 Net-linux Net-linux DHCP DHCP The lab has 10 dell systems. Each dell

... sclass1 sclass10 Net-linux Net-linux DHCP DHCP The lab has 10 dell systems. Each dell

Notes on Running Dsniff and the Lab Network Environment Cyber Security Lab 2/16/10 1 General Overview 1.1 Initial machine configuration Outside World DMZ Management 192.168.50.50 192.168.50.60 Dmz 192.168.50.0/24 FW1 Outside =

182 views • 4 slides
DHCP Relay agent Request from Multi Address Pool (draft-zi-dhc-agent-request-multi-pool-00.txt)

DHCP Relay agent Request from Multi Address Pool (draft-zi-dhc-agent-request-multi-pool-00.txt)

DHCP Relay agent Request from Multi Address Pool (draft-zi-dhc-agent-request-multi-pool-00.txt) IETF 64 Author: Zi Kang zikang@huwei.com Presentation: Li Guanfeng liguanfeng@huawei.com Motivation In some applications there is a need for

127 views • 12 slides
iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 6 16ss 1 / 34 Motivation: IPv4 Address Scarcity source:

784 views • 54 slides
P Starting at address 0, going to address MAX prog 0 But where do addresses come from? MOV

P Starting at address 0, going to address MAX prog 0 But where do addresses come from? MOV

Memory Management Basics 1 Basic Memory Management Concepts Address spaces MAX sys Physical address space The address space supported by the hardware Starting at address 0, going to address MAX sys MAX prog Logical/virtual address space

448 views • 22 slides
DHCP EAP Analysis or wheres my pony? Protocol overview

DHCP EAP Analysis or wheres my pony? Protocol overview

DHCP EAP Analysis or wheres my pony? Protocol overview EAP Encapsulated in DHCP Protocol DHCP protocol starts normally Relay (proxy)

881 views • 12 slides
iLab NAT / DHCP Florian Wohlfart Minoo Rouhi lastname @in.tum.de Chair of Network Architectures

iLab NAT / DHCP Florian Wohlfart Minoo Rouhi lastname @in.tum.de Chair of Network Architectures

iLab NAT / DHCP Florian Wohlfart Minoo Rouhi lastname @in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 6 17ws 1 / 39 Outline Meta IPv4 Address Scarcity NAT IPv6

957 views • 59 slides
Naming DNS & DHCP Naming IP addresses allow global connectivity But theyre pretty

Naming DNS & DHCP Naming IP addresses allow global connectivity But theyre pretty

This time Digging into Networking Protocols Naming DNS & DHCP Naming IP addresses allow global connectivity But theyre pretty useless for humans! Cant be expected to pick their own IP address Cant be expected to

1.05k views • 80 slides
Kea An Open-Source DHCP Server Stephen Morris Internet Systems Consortium stephen@isc.org ISC

Kea An Open-Source DHCP Server Stephen Morris Internet Systems Consortium stephen@isc.org ISC

Kea An Open-Source DHCP Server Stephen Morris Internet Systems Consortium stephen@isc.org ISC DHCP Open-Source First version released in 1997 Default DHCP software in many distributions Server/relay/client for IPv4 & IPv6

303 views • 13 slides
User Perceptions of Do Not Track Aleecia M. McDonald aleecia @ aleecia.com

User Perceptions of Do Not Track Aleecia M. McDonald aleecia @ aleecia.com

User Perceptions of Do Not Track Aleecia M. McDonald aleecia @ aleecia.com http://www.aleecia.com Online User Study of Expectations for Do Not Track Mechanical Turk online study currently running - Multiple preliminary pilot studies -

266 views • 8 slides
Networking Friday Four Square! Outside Gates, 4:15PM Computer Networks Computer networks

Networking Friday Four Square! Outside Gates, 4:15PM Computer Networks Computer networks

Networking Friday Four Square! Outside Gates, 4:15PM Computer Networks Computer networks allow us to get amazing things done. Sharing knowledge (Wikipedia, Khan Academy, etc.) Solving huge problems (folding@home, SETI, etc.)

714 views • 42 slides
Port Restricted IP Address Assignment draft-bajko-v6ops-port-restricted-ipaddr-assign Gabor

Port Restricted IP Address Assignment draft-bajko-v6ops-port-restricted-ipaddr-assign Gabor

Port Restricted IP Address Assignment draft-bajko-v6ops-port-restricted-ipaddr-assign Gabor Bajko (Nokia) Teemu Savolainen (Nokia) Softwires WG meeting @ IETF#73 1 Intended usage scenarios Managed and tightly controlled networks

371 views • 11 slides
Routerlab: Tunneling Thorben Kr uger original slides by Philipp S. Tiesel and Franziska

Routerlab: Tunneling Thorben Kr uger original slides by Philipp S. Tiesel and Franziska

Overview L2/L3/L4 VPN Other tunneling technologies Routerlab: Tunneling Thorben Kr uger original slides by Philipp S. Tiesel and Franziska Lichtblau June 1, 2016 1 / 27 Overview L2/L3/L4 VPN Other tunneling technologies Overview 1

663 views • 27 slides
Privacy (Section 7.2.5 on Privacy Attacks) sws2 1 [Peter Steiner,1993] 2 myth

Privacy (Section 7.2.5 on Privacy Attacks) sws2 1 [Peter Steiner,1993] 2 myth

Software and Web Security 2 More attacks on Clients: More attacks on Clients: Privacy (Section 7.2.5 on Privacy Attacks) sws2 1 [Peter Steiner,1993] 2 myth reality y y Welcome user29. (IP address: (IP address:

691 views • 50 slides
Characterizing Global Web Censorship: Why is it so hard? Phillipa Gill The Citizen Lab/Stony

Characterizing Global Web Censorship: Why is it so hard? Phillipa Gill The Citizen Lab/Stony

Workshop on Active Internet Measurements CAIDA Feb. 8, 2012 Characterizing Global Web Censorship: Why is it so hard? Phillipa Gill The Citizen Lab/Stony Brook University Work done in collaboration with: Masashi Crete Nishihata, Jakub Dalek,

411 views • 39 slides
Networking Exercise Currently: 10.42.X.X pfSense: 10.42.X.1 Linux Server: 10.42.X.3

Networking Exercise Currently: 10.42.X.X pfSense: 10.42.X.1 Linux Server: 10.42.X.3

Networking Exercise Currently: 10.42.X.X pfSense: 10.42.X.1 Linux Server: 10.42.X.3 Ubuntu ClientA: 10.42.X.2 10.42.X.110 Ubuntu ClientB: 10.42.X.2 10.42.X.111 Windows Server: 10.42.X.4 Windows ClientA:

498 views • 39 slides
Your state is not mine: a closer look at evading stateful internet censorship Zhongjie Wang, Yue

Your state is not mine: a closer look at evading stateful internet censorship Zhongjie Wang, Yue

Your state is not mine: a closer look at evading stateful internet censorship Zhongjie Wang, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth V Krishnamurthy University of California, Riverside Background The Great Fire Wall (GFW) A

322 views • 28 slides

More recommend