RA+DHCPv6+DDNS in DCs
Brian E Carpenter
brian.e.carpenter at gmail.com
Wed Nov 16 00:35:23 CET 2011
Everybody,
In exactly this context, I would love to get comments on
http://tools.ietf.org/html/draft-carpenter-6renum-static-problem
I will be presenting this at the IETF in Taipei this week,
but feedback from the real world would be very welcome.
Comments on http://tools.ietf.org/html/draft-jiang-6renum-enterprise
and http://tools.ietf.org/html/draft-liu-6renum-gap-analysis
would also help.
Regards
Brian Carpenter
On 2011-11-16 05:46, Mark Kamichoff wrote:
> Hi -
>
> What do folks think about using RAs+DHCPv6+DDNS for IPv6 addressing in
> enterprise data centers vs traditional static addressing?
>
> Throughout the initial deployment in our organization, we've used static
> assignment for servers and VIPs in the DCs and dynamic (SLAAC +
> stateless DHCPv6 where it's available) assignment on campus networks.
> It's worked out fairly well.
>
> I'm starting to hear certain vendors like Microsoft starting to preach
> 100% dynamic assignment in DCs via a combination of enabling RAs and
> using DHCPv6+DDNS. Their rationale is that static addressing hundreds
> and thousands of servers with IPv6 addresses is hard (harder than IPv4),
> and manually entering DNS entries is similarly undesirable.
>
> At first thought, this seems like a fairly bad idea, as it relies on a
> set of technologies that may or may not be implemented equally on all
> types of operating systems (Windows, Linux, Solaris, AIX, etc.). To me,
> it seems like it adds more complexity and might actually be /harder/
> than static assignments.
>
> I don't mind DDNS by itself being used in DCs, but coupled with stateful
> or stateless DHCPv6 triggered by RAs, basic connectivity to a single
> server starts to rely on much more than just upstream network
> connectivity (provided by VRRP, HSRP, etc.).
>
> To further complicate the issue, firewall policies can also throw a
> wrench into this. In the case of stateless DHCPv6 each server might
> still use EUI-64 (not even thinking about privacy extensions!) for the
> last 64 bits of the address. Firewall policies will then have to rely
> on DNS since it would be absurd to swap out a NIC and have to update
> firewall configuration. With stateful DHCPv6 and the server assigning
> IPv6 addresses to servers, firewall policies would still have to rely on
> DNS or the addition of each server would require a reservation during
> provisioning to always be guaranteed to receive the same address.
>
> Am I stuck in an old mindset with this? Or, am I missing something
> crucial?
>
> If folks are out there using this type of dynamic addressing in DCs, I'd
> be curious to know how it's going and what kind of issues or problems
> you've had to work through, and whether it's "worth it" or not :)
>
> - Mark
>
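Added example, not part of the original thread: a sketch of the EUI-64 and firewall point raised in the quoted message. It derives the SLAAC address from a MAC (modified EUI-64, RFC 4291 Appendix A) and flags firewall rules pinned to an address that a NIC swap has changed. The prefix, MACs, host names and the rule/inventory layout are constructed for illustration.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC, got {mac!r}")
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from an advertised /64 when it uses EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return net[eui64_interface_id(mac)]

def stale_rules(rules: dict, prefix: str, inventory: dict) -> list:
    """Rules whose pinned /128 no longer equals the host's current address."""
    stale = []
    for host, pinned in sorted(rules.items()):
        current = slaac_address(prefix, inventory[host])
        if ipaddress.IPv6Address(pinned) != current:
            stale.append((host, pinned, str(current)))
    return stale

# Constructed sample data (documentation prefix, made-up MACs and hosts).
PREFIX = "2001:db8:0:10::/64"
RULES = {  # firewall rules written when the servers were provisioned
    "web01": "2001:db8:0:10:21b:21ff:fe3c:4d5e",
    "db01": "2001:db8:0:10:21b:21ff:fe00:1",
}
INVENTORY = {  # current MACs: web01 has had its NIC replaced
    "web01": "00:25:90:aa:bb:cc",
    "db01": "00:1b:21:00:00:01",
}

if __name__ == "__main__":
    for host, pinned, current in stale_rules(RULES, PREFIX, INVENTORY):
        print(f"{host}: rule pins {pinned}, host now uses {current}")
```
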