RA+DHCPv6+DDNS in DCs

Mark Kamichoff prox at prolixium.com
Tue Nov 15 17:46:55 CET 2011


Hi - 

What do folks think about using RAs+DHCPv6+DDNS for IPv6 addressing in
enterprise data centers vs traditional static addressing?

Throughout the initial deployment in our organization, we've used static
assignment for servers and VIPs in the DCs and dynamic (SLAAC +
stateless DHCPv6 where it's available) assignment on campus networks. 
It's worked out fairly well.

I'm starting to hear certain vendors like Microsoft starting to preach
100% dynamic assignment in DCs via a combination of enabling RAs and
using DHCPv6+DDNS.  Their rationale is that static addressing hundreds
and thousands of servers with IPv6 addresses is hard (harder than IPv4),
and manually entering DNS entries is similarly undesirable.

At first thought, this seems like a fairly bad idea, as it relies on a
set of technologies that may or may not be implemented equally on all
types of operating systems (Windows, Linux, Solaris, AIX, etc.).  To me,
it seems like it adds more complexity and might actually be /harder/
than static assignments.

I don't mind DDNS by itself being used in DCs, but coupled with stateful
or stateless DHCPv6 triggered by RAs, basic connectivity to a single
server starts to rely on much more than just upstream network
connectivity (provided by VRRP, HSRP, etc.).

To further complicate the issue, firewall policies can also throw a
wrench into this.  In the case of stateless DHCPv6 each server might
still use EUI-64 (not even thinking about privacy extensions!) for the
last 64 bits of the address.  Firewall policies will then have to rely
on DNS since it would be absurd to swap out a NIC and have to update
firewall configuration.  With stateful DHCPv6 and the server assigning
IPv6 addresses to servers, firewall policies would still have to rely on
DNS or the addition of each server would require a reservation during
provisioning to always be guaranteed to receive the same address.

Am I stuck in an old mindset with this?  Or, am I missing something
crucial?

If folks are out there using this type of dynamic addressing in DCs, I'd
be curious to know how it's going and what kind of issues or problems
you've had to work through, and whether it's "worth it" or not :)

- Mark

-- 
Mark Kamichoff
prox at prolixium.com
http://www.prolixium.com/
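
The EUI-64 and firewall point raised in the message above, as an added example that is not part of the original post: it derives the SLAAC address from the RA prefix and the NIC's MAC, then shows an address-based firewall rule going stale after a NIC swap. The prefix, MAC addresses, host name and rule format are constructed for illustration.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from an advertised /64 when it uses EUI-64 (no privacy extensions)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def stale_rules(rules, current_hosts):
    """Rules whose destination address is no longer held by any known host."""
    live = set(current_hosts.values())
    return [r for r in rules if ipaddress.IPv6Address(r["dst"]) not in live]

# Constructed sample data (documentation prefix, made-up MACs and rule format).
PREFIX = "2001:db8:10:20::/64"
OLD_NIC = "00:1b:21:3c:4d:5e"
NEW_NIC = "00:25:90:aa:bb:cc"
RULES = [
    {"name": "allow-https-web01", "dst": str(slaac_address(PREFIX, OLD_NIC)), "port": 443},
]

def demo():
    """Audit the rule set before and after web01's NIC is replaced."""
    before = {"web01": slaac_address(PREFIX, OLD_NIC)}
    after = {"web01": slaac_address(PREFIX, NEW_NIC)}
    return stale_rules(RULES, before), stale_rules(RULES, after)

if __name__ == "__main__":
    ok, broken = demo()
    print("address with old NIC:", slaac_address(PREFIX, OLD_NIC))
    print("address with new NIC:", slaac_address(PREFIX, NEW_NIC))
    print("stale rules before swap:", [r["name"] for r in ok])
    print("stale rules after swap: ", [r["name"] for r in broken])
```
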