Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Migration IP Method 1
- Thread starter Fartout
- Start date
-
1
- #2
The easiest method to implement an address space migration is to add a secondary address your gateway (generally your router) that is in the new address space.
After that, you can migrate clients at will, and the router will handle any packets that need to move from one address space to the other. You do take a traffic hit as you are moving clients because packets moving between networks must go to the gateway and be resent (even though they are on the same physical net). For that reason, adding a secondary address to any heavy use servers is a good idea before migrating the clients.
But I am curious what security advantage you believe that you are getting with static IP addresses. I've never heard of any legitimate security advantage with static IPs, as they are trivial to forge or masquerade. And DHCP allows for static IP addressing based on MAC address, so you can have static IPs with centralized management.
pansophic
After that, you can migrate clients at will, and the router will handle any packets that need to move from one address space to the other. You do take a traffic hit as you are moving clients because packets moving between networks must go to the gateway and be resent (even though they are on the same physical net). For that reason, adding a secondary address to any heavy use servers is a good idea before migrating the clients.
But I am curious what security advantage you believe that you are getting with static IP addresses. I've never heard of any legitimate security advantage with static IPs, as they are trivial to forge or masquerade. And DHCP allows for static IP addressing based on MAC address, so you can have static IPs with centralized management.
pansophic
- Thread starter
- #3
- Thread starter
- #4
Of course you can use a secondary address with static addressing. I've yet to see a production OS that didn't support it (I know some embedded OSs do as well, but I'm not sure that your interface to them would).
And you don't need the secondary address on the clients, you need it on the default gateway while you do the transition to the new addressing scheme. You change the clients one at a time, and there you can do an actual replacement of the IP address. You need the gateway to be on both networks simultaneously so that it can route traffic between the two networks (even though they are on the same wire). That way, if your gateway is on both the 10. and 192.168 and you change client A to 192.168, it will not see the 10. hosts on its local network, so it will locate its default gateway and send the packet there. The default gateway will see the 192.168 packet because it has an address on that network. It will see that the route to 10. is the same interface, with a 10. address, so it will send the packet on to the 10. host. When the response is generated by the 10. host, it will recognized that it cannot send to the 192.168 network, so it will send to the gateway at its 10. address. The gateway will look up the 192.168 network, recognize that it is on the same interface and resend the packet to the 192.168 network.
Like I said, you take a traffic hit, but it works seemlessly and doesn't require a "hot cut" to the new addressing scheme.
And you can do static addressing with DHCP. It is hard one time, while you track down all of the MAC addresses and enter them into your DHCP scheme, but it works like a champ. The only machine with a static address on my small network is the firewall. Everyone else gets a DHCP address. Servers and clients. The servers get static addresses and the clients get random (not really, since they get the same lease over and over again) but you can pick and choose who gets what. By using arpwatch you can identify any rogue hosts on your network, unless they are cunning enough to use SMAC or macchanger, which means that they are really determined to get onto your network. Port security is about your only option at that point.
pansophic
And you don't need the secondary address on the clients, you need it on the default gateway while you do the transition to the new addressing scheme. You change the clients one at a time, and there you can do an actual replacement of the IP address. You need the gateway to be on both networks simultaneously so that it can route traffic between the two networks (even though they are on the same wire). That way, if your gateway is on both the 10. and 192.168 and you change client A to 192.168, it will not see the 10. hosts on its local network, so it will locate its default gateway and send the packet there. The default gateway will see the 192.168 packet because it has an address on that network. It will see that the route to 10. is the same interface, with a 10. address, so it will send the packet on to the 10. host. When the response is generated by the 10. host, it will recognized that it cannot send to the 192.168 network, so it will send to the gateway at its 10. address. The gateway will look up the 192.168 network, recognize that it is on the same interface and resend the packet to the 192.168 network.
Like I said, you take a traffic hit, but it works seemlessly and doesn't require a "hot cut" to the new addressing scheme.
And you can do static addressing with DHCP. It is hard one time, while you track down all of the MAC addresses and enter them into your DHCP scheme, but it works like a champ. The only machine with a static address on my small network is the firewall. Everyone else gets a DHCP address. Servers and clients. The servers get static addresses and the clients get random (not really, since they get the same lease over and over again) but you can pick and choose who gets what. By using arpwatch you can identify any rogue hosts on your network, unless they are cunning enough to use SMAC or macchanger, which means that they are really determined to get onto your network. Port security is about your only option at that point.
pansophic
- Status
Similar threads
- Locked
- Question
- Locked
- Question