QGEA | PUBLIC | IPv4 interconnection standard
Queensland Government Enterprise Architecture
Internet protocol version 4 (IPv4) interconnection standard
Final
February 2017
V2.0.0
PUBLIC
Document details
Security classification: UNCLASSIFIED Internal use only
Date of review of security classification: May 2016
Authority: Queensland Government Chief Information Officer
Author: Queensland Government Chief Information Office
Documentation status: Final version
Contact for enquiries and proposed changes
All enquiries regarding this document should be directed in the first instance to:
Queensland Government Chief Information [email protected]
Acknowledgements
This version of the Internet protocol version 4 (IPv4) interconnection standard was developed and updated by Queensland Government Chief Information Office.
Feedback was also received from a number of agencies, which was greatly appreciated.
Copyright
Internet protocol version 4 (IPv4) interconnection standard
Copyright The State of Queensland (Queensland Government Chief Information Office) 2016
Licence
This work is licensed under a Creative Commons Attribution 4.0 International licence. To view the terms of this licence, visit http://creativecommons.org/licenses/by/4.0/. For permissions beyond the scope of this licence, contact [email protected].
To attribute this material, cite the Queensland Government Chief Information Office.
The licence does not apply to any branding or images.
Information security
This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.
Contents
1 Introduction (page 4)
1.1 Purpose (page 4)
1.2 Audience (page 4)
1.3 Scope (page 4)
1.4 QGEA domains (page 4)
1.5 Agency specific changes (page 5)
1.6 Glossary (page 5)
2 Whole-of-government IPv4 logical architecture (page 6)
2.1 Design principles (page 6)
2.2 High level structure (page 6)
2.3 Data centre interconnection logical architecture (page 9)
2.4 BGP autonomous system numbering (page 10)
2.5 Autonomous system numbers (page 10)
3 Governance requirements (page 11)
3.1 Governance responsibilities (page 11)
3.2 Compliance and migration (page 11)
3.3 Conservation of addresses (page 11)
4 Whole-of-government public IPv4 addressing scheme allocations (page 11)
4.1 CITEC registered public ranges (page 11)
4.2 Use of agency registered public ranges and autonomous systems (page 12)
Figures
Figure 1: High level IPv4 range summarisation (page 7)
Figure 2: Agency logical network connectivity (page 8)
Figure 3: Agency logical network connectivity (page 9)
Figure 4: Layer 2 data centre interconnection high level architecture (page 10)
Tables
Table 1: Glossary (page 5)
Table 2: Governance responsibilities (page 11)
QGEA | PUBLIC | IPv4 interconnection standard | Final | v2.0.0 | February 2017 | Page 6 of 14
Introduction
Purpose
A Queensland Government Enterprise Architecture (QGEA) standard provides information for Queensland Government departments on the mandatory and recommended practices for a given topic area. Standards are intended to help departments understand the appropriate approach to address a particular issue or to do a particular task. Unlike a guideline, which is best practice advice, a QGEA standard is mandatory and is enforced by policy. For further information on QGEA document types, go to the QGCIO website.
This standard, in conjunction with the related Internet protocol version 4 (IPv4) addressing policy, covers the requirements for IPv4 addressing and routing between Queensland Government agencies and with Queensland Government whole-of-government infrastructure.
Audience
This document is primarily intended for:
agency chief information officers
agency ICT operational management and staff
CITEC ICT operational management and staff.
Scope
In scope
This standard applies to:
all Queensland Government agencies
any other entity connecting to whole-of-Queensland-Government network infrastructure.
Out of scope
The following is out of scope of the current standard:
IPv6 ranges.
QGEA domains
This standard relates to the following domains:
Classification framework: Domain
Service Lines: SL-2.5.1 Information Communication Technology
Business Process: BP-9.6.3 Manage network operations
Information: I-10.1.1 Electronic
Technology: T-4.4 Network
Agency specific changes
Agencies are able to extend this standard for use within their agency, but must not at any time conflict with the specifications marked as must or required in this document. Agencies are strongly encouraged to consult the Queensland Government Chief Information Office to resolve any issues conflicting with the required conventions. The copyright, acknowledgement and permissions sections must be included in any extensions to these standards.
Glossary
Term: Definition
Autonomous system: A collection of connected internet protocol (IP) prefixes (routes) under the control of one or more network operators that presents a common, clearly defined routing policy to the internet.
AS number: Autonomous system number; the number associated with an individual autonomous system.
BGP: Border gateway protocol; the protocol used to exchange routes between autonomous systems.
Hosted systems: Agency systems running on whole-of-government infrastructure with the operating system maintained by CITEC and the application maintained by the agency.
Housed systems: Agency systems running on agency infrastructure that is physically housed within whole-of-government datacentres.
IP: Internet protocol; the principal underlying communications protocol used to transport all traffic on the internet.
IPv4: Internet protocol version 4; currently the primary version of IP, although it is being replaced by version 6. The two versions are expected to co-exist in parallel for a significant period of time.
Managed systems: Agency systems running on whole-of-government infrastructure with both the operating system and the application maintained by CITEC.
MPLS: Multi-protocol label switching; a forwarding technique that attaches short labels to packets so that routers forward on the label rather than on the IP header. It is used here to build the VRF-separated paths and to ensure that all packets in a particular flow take the same route over the network.
VRF: Virtual routing and forwarding; a means of creating multiple separated virtual routing tables (virtual networks) on a common physical network.
WAN gateway: An umbrella term for the network infrastructure used to terminate/aggregate one or more wide area network (WAN) carrier services. This infrastructure also provides the demarcation point between the whole-of-government core infrastructure and the WAN.
Table 1: Glossary
Whole-of-government IPv4 logical architecture
Design principles
In the whole-of-government environment, the IPv4 architecture is based on the following design aims:
standardisation of routing through:
summarisation of ranges (agencies announce their assigned aggregates rather than more-specific prefixes)
use of BGP between autonomous systems
removal of leaked routes (prefixes that appear outside the autonomous system or VRF that originates them).
IP ranges used between agencies will be able to be blocked from the internet, to aid security.
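The summarisation and leak-suppression aims above can be checked mechanically before an announcement set is pushed to a BGP peer. The Python below is an added illustration and is not QGEA or CITEC tooling: the policy class, the function names and every prefix (RFC 5737 documentation space plus constructed RFC 1918 ranges) are assumptions made for the example. It verifies that what an agency proposes to announce to the internet is exactly its assigned summaries, that a range used between agencies never appears in an internet-bound announcement, and that deaggregated more-specifics on the inter-agency side are caught; it also shows summarisation of adjacent ranges.

```python
"""Validate an agency's proposed BGP announcements against the summarisation
and leak-suppression aims of the standard. Added illustration only (not QGEA
or CITEC tooling); every prefix here is constructed for the example."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class AnnouncementPolicy:
    # Summaries assigned to the agency; only these may be announced to the internet.
    summaries: tuple
    # Ranges used between agencies; announced on the inter-agency VRF only.
    inter_agency: tuple
    # Longest prefix accepted on the inter-agency VRF (limits deaggregation).
    max_inter_agency_len: int = 24

    @classmethod
    def from_strings(cls, summaries, inter_agency, max_inter_agency_len=24):
        return cls(tuple(Net(s) for s in summaries),
                   tuple(Net(s) for s in inter_agency),
                   max_inter_agency_len)


def summarise(prefixes):
    """Collapse adjacent or overlapping prefixes into the fewest covering
    prefixes, e.g. two adjacent /24s become one /23 (the summarisation aim)."""
    nets = [Net(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def check_announcements(policy, announced, peer):
    """Return (prefix, reason) findings for announcements that break policy.
    `peer` is "internet" or "inter-agency"; an empty list means all clear."""
    findings = []
    assigned = policy.summaries + policy.inter_agency
    for raw in announced:
        try:
            net = Net(raw)  # strict by default: host bits set -> ValueError
        except ValueError as exc:
            findings.append((raw, f"invalid prefix: {exc}"))
            continue
        if not any(net.subnet_of(a) for a in assigned):
            # Space the agency does not hold: a typo, or a hijack in waiting.
            findings.append((str(net), "not within any assigned range"))
            continue
        if peer == "internet":
            if any(net.overlaps(r) for r in policy.inter_agency):
                findings.append((str(net), "inter-agency range must not reach the internet"))
            elif net not in policy.summaries:
                findings.append((str(net), "more-specific than the assigned summary; announce the summary only"))
        elif peer == "inter-agency":
            if net.prefixlen > policy.max_inter_agency_len:
                findings.append((str(net), f"longer than /{policy.max_inter_agency_len}; suppress deaggregated routes"))
        else:
            raise ValueError(f"unknown peer type {peer!r}")
    return findings


# Constructed example agency: one public summary, one inter-agency range.
EXAMPLE_POLICY = AnnouncementPolicy.from_strings(
    summaries=["203.0.113.0/24"],       # RFC 5737 documentation space
    inter_agency=["10.200.20.0/22"],    # RFC 1918 space, constructed
)

if __name__ == "__main__":
    to_internet = ["203.0.113.0/24", "203.0.113.64/26", "10.200.20.0/22",
                   "198.51.100.0/24", "203.0.113.1/25"]
    for prefix, reason in check_announcements(EXAMPLE_POLICY, to_internet, "internet"):
        print(f"internet      {prefix:<18} {reason}")
    for prefix, reason in check_announcements(EXAMPLE_POLICY, ["10.200.20.0/26"], "inter-agency"):
        print(f"inter-agency  {prefix:<18} {reason}")
    print(summarise(["10.200.20.0/24", "10.200.21.0/24", "10.200.22.0/23"]))
```

Run against a proposed export prefix-list, the function flags each line a reviewer would otherwise have to eyeball: the exact summary passes, the /26 inside it is rejected as a more-specific, the inter-agency /22 is rejected for the internet peer, the prefix the agency does not hold is rejected, and the malformed prefix is reported rather than silently normalised.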
High level structure
The high level IPv4 range summarisation plan is shown in figure 1 (page 7) and a logical network architecture for agency connectivity is shown in figure 2 (page 8).
This high level architecture is based on the following aspects:
the architecture will be based on virtual routing and forwarding (VRF) domains (IETF RFC 4026) and multi-protocol label switching (MPLS)
an inter-agency VRF, for semi-trusted traffic between agencies, will be connected to the external side of agency firewalls
multi-agency shared application servers and whole-of-government application servers at both datacentres will be connected to the intra-government VRF
the agency WAN will be connected only to the agency internal VRF, via the WAN gateway
agency dedicated application servers housed at either datacentre will be connected only to the agency internal VRF
agency dedicated application servers hosted on shared servers at either datacentre may also be connected to the intra-government VRF or the internet VRF via the datacentre firewall
the IP addressing of agency regional sites and of the agency dedicated application servers at the datacentres will follow the agency internal addressing scheme, which the agency controls.
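The VRF separation listed above is normally realised with MPLS VPN route targets, and the most common way that separation fails quietly is a route-target import added to one VRF for convenience. The standard does not specify route targets, so the Python below is an added illustration rather than CITEC's configuration: the four VRF names follow the standard, while the route-target values, the originated prefixes and the proposed change are constructed for the example. It computes which prefixes each VRF would hold after import and reports any route visible outside its home VRF, which in this design means traffic reaching that VRF without passing the agency or datacentre firewall.

```python
"""Model the VRF separation of the standard as MPLS VPN route-target (RT)
import/export sets and detect routes that would leak between VRFs without
passing a firewall. Added illustration, not CITEC configuration: VRF names
follow the standard; RT values and prefixes are constructed."""
from collections import defaultdict

# Constructed RT plan: one export RT per VRF, and each VRF imports only its own.
BASELINE_VRFS = {
    "agency-internal":  {"export": "65000:10", "import": {"65000:10"}},
    "inter-agency":     {"export": "65000:20", "import": {"65000:20"}},
    "intra-government": {"export": "65000:30", "import": {"65000:30"}},
    "internet":         {"export": "65000:40", "import": {"65000:40"}},
}

# Constructed prefixes originated into each VRF.
ROUTES = {
    "agency-internal":  ["10.20.0.0/16"],     # agency WAN and dedicated servers
    "inter-agency":     ["10.200.20.0/22"],   # semi-trusted inter-agency range
    "intra-government": ["10.250.0.0/16"],    # shared application servers
    "internet":         ["0.0.0.0/0"],        # default route from the internet VRF
}


def visible_routes(vrfs, routes):
    """Compute the prefixes each VRF holds after RT import. Firewalls are not
    part of this calculation: anything visible here is reachable by routing alone."""
    by_rt = defaultdict(set)
    for vrf, cfg in vrfs.items():
        by_rt[cfg["export"]].update(routes.get(vrf, []))
    return {vrf: set().union(*(by_rt[rt] for rt in cfg["import"]))
            for vrf, cfg in vrfs.items()}


def find_leaks(vrfs, routes):
    """Return (prefix, home_vrf, seen_in_vrf) for every route that is visible in
    a VRF other than the one that originated it. In this design every crossing
    between VRFs is supposed to go through a firewall, so each entry is a bypass."""
    home = {p: vrf for vrf, prefixes in routes.items() for p in prefixes}
    leaks = []
    for vrf, visible in visible_routes(vrfs, routes).items():
        for prefix in sorted(visible):
            if home[prefix] != vrf:
                leaks.append((prefix, home[prefix], vrf))
    return sorted(leaks)


def with_extra_import(vrfs, vrf, rt):
    """Return a copy of `vrfs` with `rt` added to `vrf`'s import set, so a
    proposed change can be checked without touching the baseline."""
    changed = {v: {"export": c["export"], "import": set(c["import"])}
               for v, c in vrfs.items()}
    changed[vrf]["import"].add(rt)
    return changed


if __name__ == "__main__":
    print("baseline leaks:", find_leaks(BASELINE_VRFS, ROUTES))
    # Constructed change request: let the shared servers reach an agency directly.
    proposed = with_extra_import(BASELINE_VRFS, "intra-government", "65000:10")
    for prefix, home, seen_in in find_leaks(proposed, ROUTES):
        print(f"LEAK: {prefix} from {home} is routable inside {seen_in} without a firewall")
```

The baseline produces no findings. The proposed import of the agency-internal route target into the intra-government VRF is exactly the kind of change that looks harmless in a ticket; the model shows it makes the agency's whole internal range routable from the shared application servers with no firewall in the path, which is the separation the bullets above are meant to guarantee.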
Figure 1: High level IPv4 range summarisation
Figure 2: Agency logical network connectivity
Data centre interconnection logical architecture
Layer 3 architecture
The default architecture for interconnection between systems and applications implemented across datacentres is a layer 3 model, as shown in figure 3 below.
In this model, all communications with these systems and applications, including system-internal communications between elements in different datacentres, are via layer 3 networking.
High availability for these systems is to