Internet protocol version 4 (IPv4) interconnection standard
Final | August 2020 | v3.0.0 | OFFICIAL - Public | QGCDG
Purpose
A Queensland Government Enterprise Architecture (QGEA) standard provides information for Queensland Government departments on the mandatory and recommended practices for a given topic area. Standards are intended to help departments understand the appropriate approach to address a particular issue or to do a particular task. Unlike a guideline, which is best practice advice, a QGEA standard is mandatory and is enforced by policy. For further information on QGEA document types, see QGEA document governance.
This standard, in conjunction with the related Internet protocol version 4 (IPv4) addressing policy covers the requirements for IPv4 addressing and routing between Queensland Government agencies and with Queensland Government whole-of-government infrastructure.
Audience
This document is primarily intended for:
- agency chief information officers
- agency ICT operational management and staff
- CITEC ICT operational management and staff.
Scope
In scope
This standard is mandated under the Internet protocol version 4 (IPv4) addressing policy and applies to departments and any other entity connecting to whole of Queensland government network infrastructure.
Out of scope
Internet protocol version 6 (IPv6) ranges are out of scope of the current standard.
Agency specific changes
Agencies are able to extend this standard for use within their agency, but must not at any time conflict with the specifications marked as must or required in this document. Agencies are strongly encouraged to consult the Queensland Government Customer and Digital Group (QGCDG) to resolve any issues conflicting with the required conventions. The copyright, acknowledgement and permissions sections must be included in any extensions to these standards.
Glossary
Term | Definition |
---|---|
Autonomous system | A collection of connected internet protocol (IP) routes under the control of one or more network operators that presents a common, clearly defined routing policy to the internet. |
AS number | Autonomous system number. The number associated with an individual autonomous system. |
BGP | Border gateway protocol - The routing protocol used to exchange routes between autonomous systems. |
Hosted systems | Agency systems running on whole-of-government infrastructure with the operating system maintained by CITEC and the application maintained by the agency. |
Housed systems | Agency systems running on agency infrastructure that is physically housed within whole-of-government data centres. |
IP | Internet protocol - This is the principal underlying communications protocol used to transport all traffic on the internet. |
IPv4 | Internet protocol version 4 - Currently the primary version of IP, however it is currently being replaced by version 6. It is expected that these versions will co-exist in parallel for a significant period of time. |
Managed systems | Agency systems running on whole-of-government infrastructure with both the operating system and the application maintained by CITEC. |
MPLS | Multi-protocol label switching - A forwarding technique that attaches a short label to each packet so that core routers forward on the label rather than on the IP header. It is used to ensure that all packets in a particular flow take the same path across the network and underpins the separation of VRFs on a shared core. |
VRF | Virtual routing and forwarding - A means for creating multiple separated virtual networks on a common physical network. |
WAN gateway | WAN gateway is an umbrella term for the network infrastructure used to terminate or aggregate one or more wide area network (WAN) carrier services. This infrastructure also provides the demarcation point between the whole-of-government core infrastructure and the WAN. |
Whole-of-government IPv4 logical architecture
Design principles
In the whole-of-government environment, the IPv4 architecture is based on the following design aims:
- standardisation of routing through:
  - summarisation of ranges
  - use of BGP
  - deletion of leakage routes (more-specific prefixes already covered by an announced summary)
- IP ranges used between agencies can be blocked at the internet boundary, which aids security.
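As an added worked example (not part of the standard), the summarisation and leakage-route principles can be checked mechanically before an agency edge router exports routes to the core: anything already covered by a broader prefix in the same advertisement is a leakage route, and the export set is the collapsed summary. The code uses Python's standard ipaddress module; the agency range 10.20.0.0/16 and the four advertised prefixes are constructed sample data.

```python
import ipaddress


def find_leaks(advertised):
    """Return the 'leakage routes': prefixes in an advertisement that are already
    covered by a broader prefix in the same advertisement.

    Under the summarisation principle only the covering prefix should reach the
    core; the more-specifics defeat aggregation and bloat the core routing table.
    """
    nets = [ipaddress.ip_network(p) for p in advertised]
    leaks = []
    for net in nets:
        if any(net != other and net.subnet_of(other) for other in nets):
            leaks.append(str(net))
    return leaks


def summarise(advertised):
    """Collapse an advertisement into the minimal covering set: contained
    prefixes are dropped and adjacent equal-size blocks are merged."""
    nets = [ipaddress.ip_network(p) for p in advertised]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def export_filter(advertised):
    """What an agency edge router should actually export to the core, together
    with the leakage routes it suppressed."""
    return {"announce": summarise(advertised), "leaks": find_leaks(advertised)}


if __name__ == "__main__":
    # Constructed sample: an agency holding 10.20.0.0/16 advertises its two halves
    # plus two more-specifics that the edge router should suppress.
    sample = ["10.20.0.0/17", "10.20.128.0/17", "10.20.5.0/24", "10.20.130.0/23"]
    print(export_filter(sample))
```

The same check applied on the receiving side of the core (flag any prefix that is a subnet of a prefix already in the table) is how "deletion of leakage routes" is enforced in practice.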
High level structure
The high level IPv4 range summarisation plan is shown in figure 1 and a logical network architecture for agency connectivity is shown in figure 2.
This high level architecture has been developed using the following aspects:
- the architecture will be based on virtual routing and forwarding (VRF) domains (IETF RFC 4026) and MPLS (multi-protocol label switching)
- an inter-agency VRF, for semi-trusted traffic between agencies, will be connected to the external side of agency firewalls
- multi-agency shared applications servers and whole-of-government applications servers at both datacentres will be connected to the intra-government VRF
- the agency WAN will be connected only to the agency internal VRF via the WAN gateway
- agency dedicated application servers housed at either datacentre will only be connected to the agency internal VRF
- agency dedicated application servers hosted on shared servers at either datacentre may also be connected to the intra-government VRF or internet VRF via the datacentre firewall
- the IP addressing of agency regional sites and the agency dedicated applications servers at the datacentres will be according to the agency internal addressing scheme controlled by the agency.
Figure 2: Agency logical network connectivity
Data centre interconnection logical architecture
Layer 3 architecture
The default architecture for interconnection between systems and applications implemented across datacentres is via a layer three model as shown in figure 3 below.
In this model, all communications with these systems and applications, including system internal communications between elements in different datacentres will be via layer 3 networking.
High availability for these systems is to be provided via load balancing or other layer 3 scenarios.
Figure 3: Agency logical network connectivity
Layer 2 architecture
Connecting systems across datacentres by spanning at layer 2, as shown in figure 4, is not the preferred approach, but it is allowed where it is essential for system operation. Because this model directly connects the sub-networks the systems attach to at each datacentre, it has consequences for system reliability that must be acknowledged and accepted: the stability of the system becomes dependent on the stability of the underlying network at both sites. System owners and stakeholders must review these risks and formally accept them before implementation occurs.
Figure 4: Layer 2 data centre interconnection high level architecture
BGP autonomous system numbering
Use of BGP routing will mean that networks within the whole-of-government infrastructure will need to be given autonomous system numbers. The following rules will apply:
- each agency will have an AS number, either a public number if the agency has one, or a private number allocated by CITEC
- the internet VRF will use a public AS number owned by CITEC
- public AS numbers owned by agencies may be transited through the CITEC internet VRF
- the intra government VRF will use a private CITEC allocated AS number
- data centres will have private AS numbers allocated by CITEC.
Autonomous system numbers
All agencies and other networks connected to the CITEC whole-of-government infrastructure will advertise ranges into the core network using BGP and autonomous system numbers (ASNs). The ASNs used can be either public numbers registered to the agency (internet use only) or private numbers provided by CITEC.
Governance requirements
Governance responsibilities
The breakup of governance responsibilities for IPv4 addressing and routing is:
Responsible entity | Responsibilities |
---|---|
QGCDG | |
CITEC | |
Agency | |
Compliance and migration
Where agencies are not fully compliant with this standard, a plan for migration to that state must be in place.
Conservation of addresses
To conserve limited public IPv4 addresses, Queensland Government agencies must implement a private IP addressing scheme for internal networks and only use publicly routable addresses for communications external to their networks.
Agencies that directly hold public IPv4 address ranges will conserve Queensland Government ranges by:
- using their own ranges for connections with non-government entities before using any CITEC registered addresses (131.242.0.0/16, 161.143.0.0/16 and 147.132.0.0/16)
- transferring ownership of, or delegating to CITEC, ranges that are no longer required by the agency.
Whole-of-government public IPv4 addressing scheme allocations
CITEC registered public ranges
The schema for IPv4 addresses within the whole-of-government network is constructed using the three class B (/16) public ranges held by CITEC. These ranges are broadly divided as follows:
- 131.242.X.X range for internet facing requirements
- 161.143.X.X range for intra-government facing requirements
- 147.132.X.X range for infrastructure requirements
These ranges will be further divided into categories as follows:
- Agency internet facing - this category is for connectivity from an agency (applications, systems and desktops) to the Internet.
- Agency intra-government facing - this category is for connectivity from an agency (applications, systems and desktops) to applications and systems accessible via the intra-government VRF.
- Whole-of-government and multi-agency systems - systems and applications that are accessed by multiple agencies via the intra-government VRF. Some of these may also be accessed from the internet.
- Hosted and managed agency systems - systems and applications that are accessed by a single agency and are installed on consolidated infrastructure. Some of these may also be accessed from the internet.
- IP telephony services (anticipated) - telephony and unified communications will potentially use gateways (such as a soft PBX) between CITEC and/or agencies. This range is reserved for possible future whole-of-government arrangements.
- Infrastructure management - address space for consolidated management systems.
- Foundation infrastructure addressing - address space for consolidated underlying infrastructure such as network equipment.
The above listed functional categories are not considered exhaustive. They are listed to provide agencies with an indication of IPv4 administration and routing policy within whole-of-government consolidated infrastructure.
Use of agency registered public ranges and autonomous systems
The following provisions are operational routing requirements and apply to all entities that route registered IPv4 address blocks via whole-of-government consolidated infrastructure.
Where agencies have their own registered public address allocations from internet registries, these allocations may be used as follows:
Summary ranges
The entire summary of the agency's registered APNIC allocation(s) must be announced to the internet. This is in line with current internet registry policy on address allocations and route aggregation, and anticipates further tightening of APNIC policy on IPv4 address space. Conforming to this route announcement policy, and keeping the administrative information in APNIC WHOIS records current, helps ensure that an agency's address allocations are not subject to current registry IPv4 reclamation policies.
Longer prefixes (subnets)
Where an agency needs to use its public address space for non-internet facing connectivity (e.g. private peering arrangements or third-party connectivity), more specific prefixes of the agency's registered address space may be used to provide a unique IPv4 prefix to the third party. Summary address ranges must not be used for this purpose.
Similarly, where an agency is unable to implement whole-of-government addressing and routing (inter-agency and inter-government) in the specified timeframe due to legacy environments, a smaller subnet of the agency prefix should be advertised via government infrastructure until the agency has migrated to the approved schema. It is not appropriate to advertise the entire summary to Queensland Government infrastructure.
Agency registered IPv4 prefixes should not be used in whole-of-government infrastructure, with the exception of the whole of Queensland Government internet VRF.
Registered autonomous system numbers
Agency autonomous system numbers registered with internet registries should be used on the internet only. Transit of registered autonomous system information within the Queensland Government network is not supported.
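As an added illustration (not part of the standard), the announcement rules of this section, the CITEC range split above and the AS number rule can be encoded as a pre-deployment check on a proposed BGP announcement and on the full set an agency intends to announce. The VRF labels, the agency allocation 203.0.113.0/24 (a documentation range standing in for a registry allocation) and the AS numbers 64600 (private) and 64496 (a documentation ASN standing in for an agency's registered one) are constructed; treating each CITEC /16 as strictly bound to one VRF is an interpretation of the "broadly divided" split rather than a rule the standard states, and private AS ranges are taken from RFC 6996.

```python
import ipaddress

# Assumed VRF labels: the standard names the roles but not the labels.
CITEC_RANGES = {
    "internet": ipaddress.ip_network("131.242.0.0/16"),
    "intra-government": ipaddress.ip_network("161.143.0.0/16"),
    "infrastructure": ipaddress.ip_network("147.132.0.0/16"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVATE_ASN = [(64512, 65534), (4200000000, 4294967294)]  # RFC 6996 private-use ranges


def is_private_asn(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN)


def check_announcement(prefix, asn, vrf, agency_allocations=()):
    """Return policy findings for one BGP announcement; an empty list means compliant."""
    net = ipaddress.ip_network(prefix)
    allocs = [ipaddress.ip_network(a) for a in agency_allocations]
    findings = []

    # Conservation of addresses: RFC 1918 space is for agency-internal use and
    # must never be announced towards the internet VRF.
    if vrf == "internet" and any(net.subnet_of(r) for r in RFC1918):
        findings.append(f"{prefix}: private address space announced to the internet VRF")

    # CITEC registered ranges are tied to a function (assumed strict mapping).
    for role, rng in CITEC_RANGES.items():
        if net.subnet_of(rng) and vrf != role:
            findings.append(f"{prefix}: CITEC {role} space announced to the {vrf} VRF")

    # Agency registered allocations: the whole summary goes to the internet only.
    # Inside government infrastructure a longer prefix is tolerated as the
    # transitional measure for legacy environments, but never the summary itself.
    for alloc in allocs:
        if net == alloc and vrf != "internet":
            findings.append(f"{prefix}: entire registry summary announced to the {vrf} VRF; "
                            "advertise a longer prefix only")

    # Registered (public) AS numbers are for the internet only; government VRFs
    # use CITEC-allocated private AS numbers.
    if vrf != "internet" and not is_private_asn(asn):
        findings.append(f"AS{asn}: registered AS number used inside government infrastructure; "
                        "use the CITEC-allocated private ASN")
    return findings


def missing_internet_summaries(announcements, agency_allocations):
    """Registry policy: the whole of each agency allocation must be announced to
    the internet. announcements is an iterable of (prefix, asn, vrf) tuples."""
    announced = {ipaddress.ip_network(p) for p, _, v in announcements if v == "internet"}
    return [a for a in agency_allocations if ipaddress.ip_network(a) not in announced]


if __name__ == "__main__":
    # Constructed agency: one registry allocation, announcing only a /25 to the internet.
    plan = [("203.0.113.0/25", 64496, "internet"),
            ("203.0.113.0/24", 64600, "intra-government"),
            ("10.20.0.0/16", 64600, "internet")]
    for prefix, asn, vrf in plan:
        print(prefix, vrf, check_announcement(prefix, asn, vrf, ["203.0.113.0/24"]))
    print("summaries missing from internet:", missing_internet_summaries(plan, ["203.0.113.0/24"]))
```

Running the check over the whole planned announcement set before peering is turned up is the practical form of the migration plan this standard asks for: each finding is either a configuration to fix or a legacy exception to record and accept.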
QGEA domains
This standard relates to the following domains:
Classification framework | Domain |
---|---|
Service Lines | SL-2.5.1 Information Communication Technology |
Business Process | 8.5.3 - Develop and manage service/solution architecture |
Information | I-10.1.1 Electronic |
Technology | T-4.4 Network |