BRKNMS-2640
Bernie Volz
Introduction
This session describes the management of IP addresses and of (host and domain) names. We explain the functions of DHCP and DNS and how they work together to form the foundation of a name and address management system. Recent developments in both areas are touched on as well. Finally, we enumerate best practices for achieving reliability and security of both services.
BRKNMS-2640
Cisco Public
Non-Information
Silence your phone, PDA, pager, MP3 player.
At Cisco Live! your evaluation is extremely important. Please remember to wear your badge at all times. Please visit the World of Solutions.
There is extra material in the appendix at the end of this presentation; the explanatory notes contain links to reference material; I tried to translate all acronyms. You can ask questions at any time.
Coordination between DNS and DHCP services
Providing reliable and secure name and address services
DHCP Server
Servers send DHCPOFFER messages with lease information.
The client selects a lease and broadcasts a DHCPREQUEST message.
DHCP Server
Figure: example client types on the LAN: camera, server, sensor, printer, wireless AP.
Address ranges per type of client (PC, sensor, etc.)
Secures the LAN by coupling the DHCP lease to the ARP cache
Manage your pools with syslog on thresholds, MIB, and accounting
Update the upstream DNS server from DHCP bindings
Figure: central DHCP server serving a remote site.
Figure: delegation to a DHCP server at the remote site.
Automating Address Pool Assignment
Improves efficiency of DHCP address assignment by moving available addresses to meet demand
Delegation
Figure: regional cluster with local clusters and a backup cluster.
Easy to integrate: API, CLI, and SNMP to facilitate automation and control
Highly available: DHCP failover (v4), HA-DNS
2011 Cisco and/or its affiliates. All rights reserved.
Solution: deploy multiple DHCP servers and enable all servers to respond to messages.
The DHCP client broadcasts its messages, and a relay agent can forward them to multiple servers, so more than one DHCP server may receive messages from a client.
The DHCP client is required by the protocol specification to be able to receive responses from multiple servers.
The DHCP client broadcasts its rebinding request, so it can locate the secondary server if the primary is not accessible.
If DNS is updated, both addresses end up in DNS.
If a leasequery is done, both servers might respond with active lease information.
The DHCP specification does not allow sufficient time to do the update before responding.
Most hosts will time out and retransmit before the inter-server update completes.
Therefore, the server can't wait for the update to complete before sending its response.
Goals
Client keeps existing address if communicating with either server
Client can get new address from either available server
Figure: failover with split pools. 1. DHCPDISCOVER from the client. 2. DHCPOFFER from Main: any address between 1-200. 5. DHCPBNDUPD from Main to Backup, 6. DHCPBNDACK from Backup. Backup pool: 201-254. The backup stays silent ("Shhhhh") while Main answers the client.
Figure: the same exchange seen from the pools. 1. DHCPDISCOVER from the client reaches Main. Address pool 10.10.10.1-254 is split into Main pool 1-200 and Backup pool 201-254.
However, what if this update fails to happen because the server goes down?
The partner then has no record of the lease or of the lease extension.
How does the partner know when it is safe to (re)use the lease?
As the MCLT (maximum client lead time) is usually short (60 minutes), how do clients get long lease times?
Figure: lease time after the partner update (within a short time). 9. DHCPBNDUPD from Main to Backup with lease time = X + (X/2) = 24 + (24/2) = 36 hours; 10. DHCPBNDACK from Backup.
X = desired client lease time (option 51), assumed to be 24 hours.
Y = maximum client lead time (MCLT), assumed to be 1 hour.
/2 = the client renewal time is 50% of the lease time.
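The lead-time rule behind the figure, worked through with the slide's numbers. This is an added example and not code from the session: it models a failover server that never promises a client more than what its partner has acknowledged plus the MCLT, and that tells the partner a potential expiry of X + X/2. Hours as floats, the renewal point at 50% of the lease, and the `partner_acks` switch are modelling assumptions of this example.

```python
MCLT_HOURS = 1.0         # maximum client lead time, assumed 1 hour (the slide's Y)
DESIRED_HOURS = 24.0     # lease time the client asks for in option 51 (the slide's X)


def grant_lease(desired, now, acked_potential_expiry, mclt=MCLT_HOURS):
    """Lease time a failover server may hand out at time `now` (hours).

    A server never promises a client more than what its partner has already
    acknowledged (acked_potential_expiry) plus MCLT; with no acknowledged
    record at all the limit is MCLT itself.  That bound is what lets the
    partner reclaim the address safely if this server dies.
    """
    if acked_potential_expiry is None:
        return min(desired, mclt)
    limit = max(acked_potential_expiry - now, 0.0) + mclt
    return min(desired, limit)


def potential_expiry(desired, now):
    """Value carried in DHCPBNDUPD: X + X/2 from now, as on the slide.

    The extra X/2 covers the client renewing halfway through its lease and
    being granted a full X again before the next partner update completes.
    """
    return now + desired + desired / 2


def simulate(desired=DESIRED_HOURS, mclt=MCLT_HOURS, renewals=3, partner_acks=True):
    """First lease plus `renewals` client renewals; returns the lease times granted.

    partner_acks=True is the slide's "within a short time" case (the BNDUPD is
    acknowledged before the client renews); partner_acks=False models a partner
    that is down, so the acknowledged record never advances.
    """
    grants, now, acked = [], 0.0, None
    for _ in range(renewals + 1):
        lease = grant_lease(desired, now, acked, mclt)
        grants.append(lease)
        if partner_acks:                       # 9. DHCPBNDUPD / 10. DHCPBNDACK
            acked = potential_expiry(desired, now)
        now += lease / 2                       # client renews at 50% of its lease
    return grants


if __name__ == "__main__":
    print("partner up:  ", simulate())
    print("partner down:", simulate(partner_acks=False))
```

With the partner up, only the very first lease is capped at the MCLT; every renewal afterwards gets the full 24 hours. With the partner down, every lease stays at one hour, which is the cost of not having to guess whether the partner knows about the binding.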
IPv6 Introduction
Functionally similar to IPv4:
Connectionless network-layer protocol
Used by transport protocols (TCP and UDP)
Runs over all possible hardware technologies
But:
Larger addresses
Completely new datagram header format
Fewer fields in the header
Option headers follow the main header
IPv6 Header
Figure: IPv4 header (20 bytes) beside the IPv6 header (40 bytes). IPv4 fields shown: Version, IHL, Type of Service, Total Length, Flags, Fragment Offset, Header Checksum, Source Address, Destination Address. IPv6 fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address. Legend: field names kept from IPv4 to IPv6 are highlighted.
IPv6 Addresses
Divided into two conceptual parts (like IPv4)
Prefix
Globally unique
Suffix
Only unique within a link
Assigned to an individual interface
Known as the interface identifier
Address Assignment
Manual
DHCPv6
Stateless address auto-configuration; the host:
Derives an EUI-64 interface identifier from its MAC address
Constructs the address from the prefix advertised by the router and the EUI-64 interface identifier
Example: MAC address from interface 00:14:51:d9:a4:5a gives 2001:DB8:3:0:214:51ff:fed9:a45a
Assignment of multiple addresses to a client
Unique, uniform client identification
Explicit lease renewal and lease rebinding messages
Larger option code space (16-bit option code)
Routers send router advertisement messages with list of prefixes and signal for use of DHCPv6
Performs prefix delegation
Uses IPv6 addressing modes, including link-local addresses and multicast
DHCPv4/DHCPv6 Coexistence
IETF design decision: DHCPv4 and DHCPv6 are separate protocols
Different message formats
Different message exchanges
Separate options
The host runs DHCPv4 and DHCPv6 as separate functions.
What about options that provide the same information in DHCPv4 and DHCPv6, e.g., DNS servers?
Figure: DHCPv6 message exchange between client and server. Client to server: L3 dst=FF02::1:2 (the All_DHCP_Relay_Agents_and_Servers multicast address) src=FE80::214:51ff:fed9:a45a. Server to client: L3 dst=FE80::214:51ff:fed9:a45a src=FE80::214:51ff:fe65:7413.
Stateless DHCPv6
Used in conjunction with stateless address autoconfiguration
The DHCPv6 server does not need to retain state for each client, e.g., assigned addresses or lease state.
The client uses stateless DHCPv6 (RFC 3736) to obtain configuration information.
Very simple protocol server; can be easily deployed in routers rather than as a centralized service.
Subscriber network will have IPv6 router (instead of computer or NAT) connected to service provider
DHCPv6 prefix delegation informs subscriber router of prefix to use
Assignment of a prefix to a subscriber or an organization, rather than a single address, is recommended for IPv6.
IPv6 prefix delegation uses DHCPv6 to provision a router with the prefix to be used at that site.
The site router then assigns /64 prefixes from the delegated prefix to each link in the site network.
Figure: service provider deployment. Service provider admin domain: DHCP and DNS servers (CNR), BAC, TFTP, TOD, management and core networks, to Internet. Customer admin domain: home network.
HFC link: assigned 2001:DB8:FFFF:0::/64 (management) and 2001:DB8:FFFE:0::/64 (service).
Customer home network link 0 (wireless): assigned 2001:DB8:0:30::/64.
Customer home network link 1 (bridged): assigned 2001:DB8:0:31::/64.
Customer home network link 2 (ZigBee): assigned 2001:DB8:0:32::/64.
The branch office gateway router provides IPv6 service to the branch office network.
DHCPv6 prefix delegation informs the branch office router of the prefix to use.
The branch office router assigns /64 prefixes from the delegated prefix to each branch office network link.
Add the interface index to the /48 prefix to generate a /64 for each link: with delegated prefix 2001:DB8:3::/48, assign prefix 2001:DB8:3:1::/64 to interface 1.
Figure: branch office deployment with enterprise DNS, management, the core router and the branch router. The branch router initiates DHCPv6; it receives an IPv6 address for the enterprise network link, the delegated prefix 2001:DB8:3::/48, and the list of DNS servers and other configuration. The branch router then assigns /64 prefixes from 2001:DB8:3::/48 to the branch office network links: enterprise network link, branch office link 0 (wireless), link 1 (desktop), link 2 (data center).
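The two address-construction steps described on these slides, carried out in code: the branch router carving a /64 per link out of its delegated /48, and a host on one of those links forming its address from the /64 and its MAC via modified EUI-64 (the stateless address auto-configuration slide earlier). This is an added example, not code from the session; the helper names and the input checks are this example's own, and it generalizes the slide to any delegated prefix of /64 or shorter.

```python
import ipaddress


def link_prefix(delegated, link_index):
    """/64 for one link inside a delegated prefix.

    Mirrors the slide: the interface index is appended to the delegated /48,
    so index 1 of 2001:DB8:3::/48 gives 2001:DB8:3:1::/64.  Works for any
    delegated length up to /64; the index must fit in the remaining bits.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    free_bits = 64 - net.prefixlen
    if not 0 <= link_index < (1 << free_bits):
        raise ValueError(f"link index {link_index} does not fit in {free_bits} bits")
    base = int(net.network_address)
    return ipaddress.IPv6Network((base | (link_index << 64), 64))


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291) from a 48-bit MAC."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # insert ff:fe in the middle and flip the universal/local bit of octet 0
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix, mac):
    """Address a host forms by stateless auto-configuration from a /64 and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("stateless auto-configuration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def branch_plan(delegated, link_names):
    """Map each link name to the /64 the branch router assigns it."""
    return {name: str(link_prefix(delegated, i)) for i, name in enumerate(link_names)}


if __name__ == "__main__":
    plan = branch_plan("2001:db8:3::/48", ["wireless", "desktop", "data-center"])
    for link, p in plan.items():
        print(f"{link:12} {p}")
    # the MAC from the auto-configuration slide, on link 0
    print(slaac_address(plan["wireless"], "00:14:51:d9:a4:5a"))
```

The U/L bit flip is why the slide's 00:14:51:... MAC shows up as ...:214:51ff:fed9:a45a and not ...:14:51ff:...; forgetting it is the usual mistake when reconstructing addresses by hand during an investigation.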
DHCPv6 snooping is typically used.
DHCPv6 leasequery (RFC 5007 and RFC 5460) allows a requesting router to obtain information about delegated prefixes from the DHCPv6 server.
Names
Figure: the DNS name tree. The root (.) has the top-level entries com, org and edu beneath it. Under com sits example (example.com.) and under that www (www.example.com.); under edu sit purdue and bucknell, with cs as a further subdomain.
The database key is a Fully Qualified Domain Name (FQDN), which consists of a string of tokens (labels) separated by "."
Example: www.cisco.com
The data is stored in Resource Records (RRs), of which there are many types; examples are A, AAAA, PTR and MX.
The DNS is a product of the IETF, created to replace the original HOSTS.TXT file.
DNS Features
The DNS is designed for look-up queries
Information is logically grouped in zones; a zone is the unit of control, and modification rights and replication operations apply to zones.
Figure: two resource records for the same name (owner, TTL, class, type, data):
www.example.com. 1800 IN AAAA 2001:DB8:1:1::22
www.example.com. 1800 IN A    192.168.50.22
Queries
Lookup is based on FQDN, class, and type
Figure: a query for example.com. (class IN) and the returned RR: example.com. 4711 IN 192.168.1.1
Figure: decoded answer section of a query:
ipv6.google.com: type CNAME, class IN, cname ipv6.l.google.com
ipv6.l.google.com: type AAAA, class IN, addr 2001:4860:b004::68
Reverse Zone
PTR records used to resolve name for an IP address
IPv6: reversed dotted hexadecimal nibbles concatenated with IP6.ARPA. (for address 2001:db8:1:1::22):
2.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa 1800 IN PTR www.example.com
Zone delegations are based on the address components that become FQDN labels; it gets tricky when delegations are not on FQDN label boundaries.
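The nibble construction above, plus the boundary problem from the last line, in code. This is an added example, not code from the session: `reverse_name` builds the PTR owner name for an IPv4 or IPv6 address (the IPv6 case reproduces the 2001:db8:1:1::22 name on the slide), and `reverse_zone` returns the reverse zone that covers a prefix, or None when the prefix length does not fall on an octet (IPv4) or nibble (IPv6) boundary, which is exactly the case a plain NS delegation cannot express. The RFC 2317 remark is this example's note on the IPv4 workaround.

```python
import ipaddress


def reverse_name(address):
    """PTR owner name for one IPv4 or IPv6 address; trailing dot marks it as an FQDN."""
    addr = ipaddress.ip_address(address)
    if addr.version == 4:
        return ".".join(str(addr).split(".")[::-1]) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")        # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix):
    """Reverse zone covering `prefix`, or None when the length is off a label boundary.

    IPv4 labels are octets (8 bits) and IPv6 labels are nibbles (4 bits), so
    e.g. a /26 or a /62 has no zone of its own.  For IPv4 the usual workaround is
    the classless in-addr.arpa scheme of RFC 2317 (CNAMEs into a sub-zone).
    """
    net = ipaddress.ip_network(prefix, strict=True)
    bits_per_label = 8 if net.version == 4 else 4
    if net.prefixlen % bits_per_label:
        return None
    keep = net.prefixlen // bits_per_label
    labels = reverse_name(str(net.network_address)).split(".")
    total = 4 if net.version == 4 else 32            # address labels before the arpa suffix
    return ".".join(labels[total - keep:])


def ptr_record(address, fqdn, ttl=1800):
    """Zone-file line for the PTR record of `address`, as on the slide."""
    return f"{reverse_name(address)} {ttl} IN PTR {fqdn}"


if __name__ == "__main__":
    print(ptr_record("2001:db8:1:1::22", "www.example.com."))
    print(ptr_record("192.168.50.22", "www.example.com."))
    for p in ("2001:db8:1:1::/64", "192.168.50.0/24", "192.168.50.0/26", "2001:db8::/62"):
        print(f"{p:20} -> {reverse_zone(p)}")
```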
60 percent of Internet users are non-English speakers, while the dominant language used on the Internet is English.
Enter the URL http://.
This is example.test in Korean Hangul script; the result is a query for xn--9n2bp8q.xn--9t4b11yi5a
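What the resolver actually does with that name, as an added example that is not part of the session: the browser converts each Unicode label to its Punycode "A-label" (the xn-- form) before the DNS query is sent, and the ASCII form on the slide can be converted back. The `label_report` helper and its script detection (derived from Unicode character names, so an approximation) are this example's own additions, useful when reviewing what an IDN in a log line really says.

```python
import unicodedata


def idn_to_unicode(name):
    """Decode the A-label form (xn--...) a resolver sends into the Unicode form a user sees."""
    return name.encode("ascii").decode("idna")


def idn_to_ascii(name):
    """Encode a Unicode domain name into the ASCII form actually placed in DNS queries."""
    return name.encode("idna").decode("ascii")


def label_report(name):
    """Per-label view of a name: ASCII form, Unicode form, whether it needed Punycode,
    and the Unicode scripts its non-ASCII characters come from (first word of the
    character name, e.g. HANGUL, CYRILLIC; an approximation of the script property)."""
    report = []
    for a_label in idn_to_ascii(name).split("."):
        u_label = a_label.encode("ascii").decode("idna")
        scripts = {unicodedata.name(ch, "?").split()[0] for ch in u_label if not ch.isascii()}
        report.append({"ascii": a_label, "unicode": u_label,
                       "punycoded": a_label.startswith("xn--"), "scripts": sorted(scripts)})
    return report


if __name__ == "__main__":
    wire_name = "xn--9n2bp8q.xn--9t4b11yi5a"     # the slide's query name
    shown = idn_to_unicode(wire_name)
    print(shown, "->", idn_to_ascii(shown))
    for entry in label_report(wire_name):
        print(entry)
```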
IDN
Figure: domain versus zone. The root zone holds the top-level entries com, org and edu. com is a domain; the example.com zone (example, www) and the purdue.edu zone (purdue, cs) are separate zones, while bucknell sits under edu. Legend: domain, zone.
Recursive servers provide the resolution service.
Hosts and recursive servers must be able to issue DNS queries about the zones you administer.
Authoritative servers respond to queries for FQDNs under their authority.
Figure: FQDN resolution path through the DNS database: application, stub resolver, recursive server, Internet, root server.
Figure: resolution of a name to 1.2.3.4 via the recursive server.
4. The recursive server returns the IP address to the stub resolver in a DNS protocol message.
5. The stub resolver communicates the IP address to the application.
Recursive Resolution
Figure: www.widgets.example.com? NS for com = a, b, c; NS for example.com = x, y; NS for widgets.example.com = m, n; www.widgets.example.com = 1.2.3.4
1. Question = resolve www.widgets.example.com. In the DNS protocol the question will always be the same.
2. Ask the root server(s) (known via the hint list); they will only answer which server(s) know com., which is likely a top level domain (TLD).
3. Ask the server(s) for com.; they return an NS list of servers that know about example.com.
4. Ask the server(s) for example.com.; depending on how the zones are laid out they might return the answer for www.widgets.example.com or else return an NS list of servers that know about widgets.example.com.
5. Finally the widgets.example.com name server returns the answer.
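The five steps above run against a constructed in-memory set of authoritative servers. This is an added example, not code from the session: the server names (a.root, a, x, m), the records they hold and the extra mail.example.com record are made up to match the figure, and for simplicity only the first server in each NS list is asked. The recursive server's only job is to follow referrals right to left until a server that is authoritative for the name answers or says the name does not exist.

```python
ROOT_HINTS = ["a.root"]          # constructed hint list: where resolution always starts

# Constructed authoritative data, keyed by server name.  Each server knows the
# zone it serves, the NS lists of the child zones it delegates, and the
# records it holds itself (step 4 on the slide: the answer may live in the
# parent zone instead of being delegated further).
AUTH = {
    "a.root": {"zone": ".", "delegations": {"com.": ["a", "b", "c"]}, "records": {}},
    "a":      {"zone": "com.", "delegations": {"example.com.": ["x", "y"]}, "records": {}},
    "x":      {"zone": "example.com.",
               "delegations": {"widgets.example.com.": ["m", "n"]},
               "records": {"mail.example.com.": "192.0.2.25"}},
    "m":      {"zone": "widgets.example.com.", "delegations": {},
               "records": {"www.widgets.example.com.": "1.2.3.4"}},
}


def in_zone(name, zone):
    """True when `name` lies at or below `zone` (both with trailing dots)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def ask(server, qname):
    """One query to one authoritative server: answer, referral, NXDOMAIN or refused."""
    data = AUTH[server]
    if not in_zone(qname, data["zone"]):
        return "refused", None              # server is not authoritative for the name
    # the most specific delegation the server knows about wins
    for child in sorted(data["delegations"], key=len, reverse=True):
        if in_zone(qname, child):
            return "referral", data["delegations"][child]
    if qname in data["records"]:
        return "answer", data["records"][qname]
    return "nxdomain", None


def resolve(qname, max_steps=10):
    """Iterate from the root hints, following referrals; the question never changes.

    Returns (address or None, trail of (server, outcome) pairs)."""
    if not qname.endswith("."):
        qname += "."
    servers, trail = ROOT_HINTS, []
    for _ in range(max_steps):              # bound protects against referral loops
        server = servers[0]
        kind, payload = ask(server, qname)
        trail.append((server, kind))
        if kind == "referral":
            servers = payload
        elif kind == "answer":
            return payload, trail
        else:
            return None, trail
    raise RuntimeError("too many referrals for " + qname)


if __name__ == "__main__":
    for name in ("www.widgets.example.com", "mail.example.com", "nope.example.com"):
        addr, trail = resolve(name)
        print(name, "->", addr, " ".join(f"{s}:{k}" for s, k in trail))
```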
Resolution Details
Recursive server provides complete resolution
Recursive server follows pointers to contact next name server to work its way through the components from right to left
Delegation = name servers return pointers to next name server(s)
Slave servers answer all requests authoritatively; they obtain their information only from the master.
Place them close to your own hosts, and in your DMZ, reachable from outside.
Figure (DNS placement, one slide per variant): the network is divided into Internet, External, DMZ and Internal; Router B carries 192.168.2.2 and 192.168.3.5, with 1.168.51.15 on the outside. The variants show a hidden master (authoritative) on the internal network, a slave in the DMZ (authoritative), and the access network.
Figure: threat points around the example master name server, the example slave name server, the recursive server and the stub resolver.
1. (master name server)
2. False zone transfers
3. Spoofed responses to recursive server queries
4. Spoofed responses to stub resolver queries
TSIG between DNS components that are part of the same administrative organization and that can share a private key:
Zone transfers
Resolution requests/responses between the stub resolver and the recursive server
The resolver authenticates the signature using the matching public key.
An RRset with its signatures can be forwarded and cached.
The hash of the public key for example.com is stored in a DS RR in the com zone; the public key itself is stored in a DNSKEY RR in the example.com zone.
A resolver with the public key for com:
Uses the public key for com to authenticate the signature of the DS RR for example.com
Retrieves the public key for example.com from the DNSKEY RR in the example.com zone and authenticates it against the DS RR
Resolves www.example.com and authenticates the RR(s) with the key from the example.com DNSKEY RR
Figure: chain of trust. com. zone: example.com IN DS (hash for the public key of example.com) with an RRSIG (xyz23Cryryptogrm4d3DS) signed by the com DNSKEY. example.com. zone: example.com IN DNSKEY; www.example.com IN A 64.64.64.64 with an RRSIG (3245sdFD56G4ggf15R5) signed by the example.com DNSKEY. Arrows mean "authenticated by".
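The three validation steps from the slide, carried out in code over the figure's two zones. This is an added example, not code from the session or from any DNS software: signatures use a textbook RSA with fixed small primes (asymmetric like DNSSEC's keys, but far too small to be secure, and constructed only so the chain can be walked offline), the DS digest follows the real recipe SHA-256(owner name in wire format || DNSKEY RDATA), and the DNSKEY RDATA encoding of the toy key is simplified. The validator stops at the first link that fails, which is the behaviour a security engineer wants to see when a zone is tampered with.

```python
import hashlib

E = 65537   # public exponent shared by all toy keys


def make_key(p, q):
    """Toy RSA key from two primes; constructed, insecure, illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}


def public_part(key):
    return {"n": key["n"], "e": key["e"]}


def sign(priv, data):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % priv["n"]
    return pow(h, priv["d"], priv["n"])


def verify(pub, data, sig):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % pub["n"]
    return pow(sig, pub["e"], pub["n"]) == h


def name_wire(name):
    """Owner name in DNS wire format (length-prefixed labels, lower-cased)."""
    out = b"".join(bytes([len(l)]) + l.lower().encode() for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def dnskey_rdata(pub):
    # flags 257 (KSK), protocol 3, algorithm 8; key bytes simplified for the toy key
    return b"\x01\x01\x03\x08" + pub["n"].to_bytes(16, "big") + pub["e"].to_bytes(4, "big")


def ds_digest(owner, pub):
    """DS digest (SHA-256 variant): hash over owner name wire format plus DNSKEY RDATA."""
    return hashlib.sha256(name_wire(owner) + dnskey_rdata(pub)).hexdigest()


def rrset_bytes(owner, rtype, rdata):
    """Bytes the RRSIG covers in this model: owner, type and RDATA."""
    return name_wire(owner) + rtype.encode() + rdata.encode()


COM_KEY = make_key(1000000007, 998244353)          # com. zone signing key (constructed)
EXAMPLE_KEY = make_key(2147483647, 1000000009)     # example.com. key (constructed)


def build_zones():
    """The two zones of the figure: DS + RRSIG in com., DNSKEY and signed A in example.com."""
    ex_pub = public_part(EXAMPLE_KEY)
    ds = ds_digest("example.com.", ex_pub)
    com_zone = {"DS": {"owner": "example.com.", "rdata": ds,
                       "rrsig": sign(COM_KEY, rrset_bytes("example.com.", "DS", ds))}}
    example_zone = {"DNSKEY": ex_pub,
                    "A": {"owner": "www.example.com.", "rdata": "64.64.64.64",
                          "rrsig": sign(EXAMPLE_KEY, rrset_bytes("www.example.com.", "A", "64.64.64.64"))}}
    return com_zone, example_zone


def validate_www(com_zone, example_zone, trusted_com_key):
    """Walk the chain in the slide's order; returns (ok, address or reason)."""
    ds = com_zone["DS"]
    if not verify(trusted_com_key, rrset_bytes(ds["owner"], "DS", ds["rdata"]), ds["rrsig"]):
        return False, "DS RRSIG from com. does not verify"
    if ds_digest("example.com.", example_zone["DNSKEY"]) != ds["rdata"]:
        return False, "example.com. DNSKEY does not match the DS in com."
    a = example_zone["A"]
    if not verify(example_zone["DNSKEY"], rrset_bytes(a["owner"], "A", a["rdata"]), a["rrsig"]):
        return False, "A RRSIG from example.com. does not verify"
    return True, a["rdata"]


if __name__ == "__main__":
    com_zone, ex_zone = build_zones()
    print(validate_www(com_zone, ex_zone, public_part(COM_KEY)))
    forged = dict(ex_zone, A=dict(ex_zone["A"], rdata="10.0.0.1"))
    print(validate_www(com_zone, forged, public_part(COM_KEY)))
```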
Processes for key and trust anchor management and rollover need to be worked out.
Organizations need to get their keying information into the TLDs.
RFC 5011 mechanisms need to be deployed for trust anchors.
The root zone has been signed since July 15, 2010.
Good information source: http://www.dnssec-deployment.org/
example.com Zone
The resolver can be configured with the public key for the example.com zone.
The resolver performs unsecured resolution through the root and com zones.
Then the resolver applies the example.com zone key for secure resolution within the example.com zone.
Dynamic Host Configuration Protocol (DHCP)
Domain Name System (DNS)
Interaction Between DNS and DHCP
Configuration of the host to know its DNS servers (and their evaluation order)
Configuration of the host for the evaluation order
Reverse delegation: delegation of IP addresses implies delegation of zone authority
The IP addresses in the A/AAAA RRs for a device's FQDN must reflect the IP addresses assigned to the host.
Static: simultaneously add entries to DHCP and DNS services
Automatic: simultaneously add entries when address is first assigned
Dynamic: add entries when address is first assigned; update RRs if address changes; delete RRs if lease expires
Authentication and authorization requires trust relationship with each host; does this scale?
Figure: DHCP client, DHCP relay agent and DHCP server on the organization network; the DNS database with root server, com name server, example name server and widgets name server.
Platform and proprietary solutions have existed, but a standardized version was missing
If addresses are assigned through DHCP, the network admin owns the address (reverse zone) and should have the DHCP server do the update.
The DHCP server can learn the host FQDN through DHCP options or can enforce its own naming policy.
If the client's name is used, this assumes an implicit trust relationship between host and DHCP server: the host is authorized to use the name.
Explicit authentication of the host identity, authorization of the host to use the name, and authentication of the DHCP message exchange is an unsolved problem.
Figure: DHCP service, DHCP client and name database.
The Cisco IOS DHCP client can perform DNS* or HTTP updates and uses the client FQDN option to communicate its choice to the DHCP server.
The Cisco IOS DHCP server can perform DNS* or HTTP updates and uses or overrides the client preference.
The DHCP service can be (and usually is) configured to pass information about DNS to the DHCP client via DHCP options:
Addresses of recursive servers
Related sessions:
BRKNMS-2010 Using a Network Hypervisor to Build Public and Private Clouds
BRKNMS-2031 SYSLOG Design, Methodology and Best Practices
BRKNMS-2035 Ten Cool LMS Tricks to Better Manage Your Network
BRKNMS-2501 Enterprise QoS Deployment, Monitoring and Management
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any Internet station or visit www.ciscolivevirtual.com.
Recommended Reading
Thank you.
Appendix A:
Terminology, Acronyms, References
Terminology
Class: A field in a DNS Resource Record that specifies the protocol group (usually IN for Internet)
DDNS: A method for dynamic updates to DNS data through DNS messages
DHCP Server: Responds to DHCP messages; manages IP address assignment and reclamation; assigns configuration information to hosts
DHCP Client: Initiates DHCP message exchanges; implemented on a host to obtain an IP address and other configuration information for the host
DHCP Relay Agent: A function of a network element, like a router, that forwards DHCP messages between clients and servers and possibly modifies the messages
DHCPv6 PD: Prefix delegation for DHCPv6; an extension to DHCPv6 that allows a DHCPv6 server to delegate prefixes to other DHCPv6 servers, thus forming a delegation hierarchy
DNSSEC: A method for securing DNS RRs using public/private keys and a trust chain to authenticate the public key
Terminology
Domain: A subtree of the global DNS name space. Often used to refer to an organization's subtree, e.g., the MIT domain, the ISI.EDU domain, the root domain
EDNS0: Updates to the DNS protocol, expanding several fields and allowing for longer UDP messages (RFC 2671)
FQDN: Fully qualified domain name; the name of a node in the DNS name space
Link: A communication facility or medium over which nodes can communicate at the link layer (RFC 2460)
Name Server: A program that holds DNS data and answers queries
ODAP: On Demand Address Pools; an extension to DHCPv4 that allows DHCP servers to assign and recover addresses in address pools
Prefix: A bit string that consists of some number of initial bits of an address (RFC 2461)
Recursive Server: A program that accepts a DNS resolution request from a host and exchanges DNS protocol messages to complete the name resolution
Terminology
Resolver: A program that accepts DNS resolution requests from an application and initiates a DNS protocol message exchange
Root Server: The name servers for the root of the DNS name space
RR: Resource Record; the atomic unit of information in the domain system
RRset: A set of all RRs associated with an FQDN and type
SIG(0): A method for securing DNS message exchanges using public/private keys (not in common use)
TLD: Top level domain; e.g., .com, .edu, .org, .uk
TSIG: A method for securing DNS message exchanges using a shared secret or GSS-API
TTL: Time-to-Live; a field in a DNS Resource Record that specifies how long a domain resolver should cache the RR before it throws it out and asks a domain server again
Zone: A portion of the DNS name space that is managed as a unit
DNS extensions (dnsext) working group of the IETF continues to develop extensions to DNS
DNS operations (dnsop) working group develops guidelines for the operation of DNS software servers and the administration of DNS zones
RFC 2317 (Classless in-addr.arpa)
RFC 2181 (DNS Clarification)
RFC 2845 (Secret Key Transaction Authentication)
RFC 2915 (NAPTR)
RFC 3152 (Delegation of ip6.arpa)
RFC 3363 (Representing IPv6 Addresses in DNS)
The Dynamic Host Configuration (DHC) working group of the IETF continues to develop extensions to DHCP:
New options for services, location information, relay agents
DHCP for IPv6 (published as RFC 3315 in 2003)
Significant Extensions
Relay agent options (RFC 3046)
DHCP message authentication (RFC 3118, RFC 4030)
DHCP for IPv6 (RFC 3315) and DHCPv6 prefix delegation (RFC 3633)
Many new options; redefinition of the option code space to allow for more DHCP options
IETF Standards
RFC 951 (Bootstrap Protocol)
RFC 1048, 1395, 1497, 1542, 2132 (BOOTP Vendor Info)
RFC 1534 (Interoperation Between DHCP and BOOTP)
RFC 3442 (The Classless Static Route Option for Dynamic Host Configuration Protocol [DHCPv4])
RFC 3495 (Dynamic Host Configuration Protocol (DHCP) Option for CableLabs Client)
RFC 3527 (Link Selection Suboption for the Relay Agent Information Option for DHCPv4)
RFC 3594 (PacketCable Security Ticket Control Suboption for the DHCP CableLabs Client Config [CCC])
RFC 3315, 3633, 3736 (DHCP for IPv6, Prefix option, Stateless DHCP for IPv6)
Figure: sample client hardware addresses.
00:fa:16:e1:2e:8b:12:aa
00:fa:66:e1:2b:8b:12:aa
00:fa:66:ee:2e:8b:12:aa
f0:fa:66:e1:2e:8b:12:aa
00:fa:88:e1:2e:8b:22:aa
00:fa:61:e1:2e:8b:12:aa
00:fa:66:e1:2e:8b:52:aa
00:fa:66:e1:2e:8b:12:9a
00:fa:66:e1:2e:8b:12:ea
IP address ranges: from which lease pool to assign client addresses (example: walled garden)
DNS server addresses: where clients should direct their DNS queries
DNS hostnames: what name to assign to clients
Denial of service: whether unauthorized clients should be offered leases at all
Figure: on the organization network, the DHCP packet from the DHCP client carries GIADDR = relay agent IP address 192.168.1.1, on network prefix 192.168.1.0/24.
The DHCP server uses the giaddr field of the DHCP packet as an index into the network topology and selects an address from 192.168.1.0/24.
Additional relay agent options encode information such as DOCSIS device class, subnet for address assignment
Figure: the DHCP request leaves the DHCP client; the relay agent adds GIADDR and option 82, and the request forwarded to the server carries both.
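The policy decisions listed a few slides earlier (pool, DNS servers, hostname, whether to offer at all) driven by the relay inputs shown here (giaddr as the topology index, option 82 relay information). This is an added example, not code from the session or from any DHCP server: the pools, the walled-garden range, the known-client table and the option 82 dictionary shape are all constructed for the example, and a non-relayed request (giaddr 0.0.0.0) is simply refused because the model only serves remote segments.

```python
import ipaddress

# Constructed policy: one lease pool per relay network (selected by giaddr),
# a walled-garden pool for clients the server does not recognise, and the
# per-decision outputs listed on the slide (range, DNS servers, hostname).
POOLS = {
    "192.168.1.0/24": {"range": ("192.168.1.100", "192.168.1.200"), "dns": ["192.168.1.53"]},
    "192.168.2.0/24": {"range": ("192.168.2.100", "192.168.2.200"), "dns": ["192.168.2.53"]},
}
WALLED_GARDEN = {"range": ("10.99.0.10", "10.99.0.250"), "dns": ["10.99.0.1"]}

# Constructed client database: hardware address -> administratively assigned name
KNOWN_CLIENTS = {
    "00:11:22:33:44:55": "printer-1",
    "00:11:22:33:44:66": "sensor-7",
}


def pool_for_relay(giaddr):
    """giaddr is the index into the topology: pick the pool whose network contains it."""
    relay = ipaddress.IPv4Address(giaddr)
    for name, pool in POOLS.items():
        if relay in ipaddress.IPv4Network(name):
            return name, pool
    return None, None


def decide(giaddr, chaddr, option82=None, unknown_policy="walled-garden"):
    """Policy decision for one relayed DHCPDISCOVER/DHCPREQUEST.

    Returns None when no lease should be offered (the slide's denial-of-service
    choice for unauthorized clients, or a relay with no configured pool), otherwise
    a dict with the pool, the DNS servers to hand out, the hostname to register in
    DNS, and the relay information kept for the lease record.
    """
    if giaddr == "0.0.0.0":
        return None                     # not relayed; this model only serves remote segments
    record = {"relay": giaddr, "circuit_id": (option82 or {}).get("circuit-id")}
    name = KNOWN_CLIENTS.get(chaddr.lower())
    if name is None:
        if unknown_policy == "deny":
            return None
        record.update(pool="walled-garden", dns=WALLED_GARDEN["dns"],
                      range=WALLED_GARDEN["range"],
                      hostname="guest-" + chaddr.replace(":", "")[-6:])
        return record
    pool_name, pool = pool_for_relay(giaddr)
    if pool is None:
        return None                     # no pool configured for the relay's network
    record.update(pool=pool_name, dns=pool["dns"], range=pool["range"], hostname=name)
    return record


if __name__ == "__main__":
    print(decide("192.168.1.1", "00:11:22:33:44:55", {"circuit-id": "eth1/7"}))
    print(decide("192.168.1.1", "aa:bb:cc:dd:ee:ff"))
    print(decide("192.168.1.1", "aa:bb:cc:dd:ee:ff", unknown_policy="deny"))
```

Keeping the circuit-id in the lease record is what makes a later "which port did this lease come from" question answerable from the server's own data rather than from switch logs.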