As I start working more and more with IPv6 and find myself having to address
services, I am wondering if there are any sort of written or unwritten
'conventions'/best practices that are being adopted about how to address
devices/servers/services.
Specifically:
1) Is there a general convention about addresses for DNS servers? NTP
servers? dhcp servers?
2) Are we tending to use different IPs for each service on a device?
3) Any common addresses/schemes for other common services?
(smtp/snmp/http/ldap/etc)?
Finally, what tools do people find themselves using to manage IPv6 and
addressing? It seems to me that IPAM is almost required to manage IPv6 in
any sane way, even for very small deployments (My home ISP gave me a /56 and
a /64).
I figured this was a fairly operational question/set of questions, so I hope
this is the right venue.
> As I start working more and more with IPv6 and find myself having to address
> services, I am wondering if there are any sort of written or unwritten
> 'conventions'/best practices that are being adopted about how to address
> devices/servers/services.
> Specifically:
> 1) Is there a general convention about addresses for DNS servers? NTP
> servers? dhcp servers?
> 2) Are we tending to use different IPs for each service on a device?
> 3) Any common addresses/schemes for other common services?
> (smtp/snmp/http/ldap/etc)?
Depends mostly on personal preference I would say.
Same applies to IPv4 as IPv6.
If you want a service to map always to a specific IP, eg because you
anycast/failover-IP it, then a "service IP" makes sense.
If you have a smaller deployment then just a service per host and/or
using CNAMEs (except for MX) can make sense.
Only thing you might want to know is that 2000::/3 is global unicast,
that there is ULA and link-local. For the rest you don't need to know
anything about address blocks, just what the address space is that is
routed to you and that is what you get to use.
> Finally, what tools do people find themselves using to manage IPv6 and
> addressing? It seems to me that IPAM is almost required to manage IPv6 in
> any sane way, even for very small deployments (My home ISP gave me a /56 and
> a /64).
> 1) Is there a general convention about addresses for DNS servers? NTP
> servers? dhcp servers?
There are people who do stuff like blah::53 for DNS, or blah:193:77:81:20 for a machine that has IPv4 address 193.177.81.20.
For the DNS, I always recommend using a separate /64 for each one, as that way you can move them to another location without having to renumber, and make the addresses short, so a ::1 address or something, because those are the IPv6 addresses that you end up typing a lot.
For all the other stuff, just use stateless autoconfig or start from ::1 when configuring things manually although there is also a little value in putting some of the IPv4 address in there. Note that 2001:db8::10.0.0.1 is a valid IPv6 address. Unfortunately when you see it copied back to you it shows up as 2001:db8::a00:1 which is less helpful.
> 2) Are we tending to use different IPs for each service on a device?
No, the same Internet Protocol.
> Finally, what tools do people find themselves using to manage IPv6 and
> addressing?
Stateless autoconfig for hosts, EUI-64 addressing for routers, VLAN ID in the subnet bits. That makes life simple. Simple be good.
>> 1) Is there a general convention about addresses for DNS servers? NTP
>> servers? dhcp servers?
> There are people who do stuff like blah::53 for DNS, or blah:193:77:81:20
> for a machine that has IPv4 address 193.177.81.20.
> For the DNS, I always recommend using a separate /64 for each one, as that
> way you can move them to another location without having to renumber, and
> make the addresses short, so a ::1 address or something, because those are
> the IPv6 addresses that you end up typing a lot.
> For all the other stuff, just use stateless autoconfig or start from ::1
> when configuring things manually although there is also a little value in
> putting some of the IPv4 address in there. Note that 2001:db8::10.0.0.1 is a
> valid IPv6 address. Unfortunately when you see it copied back to you it
> shows up as 2001:db8::a00:1 which is less helpful.
>> 2) Are we tending to use different IPs for each service on a device?
> No, the same Internet Protocol.
>> Finally, what tools do people find themselves using to manage IPv6 and
>> addressing?
> Stateless autoconfig for hosts, EUI-64 addressing for routers, VLAN ID in
> the subnet bits. That makes life simple. Simple be good.
You may want to use some randomness to limit address scanning. Ymmv on how
well this works or applies, I do it.
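The host-address conventions traded in the two replies above (blah::53 for a DNS server, an IPv4 address embedded in the low bits, a random interface ID to limit scanning), as an added Python example built on the standard `ipaddress` module; this is not code from the thread, and the 2001:db8:0:1::/64 prefix is a constructed sample under the documentation prefix.

```python
"""Added example (not from the thread): the host-address conventions discussed
above, built with the standard library and then normalised the way a resolver
or OS prints them back. 2001:db8::/32 is the documentation prefix; the /64
used here is a constructed sample."""
import ipaddress
import secrets

PREFIX = "2001:db8:0:1::/64"  # constructed sample /64

def _base(prefix: str) -> int:
    """Integer value of the prefix with all host bits zero."""
    return int(ipaddress.IPv6Network(prefix).network_address)

def canonical(text: str) -> str:
    """Compressed lowercase form (RFC 5952) that tools will echo back."""
    return str(ipaddress.IPv6Address(text))

def service_address(prefix: str, host: int) -> str:
    """Short, typeable host numbers such as ::1 or ::53 for a DNS server."""
    return str(ipaddress.IPv6Address(_base(prefix) | host))

def embed_ipv4_binary(prefix: str, v4: str) -> str:
    """blah::10.0.0.1 style: the IPv4 value fills the low 32 bits. Valid,
    but it is echoed back in hex (a00:1), which is hard to recognise."""
    return str(ipaddress.IPv6Address(_base(prefix) | int(ipaddress.IPv4Address(v4))))

def embed_ipv4_digits(prefix: str, v4: str) -> str:
    """blah:193:177:81:20 style: each decimal octet becomes its own hex group
    (the digits "193" are read as 0x193), so it still looks like the IPv4."""
    iid = 0
    for octet in v4.split("."):
        iid = (iid << 16) | int(octet, 16)
    return str(ipaddress.IPv6Address(_base(prefix) | iid))

def random_host(prefix: str) -> str:
    """Random 64-bit interface ID, the scan-limiting idea from the reply above."""
    return str(ipaddress.IPv6Address(_base(prefix) | secrets.randbits(64)))

if __name__ == "__main__":
    print(canonical("2001:db8::10.0.0.1"))            # 2001:db8::a00:1
    print(service_address(PREFIX, 0x53))               # 2001:db8:0:1::53
    print(embed_ipv4_digits(PREFIX, "193.177.81.20"))  # 2001:db8:0:1:193:177:81:20
    print(random_host(PREFIX))
```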
> 1) Is there a general convention about addresses for DNS servers? NTP
> servers? dhcp servers?
DNS server addresses should be short and easy to type, as already
mentioned.
> 2) Are we tending to use different IPs for each service on a device?
In many cases yes - because that makes it possible to easily move the
service to a different box.
> Finally, what tools do people find themselves using to manage IPv6 and
> addressing?
Excel spreadsheets, HaCi.
> It seems to me that IPAM is almost required to manage IPv6 in
> any sane way, even for very small deployments (My home ISP gave me a /56 and
> a /64).
At least as long as you use static addresses. We like static, and tend
to stay away from SLAAC. We do *not* use EUI-64 for router links. For
customer links we use /64, for backbone links we use /124 (ensures
that SLAAC can never ever be used on the link, and also that the two
ends can be numbered ending in 1 and 2 - nice and simple).
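The address plan sketched in this reply and the earlier one (VLAN ID in the subnet bits, /124 backbone links whose ends are numbered 1 and 2, and for comparison the EUI-64 form that is tied to the NIC), as an added Python example that is not code from the thread; the 2001:db8:100::/56 allocation, the VLAN IDs and the MAC address are constructed samples.

```python
"""Added example (not from the thread): an address plan along the lines of the
replies above: VLAN ID in the subnet bits of a /56, /124 backbone links whose
ends are numbered 1 and 2, and a modified EUI-64 address for comparison.
The /56 allocation, VLAN IDs and MAC address are constructed samples."""
import ipaddress

ALLOCATION = "2001:db8:100::/56"  # constructed sample, like the OP's home /56

def vlan_subnet(alloc: str, vlan_id: int) -> str:
    """The /64 whose subnet bits equal the VLAN ID.
    A /56 leaves only 8 subnet bits, so VLAN IDs above 255 do not fit."""
    net = ipaddress.IPv6Network(alloc)
    subnet_bits = 64 - net.prefixlen
    if not 0 <= vlan_id < (1 << subnet_bits):
        raise ValueError(f"VLAN {vlan_id} does not fit in {subnet_bits} subnet bits")
    return str(ipaddress.IPv6Network((int(net.network_address) | (vlan_id << 64), 64)))

def link_ends(link: str) -> tuple:
    """Router ends of a point-to-point link: ...1 and ...2.
    A /124 is also never a SLAAC prefix, because SLAAC requires a /64."""
    net = ipaddress.IPv6Network(link)
    if net.prefixlen == 64:
        raise ValueError("a /64 would allow SLAAC on the link")
    base = int(net.network_address)
    return str(ipaddress.IPv6Address(base + 1)), str(ipaddress.IPv6Address(base + 2))

def eui64_address(subnet: str, mac: str) -> str:
    """Modified EUI-64 interface ID: flip the U/L bit of the first MAC octet
    and insert ff:fe in the middle. Tied to the NIC, so a NIC swap changes it."""
    o = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    iid = bytes([o[0] ^ 0x02]) + o[1:3] + b"\xff\xfe" + o[3:]
    base = int(ipaddress.IPv6Network(subnet).network_address)
    return str(ipaddress.IPv6Address(base | int.from_bytes(iid, "big")))

if __name__ == "__main__":
    lan = vlan_subnet(ALLOCATION, 10)                  # 2001:db8:100:a::/64
    print(lan, link_ends("2001:db8:100:ff::/124"))     # ('...ff::1', '...ff::2')
    print(eui64_address(lan, "00:11:22:33:44:55"))     # 2001:db8:100:a:211:22ff:fe33:4455
```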
>> 1) Is there a general convention about addresses for DNS servers? NTP
>> servers? dhcp servers?
> There are people who do stuff like blah::53 for DNS, or blah:193:77:81:20 for a machine that has IPv4 address 193.177.81.20.
> For the DNS, I always recommend using a separate /64 for each one, as that way you can move them to another location without having to renumber, and make the addresses short, so a ::1 address or something, because those are the IPv6 addresses that you end up typing a lot.
> For all the other stuff, just use stateless autoconfig or start from ::1 when configuring things manually although there is also a little value in putting some of the IPv4 address in there. Note that 2001:db8::10.0.0.1 is a valid IPv6 address. Unfortunately when you see it copied back to you it shows up as 2001:db8::a00:1 which is less helpful.
>> 2) Are we tending to use different IPs for each service on a device?
> No, the same Internet Protocol.
I believe he meant different IP addresses and I highly recommend doing so.
If you do so, then you can move services around and name things independent of
the actual host that they happen to be on at the moment without having to renumber
or rename.
>> Finally, what tools do people find themselves using to manage IPv6 and
>> addressing?
> Stateless autoconfig for hosts, EUI-64 addressing for routers, VLAN ID in the subnet bits. That makes life simple. Simple be good.
>>> 2) Are we tending to use different IPs for each service on a device?
>> No, the same Internet Protocol.
> I believe he meant different IP addresses
No, that can't be, he would have said "IP addresses".
> and I highly recommend doing so.
> If you do so, then you can move services around and name things independent of
> the actual host that they happen to be on at the moment without having to renumber
> or rename.
The DNS is already a layer of indirection so in most cases this makes things harder first (having to remember which address is on which host) so they may be easier later (not touching the DNS when services go to a new box). In my opinion, this isn't a good tradeoff most of the time. Only if you want/need addresses to be a particular way (like short for DNS servers) that's helpful.
I was reluctant to do stateless autoconfig for servers at first but it's really rock solid, as long as you're reasonably sure no rogue router advertisements will show up on the subnet in question there's no reason to avoid it.
> No, that can't be, he would have said "IP addresses".
>> and I highly recommend doing so.
>> If you do so, then you can move services around and name things independent of
>> the actual host that they happen to be on at the moment without having to renumber
>> or rename.
> The DNS is already a layer of indirection so in most cases this makes things harder first (having to remember which address is on which host) so they may be easier later (not touching the DNS when services go to a new box). In my opinion, this isn't a good tradeoff most of the time. Only if you want/need addresses to be a particular way (like short for DNS servers) that's helpful.
Far from it. Running services on separate IP addresses is extremely
important to enable services to move (to a different box) independently.
It has little to do with wanting addresses to be a particular way, and
much more to do with *other* places (e.g. firewalls) where IP addresses
are used and not names.
> I was reluctant to do stateless autoconfig for servers at first but it's really rock solid, as long as you're reasonably sure no rogue router advertisements will show up on the subnet in question there's no reason to avoid it.
>>>> 2) Are we tending to use different IPs for each service on a device?
>>> No, the same Internet Protocol.
>> I believe he meant different IP addresses
> No, that can't be, he would have said "IP addresses".
No, it is not uncommon at least in America for people to refer to IP addresses by the shorter
term "IPs".
>> and I highly recommend doing so.
>> If you do so, then you can move services around and name things independent of
>> the actual host that they happen to be on at the moment without having to renumber
>> or rename.
> The DNS is already a layer of indirection so in most cases this makes things harder first (having to remember which address is on which host) so they may be easier later (not touching the DNS when services go to a new box). In my opinion, this isn't a good tradeoff most of the time. Only if you want/need addresses to be a particular way (like short for DNS servers) that's helpful.
We can agree to disagree. You need to remember which box your particular
services are on anyway, so, I don't see much difference there. Often, the time
delay in DNS changes can be a blocking factor in addressing load issues
by moving things around quickly. IP addresses can be moved with much
greater agility than the DNS abstraction because there are too many broken
browsers and such out there (thank you Micr0$0ft) with ridiculous tendencies
to cache DNS information for a very long time (well beyond the TTL).
> I was reluctant to do stateless autoconfig for servers at first but it's really rock solid, as long as you're reasonably sure no rogue router advertisements will show up on the subnet in question there's no reason to avoid it.
Well, there is one reason... If you have to swap a NIC or any superset of
a NIC such as an entire machine, you'll have to update
DNS. If you forget to do the DNS update in such a circumstance, you
can blackhole a lot of traffic in the time it takes to figure that out.
And having persistent IP address-to-service mappings aside from DNS can also be useful for other things like firewall/IDS rules that often don't use DNS at all.