RA+DHCPv6+DDNS in DCs
Phil Mayers
p.mayers at imperial.ac.uk
Wed Nov 16 09:20:19 CET 2011
On 11/15/2011 04:46 PM, Mark Kamichoff wrote:
> Hi -
>
> What do folks think about using RAs+DHCPv6+DDNS for IPv6 addressing in
> enterprise data centers vs traditional static addressing?
One thing to note: DHCPv6 is actually poorly supported on even some
high-end network equipment, in some configurations.
For example: DHCPv6 does not work in 6vPE configurations on the Cisco
6500/sup720, if the next-hop address is via an MPLS LSP - it seems to do
the routing lookup wrong and ends up picking Null0 as an output
interface! I've bugged Cisco about this, and they're just not interested.
Sadly we're 6vPE everywhere, so it'll be some time before DHCPv6 is
available to us.
> Throughout the initial deployment in our organization, we've used static
> assignment for servers and VIPs in the DCs and dynamic (SLAAC +
> stateless DHCPv6 where it's available) assignment on campus networks.
> It's worked out fairly well.
Likewise.
> I'm starting to hear certain vendors like Microsoft starting to preach
> 100% dynamic assignment in DCs via a combination of enabling RAs and
> using DHCPv6+DDNS. Their rationale is that static addressing hundreds
> and thousands of servers with IPv6 addresses is hard (harder than IPv4),
> and manually entering DNS entries is similarly undesirable.
That seems like a poor argument. The server has to be provisioned
somehow, either physically or virtually, by someone or something. Even
if the VM is created automatically (e.g. cloned from a base template in
response to high load, boots & completes post-install) the system doing
the automatic creation could assign an IP, drop it into a .txt file for
the VM guest config scripts to read, and drop it into the DNS at the
same time.
When these vendors suggest it, who are they imagining will perform the
DDNS update - the DHCP server, or the host itself (presumably
authenticated)? If the latter, there's the authentication issues, and
support for the protocol, to consider.
Bind 9.8 can do GSSAPI TSIG quite well, but even the "external callout"
policy check mechanism is a bit weak w.r.t. limiting what the host can
actually put into DDNS.
> I don't mind DDNS by itself being used in DCs, but coupled with stateful
> or stateless DHCPv6 triggered by RAs, basic connectivity to a single
> server starts to rely on much more than just upstream network
> connectivity (provided by VRRP, HSRP, etc.).
I think DHCP can be made sufficiently reliable. DDNS - depends on who is
doing the update.
> firewall configuration. With stateful DHCPv6 and the server assigning
> IPv6 addresses to servers, firewall policies would still have to rely on
> DNS or the addition of each server would require a reservation during
> provisioning to always be guaranteed to receive the same address.
With the enormous address space available you could reserve ranges of
addresses big enough for any conceivable number of servers, grouped by
firewall policy:
permit src any dst 2001:db8:1:1::100:/112 service-group GROUP1
permit src any dst 2001:db8:1:1::200:/112 service-group GROUP2
permit src any dst 2001:db8:1:1::300:/112 service-group GROUP3
Or you could play nasty tricks like:
permit src any dst 2001:db8:1:1::80:/112 port 80
permit src any dst 2001:db8:1:1::443:/112 port 443
etc. etc.
Yes, I know... Point being a range-based approach, rather than a
per-server approach, can handle firewall rules.
I'm undecided about DHCPv6 for servers. Similarly DDNS. As it happens
however, our kit doesn't support DHCPv6 so it's a moot point for us.
Cheers,
Phil
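As an added illustration (not from the thread) of the two points in Phil's reply, the per-policy reserved ranges and the provisioning system doing the DNS update itself rather than the host: a Python sketch that allocates addresses from one /112 per firewall group, answers "which policy covers this address", and renders the nsupdate batch. The group names, ranges and hostname are constructed, and the post's `::100:/112` shorthand is written as `::100:0/112`.

```python
import ipaddress
from typing import Dict, Optional, Set

# Constructed example: one /112 reserved per firewall policy group, so a single
# range-based rule per group covers every server ever provisioned into it.
POLICY_RANGES: Dict[str, ipaddress.IPv6Network] = {
    "GROUP1": ipaddress.IPv6Network("2001:db8:1:1::100:0/112"),
    "GROUP2": ipaddress.IPv6Network("2001:db8:1:1::200:0/112"),
    "GROUP3": ipaddress.IPv6Network("2001:db8:1:1::300:0/112"),
}


class Allocator:
    """Hands out the next free address inside a policy group's reserved /112."""

    def __init__(self, ranges: Dict[str, ipaddress.IPv6Network]) -> None:
        self.ranges = ranges
        self.used: Set[ipaddress.IPv6Address] = set()

    def allocate(self, group: str) -> ipaddress.IPv6Address:
        net = self.ranges[group]  # KeyError for an unknown policy group
        # hosts() skips the subnet-router anycast address (::100:0).
        for host in net.hosts():
            if host not in self.used:
                self.used.add(host)
                return host
        raise RuntimeError(f"reserved range for {group} is exhausted")


def policy_group_for(addr: str, ranges: Dict[str, ipaddress.IPv6Network]) -> Optional[str]:
    """Reverse lookup: which firewall policy group's range contains this address?"""
    a = ipaddress.IPv6Address(addr)
    return next((g for g, net in ranges.items() if a in net), None)


def firewall_rules(ranges: Dict[str, ipaddress.IPv6Network]) -> str:
    """One range-based rule per group, in the same shape as the rules in the post."""
    return "\n".join(f"permit src any dst {net} service-group {g}" for g, net in ranges.items())


def nsupdate_script(fqdn: str, addr: str, ttl: int = 300) -> str:
    """nsupdate batch the provisioning system (not the host) sends: AAAA plus PTR.
    Two 'send's because the forward and ip6.arpa records live in different zones."""
    rev = ipaddress.IPv6Address(addr).reverse_pointer
    return "\n".join([
        f"update add {fqdn}. {ttl} AAAA {addr}",
        "send",
        f"update add {rev}. {ttl} PTR {fqdn}.",
        "send",
    ])
```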