This GigaOm Research Reprint Expires: Sep 29, 2023

GigaOm Radar for DDIv1.02

An Evaluation Guide for Technology Decision Makers

1. Summary

An integrated DDI solution provides increased visibility into potential IP conflicts in real time, provides context for audits and reporting, offers a structured workflow for basic network operations, enables routine maintenance tasks to be automated, and reduces the cost of network operations. However, with DNS mapping the IP addresses to names, DHCP assigning the IP addresses to hosts, and IPAM managing IP resources for both, using different tools introduces unnecessary risks and compromises an organization’s security posture.

This report provides an overview of the DDI landscape based on the following table stakes, which are common, mature, and stable features of all solutions:

  • Integrated DNS, DHCP, and IPAM (DDI): An integrated DDI solution provides administrators with complete control and visibility of the relationship between devices, users, and IP addresses from a single pane of glass, enabling automated maintenance tasks for increased resiliency, security, scalability, and support with complete auditing and reporting context. Eliminating the gap between IP address usage and reporting, an integrated solution updates records in real time, enabling bring your own technology (BYOT), internet of things (IoT), cloud, virtual, and emerging technologies to be selectively deployed and seamlessly managed without worrying about addressing conflicts.
  • Built-in DNS management: Purpose-built DNS management platforms allow network administrators to configure, manage, and visualize all aspects of DNS operations across cloud, physical, and virtual environments at scale via an intuitive user interface (UI). Incorporating DNS monitoring, security, and traffic control, role-based DNS management solutions use intelligent forwarding to optimize path resolution, apply policies to prevent unauthorized access, log internal and external DNS queries, simplify the tracking and monitoring of DNS assets and resources, and integrate with third-party security products for rapid threat detection and mitigation.
  • Built-in DHCP management: Managing the torrent of requests from fixed and mobile devices requiring connectivity, DHCP management tools orchestrate the discovery and capture of all network assets in a centralized single source of truth, providing complete visibility and simplifying the transition to IPv6. In addition, centralizing critical information for network connectivity—such as the size and location of routers, subnets, IP address hostnames, and IP address spaces—enables administrators to manage a proliferation of mobile devices and hybrid and multicloud infrastructure at scale.
  • Built-in IPAM management: Accessing a single source of truth for all network assets, an IPAM manager helps administrators organize, track, and fine-tune data related to a network’s IP address space. Providing advanced IP scanning and IP address tracking, IPAM allows IP addresses to be managed efficiently from a centralized IP management console. For example, hierarchies can be defined, subnets added based on location or usage, and the network scanned to obtain the real-time status of each IP address. Among other features, robust IPAM solutions should include role-based administration, flexible scanning, alert notification, and powerful search capabilities.

With so many different DDI solutions available and the landscape evolving, choosing the best option for your organization depends on your use cases, existing DNS and DHCP solutions, architectural choices, and in-house capabilities. Your current environment, growth plans, and in-house skill sets will most likely influence your decision about adopting an integrated, overlay, or managed DDI solution (these three models are described in the companion reportKey Criteria for Evaluating DDI Solutions”).

Figure 1. DDI Vendors and Delivery Models

Moreover, even if you’ve already deployed a DDI solution, don’t let that hold you back from exploring new management options and vendors with robust migration tools and services. In some cases, migrating to a new DDI solution can deliver significant benefits in terms of manageability and long-term cost savings.

This GigaOm Radar report provides an overview of notable DDI vendors and their available offerings. The corresponding GigaOm reportKey Criteria for Evaluating DDI Solutionsoutlines critical criteria and evaluation metrics for selecting a DDI solution. Together, these reports offer essential insights for IP addressing initiatives, helping decision-makers evaluate solutions before deciding where to invest.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.

