Who is responsible for managing your unit’s IP space? Is it you? Is it the 255A or 53? Do you actually have someone who is responsible for issuing and controlling the IP space for the unit? There was a recent discussion in the 255N Facebook group about things we can do to secure the network. One of the things brought up was knowing every device that was on the network. While that is important (and one I will get too shortly), today I want to talk about something a little simpler, knowing where all of your IP space is.
Seven years ago when I was a new net tech, I took over the network for 2/1 ID. At the time, the unit was running the MITT mission but we soon transitioned to a normal HBCT. As part of that, we were fielded with WIN-T and I became the keeper of our network space. At the time that meant 28 SIPR and 16 NIPR class C networks (or a total of 11,264 addresses altogether).
No one appointed me as the keeper of the IP space. Truth be told, initially I didn’t even worry about it. I had a bright shiny LDIF that very nicely laid out where every single IP address resided. On the off chance that I needed a spare slice of IP space, they were identified in the LDIF too, and I would simply grab one without worrying much about it. This system worked fine for probably about 2 years until the time came for me to come to Fort Irwin for my NTC rotation. So what happened at NTC? For the first time I was forced to integrate enablers, we received systems that we were supposed to have, but were never fielded, etc. In short, people needed IP addresses and someone had to hand them out. I quickly tried to fill the role, once again looking to our LDIF for the answers only to find out that addresses were being used and I wasn’t tracking it.
Fast-forward to October 2008 when I deployed to Iraq and the situation exploded. Instead of falling into a network where I would deploy my 6 CPNs and 2 JNNs, I had that an additional JNN, 5 or 6 CPNs attached to me, and a huge hodgepodge of other systems that had been thrown together to support the nearly 30 locations my unit was taking over. And the scary part was that most of these systems didn’t have their own organic IP space attached to them and the unit (2/101) that I was replacing wanted their IP space back when they left a few weeks later. Managing IP space quickly moved from being a not bad idea to an absolute necessity.
So what is the LDIF? The LDIF is basically the address book for all of the systems within an unit that tells them how to talk to each other. The file itself is only a single file, but it is vitally important that it is complete and accurate. Depending on the system, it can be addressed in up to three different ways; IP Address, role name, and unit reference number (URN). You can think of the LDIF as similar to DNS, it takes one way of identifying a system, and converts it into another form to allow communications.
The LDIF is centrally managed by the Army (although units are able to request changes) and needs to be updated as units are task organized. This can present problems for units as their task organization changes rapidly. The LDIF is primarily the concern of the FA 53 and 255A however the 255N needs to be aware of it because it identifies the location and purpose of various networks across the unit’s IP space.
One thing to remember is that while the LDIF is an important file and must absolutely be a consideration when it comes to configuring and managing the network, it is not the bible. Failing to follow the LDIF when you configure your network can break some of the functionality of some ABCS systems, while others may be largely unaffected. I will not go into what will and will not break if you don’t follow the LDIF however I would caution you to test changes in a controlled way so that you can identify and rectify problems as they are identified.
What is there to Manage?
So if the LDIF spells out what each IP address is for, what is there really to manage? The answer is EVERYTHING! First realize that while the LDIF does dedicate some of the over 11 thousand IP addresses within your network for a specific purpose, I have never seen anywhere near that number of systems actually fielded to a unit. The LDIF assumes a perfect world where your unit has been fielded with everything it should have (you have everything on your MTOE don’t you?). Also the LDIF only identifies program of records systems, not just regular workstations or other “good ideas” floating around. This is what we need to manage.
You must realize that there is a good possibility that the majority of the IP space allocated within your LDIF may not actually be in use just because your unit doesn’t have all of the systems that the LDIF assumes that you have. This means that if needed, that IP space is available for other uses (assuming your realize that the day may come where you need to give that space back up).
Additionally, the LDIF specifically calls out some “spare” network space for your use however you need to. It is important that you track the use of these spare networks as you issue them out to ensure that you don’t reuse IP space.
So what is the best way to manage your IP space? There is no real answer to that because there are hundreds of ways to do it, you just need to find the best way that works for you. For me personally when I was a net tech, I had a spreadsheet that I used. It was my entire IP space divided up into 29 bit networks, with columns for 28, 27, 26, and 25 bit networks to make subnetting extremely easy to do on the fly. There was also two additional columns, one that broke down the IP space based on the LDIF, and another that broke it down based on reality. As I would assign networks, our put IP space out on routers, I would simply update the reality column, and then highlight the IP space in yellow. It was by no means high tech, but it was extremely fast, easy, and effective.
One Response to “Managing IP Space”
Seems most will leave the management of the IPs to the Network Tech. Love the spreadsheet, I’ve used a similar one that actually spells out the IP Addresses instead of just the CIDR notations.