==============
IP management
==============

.. note::
    IPv6 addresses are not managed using allocations and delegations at this time.

IP management features in Bonded Internet define exactly which networks
are valid at a routing group and which spaces are allowed to use which
subnets of those networks. For instructions on adding, updating, and
removing IP management records, see `Managing IP allocations and
delegations <managing-ip-allocations-and-delegations.html>`__.

|image0|

This example demonstrates how public IPs could be allocated in a Bonded
Internet environment. In most circumstances, private IPs do not need to
be allocated.

IP management allows two main capabilities:

-  Verification that IPs are only used at routing groups where the IP is
   valid. This prevents accidentally assigning IPs valid at one
   datacentre to bonds running on aggregators at a different datacentre.
-  Delegation of networks from a parent space to a child space, which
   indicates that the child space is allowed to use the subnet and
   allows users in the child space to assign IPs from the subnet to
   bonds in the space.

Routing group validation
-------------------------

The first main use for IP management is to ensure that IPs are only used
at routing groups where they are actually available—to prevent, for
example, an IP address only valid at a partner's Vancouver datacentre
from being assigned to a bond running on an aggregator at its New York
datacentre.

In the example above, a bond in GN could be assigned an IP from
198.18.0.0/24 (except for 198.18.0.0/28, which is delegated to CDC as
described under Network delegation) regardless of whether it was
assigned to an aggregator in the Vancouver routing group or the New York
routing group, because 198.18.0.0/24 is valid at both routing groups.
The bond could have a primary aggregator in Vancouver and a secondary
aggregator in New York, or vice versa.

However, if a bond in GN was assigned an IP from 198.51.100.0/24, then
it could only be assigned to aggregators (primary or secondary) in the
Vancouver routing group, because 198.51.100.0/24 is only valid at
Vancouver. It could not have, for example, a primary aggregator in
Vancouver and a secondary aggregator in New York, because its IPs would
not work if it was failed over to its secondary aggregator.

Routing group validation applies to bonds in child spaces too—a bond in
CDC only assigned IPs in 198.18.0.0/28 could be assigned to a primary
aggregator in Vancouver and a secondary aggregator in New York, but a
bond in CDC assigned an IP in 198.51.100.0/28 could only be assigned to
aggregators in Vancouver.

Network delegation
-------------------

The second use for IP management is to specify IP networks that can be
used in a particular space, and to allow child spaces to use certain
specific subnets from a parent's network allocations. This is for
convenience and for security—it prevents unknown networks from being
configured on a bond or private WAN space such that the network would be
announced by aggregators or private WAN routers into a partner's OSPF or
BGP routing network. Bonds cannot be assigned public connected IPs, CPE
NAT IPs, or routes, and private WAN spaces cannot be configured with
1:1 NAT, port forward, or NAT gateway rules, unless the necessary public
IPs have been allocated to the space.

In the example above, Granville Networks (GN) has allocated the
following networks:

-  198.18.0.0/24, valid at both the Vancouver and New York routing
   groups
-  198.51.100.0/24, valid at the Vancouver routing group only
-  203.0.113.0/24, valid at the New York routing group only

GN has delegated a /28 from each of those subnets to its child space
Chase Dental Clinics (CDC), but has not delegated any subnets to Stanley
Internet (SI) because SI has its own routing group, aggregators, and IP
address assignments.

Because GN has allocated 198.18.0.0/24 at both its routing groups, bonds
in GN can be assigned connected IPs, CPE NAT IPs, and routes from
198.18.0.0/24, except for 198.18.0.0/28, which has been delegated to
CDC. Networks delegated to a child space cannot be used in the parent
space. Bonds in CDC could be assigned IPs from 198.18.0.0/28, or IPs in
198.18.0.0/28 could be used to configure private WAN rules if CDC used
private WAN.

Similarly, SI has allocated 192.0.2.0/24 at its Fremont routing group
and delegated 192.0.2.10 to Murphy Electrical (ME). A bond in ME could
be configured with a private connected IP (for example, 192.168.1.1/24)
and a CPE NAT IP of 192.0.2.10. The private connected IP would not
require an IP allocation.
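
The two checks described on this page, routing group validation and network delegation, modelled as an added example; this is not Bonded Internet code. The data structures and function names are hypothetical, the networks mirror the example above, and 203.0.113.0/28 is an assumed value for the /28 delegated to CDC from 203.0.113.0/24.

```python
import ipaddress as ip

# Constructed data mirroring the page's example spaces and routing groups.
ALLOCATIONS = {  # space -> {allocated network: routing groups where it is valid}
    "GN": {
        ip.ip_network("198.18.0.0/24"): {"Vancouver", "New York"},
        ip.ip_network("198.51.100.0/24"): {"Vancouver"},
        ip.ip_network("203.0.113.0/24"): {"New York"},
    },
    "SI": {ip.ip_network("192.0.2.0/24"): {"Fremont"}},
}
DELEGATIONS = {  # child space -> (parent space, subnets delegated to the child)
    # 203.0.113.0/28 is assumed; the page only says a /28 of each network.
    "CDC": ("GN", [ip.ip_network(n) for n in
                   ("198.18.0.0/28", "198.51.100.0/28", "203.0.113.0/28")]),
    "ME": ("SI", [ip.ip_network("192.0.2.10/32")]),
}


def valid_groups(space, address):
    """Routing groups where `space` may use `address` (empty set: not allowed)."""
    addr = ip.ip_address(address)
    if space in DELEGATIONS:
        # Child space: only subnets delegated by the parent are usable.
        owner, subnets = DELEGATIONS[space]
        if not any(addr in s for s in subnets):
            return set()
    else:
        # Parent space: a subnet delegated to a child can no longer be used here.
        owner = space
        for parent, subnets in DELEGATIONS.values():
            if parent == space and any(addr in s for s in subnets):
                return set()
    # Validity follows the allocation that contains the address.
    for net, groups in ALLOCATIONS.get(owner, {}).items():
        if addr in net:
            return set(groups)
    return set()  # unknown network: reject


def check_bond(space, address, aggregator_groups):
    """Allow only if every aggregator (primary and secondary) is in a valid group."""
    groups = valid_groups(space, address)
    return bool(groups) and set(aggregator_groups) <= groups


if __name__ == "__main__":
    print(check_bond("GN", "198.18.0.100", ["Vancouver", "New York"]))   # valid at both
    print(check_bond("GN", "198.51.100.50", ["Vancouver", "New York"]))  # failover breaks
    print(check_bond("GN", "198.18.0.5", ["Vancouver"]))                 # delegated to CDC
```
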


.. |image0| image:: /attachments/11667089/11667345.png