2. Target Markets and Deployment Models

To better understand the market and vendor positioning (Table 1), we assess how well a vendor’s DDI solution supports different target markets and deployment models. For the DDI sector, we recognize four target markets:

  • Cloud and network service providers (CSP/NSP): CSPs delivering on-demand, pay-per-use services to customers over the internet, including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). NSPs sell network services—network access and bandwidth—providing entry points to backbone infrastructure or network access points (NAP). NSPs include data carriers, ISPs, telcos, and wireless providers.
  • Managed service providers (MSP): Service providers delivering managed application, communication, IT infrastructure, network, and security services and support for businesses at either the customer premises or via MSP (hosting) or third-party data centers (colocation).
  • Large enterprises: Enterprises of 1,000 or more employees with dedicated IT teams responsible for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-premises data center or a colocation facility.
  • Small-to-medium business (SMB): Small businesses (<100 employees) to medium-sized businesses (100-1,000 employees) with limited budgets and constrained in-house resources for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-premises data center or a colocation facility.

For the DDI sector, we recognize on-premises (hardware, software, and virtual) and cloud-based (private and public) deployment models:

  • On-premises hardware: DDI components are deployed as a hardware-based appliance.
  • On-premises software: DDI components are deployed on a dedicated edge node.
  • On-premises virtual: DDI components are deployed in a virtual machine.
  • Cloud-based (private): DDI components are deployed in a private cloud.
  • Cloud-based (public): DDI components are deployed in a public cloud.

Table 1. Vendor Positioning

Target Market

Deployment Model

CSP & NSP MSP Large Enterprise SMBs On-Premises Hardware On-Premises Software On-Premises Virtual Cloud-Based (Private) Cloud-Based (Public)
Cygna Labs
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
2 Limited: Lacking in execution and use cases
2 Not applicable or absent


3. Key Criteria Comparison

Following the general criteria introduced in GigaOm’s “Key Criteria for Evaluating DDI Solutions,” Tables 2 and 3 summarize how well each vendor included in this research performs in the areas we consider differentiating and critical for the sector.

  • Key criteria differentiate solutions based on features and capabilities, outlining the primary criteria to be considered when evaluating a service mesh, including built-in resilience, converged security, and AIOps automation.
  • Evaluation metrics provide insight into the impact of each product’s features and capabilities on the organization, reflecting fundamental aspects including availability, flexibility, and manageability.

The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.

Table 2. Key Criteria Comparison

Key Criteria

Integrated Security IPv6 Support Hybrid & Multicloud Support API Support Automation DDI as a Service
6connect 2 3 3 2 2 3
ApplianSys 2 2 0 1 0 0
BlueCat 3 2 3 3 3 2
Cygna Labs 3 2 3 3 2 3
EfficientIP 3 2 2 2 3 1
FusionLayer 2 3 3 3 3 0
InfoBlox 3 3 3 3 2 3
Men&Mice 2 3 3 3 2 0
Microsoft 2 2 1 1 1 0
Nokia 2 2 1 2 2 0
TCPWave 3 2 3 3 3 1
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
2 Limited: Lacking in execution and use cases
2 Not applicable or absent

Table 3. Evaluation Metrics Comparison

Evaluation Metrics

Built-In Resilience Openness Flexibility Availability Manageability Vendor Support Pricing & TCO Vision & Roadmap
6connect 2 3 3 3 2 2 2 3
ApplianSys 3 1 1 3 2 3 1 2
BlueCat 3 3 3 2 3 3 3 3
Cygna Labs 3 2 3 3 3 3 1 2
EfficientIP 3 2 3 3 3 3 2 3
FusionLayer 3 3 3 3 3 2 2 3
InfoBlox 3 2 3 3 2 3 2 3
Men&Mice 3 3 3 3 3 3 2 2
Microsoft 2 1 1 2 2 3 3 2
Nokia 3 2 2 3 2 3 2 2
TCPWave 3 2 2 3 2 2 3 2
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
2 Limited: Lacking in execution and use cases
2 Not applicable or absent

By combining the information provided in the tables above, the reader can understand the technical solutions available in the market.

4. GigaOm Radar

This report synthesizes the analysis of key criteria and their impact on evaluation metrics to generate the GigaOm Radar in Figure 2. Based on their products’ technical capabilities and feature sets, the chart is a forward-looking perspective on all the vendors in this report.

