IP address management (IPAM) isn't a simple matter in a large network. It has to keep track of public addresses, network address translation, DNS records, DHCP leases, and IPv6 addresses. Without a reliable set of IPAM tools, a network can waste address space, encounter address collisions, develop security weaknesses, and suffer poor resiliency.
A small operation with a couple of dozen devices can manage its IP addresses manually. It can create a spreadsheet or a piece of paper that lists every device's address. Somewhat larger networks need just one DHCP server and can trust it to assign addresses for everyone. As networks grow bigger and more decentralized, though, such approaches break down.
When two devices try to use the same address, they encounter a serious loss of stability. Routers will disconnect and reconnect them in an attempt to resolve the problem. DHCP servers may repeatedly change a device's address. If one of the devices in question is a server, the address clash can disrupt the whole network.
The increasing use of the devices known as the Internet of Things can make the number of addresses on a network grow dramatically, adding to IPAM complications. It may force a move to IPv6 in order to maintain enough addresses without excessive juggling.
The v4 and v6 worlds
It's become almost a necessity to have IPv6 addresses for public-facing devices, yet it's hard to completely abandon IPv4. Many networks have to manage both kinds of addresses in parallel. IPv6 was supposed to eliminate the need for NAT and let every device have an unchanging address, but the situation has proven more complicated. A network can assign IPv6 addresses to its devices statefully through DHCPv6, which means there are now two sets of potentially dynamic addresses to deal with.
Many networks, including such large enterprises as Microsoft, have moved their internal networks exclusively to IPv6. This eases the problem of allocating addresses, but NAT is still there, translating from public IPv4 to internal IPv6. NAT64, using either stateful or stateless mapping, is an often-used approach.
A large organization will have multiple subnets, often independently managed. Address spaces need to be allocated efficiently. If a subnet runs out of addresses, or if it's so large that other subnets can't get enough addresses, their ranges have to be reallocated, possibly forcing changes to existing static addresses. IPAM should be set up to anticipate future needs so that every department has reasonable room for growth.
This means tracking each subnet from a central point of management. If subnet ranges and masks are allocated haphazardly, subnets can overlap, and two or more machines may end up claiming the same address.
Switches and DHCP servers can be misconfigured with subnet masks that don't match the ones they are supposed to use. If the actual subnets don't match the documented ones, the trouble will grow over time.
IPAM isn't just a matter of allocating IP addresses. As a network discipline, it needs to be treated together with DNS and DHCP management. A network which uses many subdomains and changes them frequently will need to manage its own DNS zone. Its A and AAAA records need to map domain names to the correct IPv4 and IPv6 addresses respectively.
Normally, it's best for domains to map to fixed IP addresses. When a large number of subdomains exist — for instance, one for each account — this may not be practical. The DNS server needs to coordinate with the IPAM and update its address records whenever address assignments change. The records need to have a short TTL (time to live), and IP addresses should change as rarely as possible.
If the DNS server can't stay up to date with changing IP addresses, the network has to limit itself to static addresses for each subdomain. This may prevent optimal allocation of resources.
Most networks rely heavily on DHCP and DHCPv6 for management of IP addresses. This is fairly easy when there's just one DHCP server. When multiple DHCP servers serve the same network, some care is needed. "Rogue" servers — usually meaning misconfigured ones, not surreptitiously installed ones — are a special headache.
One reason for having multiple DHCP servers is to provide failover capability. Another reason is to partition the responsibility, either to limit the burden on any server or to keep the physical distance from machine to server low. In the latter case, each server needs to manage a separate range of addresses. While this is straightforward to set up, errors can be hard to locate.
You'll sometimes see the term DDI for "DHCP, DNS, and IPAM." As used today, the term IPAM covers all three, so the two are equivalent.
Individual devices may misbehave. They may statically assign themselves addresses instead of using DHCP. Users may do this with their own computers, either by mistake or because they have some use in mind for a fixed address. Non-user devices such as printers may be set up statically so that users can easily address them; if this gets forgotten and a DHCP server tries to allocate the address, trouble will follow.
A DHCP server may be set up with a range of reserved addresses. Later, under pressure from a growing pool of devices, the admin may expand the range of dynamically assignable addresses. If this conflicts with a static address that the admin isn't aware of, that's trouble again.
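Two of the checks described above, overlapping subnets and a DHCP pool that has been widened until it covers a forgotten static address, as an added Python example that is not part of the article; the subnet names, CIDR ranges, DHCP pools and static hosts are constructed sample data.

```python
import ipaddress
from itertools import combinations

# Constructed IPAM records (sample data, not from any real network).
SUBNETS = {
    "eng-lan": "10.10.0.0/23",
    "eng-lab": "10.10.1.0/24",        # carved out of eng-lan without shrinking eng-lan
    "finance": "10.20.0.0/24",
    "guest-wifi": "172.16.50.0/24",
    "eng-v6": "2001:db8:10::/64",
}
# DHCP pools as "first-last" address ranges; the finance pool was later widened.
DHCP_SCOPES = {
    "eng-lan": "10.10.0.50-10.10.0.250",
    "finance": "10.20.0.20-10.20.0.200",
}
# Addresses configured statically on the devices themselves.
STATIC_HOSTS = {
    "fin-printer-1": "10.20.0.150",
    "eng-fileserver": "10.10.0.10",
}

def parse_range(spec):
    """Turn 'a.b.c.d-w.x.y.z' into a (first, last) pair of address objects."""
    first, last = (ipaddress.ip_address(s.strip()) for s in spec.split("-"))
    return first, last

def find_overlapping_subnets(subnets):
    """Return (name_a, name_b) for every pair of documented subnets that share addresses."""
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in subnets.items()}
    return [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2) if na.overlaps(nb)]

def find_scope_conflicts(scopes, static_hosts):
    """Return (host, ip, scope) for each static address that a DHCP pool could also hand out."""
    conflicts = []
    for scope, spec in scopes.items():
        first, last = parse_range(spec)
        for host, ip in static_hosts.items():
            addr = ipaddress.ip_address(ip)
            # Addresses of different families are never comparable, so skip them.
            if addr.version == first.version and first <= addr <= last:
                conflicts.append((host, ip, scope))
    return conflicts

if __name__ == "__main__":
    for a, b in find_overlapping_subnets(SUBNETS):
        print(f"overlap: {a} ({SUBNETS[a]}) and {b} ({SUBNETS[b]})")
    for host, ip, scope in find_scope_conflicts(DHCP_SCOPES, STATIC_HOSTS):
        print(f"conflict: static {host} at {ip} lies inside DHCP pool {scope}")
```

Running the same checks against the live configuration pulled from switches and DHCP servers, rather than against the documented plan alone, is what catches the documented-versus-actual drift mentioned above.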
Virtualization and cloud services
The growth of virtualization means IP addresses aren't tied to physical machines. VMs may appear and disappear on a regular basis. The hypervisor assigns them addresses upon their creation and has to recycle them in an orderly way. Cloud services present similar issues.
Sometimes a task will spawn a large number of VMs for a short period. There has to be a sufficient range of addresses to handle these bursts. If a subnet approaches its capacity, some kind of action is necessary. A flexible IPAM system can give the hypervisor more addresses on a temporary basis. If no automated fix is available, the administrators should get an alert before the generation of VMs has to stop short.
Cloud services are a form of virtualization, but they can present additional problems. Businesses often add services without going through as careful a process as they would for on-premises systems. If they need to map the service to their own address space, the managers may snag an address range informally. The service might not get as many addresses as it needs, or the addresses may conflict with ones assigned to another cloud service. Centrally based IPAM prevents these problems.
IPAM and security
Information from the management of IP addresses is valuable for maintaining network security. If an address is found in use that shouldn't be, that could indicate an unauthorized device on the network. If abnormal traffic is coming from a specific address, IPAM helps to find just what device is responsible. The addresses in log files are meaningful only if it's possible to tell what device was using an address at a given time.
The network may assign permissions based on IP addresses. For this to provide a real security benefit, it's important that devices stay in the IP ranges assigned to them. One that should have access could lose it by getting the wrong address, and another device could gain excessive privileges the same way.
If a network allows guest devices, such as smartphones, it shouldn't give them all the privileges a company-owned device has. The visiting devices should have their own IP address range so that firewalls and servers can distinguish them. IP address management can ensure that these devices don't wander outside their pen.
"Shadow IT" may add devices to a network and assign them addresses without going through proper channels. They can create not only address collisions but security risks in the process. IPAM can detect these unauthorized addresses and find out what's going on.
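The time-aware lookup that the security section calls for, as an added Python example that is not part of the article: it attributes the source addresses in constructed firewall log lines to devices through a constructed DHCP lease history and static reservations, and flags addresses that no lease or reservation explains, the "shadow IT" case above. The log line format and every address, MAC and hostname are assumed sample data.

```python
import ipaddress
import re
from datetime import datetime

# Constructed DHCP lease history: who held an address and when (UTC). Not from any real network.
LEASE_HISTORY = [
    ("10.10.0.77", "aa:bb:cc:00:00:01", "laptop-alice", "2024-03-01T08:00:00Z", "2024-03-01T16:00:00Z"),
    ("10.10.0.77", "aa:bb:cc:00:00:02", "laptop-bob",   "2024-03-01T16:30:00Z", "2024-03-02T00:30:00Z"),
]
STATIC_HOSTS = {"10.10.0.10": "eng-fileserver"}      # addresses reserved outside DHCP
DOCUMENTED_SUBNETS = [ipaddress.ip_network(c) for c in ("10.10.0.0/23", "172.16.50.0/24")]

# Constructed firewall log lines; the "<ISO-8601 time> src=<ip> ..." format is an assumption.
LOG_LINES = [
    "2024-03-01T12:15:00Z src=10.10.0.77 dst=10.20.0.5 action=deny",
    "2024-03-01T17:00:00Z src=10.10.0.77 dst=10.20.0.5 action=deny",
    "2024-03-01T17:05:00Z src=10.10.0.10 dst=203.0.113.9 action=allow",
    "2024-03-01T17:10:00Z src=10.10.1.200 dst=203.0.113.9 action=allow",
    "2024-03-01T17:12:00Z src=10.99.0.4 dst=203.0.113.9 action=allow",
]
LOG_RE = re.compile(r"^(\S+) src=(\S+)")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def attribute(ip, when):
    """Name the device that held `ip` at time `when`, or say why IPAM cannot."""
    if ip in STATIC_HOSTS:
        return f"static:{STATIC_HOSTS[ip]}"
    for lease_ip, mac, host, start, end in LEASE_HISTORY:
        if lease_ip == ip and parse_ts(start) <= when <= parse_ts(end):
            return f"lease:{host}/{mac}"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in DOCUMENTED_SUBNETS):
        # Inside a managed subnet yet never handed out: a candidate unauthorized device.
        return "UNKNOWN: in a managed subnet but no lease or reservation explains it"
    return "UNALLOCATED: address outside every documented subnet"

def attribute_log(lines):
    """Return (timestamp, ip, attribution) for each log line matching LOG_RE."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2), attribute(m.group(2), parse_ts(m.group(1)))))
    return out

if __name__ == "__main__":
    for ts, ip, who in attribute_log(LOG_LINES):
        print(ts, ip, "->", who)
```

The same address resolves to two different laptops depending on the timestamp, which is why a current-leases snapshot alone is not enough for log analysis.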
Errors in the assignment of IP addresses can create unreliable connections and security problems. Poor control over their assignment can waste parts of the available address range, making it more difficult to allocate addresses efficiently. Modern networks, which may have thousands of devices, require a more robust approach than lists of addresses. IPAM tools centralize administrators' control over the address space and let them easily discover errors and poor configurations. These tools play an important role in keeping a network running smoothly and minimizing downtime.