
QGEA | PUBLIC | IPv4 interconnection standard

Queensland Government Enterprise Architecture

Internet protocol version 4 (IPv4) interconnection standard

Final

February 2017

V2.0.0

PUBLIC

Document details

Security classification: UNCLASSIFIED Internal use only

Date of review of security classification: May 2016

Authority: Queensland Government Chief Information Officer

Author: Queensland Government Chief Information Office

Documentation status: Final version (status options: Working draft, Consultation release, Final version)

Contact for enquiries and proposed changes

All enquiries regarding this document should be directed in the first instance to:

Queensland Government Chief Information [email protected]

Acknowledgements

This version of the Internet protocol version 4 (IPv4) interconnection standard was developed and updated by Queensland Government Chief Information Office.

Feedback was also received from a number of agencies, which was greatly appreciated.

Copyright

Internet protocol version 4 (IPv4) interconnection standard

Copyright The State of Queensland (Queensland Government Chief Information Office) 2016

Licence

This work is licensed under a Creative Commons Attribution 4.0 International licence. To view the terms of this licence, visit http://creativecommons.org/licenses/by/4.0/. For permissions beyond the scope of this licence, contact [email protected].

To attribute this material, cite the Queensland Government Chief Information Office.

The licence does not apply to any branding or images.

Information security

This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.

Contents

1 Introduction (page 4)

1.1 Purpose (page 4)

1.2 Audience (page 4)

1.3 Scope (page 4)

1.4 QGEA domains (page 4)

1.5 Agency specific changes (page 5)

1.6 Glossary (page 5)

2 Whole-of-government IPv4 logical architecture (page 6)

2.1 Design principles (page 6)

2.2 High level structure (page 6)

2.3 Data centre interconnection logical architecture (page 9)

2.4 BGP autonomous system numbering (page 10)

2.5 Autonomous system numbers (page 10)

3 Governance requirements (page 11)

3.1 Governance responsibilities (page 11)

3.2 Compliance and migration (page 11)

3.3 Conservation of addresses (page 11)

4 Whole-of-government public IPv4 addressing scheme allocations (page 11)

4.1 CITEC registered public ranges (page 11)

4.2 Use of agency registered public ranges and autonomous systems (page 12)

Figures

Figure 1: High level IPv4 range summarisation (page 7)

Figure 2: Agency logical network connectivity (page 8)

Figure 3: Agency logical network connectivity (page 9)

Figure 4: Layer 2 data centre interconnection high level architecture (page 10)

Tables

Table 1: Glossary (page 5)

Table 2: Governance responsibilities (page 11)

QGEA | PUBLIC | IPv4 interconnection standard

Final | v2.0.0 | February 2017 | Page 6 of 14

PUBLIC

Introduction

Purpose

A Queensland Government Enterprise Architecture (QGEA) standard provides information for Queensland Government departments on the mandatory and recommended practices for a given topic area. Standards are intended to help departments understand the appropriate approach to address a particular issue or to do a particular task. Unlike a guideline, which is best practice advice, a QGEA standard is mandatory and is enforced by policy. For further information on QGEA document types, go to the QGCIO website.

This standard, in conjunction with the related Internet protocol version 4 (IPv4) addressing policy, covers the requirements for IPv4 addressing and routing between Queensland Government agencies and with Queensland Government whole-of-government infrastructure.

Audience

This document is primarily intended for:

agency chief information officers

agency ICT operational management and staff

CITEC ICT operational management and staff.

Scope

In scope

This standard applies to:

all Queensland Government agencies

any other entity connecting to whole-of-Queensland-Government network infrastructure.

Out of scope

The following is out of scope of the current standard:

IPv6 ranges.

QGEA domains

This standard relates to the following domains:

Classification framework / Domain

Service Lines: SL-2.5.1 Information Communication Technology

Business Process: BP-9.6.3 Manage network operations

Information: I-10.1.1 Electronic

Technology: T-4.4 Network

Agency specific changes

Agencies are able to extend this standard for use within their agency, but must not at any time conflict with the specifications marked as must or required in this document. Agencies are strongly encouraged to consult the Queensland Government Chief Information Office to resolve any issues conflicting with the required conventions. The copyright, acknowledgement and permissions sections must be included in any extensions to these standards.

Glossary

Autonomous system: A collection of connected internet protocol (IP) routes under the control of one or more network operators that presents a common, clearly defined routing policy to the internet.

AS number: Autonomous system number. The number associated with an individual autonomous system.

BGP: Border gateway protocol. A protocol for establishing routes between autonomous systems.

Hosted systems: Agency systems running on whole-of-government infrastructure with the operating system maintained by CITEC and the application maintained by the agency.

Housed systems: Agency systems running on agency infrastructure that is physically housed within whole-of-government datacentres.

IP: Internet protocol. The principal underlying communications protocol used to transport all traffic on the internet.

IPv4: Internet protocol version 4. Currently the primary version of IP, although it is being replaced by version 6. The two versions are expected to co-exist in parallel for a significant period of time.

Managed systems: Agency systems running on whole-of-government infrastructure with both the operating system and the application maintained by CITEC.

MPLS: Multi-protocol label switching. A standard for carrying routing information in the packets of an IP network, used to ensure that all packets in a particular flow take the same route over the network.

VRF: Virtual routing and forwarding. A means of creating multiple separated virtual networks on a common physical network.

WAN gateway: An umbrella term for the network infrastructure used to terminate or aggregate one or more wide area network (WAN) carrier services. This infrastructure also provides a demarcation point between the whole-of-government core infrastructure and the WAN.

Table 1: Glossary

Whole-of-government IPv4 logical architecture

Design principles

In the whole-of-government environment, the IPv4 architecture is based on the following design aims:

standardisation of routing through:

summarisation of ranges

use of BGP

deletion of leakage routes.

IP ranges used between agencies will be able to be blocked from the internet to aid with security.
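As an added illustration of the summarisation, leakage-route and internet-blocking aims above (this script is not part of the standard), a small Python audit over a constructed BGP table snapshot: the agency names and prefixes are assumptions built from RFC 5737 documentation ranges, not real QGEA allocations.

```python
from ipaddress import ip_network

# Constructed sample data (RFC 5737 documentation ranges, not real QGEA allocations):
# the single summary each agency is expected to announce into the whole-of-government core.
ALLOCATED_SUMMARIES = {
    "agency-a": ip_network("192.0.2.0/24"),
    "agency-b": ip_network("198.51.100.0/24"),
}

# Constructed BGP table snapshot as (prefix, announcing agency).
# A properly summarised table would contain only the two summaries above.
ROUTE_TABLE = [
    ("192.0.2.0/24", "agency-a"),
    ("192.0.2.128/25", "agency-a"),   # more-specific leaking past its summary
    ("198.51.100.0/24", "agency-b"),
    ("203.0.113.0/24", "agency-b"),   # prefix outside any allocated summary
    ("198.51.100.0/24", "agency-a"),  # agency-a announcing agency-b's range
]


def audit_routes(summaries, routes):
    """Classify each announced route against the allocated summaries.

    Returns a dict of (prefix, agency) lists:
      ok          - the prefix is exactly the announcing agency's summary
      leaked      - a more-specific route inside that agency's summary (to be suppressed)
      unallocated - not covered by any summary, or announced by an agency that
                    does not own the covering summary
    """
    result = {"ok": [], "leaked": [], "unallocated": []}
    for prefix_str, agency in routes:
        prefix = ip_network(prefix_str)
        owner = next((a for a, s in summaries.items() if prefix.subnet_of(s)), None)
        if owner is None or owner != agency:
            result["unallocated"].append((prefix_str, agency))
        elif prefix == summaries[owner]:
            result["ok"].append((prefix_str, agency))
        else:
            result["leaked"].append((prefix_str, agency))
    return result


def exposed_to_internet(inter_agency_summaries, internet_announcements):
    """Return inter-agency summaries that overlap anything announced towards the internet VRF."""
    announced = [ip_network(p) for p in internet_announcements]
    return [str(s) for s in inter_agency_summaries.values()
            if any(s.overlaps(a) for a in announced)]


if __name__ == "__main__":
    for kind, entries in audit_routes(ALLOCATED_SUMMARIES, ROUTE_TABLE).items():
        print(kind, entries)
    print("exposed:", exposed_to_internet(ALLOCATED_SUMMARIES, ["192.0.2.0/25"]))
```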

High level structure

The high level IPv4 range summarisation plan is shown in figure 1 (page 7) and a logical network architecture for agency connectivity is shown in figure 2 (page 8).

This high level architecture has been developed using the following aspects:

the architecture will be based on virtual routing and forwarding (VRF) domains (IETF RFC 4026) and MPLS (multi-protocol label switching)

an inter-agency VRF, for semi-trusted traffic between agencies, will be connected to the external side of agency firewalls

multi-agency shared applications servers and whole-of-government applications servers at both datacentres will be connected to the intra-government VRF

the agency WAN will be connected only to the agency internal VRF via the WAN gateway

agency dedicated application servers housed at either datacentre will only be connected to the agency internal VRF

agency dedicated application servers hosted on shared servers at either datacentre may also be connected to the intra-government VRF or internet VRF via the datacentre firewall

the IP addressing of agency regional sites and the agency dedicated applications servers at the datacentres will be according to the agency internal addressing scheme controlled by the agency.

Figure 1: High level IPv4 range summarisation

Figure 2: Agency logical network connectivity

Data centre interconnection logical architecture

Layer 3 architecture

The default architecture for interconnection between systems and applications implemented across datacentres is via a layer three model as shown in figure 3 below.

In this model, all communications with these systems and applications, including system internal communications between elements in different datacentres will be via layer 3 networking.

High availability for these systems is to