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—Maturity versus Innovation and Feature Play versus Platform Play—while the length of the arrow indicates the predicted evolution of the solution over the coming 12 to 18 months.

Figure 2. GigaOm Radar for DDI

As seen in Figure 2, and reflecting the overall maturity of the market, there are seven vendors in the Leaders circle (6connect, BlueCat, Cygna Labs, EfficientIP, FusionLayer, Infoblox, and Men&Mice) and four Challengers (ApplianSys, Microsoft, Nokia, and TCPWave). There are no New Entrants.

It should be noted that Maturity (that is, being positioned in the top two quadrants) does not exclude ongoing innovation. Instead, it identifies the solution as having the capabilities expected from a modern DDI solution and proven in a production setting compared to a newer solution undergoing innovation to achieve customer acceptance and adoption.

Vendors in the upper right-hand Maturity/Platform-Play quadrant offer full-featured DDI solutions with a choice of integrated, overlay, and DDI as a service (DDIaaS) delivery models. Vendors in the upper left-hand Maturity/Feature-Play quadrant prioritize modern overlay DDI solutions, while vendors in the bottom right-hand Innovation/Platform-Play quadrant offer integrated and overlay solutions with the possibility of adding DDIaaS capabilities. Finally, vendors in the bottom left-hand Maturity/Feature-Play quadrant only offer legacy integrated DDI solutions, including appliance-based hardware-only solutions often targeted for replacement.

In addition, BlueCat, FusionLayer, Men&Mice, and TCPWave are recognized as Outperformers. The length of the arrow (Forward Mover, Fast Mover, or Outperformer) represents execution against roadmap and vision (based on vendor input and in comparison to improvements made across the industry in general).

Inside the GigaOm Radar

The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.

The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.

The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.

Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.

5. Vendor Insights

6connect: ProVision

Founded in 2009, 6connect’s dynamic network provisioning (DNP) platform, ProVision, facilitates the centralized provisioning of physical and virtual devices across data centers, distributed and mobile networks, and cloud platforms. Launched in 2012, ProVision leverages a robust connector library to automate device provisioning, configuration, and control, while DNP’s REST API provides easy integration and helps automate complex network provisioning workflows.

Figure 3. ProVision at-a-Glance

An overlay solution deployed either on-premises or in 6connect’s hosted cloud, ProVision includes multitenant capabilities for delegating administration to downstream customers or internal groups via either the customized UI or customer service portal. ProVision dynamically and holistically provisions all the network control factors required to initiate and operate network and data center elements, including IP addresses, DNS zones, DNSSEC implementation, and DHCP pools.

ProVision comprises the ProVision Resource Manager, DNS Controller Module, DHCP Controller Module, IPAM Controller Module, and a full set of REST APIs documented in Swagger with extensive SDKs and code samples.

  • ProVision Resource Manager: Enabling assets to be tracked and provisioned in real time, ProVision’s context-aware resource manager maps complex hierarchies and their metadata for all physical and virtual network assets across all data centers or points of presence (PoPs). Integration with other OSS/BSS systems via an API enables additional automation of provisioning workflows.
  • DNS Controller Module: Managing both on-premises DNS platforms and hosted DNS providers, the DNS Controller simplifies the automation of DNS infrastructure—even when provisioning against multiple vendor technologies—using an API-first approach. Delegated administrative tasks enable increased automation without requiring advanced infrastructure knowledge, supporting complex workflows.
  • DHCP Controller Module: Supporting both brownfield and greenfield DHCP deployments, DHCP Controller provides both conventional DHCP lifecycle management features and complex distributed multitenant physical and virtual DHCP environments. The module streamlines migrations between DHCP platforms with on-the-fly configuration, separating DHCP configuration information from the scope/reservation data.
  • IPAM Controller Module: Offering complete end-to-end IPv4 and IPv6 IP management from allocation to assignment, and built-in scanning, discovery, and auditing for assurance, ProVision IPAM supports extensive metadata options for IP ranges, allowing organizations to enact complex IP allocation policies and embed them within the IP allocation and assignment process.

