SLIDE 1
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 1
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 2
DNS, DHCP, IP address management KILIAN KRAUSE - - PowerPoint PPT Presentation
DNS, DHCP, IP address management KILIAN KRAUSE - - PowerPoint PPT Presentation
Universitt Stuttgart Computing center DDI + IPAM @ Uni Stuttgart DNS, DHCP, IP address management KILIAN KRAUSE krause@tik.uni-stuttgart.de SIG NOC #1 TIK/NKS, 2015-04-08 page 1 Universitt Stuttgart Computing center AGENDA 1.
SLIDE 2
SLIDE 3
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 3
DDI + IPAM @ Uni Stuttgart
MOTIVATION
fn100525 fn100525
SLIDE 4
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 4
DDI + IPAM @ Uni Stuttgart MOTIVATION
- Mostly manual DNS config
- Move to automated setup
- DHCP config by hand, no client self-service
- IPv6 not integrated
- single pane of glass for all network services DHCP/DNS/rDNS
- Few workflow scripting / only partial monitoring
- Move to database system and roll out systematic monitoring
- Add admin self service, delegation (web frontend)
- Hardware refresh
- From heterogeneous to homogenous
- Add DNSSEC
SLIDE 5
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 8
DDI + IPAM @ Uni Stuttgart
ARCHITECTURE
fn100525 fn100525
SLIDE 6
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 10
DDI + IPAM @ Uni Stuttgart BASIC DESIGN LAYOUT Simple Network Interruption Protocol
SLIDE 7
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 11
DDI + IPAM @ Uni Stuttgart BLUECAT KEY FEATURES
- IP blocks (e.g. static routes or aggregates)
- IP networks (access subnet/SVI)
- DNS/rDNS automagically synchronized
- DHCP and DNS from same database
- Web frontend with DHCP range utilization view
- Custom user defined fields (shared for multi-tenant!) per object
- Authentication integration with LDAP (e.g. AD), Kerberos,
RADIUS and TACACS+
- Automatic network discovery and reconciliation
- Centralized management
- Templating and workflow support
- Access right delegation
SLIDE 8
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 14
DDI + IPAM @ Uni Stuttgart REDUNDANCY / HA
- Proteus (BAM) virtualized
- No extra XHA config and licenses
- Adonis (DHCP only)
- No XHA but master/slave for DHCPv4 works ok!
- No Master/Slave für DHCPv6 not even stateless!
- Adonis (DNS hidden master)
- No XHA, since only „zone file generator“
- Runs as a VM -> fast recovery
- Public DNS slaves and campus DNS recursive resolvers highly
redundant on generic servers
BUT: DNSSEC!
SLIDE 9
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 15
DDI + IPAM @ Uni Stuttgart DATA IMPORT
- XML (BluePrint)
- CSV
- Script/API (Perl, Java)
- manual
SLIDE 10
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 16
DDI + IPAM @ Uni Stuttgart ADDRESSING SCHEME IPv6
- Historically independent of IPv4 and network
- New scheme based on distribution area and vlan ID
- Renumbering not yet neccessary
- Fully automated workflow possible!
- Network objects in BAM are still independent!
right delegation duplicated and potentially inconsistent
- Vlan database still not in BAM
needs monitoring!
SLIDE 11
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 31
DDI + IPAM @ Uni Stuttgart
ABOVE THE AVERAGE
fn100525 fn100525
SLIDE 12
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 32
DDI + IPAM @ Uni Stuttgart ABOVE THE AVERAGE
- DNSSEC with pre-defined policy a „one click shop“
- KSK rollover happens without DS-check!
- Monitoring based on database definitions (scripted via API)
- SOA
- WHOIS
- DNSSEC
- Anycast (also possible with Adonis if used as recursor)
on our recursors for both IPv4 and IPv6
- Quagga (or bird, xorp)
SLIDE 13
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 33
DDI + IPAM @ Uni Stuttgart
SECURITY & ORCHESTRATION
fn100525 fn100525
SLIDE 14
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 34
DDI + IPAM @ Uni Stuttgart SECURITY
- Segmentation by architecture
- Database backend
- DNS hidden master public servers
- DMZ architecture (only required services permitted)
- Rate-Limiting currently not required
- Local server firewall might rate filter
- No official distro package for rate limiting DNS server
- No DNS filtering / manipulation (DNS64/NAT64)
- No (more) public recursive resolvers
- DNSSEC is said to raise amplification attack vector
BUT: EDNS usually combined with TCP! so far not a problem for us
SLIDE 15
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 35
DDI + IPAM @ Uni Stuttgart ORCHESTRATION
- Proteus / BAM offers workflows internally
- UI sometimes too overwhelming for newbies
- BlueCat offers TRITON as a workflow engine
- Web service
- Drag and drop customization
- Third party APIs (SQL, LDAP etc.)
- Custom API programming with SOAP
- Future version shall bring REST
SLIDE 16
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 43
DDI + IPAM @ Uni Stuttgart
WHAT‘S NEXT
fn100525 fn100525
SLIDE 17
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 44
DDI + IPAM @ Uni Stuttgart WHAT‘S NEXT
- Further integration with database
- Monitoring (e.g. routing, firewalling)
- Establish deployment procedures around database(s)
- Rolling out new subnets (dual-stack)
- Self service for network features? Like:
- Activate/remove DHCPv4 from my Vlan
- Dual stack my Vlan / remove IPv4
- ACL self-service
- Cloud automation (VM lifecycle)
- …
SLIDE 18
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 45
DDI + IPAM @ Uni Stuttgart WHAT IPAM IS NOT
- Endpoint assessment
- Not even (passive) DHCP fingerprinting or SoH
- Can do custom DHCP vendor options based on match clauses
- Threat protection (endpoint, DDoS, DHCP exhaustion)
- Device registration portal (related product)
- Captive portal
- NAT gateway (e.g. NAT64)
- Certificate authority (for device authorization/tracking etc.)
- Policy framework
- No RFC3118 support in Adonis
- Network management (only network _address_ management!)
- Wireless LAN management controller
SLIDE 19
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 48
DDI + IPAM @ Uni Stuttgart
SUMMARY
fn100525 fn100525
SLIDE 20
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 49
DDI + IPAM @ Uni Stuttgart SUMMARY
- Works as designed!
- DNS/rDNS synchronized
- DHCPv4 and stateless DHCPv6 deployed with central config
- IPv6 available for all networks
- DNSSEC running stable
- Common web UI for all NOC and campus admins
- Robust architecture according to latest standards
SLIDE 21
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 50
DDI + IPAM @ Uni Stuttgart
QUESTIONS?
fn100525 fn100525
SLIDE 22
Computing center
Universität Stuttgart
TIK/NKS, 2015-04-08 page 51