ISBN-13: 9781119692270 / English / Hardcover / 2021 / 640 pp.
Preface; Acknowledgments; About the Authors

Part I IPAM Introduction

1 Introduction
IP Networking Overview; IP Routing; IP Addresses; Protocol Layering; OSI and TCP/IP Layers; TCP/UDP Ports; Intra-Link Communications; Are We on the Same Link?; Limiting Broadcast Domains; Interlink Communications; Worldwide IP Communications; Dynamic Routing; Routers and Subnets; Assigning IP addresses; The Human Element; Why Manage IP Space?; Basic IPAM Approaches; Early History; Today's IP Networks and IP Management Challenges

2 IP Addressing
Internet Protocol History; The Internet Protocol, Take 1; Class-Based Addressing; Internet Growing Pains; Private Address Space; Classless Addressing; Special Use IPv4 Addresses; The Internet Protocol, Take 2; IPv6 Address Types and Structure; IPv6 Address Notation; Address Structure; IPv6 Address Allocations; 2000::/3 - Global Unicast Address Space; fc00::/7 - Unique Local Address Space; fe80::/10 - Link Local Address Space; ff00::/8 - Multicast Address Space; Special Use IPv6 Addresses; IPv4-IPv6 Coexistence

3 IP Address Assignment
Address Planning; Regional Internet Registries; RIR Address Allocation; Address Allocation Efficiency; Multi-Homing and IP Address Space; Endpoint Address Allocation; Server-based Address Allocation Using DHCP; DHCP Servers and Address Assignment; Device Identification by Class; DHCP Options; DHCP for IPv6 (DHCPv6); DHCP Comparison IPv4 vs. IPv6; DHCPv6 Address Assignment; DHCPv6 Prefix Delegation; Device Unique Identifiers (DUIDs); Identity Associations (IAs); DHCPv6 Options; IPv6 Address Autoconfiguration; Neighbor Discovery; Modified EUI-64 Interface Identifiers; Opaque Interface IDs; Reserved Interface IDs; Duplicate Address Detection (DAD)

4 Navigating the Internet with DNS
Domain Hierarchy; Name Resolution; Resource Records; Zones and Domains; Dissemination of Zone Information; Reverse Domains; IPv6 Reverse Domains; Additional Zones; Root Hints; Localhost Zones; DNS Update

5 IPAM Technology Applications
DHCP Applications; Device Type Specific Configuration; Broadband Subscriber Provisioning; Related Lease Assignment or Limitation Applications; Pre-Boot Execution Environment (PXE) clients; PPP/RADIUS Environments; Mobile IP; Popular DNS Applications; Host Name and IP Address Resolution; A - IPv4 Address Record; AAAA - IPv6 address record; PTR - Pointer Record; Alias Host Name Resolutions; CNAME - Canonical Name Record; Network Services Location; SRV - Services Location Record; Textual Information Lookup; TXT - Text Record; Many More Applications

Part II IPAM Mechanics

6 IP Management Core Tasks
IPAM Is Foundational; Impacts of Inadequate IPAM Practice; IPAM Is Core to Network Management; FCAPS Summary; Configuration Management; Address Allocation Considerations; Address Allocation Tasks; IP Address Assignment; Address Deletion Tasks; Address Renumbering or Movement Tasks; Network Services Configuration; Fault Management; Monitoring and Fault Detection; Troubleshooting and Fault Resolution; Accounting Management; Inventory Assurance; Performance Management; Services Monitoring; Address Capacity Management; Auditing and Reporting; Security Management; ITIL® Process Mappings; ITIL Practice Areas; Conclusion

7 IPv6 Deployment
IPv6 Deployment Process Overview; IPv6 Address Plan Objectives; IPv6 Address Plan Examples; Case 1; Observations; Case 2; Observations; General IPv6 Address Plan Guidelines; ULA Considerations; Renumbering Impacts; IPv4-IPv6 Coexistence Technologies; Dual Stack Approach; Dual Stack Deployment; DNS Considerations; DHCP Considerations; Tunneling Approaches; Tunneling Scenarios for IPv6 Packets over IPv4 Networks; Dual-Stack Lite; Lightweight 4over6; Mapping of Address and Port with Encapsulation (MAP-E); Additional Tunneling Approaches; Translation Approaches; IP/ICMP Translation; Address Translation; Packet Fragmentation Considerations; IP Header Translation Algorithm; Bump in the Host (BIH); Network Address Translation for IPv6-IPv4 (NAT64); NAT64 and DNS64; 464XLAT; Mapping of Address and Port with Translation (MAP-T); Other Translation Techniques; Planning Your IPv6 Deployment Process