ProVision includes support for both enterprises and service providers. Typically deployed on-premises or in 6connect’s hosted cloud, the enterprise version consists of a ProVision deployment with an optional API composer platform (ACP) deployment for DevOps integration. The service provider version includes specific features for integrating with existing systems, including a local internet registry (LIR) manager for managing IP space/allocations at the regional internet registry (RIR) level.

Strengths: A flexible, vendor-agnostic platform, 6connect’s ProVision provides comprehensive support for IPv6 and DNSSEC with advanced functions and a quarterly release cadence incorporating customer feedback. ProVision IPAM manages both internal and external address assignments and, according to 6connect, reduces the time required to provision a block of IP addresses from 45 minutes to just 15 seconds. ProVision includes REST APIs for Cisco Prime Network Registrar and the Internet Systems Consortium (ISC).

Challenges: While 6connect does not currently have an integrated DDI solution, DNS and DHCP products are on their 12-month roadmap, after which ProVision will continue to support other DNS/DHCP platforms, including DNS/DHCP server lifecycle management and monitoring support of both local and hosted IaaS offerings.

ApplianSys: DNSBOX

Founded in 2001, ApplianSys is a privately held server appliance specialist designing, building, and marketing a range of network appliances offered in 1U rackmount or small form factor (SFF) formats. ApplianSys’ portfolio includes more than 15 models split across DNSBOX (DNS, DHCP, and IP address management), CACHEBOX (web cache, proxy server, WAN optimization, and content filtering), and EDUGATEBOX (accelerated onboarding for schools). Appliances are configured via a secure web interface or central management console appliance for large-scale deployments.

Figure 4. DNSBOX400 at-a-Glance

Combining carrier-class IP address management software with security, reliability, and ease-of-use, DNSBOX400 is a master appliance for managing large IP spaces offering support for both integrated and overlay delivery models. First released in 1996 and now in its seventh generation, ApplianSys’ embedded management application offers a comprehensive set of DDI capabilities. Providing built-in RFC-compliant data validation of DNS and DHCP configuration entries, the application simplifies IPv4 and IPv6 address planning, automates the DNS management process, and centrally monitors DNS and DHCP service performance on all linked servers.

A central management DDI server controlling and synchronizing unlimited remote DNSBOX200 DNS and DHCP servers, DNSBOX400 offers distributed administration with a central super-administrator managing granular control over the rights of delegated administrators. Acting as a DNS subsidiary running authoritative and recursive (cache) DNS as separate services on the same physical server, the DNSBOX200 integrates seamlessly with the DNSBOX400 as a recursive resolver (DNS cache) and DHCP server for increased performance and security.

Built on the ApplianSys server appliance platform, all DNSBOX models use carefully selected, fit-for-purpose industrial-grade components optimized for reliability and performance. Solid state drives (SSDs) deliver enhanced reliability, faster boot times, and increased resilience to hardware failure—minimizing the risk of data or application corruption. In addition, DNSBOX’s dual CompactFlash architecture with swappable program and data cards offers extra redundancy.

DNSBOX’s security-hardened, in-memory Linux-based operating system (OS) is a custom-built appliance distribution developed by ApplianSys to maximize security and reliability. Stripped clean and locked down with a read-only compressed file system, the OS is more secure and boots significantly faster than a standard Linux server. A fully configurable in-box firewall opens ports only when services are enabled, automatically dropping all other traffic.

Used to configure and manage the DDI platform from anywhere in the world, an intuitive UI minimizes complexity with clear, logical methods and workflows. At the same time, automated assistants streamline the initial configuration by validating data entry and automating time-consuming tasks, such as bulk data changes and DNSSEC zone signing. In addition to agentless integration with Microsoft DNS and DHCP and a CLI for scripting large or complex DNS tasks, rich XML-RPC and SOAP APIs integrate with other systems.

