RA+DHCPv6+DDNS in DCs

Ben Jencks ben at bjencks.net
Tue Nov 15 23:17:19 CET 2011


On Nov 15, 2011, at 11:46 AM, Mark Kamichoff wrote:

> Hi - 
> 
> What do folks think about using RAs+DHCPv6+DDNS for IPv6 addressing in
> enterprise data centers vs traditional static addressing?
<snip>
> To further complicate the issue, firewall policies can also throw a
> wrench into this.  In the case of stateless DHCPv6 each server might
> still use EUI-64 (not even thinking about privacy extensions!) for the
> last 64-bits of the address.  Firewall policies will then have to rely
> on DNS since it would be absurd to swap out a NIC and have to update
> firewall configuration.  With stateful DHCPv6 and the server assigning
> IPv6 addresses to servers, firewall policies would still have to rely on
> DNS or the addition of each server would require a reservation during
> provisioning to always be guaranteed to receive the same address.
> 
> Am I stuck in an old mindset with this?  Or, am I missing something
> crucial?
> 
> If folks are out there using this type of dynamic addressing in DCs, I'd
> be curious to know how it's going and what kind of issues or problems
> you've had to work through, and whether it's "worth it" or not :)

We're a very small shop, but I'm going with straight-up SLAAC addressing. I'll add stateless DHCPv6 when I want to start using DNS over IPv6. The usual argument against this is the "don't want IP to change when you swap a NIC", but:
 * It's not a problem for VMs as they generally have their MACs specified as part of the VM definition, so it will be permanent across any moves or modifications. Plus, if you clone it and change the MAC, you automatically get a new IP address without having to change anything inside the VM.
 * Same with many blade enclosures.
 * With physical servers you can generally set the MAC, e.g. in /etc/network/interfaces.

If you're a big enough shop that manually handling DNS doesn't work, you can generate your zone files from your database of VMs (vSphere APIs or equivalents with other solutions), and either your inventory database (if using physical MACs) or whatever automation software is managing /etc/network/interfaces (if using your own MACs).

-Ben


More information about the ipv6-ops mailing list