8 IPAM for the Internet of Things
IoT Architectures; 6LoWPAN; Summary

9 IPAM in the Cloud
IPAM VNFs; Cloud IPAM Concepts; IP Initialization Process; IP Initialization Implementation; DHCP Method; Private Cloud Static Method; Public Cloud Static Method; Cloud Automation with APIs; Multi-Cloud IPAM; Private Cloud Automation; Public Cloud Automation; IPAM Automation Benefits; Unifying IPAM Automation; Streamlined Subnet Allocation Workflow; Workflow Realization; Tips for Defining Workflows; Automation Scenarios; Intra-IPAM Automation; DHCP Server Configuration; DNS Server Configuration; Subnet Assignment; IP Address Assignment Request; Extra-IPAM Workflow Examples; Regional Internet Registry Reporting; Router Configuration Provisioning; Customer Provisioning; Asset Inventory Integration; Trouble Ticket Creation; Summary

Part III IPAM and Security

10 IPAM Services Security
Securing DHCP; DHCP Service Availability; DHCP Server/OS Attacks; DHCP Server/OS Attack Mitigation; DHCP Service Threats; DHCP Threat Mitigation; DHCP Authentication and Encryption; DNS Infrastructure Risks and Attacks; DNS Service Availability; DNS Server/OS Attacks; DNS Server/OS Attack Mitigation; DNS Service Denial; Distributed Denial of Service; Bogus Domain Queries; Pseudorandom Subdomain Attacks; Denial of Service Mitigation; Reflector Style Attacks; Reflector Attack Mitigation; Authoritative Poisoning; Authoritative Poisoning Mitigation; Resolver Redirection Attacks; Resolver Attack Defenses; Securing DNS Transactions; Cache Poisoning Style Attacks; Cache Poisoning Mitigation; DNSSEC Overview; The DNSSEC Resolution Process; Negative Trust Anchors; DNSSEC Deployment; Last Mile Protection; DNS Cookies; DNS Encryption; DNS Over TLS (DoT); DNS Over HTTPS (DoH); Encryption Beyond the Last Mile

11 IPAM and Network Security
Securing Network Access; Discriminatory Address Assignment with DHCP; DHCP Lease Query; Alternative Access Control Approaches; Layer 2 Switch Alerting; 802.1X; Securing the Network Using IPAM; IP-Based Security Policies (ACLs, etc.); Malware Detection Using DNS; Malware Proliferation Techniques; Phishing; Spear Phishing; Software Downloads; File Sharing; Email Attachments; Watering Hole Attack; Replication; Brute Force; Malware Examples; Malware Mitigation; DNS Firewall; DNS Firewall Policy Precedence; Logging Configuration; Other Attacks that Leverage DNS; Network Reconnaissance; Network Reconnaissance Defenses; DNS Rebinding Attack; Data Exfiltration; Data Exfiltration Mitigation; DNS as Data Transport (Tunneling); Advanced Persistent Threats; Advanced Persistent Threats Mitigation

12 IPAM and Your Internet Presence
IP Address Space Integrity; Publicizing Your Public Namespace; Domain Registries and Registrars; DNS Hosting Providers; Signing Your Public Namespace; DNSSEC Zone Signing; Key Rollover; Prepublish Rollover; Dual Signature Rollover; Algorithm Rollover; Key Security; Enhancing Internet Application Encryption Integrity; DNS-Based Authentication of Named Entities (DANE); Securing Email with DNS; Email and DNS; DNS Block Listing; Sender Policy Framework (SPF); Domain Keys Identified Mail (DKIM); Domain-Based Message Authentication, Reporting, and Conformance (DMARC)

Part IV IPAM in Practice

13 IPAM Use Case
Introduction; IPv4 Address Allocation; First-Level Allocation; Second-Layer Allocation; Address Allocation Layer 3; Core Address Space; External Extensions of Address Space; Allocation Trade-Offs and Tracking; IPAM Worldwide's Public IPv4 Address Space; IPAM Worldwide's IPv6 Allocations; External Extensions Address Space; IP Address Tracking; DNS and IP Address Management

14 IPAM Deployment Strategies
General Deployment Principles for DHCP/DNS; Disaster Recovery/Business Continuity; DHCP Deployment; DHCP Server Platforms; DHCP Servers; Virtualized DHCP Deployment; DHCP Appliances; DHCP Deployment Approaches; Centralized DHCP Server Deployment; Distributed DHCP Server Deployment; DHCP Services Deployment Design Considerations; DHCP Deployment on Edge Devices; DNS Deployment; DNS Trust Sectors; External DNS Trust Sector; Extranet DNS Trust Sector; Recursive DNS Trust Sector; Internal DNS Trust Sector; Deploying DNS Servers with Anycast Addresses; Anycast Addressing Benefits; Anycast Caveats; Configuring Anycast Addressing; IPAM Deployment Summary; High Availability; Multiple Vendors; Sizing and Scalability; Load Balancers; Lab Deployment

15 The Business Case for IPAM
IPAM Business Benefits; Automation; Outage Reduction; Rapid Trouble Resolution; Accurate IPAM Inventory and Reporting; Expanded IP Services; Distributed Administration; Enhanced Security; Business Case Overview; Business Case Cost Basis; Address Block Management; Subnet Management; IP Address Assignment - Moves, Adds, and Changes; Inventory Assurance; Address Capacity Management; Auditing and Reporting; Server Upgrade Management; Outage and Security Recovery Costs; IPAM System Administration Costs; Cost Basis Summary; Savings with IPAM Deployment; Business Case Expenses; Netting it Out: Business Case Results; Conclusion