Strengths: Architecting, deploying, and managing a distributed DNSBOX environment is relatively easy compared to other DDI solutions. In addition, by using different DNSBOX200 appliances as remote subsidiaries, DNSBOX400 can support medium- and high-performance environments with complex data requirements. ApplianSys offers a high-service support package, including software upgrade protection, hardware warranties, low-cost hardware refresh, and annual deployment reviews.

Challenges: ApplianSys is a hardware-only solution with appliances installed at central and remote sites with various redundancy options. Moreover, except for light-duty models designed for SMBs with tight budgets, ApplianSys’ DNSBOX portfolio does not support white box deployments. All other appliances are prebuilt with specific hardware, a customized OS, and embedded DDI management capabilities. In addition, DNSBOX400 does not offer an overlay option, with DNC, DHCP, and IPAM either integrated within the platform or offered as individual, disaggregated solutions.

BlueCat Networks: BlueCat Integrity

Founded in 2001, BlueCat Networks develops innovative, software-centric solutions enabling automated, centralized, scalable, and secure IP infrastructure. BlueCat Integrity, the flagship product of BlueCat’s Adaptive DNS portfolio, is a purpose-built enterprise DDI platform enabling network teams to centralize control of core DDI services—including updating resource records, managing DNS/DHCP servers, and assigning IP addresses—and gain insight into the relationships among devices, users, and IP addresses across the enterprise via a single web-based interface. BlueCat Integrity can be deployed in any environment as a physical or virtual appliance, allowing enterprises to consolidate their hybrid cloud IP space in one IPAM solution.

Figure 5. BlueCat Integrity at-a-Glance

BlueCat Integrity comprises BlueCat’s IPAM solution, BlueCat Address Manager, and authoritative DNS and DHCP servers. Accommodating a broad range of enterprise customers and use cases, BlueCat’s unique physical and virtual DNS/DHCP appliance architecture separates the management and services planes, delivering linear scalability for increasing queries per second and providing resilient backup servers for highly available DNS and DHCP services. In addition, BlueCat’s DDI telemetry and performance metrics provide real-time health monitoring (accessed via API calls), enabling network teams to address issues proactively before they experience downtime.

The BlueCat Integrity portfolio includes BlueCat Gateway, BlueCat Adaptive Applications, BlueCat Adaptive Plugins, BlueCat Edge, and BlueCat Cloud Resolver.

  • BlueCat Gateway: Leveraging a robust library of adaptive plugins and applications, BlueCat Gateway transforms mission-critical business requirements into DNS, DHCP, IPAM, and DDI workflows, plugins, and applications, enabling error-free, zero-touch automation of DNS services for managing cloud and on-premises resources.
  • BlueCat Adaptive Applications: A suite of out-of-the-box applications providing cloud and network discovery and visibility, health monitoring, and increased resilience, BlueCat Adaptive Applications includes BlueCat’s Overlay for Microsoft for importing DNS records, DHCP transactions, updates, and network data from Microsoft Active Directory (AD).
  • BlueCat Adaptive Plugins: Helping to automate everyday tasks and workflows, BlueCat Adaptive Plugins integrate the BlueCat platform with third-party IT applications and services, including Ansible, Cisco ACI, ExtraHop, OpenStack, and ServiceNow.
  • BlueCat Edge: An intelligent DNS resolver and caching layer leveraging existing DNS infrastructure to deliver increased visibility and control over DNS traffic, BlueCat Edge works seamlessly with BlueCat threat protection and policy-based network and security to protect against cyber threats, including domain name generation algorithms.
  • BlueCat Cloud Resolver: Once placed in a region, BlueCat Cloud Resolver—a cloud-native DNS resolver providing immediate resolution to and across any private virtual network—becomes cloud-aware, discovering all DNS zones and creating a single BlueCat Edge namespace for any endpoint in the data center or cloud to resolve queries.

