Q&A: Dirk Marichal, Infoblox

The accelerating uptake of smart phones and tablets—each requiring its own IP address—has mandated the release of the last block of IPv4 addresses, far earlier than had been expected. Whilst IPv6 has been ready for some time, with most operating systems and network equipment being IPv6 compliant, the management of mixed IPv4/IPv6 environments and the eventual transition to an all-IPv6 world is far from painless. Many network managers are investigating the issue but have no active migration plan, and many applications simply do not support IPv6. Managing the transition to IPv6 is a complex task and therefore prone to human error unless supported by automation. We spoke to Infoblox’s Dirk Marichal to find out more.

Virtualisation represents a whole new IT paradigm. What are the biggest challenges facing IT organisations as they try to embrace virtualisation?

The highly dynamic nature of virtualisation is increasing network infrastructure complexity and requirements for real-time changes. For example, with virtualisation and cloud computing initiatives taking root, IT administrators can provision virtual machines in minutes, but conforming the network to support the VMs can take days because the tools and processes required to perform the changes are still mostly manual and siloed.

To realise the full potential of virtualisation and cloud initiatives, enterprises simply must adopt more automated tools, ranging from IP address automation to configuration management tools for both physical and virtual devices. If you are one of the lucky few expecting a significant increase in staff, you can try to apply more human resources to address the increased demand and dynamism in the network, but that won’t scale in the end.

The bottom line: As organisations begin to tackle the challenge of rolling out highly dynamic virtualisation initiatives, most of their “blueprints” are missing essential infrastructure automation elements which can result in catastrophic outages and ultimate failure of their virtualisation initiatives. Without the necessary network automation, the cracks in the foundation can manifest instability of the network due to more frequent re-configurations, business continuity and DR risks, and an IT staff that is too overwhelmed with manual tasks.

Many IT representatives fear that more automation may replace them/put them out of a job. Is this true?

For years, IT departments have spent their days—and nights—driving successful deployment of applications and tools designed to help automate finance, sales, marketing and engineering functions in the enterprise. Most would agree that the automated applications and tools did not result in the loss of jobs in those various departments, but simply helped the departments improve efficiency and produce more. Unfortunately, IT’s daily infrastructure management tasks represent one of the last frontiers for automation.

The analogy isn’t much different than the accountant who’s too busy to manage their own checkbook or the construction GM who has completed multiple home remodels throughout the year, but similar projects in his own house are left for months unfinished, in disarray or with haphazard workarounds.

The time has come to pick up the pieces, stop sweeping the disarray under the carpet and spend a little well deserved time and attention on improving IT processes with network automation. Not only because most IT departments are already overworked, and could use some relief with more efficient processes and intelligent tools, but also because significant expansion of IT team resources in the foreseeable future doesn’t seem likely. At the end of the day, the rate at which demand is increasing will overwhelm the existing staff if they don’t embrace automation.

What are the benefits of adding more automated infrastructure tools and processes?

More automated infrastructure tools and processes allow enterprise IT organisations to minimise errors, such as distribution of duplicate IP addresses, increase stability and uptime for the infrastructure, increase responsiveness and network visibility, which is important for compliance and planning purposes. Ultimately, IT can save hours of time and critical resources, increasing flexibility to reallocate key personnel to more strategic projects.

What’s at risk if IT organisations don’t start to automate more?

The days of using hacked-together scripts written by multiple predecessors to make, track and document changes and devices are, for most organisations, no longer viable. Compliance and uptime requirements, along with the need for great efficiencies due to resource limitations, force them to sweat the details.

And, continuing to rely on manual, script based tools will lead to errors, downtime, unnecessary costs, unhappy end users, and stalled virtualisation and cloud initiatives, just to name a few. Ultimately, business continuity, DR, cost savings and efficiencies designed to be gained from private cloud and virtualisation initiatives can be compromised without the adoption of necessary automation and control mechanisms built into the infrastructure.

Where are the key areas IT should look to start building more automation in their network infrastructure?

There are several key areas where it’s essential to start building more automation in IT processes so that virtualisation and private cloud initiatives can be extensively deployed and IT operational efficiency maximised:

  • Institutionalise process: Embracing your organisation’s best practices and gold standards for configurations will help deliver a consistent, stable and predictable network keeping policies intact; as the network becomes more dynamic, the ability to automatically predict responses and sync with real-time updates is very valuable.
  • Identify “machine speed” needs: Determine the top areas where you need “machine speed” configuration and change in response to VM provisioning and movement or VM life cycle, such as VLAN, VPN, Switch port, access control lists (security filters) and firewall settings. While a VM server can spin up in a matter of minutes, making all of these changes manually will take hours—and it could change again before you’re done.
  • Start where it all begins in the network, the IP address: Pick two network configuration tasks that are manual today (i.e. IP address assignment or VLAN configuration) that must change because of a vMotion event, like HA for example.
  • Identify compliance requirements: Determine tasks that have to be automated for compliance purposes, such as access control list configurations; for example, a healthcare organization moving to the cloud should first and foremost consider how its cloud strategy is going to maintain HIPAA compliance.

What kind of automation does Infoblox bring to the table?

With Infoblox, enterprise IT teams can quickly and easily manage a multi-vendor IP-based infrastructure with both virtual and physical devices. Traditionally, the ability to collect IP address information has been completely dependent on the error-prone, static and time consuming process of managing complicated spreadsheets. Infoblox offers the ability to collect all that information in real time by leveraging a distributed database and the ability to view and manage the associated data from a “single pane of glass” interface.

Infoblox also automates network discovery and change management, collecting information intelligently by finding areas in the network that are at risk, or are potential errors that will cause an outage in the future. Ultimately, Infoblox can show real-time network health as opposed to burning recurring hours for HIPAA, SOX, PCI or internal compliance management and to understand the impact of the day-to-day changes made to the network.

Where does IPv6 fit in all this?

IPv6 adds a new level of complexity with its longer IP addresses and the interim need to run both IPv4 and IPv6 in parallel. Automating the network infrastructure functions, including assigning, tracking and managing IP addresses—instead of using siloed, manual spreadsheet approaches—is becoming a vital necessity for any medium to large company with an Internet presence.

What are the risks if an organisation delays their IPv6 deployment?

Organisations that do nothing may not feel any pain in the short term. But once the requisite infrastructure is in place and certain applications and users of IPv6-only-enabled devices have only limited access to a company’s resources—say an eCommerce presence—all will recognise the advantages of the new technology and will migrate in larger numbers. Eventually, the new technology will be the standard and IPv4 will be seen as a curiosity.

There are workarounds available, including translation techniques like Network Address Translation (NAT). NAT (Network Address Translation) means that IPv4 addresses already in use elsewhere can be used within a network, and translated to a unique IPv6 address outside the network. As a message comes into the network, the NAT server translates that unique IPv6 address into the internal IPv4 address, and vice versa as a message leaves the network.

So it might appear that there is no need ever for any organisation to bother with the new protocol, as long as their provider performs NAT. However, in practice, NAT adds latency, another point of failure and, more importantly, some services simply do not work through NAT. The Internet connection is there, but the service offering will be degraded. In the long run, those who do not take up the IPv6 challenge will suffer a throttled-back service. In the move to cloud computing, that disadvantage will grow very serious.

Where should they start their IPv6 deployments?

First and foremost, network staff needs to be trained and educated on IPv6 configuration, troubleshooting and the process of modifying applications that use IP addresses. Infoblox offers an excellent IPv6 Resource Center with lots of valuable tutorials and videos. Once the team has been educated, a plan needs to be developed taking key migration considerations into account, such as:

  • Security policies need to be revised. While IPv4 security issues are well documented, IPv6 remains largely unexplored.
  • Application compatibility needs to be verified. Not all existing applications are IPv6 compliant; upgrades may be required.
  • IPv6 compatibility in networking equipment often comes with added risks. Unlike IPv4, several IPv6 implementations are still to be optimised, and they may not have been used long enough for their reliability to be confirmed.
  • Backend tools are still lacking. Current management and troubleshooting tools and methods may not work with IPv6.
  • Testing IPv6 services for compatibility. There are still not enough implementations to test against.

These considerations are non-trivial. When, for example, revising security policies, the firewalls will need to be updated to recognise both IPv4 and IPv6 because a firewall that does not recognise IPv6 addresses could simply pass such packets blindly through.

There are also IPv6 tunnels that allow IPv6 packets to be encapsulated inside IPv4 packets—unless protected by deep packet inspection, this could provide another risk. Such IPv6 security issues will need to be addressed, especially when many customers will still be on legacy IPv4 networks while others will have transitioned to IPv6.

In conclusion, managing the transition to IPv6 is a complex task, and therefore prone to human error unless supported by automation. The right automated tools will greatly reduce problems and costs.
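
The point above about IPv6 packets encapsulated inside IPv4 packets, shown as an added example that is not part of the interview and is not Infoblox code: a check that flags IPv4 packets carrying IPv6, either directly (IP protocol 41, "6in4") or via Teredo (UDP port 3544), so that an IPv4-only policy does not pass them unexamined. The function names, sample packets and documentation-range addresses are constructed for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IANA protocol number: IPv6 carried directly in IPv4
PROTO_UDP = 17
TEREDO_PORT = 3544       # Teredo carries IPv6 inside UDP over IPv4

def inner_ipv6(data, kind):
    """Report the tunnel type and, if a plain IPv6 header follows, its addresses."""
    result = {"verdict": "tunnel-" + kind, "inner_src": None, "inner_dst": None}
    if len(data) >= 40 and data[0] >> 4 == 6:  # fixed 40-byte IPv6 header
        result["inner_src"] = str(ipaddress.IPv6Address(data[8:24]))
        result["inner_dst"] = str(ipaddress.IPv6Address(data[24:40]))
    return result

def classify_ipv4_packet(pkt):
    """Classify one raw IPv4 packet (bytes starting at the IPv4 header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return {"verdict": "not-ipv4"}
    ihl = (pkt[0] & 0x0F) * 4                  # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return {"verdict": "malformed"}
    proto, payload = pkt[9], pkt[ihl:]
    if proto == PROTO_IPV6_IN_IPV4:
        return inner_ipv6(payload, "6in4")
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return inner_ipv6(payload[8:], "teredo")
    return {"verdict": "plain-ipv4"}

# Constructed sample packets (documentation addresses, checksums left as zero).
def ipv4_header(proto, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address("192.0.2.1").packed,
                       ipaddress.IPv4Address("198.51.100.7").packed)

def ipv6_header(src, dst):
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)

INNER = ipv6_header("2001:db8::1", "2001:db8::2")
SAMPLE_6IN4 = ipv4_header(PROTO_IPV6_IN_IPV4, len(INNER)) + INNER
UDP = struct.pack("!HHHH", 40000, TEREDO_PORT, 8 + len(INNER), 0) + INNER
SAMPLE_TEREDO = ipv4_header(PROTO_UDP, len(UDP)) + UDP
SAMPLE_PLAIN = ipv4_header(6, 0)  # TCP, no tunnel

if __name__ == "__main__":
    for name, pkt in [("6in4", SAMPLE_6IN4), ("teredo", SAMPLE_TEREDO), ("plain", SAMPLE_PLAIN)]:
        print(name, classify_ipv4_packet(pkt))
```
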


Christian Harris is editor and publisher of BCW. Christian has over 20 years' publishing experience and in that time has contributed to most major IT magazines and Web sites in the UK. He launched BCW in 2009 as he felt there was a need for honest and personal commentary on a wide range of business computing issues. Christian has a BA (Hons) in Publishing from the London College of Communication.