16 IPAM Evolution/Trends
Security Advancements; Intent-Based Networking; Artificial Intelligence Applied to IPAM; IP Address Capacity Management; DNS Query and Response Analytics; DNS Malware Detection; Network Address Intrusions; IPAM Administration Activity Analysis; AI Summary; Edge Computing; Identifier/Locator Networking; Information-Centric Networking

Part V IPAM Reference

17 IP Addressing Reference
IP Version 4; The IPv4 Header; IP Version 6; The IPv6 Header; IPv6 Multicast Addressing; Flags; Special Case Multicast Addresses; Solicited Node Multicast Address; Node Information Query Address; IPv6 Addresses with Embedded IPv4 Addresses; Reserved Subnet Anycast Addresses

18 DHCP Reference
DHCPv6 Protocol; DHCPv6 Packet Format; DHCPv6 Message Types; DHCPv6 Failover Overview; DHCPv6 Options; DHCP for IPv4; DHCP Packet Format; DHCPv4 Message Types; DHCP Options

19 DNS Reference
DNS Message Format; Encoding of Domain Names; Name Compression; Internationalized Domain Names; DNS Message Format; Message Header; Question Section; Answer Section; Authority Section; Additional Section; DNS Update Messages; DNS Extensions (EDNS0); The DNS Resolution Process Revisited; DNS Resolution Privacy Extension; DNS Resolver Configuration; DNS Applications and Resource Records; Resource Record Format; Host Name and IP Address Resolution; A - IPv4 Address Record; AAAA - IPv6 Address Record; PTR - Pointer Record; Alias Host and Domain Name Resolutions; CNAME - Canonical Name Record; DNAME - Domain Alias Record; Network Services Location; SRV - Services Location Record; AFSDB - DCE or AFS Server Record (Experimental); WKS - Well Known Service Record (Historic); Host and Textual Information Lookup; TXT - Text Record; HINFO - Host Information Record; DNS Protocol Operational Record Types; SOA - Start of Authority Record; NS - Name Server Record; Dynamic DNS Update Uniqueness Validation; DHCID - Dynamic Host Configuration Identifier Record; Telephone Number Resolution; NAPTR - Naming Authority Pointer Record; Email and Anti-spam Management; Email and DNS; MX - Mail Exchanger Record; Allow or Block Listing; Sender Policy Framework (SPF); SPF - Sender Policy Framework Formatting for a TXT Record; Mechanisms; Modifiers; Macros; Macro Examples; Sender ID (Historical); Domain Keys Identified Mail (DKIM); DKIM Signature Email Header Field; DKIM TXT Record; DMARC TXT Record; Historic Email Resource Record Types; MR - Mail Rename Record; MB - Mailbox Record; MG - Mail Group Member Record; MINFO - Mailbox/Mailing List Information; Security Applications; Securing Name Resolution - DNSSEC Resource Record Types; DNSKEY - DNS Key Record; DS - Delegation Signer Record; NSEC - Next Secure Record; NSEC3 - NSEC3 Record; NSEC3PARAM - NSEC3 Parameters Record; RRSIG - Resource Record Set Signature Record; Other Security-oriented DNS Resource Record Types; TA - Trust Authority Record; CERT - Certificate Record; IPSECKEY - Public Key for IPSec Record; KEY - Key Record; KX - Key Exchanger Record; SIG - Signature Record; SSHFP - Secure Shell Fingerprint Record; Geographical Location Lookup; GPOS - Geographical Position Record; LOC - Location Resource Record; Non-IP Host-Address Lookups; ISDN - Integrated Services Digital Network Record (Experimental); NSAP - Network Service Access Point Record; NSAP-PTR - Network Service Access Point Reverse Record; PX - Pointer for X.400; X25 - X.25 PSDN Address Record (Experimental); RT - Route Through; The Null Record Type; NULL; Experimental Name-Address Lookup Records; IPv6 Address Chaining - The A6 Record (Experimental); APL - Address Prefix List Record (Experimental); DNS Resource Record Summary

20 RFC Reference

Glossary; Bibliography; Index
Michael Dooley is Vice President of Operations for BT Diamond IP division. He has over 20 years of experience managing and developing enterprise-scale software products. His professional expertise includes IP addressing, DHCP, and DNS. He is co-author of IPv6 Deployment and Management and DNS Security Management.

Timothy Rooney is the Product Manager for BT Diamond IP product development and has led the market introduction of NetControl, IPControl, Sapphire Appliances, and ImageControl, four next-gen IP management systems. He is co-author of Introduction to IP Address Management, IP Address Management Principles and Practice, IPv6 Deployment and Management, and DNS Security Management.