Customers can deploy BlueCat Integrity on either high-performance appliances or existing branch network infrastructure—such as Cisco appliances—using BlueCat Fleet Service Points to extend the lifespan of existing infrastructure. Moreover, in addition to providing virtualization support for Citrix, Hyper-V, KVM, and VMware, BlueCat offers lighter-weight virtualization options with Docker containerization.

Strengths: Right-sized from the start, BlueCat Integrity offers deployment flexibility with true pay-as-you-grow linear scalability and safe, secure migrations backed by decades of experience and proven migration tools, providing customers with predictable, low-risk cutovers. Managing infrastructure as code, BlueCat’s extendable automation platform and robust library of adaptive applications and plugins transforms business logic into custom workflows using highly configurable and tailored APIs.

Challenges: With DNS viewed as a critical component in the networking security landscape and BlueCat’s Integrity platform providing real-time visibility, threat detection, policy enforcement, and client/endpoint query flagging, BlueCat needs to offer a comprehensive DDI security posture within the core BlueCat Integrity platform (rather than BlueCat Edge) incorporating granular alerting, additional threat feeds, distributed denial of service (DDoS) rate-limiting, enhanced role-based access control (RBAC), and out-of-the-box integration with additional identity management systems and SIEM/SOAR platforms.

Cygna Labs: Diamond IP

Founded in 2001, Cygna Labs, a specialized software manufacturer focused on cloud security and compliance technologies, acquired Diamond IP, one of the largest DDI vendors, from British Telecom (BT) in March 2022. Complementing Cygna Labs’ auditing, compliance, and recovery services, Cygna Labs’ Diamond IP is a multicloud, multiplatform DDI solution available as physical appliances or instantiated in private clouds—Docker, Hyper V, KVM, VMware, and Xen—and public clouds—Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Oracle Cloud—to streamline the management of the entire IPv4 and IPv6 address lifecycle.

Figure 6. Diamond IP at-a-Glance

Offering top-to-bottom IPv4 and IPv6 address planning, allocation, and assignment with integrated multivendor DHCP and DNS support, Diamond IP bolsters network defenses with built-in security features providing DNS security, IP address integrity, and centralized reporting and forensics. A rich REST API provides automation with graphical workflows, triggered callouts, and third-party integrations, while Cygna Labs’ multivendor managed DDI services complement in-house teams and increase DDI resilience.

Cygna Labs’ Diamond IP comprises IPControl, Sapphire appliances, and DDI services.

  • IPControl: An advanced DDI system, IP Control provides centralized, complete lifecycle management of mission-critical IPAM functions, including the deployment of multivendor DNS and DHCP configurations, inventory assurance with Layer 2/3 discovery, IPv4 and IPv6 address space allocation/reallocation, assignments and blocks, pool monitoring and utilization tracking, and address and subnet reclaim. IPControl integrates with existing DNS and DHCP environments, providing support for Sapphire and third-party appliances.A robust REST API provides integration points between IPControl and external systems for advanced automation and workflow of IPAM tasks and processes. In addition, IPControl’s intuitive user interface, extensible templates, and built-in validation features enable accurate configuration, consistent policy deployment, and centralized management of IP address space and distributed DNS/DHCP servers delegated to multiple administrators across multiple dimensions with granular access controls.
  • Sapphire appliances: Providing the convenience of a prepackaged DDI appliance, Sapphire physical and virtual appliances are shipped with IPControl and DHCP, DNS, DNSSEC, or cloud automation services software pre-installed. Built from the ground up, the appliances incorporate numerous security features, including a hardened OS, jailed file system, network interface access control lists (ACLs), minimal open ports, rate limiting to mitigate reflector and denial of service (DOS) attacks, and an uninterruptible boot process. Physical and virtual Sapphire appliances can be centrally monitored via the IPControl system dashboard, third-party SNMP managers, or Sapphire EX appliances providing centralized monitoring, services control, and patch management of distributed Sapphire appliances.
  • Managed IPAM: Built on top of Cygna Labs’ Services Infrastructure Management (SIM) service—providing administration, backups, upgrades, and monitoring of deployed multivendor appliances—the managed IPAM service offers a complete IPAM services option. ISO-9001 and ISO-27001 certified, Managed IPAM provides system administration, monitoring, and upgrades of deployed Sapphire appliances, including day-to-day updates to address pools, IP address assignments and blocks, DNS domains, resource records, and subnets.

