As I start working more and more with IPv6 and find myself having to address services, I am wondering if there are any sort of written or unwritten 'conventions'/best practices that are being adopted about how to address devices/servers/services.
Specifically:
1) Is there a general convention about addresses for DNS servers? NTP servers? dhcp servers?
2) Are we tending to use different IPs for each service on a device?
3) Any common addresses/schemes for other common services? (smtp/snmp/http/ldap/etc)?
Similarly, I've been referring to http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml for a list of the 'reserved' space - are there any other blocks/conventions around addressing that exist?
Finally, what tools do people find themselves using to manage IPv6 and addressing? It seems to me that IPAM is almost required to manage IPv6 in any sane way, even for very small deployments (My home ISP gave me a /56 and a /64).
I figured this was a fairly operational question/set of questions, so I hope this is the right venue.
Cheers,
Todd.
On 2011-May-18 16:44, Todd Snyder wrote:
As I start working more and more with IPv6 and find myself having to address services, I am wondering if there are any sort of written or unwritten 'conventions'/best practices that are being adopted about how to address devices/servers/services.
Specifically:
1) Is there a general convention about addresses for DNS servers? NTP servers? dhcp servers? 2) Are we tending to use different IPs for each service on a device? 3) Any common addresses/schemes for other common services? (smtp/snmp/http/ldap/etc)?
Depends mostly on personal preference I would say. Same applies to IPv4 as IPv6. If you want a service to map always to a specific IP, eg because you anycast/failover-IP it, then a "service IP" makes sense. If you have a smaller deployment then just a service per host and/or using CNAMEs (except for MX :) can make sense.
Similarly, I've been referring to http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml for a list of the 'reserved' space - are there any other blocks/conventions around addressing that exist?
Only thing you might want to know is that 2000::/3 is global unicast, that there is ULA and link-local. For the rest you don't need to know anything about address blocks, just what the address space is that is routed to you and that is what you get to use. Except maybe for BGP where you want to limit what you want to receive/announce. See google(gert ipv6) aka http://www.space.net/~gert/RIPE/ipv6-filters.html for information on that.
Finally, what tools do people find themselves using to manage IPv6 and addressing? It seems to me that IPAM is almost required to manage IPv6 in any sane way, even for very small deployments (My home ISP gave me a /56 and a /64).
Text files, SQL databases. Depends on your need.
Greets,
Jeroen
On 18 May 2011, at 16:44, Todd Snyder wrote:
1) Is there a general convention about addresses for DNS servers? NTP servers? dhcp servers?
There are people who do stuff like blah::53 for DNS, or blah:193:77:81:20 for a machine that has IPv4 address 193.177.81.20. For the DNS, I always recommend using a separate /64 for each one, as that way you can move them to another location without having to renumber, and make the addresses short, so a ::1 address or something, because those are the IPv6 addresses that you end up typing a lot. For all the other stuff, just use stateless autoconfig or start from ::1 when configuring things manually although there is also a little value in putting some of the IPv4 address in there. Note that 2001:db8::10.0.0.1 is a valid IPv6 address. Unfortunately when you see it copied back to you it shows up as 2001:db8::a00:1 which is less helpful.
2) Are we tending to use different IPs for each service on a device?
No, the same Internet Protocol.
Finally, what tools do people find themselves using to manage IPv6 and addressing?
Stateless autoconfig for hosts, EUI-64 addressing for routers, VLAN ID in the subnet bits. That makes life simple. Simple be good.
On May 18, 2011 8:07 AM, "Iljitsch van Beijnum" <iljitsch@muada.com> wrote:
On 18 May 2011, at 16:44, Todd Snyder wrote:
1) Is there a general convention about addresses for DNS servers? NTP servers? dhcp servers?
There are people who do stuff like blah::53 for DNS, or blah:193:77:81:20 for a machine that has IPv4 address 193.177.81.20.
For the DNS, I always recommend using a separate /64 for each one, as that way you can move them to another location without having to renumber, and make the addresses short, so a ::1 address or something, because those are the IPv6 addresses that you end up typing a lot.
For all the other stuff, just use stateless autoconfig or start from ::1 when configuring things manually although there is also a little value in putting some of the IPv4 address in there. Note that 2001:db8::10.0.0.1 is a valid IPv6 address. Unfortunately when you see it copied back to you it shows up as 2001:db8::a00:1 which is less helpful.
2) Are we tending to use different IPs for each service on a device?
No, the same Internet Protocol.
Finally, what tools do people find themselves using to manage IPv6 and addressing?
Stateless autoconfig for hosts, EUI-64 addressing for routers, VLAN ID in the subnet bits. That makes life simple. Simple be good.
You may want to use some randomness to limit address scanning. Ymmv on how well this works or applies, I do it. Cb
On May 18, 2011, at 8:05 AM, Iljitsch van Beijnum wrote:
On 18 May 2011, at 16:44, Todd Snyder wrote:
1) Is there a general convention about addresses for DNS servers? NTP servers? dhcp servers?
There are people who do stuff like blah::53 for DNS, or blah:193:77:81:20 for a machine that has IPv4 address 193.177.81.20.
For the DNS, I always recommend using a separate /64 for each one, as that way you can move them to another location without having to renumber, and make the addresses short, so a ::1 address or something, because those are the IPv6 addresses that you end up typing a lot.
For all the other stuff, just use stateless autoconfig or start from ::1 when configuring things manually although there is also a little value in putting some of the IPv4 address in there. Note that 2001:db8::10.0.0.1 is a valid IPv6 address. Unfortunately when you see it copied back to you it shows up as 2001:db8::a00:1 which is less helpful.
2) Are we tending to use different IPs for each service on a device?
No, the same Internet Protocol.
I believe he meant different IP addresses and I highly recommend doing so. If you do so, then you can move services around and name things independent of the actual host that they happen to be on at the moment without having to renumber or rename.
Finally, what tools do people find themselves using to manage IPv6 and addressing?
Stateless autoconfig for hosts, EUI-64 addressing for routers, VLAN ID in the subnet bits. That makes life simple. Simple be good.
Yep, where that works, those are fine ideas.
Owen
On 19 May 2011, at 5:21, Owen DeLong wrote:
2) Are we tending to use different IPs for each service on a device?
No, the same Internet Protocol.
I believe he meant different IP addresses
No, that can't be, he would have said "IP addresses".
and I highly recommend doing so.
If you do so, then you can move services around and name things independent of the actual host that they happen to be on at the moment without having to renumber or rename.
The DNS is already a layer of indirection so in most cases this makes things harder first (having to remember which address is on which host) so they may be easier later (not touching the DNS when services go to a new box). In my opinion, this isn't a good tradeoff most of the time. Only if you want/need addresses to be a particular way (like short for DNS servers) is that helpful. I was reluctant to do stateless autoconfig for servers at first but it's really rock solid. As long as you're reasonably sure no rogue router advertisements will show up on the subnet in question, there's no reason to avoid it.
No, the same Internet Protocol.
I believe he meant different IP addresses
No, that can't be, he would have said "IP addresses".
and I highly recommend doing so.
If you do so, then you can move services around and name things independent of the actual host that they happen to be on at the moment without having to renumber or rename.
The DNS is already a layer of indirection so in most cases this makes things harder first (having to remember which address is on which host) so they may be easier later (not touching the DNS when services go to a new box). In my opinion, this isn't a good tradeoff most of the time. Only if you want/need addresses to be a particular way (like short for DNS servers) is that helpful.
Far from it. Running services on separate IP addresses is extremely important to enable services to move (to a different box) independently. It has little to do with wanting addresses to be a particular way, and much more to do with *other* places (e.g. firewalls) where IP addresses are used and not names.
I was reluctant to do stateless autoconfig for servers at first but it's really rock solid. As long as you're reasonably sure no rogue router advertisements will show up on the subnet in question, there's no reason to avoid it.
Shudder.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
On May 19, 2011, at 12:05 AM, Iljitsch van Beijnum wrote:
On 19 May 2011, at 5:21, Owen DeLong wrote:
2) Are we tending to use different IPs for each service on a device?
No, the same Internet Protocol.
I believe he meant different IP addresses
No, that can't be, he would have said "IP addresses".
No, it is not uncommon at least in America for people to refer to IP addresses by the shorter term "IPs".
and I highly recommend doing so.
If you do so, then you can move services around and name things independent of the actual host that they happen to be on at the moment without having to renumber or rename.
The DNS is already a layer of indirection so in most cases this makes things harder first (having to remember which address is on which host) so they may be easier later (not touching the DNS when services go to a new box). In my opinion, this isn't a good tradeoff most of the time. Only if you want/need addresses to be a particular way (like short for DNS servers) is that helpful.
We can agree to disagree. You need to remember which box your particular services are on anyway, so I don't see much difference there. Often, the time delay in DNS changes can be a blocking factor in addressing load issues by moving things around quickly. IP addresses can be moved with much greater agility than the DNS abstraction because there are too many broken browsers and such out there (thank you Micr0$0ft) with ridiculous tendencies to cache DNS information for a very long time (well beyond the TTL).
I was reluctant to do stateless autoconfig for servers at first but it's really rock solid. As long as you're reasonably sure no rogue router advertisements will show up on the subnet in question, there's no reason to avoid it.
Well, there is one reason... If you have to swap a NIC or any superset of a NIC such as an entire machine, you'll have to update DNS. If you forget to do the DNS update in such a circumstance, you can blackhole a lot of traffic in the time it takes to figure that out.
Owen
On 5/19/11 3:46, Owen DeLong wrote:
Often, the time delay in DNS changes can be a blocking factor in addressing load issues by moving things around quickly. IP addresses can be moved with much greater agility than the DNS abstraction...
And having persistent IP address-to-service mappings aside from DNS can also be useful for other things like firewall/IDS rules that often don't use DNS at all.
-e
1) Is there a general convention about addresses for DNS servers? NTP servers? dhcp servers?
DNS server addresses should be short and easy to type, as already mentioned.
2) Are we tending to use different IPs for each service on a device?
In many cases yes - because that makes it possible to easily move the service to a different box.
Finally, what tools do people find themselves using to manage IPv6 and addressing?
Excel spreadsheets, HaCi.
It seems to me that IPAM is almost required to manage IPv6 in any sane way, even for very small deployments (My home ISP gave me a /56 and a /64).
At least as long as you use static addresses. We like static, and tend to stay away from SLAAC. We do *not* use EUI-64 for router links. For customer links we use /64, for backbone links we use /124 (ensures that SLAAC can never ever be used on the link, and also that the two ends can be numbered ending in 1 and 2 - nice and simple).
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
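A worked illustration of the addressing conventions discussed across this thread (Iljitsch's IPv4-in-IPv6 and VLAN-in-the-subnet-bits schemes, Cameron's random interface IDs, and Steinar's /124 backbone links numbered 1 and 2), written as added example code rather than anything the participants posted. All prefixes are constructed from the 2001:db8::/32 documentation range, and the VLAN function is generalized to any site prefix shorter than /64 (a /48 gives 16 subnet bits, the /56 from the original question gives 8).

```python
import ipaddress
import secrets

# Constructed example prefixes from the RFC 3849 documentation range; none come from the thread.
SITE = "2001:db8::/48"
DNS_NET = "2001:db8:0:53::/64"

def ipv4_in_low_bits(subnet, v4):
    """Embed an IPv4 address as the low 32 bits of a /64 (the 2001:db8::10.0.0.1 style).
    It is stored as a number, so tools print it back in hex: 10.0.0.1 becomes ::a00:1."""
    net = ipaddress.IPv6Network(subnet)
    if net.prefixlen != 64:
        raise ValueError("expects a /64")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(v4)))

def ipv4_as_hextets(subnet, v4):
    """Write each IPv4 octet as its own hextet (193.177.81.20 -> ...:193:177:81:20).
    Each group is parsed as hex, so it only looks like the IPv4 address, but it round-trips."""
    net = ipaddress.IPv6Network(subnet)
    if net.prefixlen != 64:
        raise ValueError("expects a /64")
    head = net.network_address.exploded.split(":")[:4]   # the four prefix hextets, zero-padded
    octets = str(ipaddress.IPv4Address(v4)).split(".")   # validates the IPv4 address too
    return ipaddress.IPv6Address(":".join(head + octets))

def vlan_subnet(site, vlan_id):
    """Place the VLAN ID in the subnet bits between the site prefix and the /64 boundary."""
    net = ipaddress.IPv6Network(site)
    subnet_bits = 64 - net.prefixlen
    if not 0 < subnet_bits <= 16 or not 0 < vlan_id < (1 << subnet_bits):
        raise ValueError("VLAN ID does not fit in the subnet bits of this site prefix")
    return ipaddress.IPv6Network((int(net.network_address) | (vlan_id << 64), 64))

def p2p_link_ends(link):
    """Number the two ends of a /124 backbone link ::1 and ::2; a /124 cannot carry SLAAC."""
    net = ipaddress.IPv6Network(link)
    if net.prefixlen != 124:
        raise ValueError("expects a /124")
    base = int(net.network_address)
    return ipaddress.IPv6Address(base + 1), ipaddress.IPv6Address(base + 2)

def random_static_address(subnet):
    """Static address with a random 64-bit interface ID rather than a guessable ::1 or ::53."""
    net = ipaddress.IPv6Network(subnet)
    return ipaddress.IPv6Address(int(net.network_address) | secrets.randbits(64))
```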