Convergence/Integrated Solutions

Addressing the Future

Organizations strive to make IP address management a priority

As the Internet and other TCP/IP-based networks become busier and more sophisticated, organizations face increasingly complex security and management challenges. Integrating IP address management (IPAM), including dynamic host configuration services, is a way to provide the knowledge required to maintain manageability, functionality and security on increasingly complex networks.

A Brief History
To understand where technology is today, it is important to begin with a historical perspective. In the 1960s, the original Advanced Research Projects Agency Network (ARPANET), developed by the Department of Defense, was the world's first experiment in packet-based networks. The model began with four hosts and quickly evolved through government, education and industry participation.

In 1981, Transmission Control Protocol (TCP) and IP, together known simply as TCP/IP, were established as the new standard for networks. By the end of the decade, the Internet had gained momentum with private sector participation and was being used commercially. From the 1990s through the turn of the century, the network grew from thousands of systems to tens of millions, becoming a standard fixture for corporations. Internet connectivity has now become a necessity of modern life for both people and organizations.

Even though the Internet has rapidly become more critical and ubiquitous as a communications infrastructure in the past 15 years, the original protocols that specified its inner workings essentially remain the same. Aside from minor refinements, the TCP/IP protocol suite has not in fact changed much in its fundamentals since 1981. The largest and ultimate challenge for TCP/IP will stem from its popularity rather than its failure or obsolescence.

Challenges Ahead
To enable communications on a network, each host must be assigned a unique Internet address. The current Internet addressing system, IPv4, defines a 32-bit address and allows for more than 4 billion addresses.

Initially, IP addresses were allocated manually -- a practice that continues for most network servers. Increased complexity in growing networks has driven the need for an automated way to configure network devices, in the form of the dynamic host configuration protocol (DHCP), which lets devices negotiate with the network to obtain a unique IP address and other configuration parameters.

Since IP addresses can change, there is a risk that addresses will be lost among the enormous number of hosts on the network. DNS ensures that does not happen by providing a mnemonic, human-readable naming scheme, similar to a phone book, that can be used to locate a device's current IP address and connect to it. Originally, in the ARPANET era, a hosts file mapping names to IP addresses was used to look up a system's current address. Modern DNS is a dynamically updated hierarchical database hosted on servers all over the world that provides access to hosts on the Internet, as well as on private networks. DNS makes it possible to browse the Web, send e-mail and locate network services.

When the TCP/IP protocols were designed, there was no way of knowing the challenges that lay ahead. Organizations are clearly at varying stages of TCP/IP deployment. Some have run networks with TCP/IP as the underlying technology for years. Others are dealing with the IP protocol suite as a new phenomenon, with many networks having become completely IP-driven only in the past few years.

The escalating number of networks running TCP/IP means increased complexity, as well as a growing proliferation of devices using TCP/IP -- all of which has led to an explosion of network-attached devices.

Today, the convergence of TCP/IP and the Internet is the primary transmission medium for communications and even entertainment. The explosive growth in networked desktop and portable PCs, wireless PDAs, VoIP devices, RFID and many network appliances is making it harder than ever to administer and manage IP addresses and network configuration information. Since an IP address is the essential element needed to enable any device to communicate across a network, the impact of not managing IP addresses properly can be sudden and severe.

We are now at a significant crossroads in terms of IP address management. Because of the hierarchical nature of the address scheme, only a portion of the available addresses is actually in use. Newer, more efficient methods of subnetting, using classless inter-domain routing (CIDR), will not extend the viability of the IPv4 addressing scheme much longer. Network address translation (NAT) has mitigated the impending shortage somewhat by allowing an entire private network to share a single public Internet IP address. However, NAT does not support the end point visibility required for technologies such as VoIP telephony to function correctly. End point visibility means the device requires an IP address on the Internet itself, rather than on a private network with a NAT gateway translating the addressing for data requests and responses.

Growing networks have also placed increased demand on the hardware running IP services. Routing protocols can be replaced or upgraded because the service is transparent to users. IP address management and DNS, by contrast, are public, user-facing services, which rules out that kind of swap.

IPv6, the newest iteration of the IP address system, has the capacity to assign approximately 56.9 billion unique addresses to each gram of matter on Earth. IPv6 has been designed and tested, but it has not been widely implemented outside the Pacific Rim (North America owns a vast majority of existing IPv4 addresses). Those IPv6 implementations that exist are either running parallel with IPv4 (dual-stacking) or replacing IPv4 completely. Despite slow growth outside the Pacific Rim, IPv6 compatibility has been mandated in some influential areas, including the U.S. military by 2008.

Although far greater in number, IPv6 addresses are 128 bits long and written in hexadecimal, so they are not as human-readable as IPv4 addresses. With IPv6, addresses are auto-configured, but DHCP is still used to manage complex configurations and options. Given this inherent complexity, IPAM systems must be more sophisticated to manage the networks of today and the future.

New Applications, New Demands
New applications are also driving the need for richer client configuration services. A VoIP phone, for example, requires a different type of configuration than a PC. When network devices join a network, DHCP services provide rich and dynamic configuration information, including unique IP addresses. Delivering that configuration information brings with it the task of organizing which devices on which subnets receive which configuration. This means DHCP services must be deeply integrated with the IPAM system used to create and manage the subnets.

Today, dynamic DNS is used to update DNS records for clients that join the network and receive an IP address through DHCP. Only through tight integration of DNS and IPAM services, including DHCP, can clients maintain a network presence with DNS records that advertise the correct IP address. Mobile devices that frequently change IP addresses are a good example of why the integration must be so seamless. When DNS-dependent services such as VoIP and Active Directory are considered, the critical nature of this integration becomes clear.

The controversy around requirements to provide E911 access to emergency service providers through VoIP networks clearly demonstrates the regulatory and logistical concerns converged networks bring to the table. Organizations around the world are being asked to comply with increasingly stringent data retention regulations. In the United States, businesses must comply with industry regulations, such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA, by tracking which network resources are being accessed. Compliance is a daunting challenge, especially for large organizations, unless an IPAM system with adequate reporting facilities is employed. Such a system formalizes tracking and control of a network, providing the ability to manage and track resources proactively rather than reacting to situations after they occur.
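To make the DHCP/DNS integration and the compliance tracking described above concrete, here is an added toy model (not code from the article or any vendor product) of an IPAM service whose lease operation also maintains forward and reverse DNS records and an audit trail. It shows a mobile device re-joining without leaving a stale record, and answers the question "which device held this address at that time". The subnet, zone, hostnames and MAC values are constructed, and the data model is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Ipam:
    """Toy integrated IPAM: one DHCP pool, forward/reverse DNS, audit trail."""
    subnet: str                     # e.g. "192.0.2.0/29" (documentation range)
    zone: str                       # DNS zone the leased hosts are registered in
    free: list = field(init=False)  # unallocated addresses, in allocation order
    lease_by_mac: dict = field(default_factory=dict)  # mac -> ip
    forward: dict = field(default_factory=dict)       # fqdn -> ip (A record)
    reverse: dict = field(default_factory=dict)       # ip -> fqdn (PTR record)
    audit: list = field(default_factory=list)         # (time, event, mac, ip, fqdn)

    def __post_init__(self):
        # Usable host addresses only; network and broadcast are never leased.
        self.free = [str(h) for h in ipaddress.ip_network(self.subnet).hosts()]

    def lease(self, mac, hostname, t):
        """DHCP lease that also updates DNS (dynamic DNS) and the audit log."""
        fqdn = f"{hostname}.{self.zone}"
        if mac in self.lease_by_mac:      # mobile device re-joining: drop old state
            self.release(mac, t)
        if not self.free:
            raise RuntimeError("address pool exhausted")
        ip = self.free.pop(0)
        self.lease_by_mac[mac] = ip
        self.forward[fqdn] = ip
        self.reverse[ip] = fqdn
        self.audit.append((t, "lease", mac, ip, fqdn))
        return ip

    def release(self, mac, t):
        """Lease expiry/release: free the address and remove both DNS records."""
        ip = self.lease_by_mac.pop(mac)
        fqdn = self.reverse.pop(ip)
        self.forward.pop(fqdn, None)
        self.free.append(ip)
        self.audit.append((t, "release", mac, ip, fqdn))

    def who_had(self, ip, t):
        """Compliance query: (mac, fqdn) holding ip at time t, or None. Assumes time-ordered audit."""
        owner = None
        for ts, event, mac, aip, fqdn in self.audit:
            if ts > t:
                break
            if aip == ip:
                owner = (mac, fqdn) if event == "lease" else None
        return owner
```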

The need for more formalized network security will continue to grow as networks are required to handle increased volumes and more sophisticated applications. As usage increases, so does the likelihood of threats on a variety of fronts, including malicious hosts and network traffic. More sophisticated networks and usage can also mean longer, more involved investigations into events that occur, and more ambiguous conclusions. It stands to reason that network security can only be maintained effectively with a full working knowledge of the network.

Distributing Data
New devices also spawn new data distribution models. Staying informed of trends requires accurate information about the hosts on the network. The convergence of new forms of media (data, telephony and video) is also bringing calls for bandwidth management, quality of service requirements and guarantees of service availability that will require tight control of IPAM. The economic drivers of convergence will also fuel the IPv4-to-IPv6 transition, despite the complexity of the process.

Once again, IPAM -- including DHCP -- must be fully integrated with DNS in order to achieve the level of network tracking and control required to manage the complexity of modern networks. This approach provides a simpler, more refined method of managing large networks, allowing organizations to address increasingly complex security concerns and legislative requirements. It will help organizations as regulations covering data management, access tracking and access restriction only increase in the months and years to come.

The Implementation Process
Integrating IPAM and DNS into a single application or server is only the first stage. Any IPAM system should also integrate with the authentication and security systems on the host network to provide centralized data management and reporting. More complex clients, such as VoIP phones, can require ENUM zone and NAPTR record support, as well as advanced DHCP configuration options. Security and availability requirements will also mean that secure appliance servers and high-availability clustering become the norm.

Evolving the Internet and other networks to combat rising complexity and embrace the rich new variety of uses appearing will not be easy. The close integration of DNS and IPAM is an essential step in making the evolution a reality.

This article originally appeared in the November 2006 issue of Security Products, pgs. 86-89.