The Cygna Labs’ portfolio also includes the Sapphire A30 IPAM Auditor Appliance—a scalable auditing repository for tracking and reporting DDI transaction history—for forensics analysis, transaction auditing, and trend reporting.

Strengths: A multicloud, multiplatform DDI solution deployed as physical appliances or instantiated in private clouds and public clouds, Cygna’s Diamond IP solution offers a flexible IPAM portfolio—including managed infrastructure and DDI services—enabling users to simplify their IP address management tasks and streamline the entire IPv4 and IPv6 address lifecycle. Providing continuity for customers, BT continues to be a Diamond IP reseller.

Challenges: In addition to not offering a downloadable free trial with a subset of features, pricing information is available only after details about your organization have been submitted to a Cygna Labs representative.

EfficientIP: SOLIDserver DDI

Founded in 2004, Efficient IP is a network automation and security company specializing in DDI. Supporting a wide range of hardware and software appliances to match varying customer requirements—from small branch offices to large enterprises—the EfficientIP SOLIDserver DDI suite offers an all-in-one platform for IP address lifecycle management, increasing network reliability, resiliency, and security. Cloud- and orchestrator-agnostic, EfficientIP SOLIDserver maintains consistency between overlapping IP spaces, leveraging EfficientIP’s embedded SmartArchitecture automation capabilities to accelerate the deployment of new services and reduce operational costs.

Figure 7. SOLIDserver DDI at-a-Glance

The SOLIDserver portfolio comprises a suite of individually priced DDI (SOLIDserver DDI, IPAM for Microsoft, and IPAM For BIND DNS and ISC DHCP on Linux), DNS security (DNS Blast, DNS Cloud, DNS Firewall, DNS Guardian, and Hybrid DNS), network management (Device Manager, NetChange, and Service Provider Extension (SPX)), and application traffic management (DNS Global Server Load Balancing (GSLB)) extensions with incremental price increases for customers upgrading to higher levels of performance for DNS and DHCP services. In addition, EfficientIP offers DDIaaS through global partners such as DXC, Orange, or local partners.

SOLIDserver DDI appliances—running virtually or on third-party hardware—automate and simplify IPv4 and IPv6 address management and VLANs/VXLANs across multivendor DNS and DHCP services, including AWS Route 53, Azure DNS Zones, ISC BIND DNS and DHCP, and Microsoft DNS and DHCP, as well as SOLIDserver DNS/DHCP services and DNS security appliances and GSLB services. Enabling the rapid deployment of flexible, reliable, and scalable DDI architectures, EfficientIP’s embedded SmartArchitecture and SOLIDserver DDI’s intuitive UI provide consistent control, unified management, and global visibility across the entire network, including networking functions embedded in public cloud environments.

Reaching beyond DDI, an extensible IP data lake comprises details of applications, devices, networks, and users, providing a network single source of truth integrating seamlessly with heterogeneous clouds, orchestrators, and SaaS services via open APIs and plugins. Device Manager (inventory and allocation management), NetChange (discovery and automated configuration), and SPX (automated RIR declaration lifecycle) extensions integrate with the SOLIDserver DDI appliance suite to populate the data lake, delivering unified management of device port allocation and network configurations with DDI and VxLANs/VRF in a single process.

Simplifying complex administration tasks by automatically deploying and managing DHCP and DNS architectures as a single entity, SmartArchitecture is a library of state-of-the-art architectural templates of architectures applied to a group of multivendor servers, including Microsoft DHCP and DNS servers. Based on the selected SmartArchitecture, SOLIDserver’s centralized management platform automatically configures—or reconfigures—all DHCP and DNS servers according to their specific role within the chosen template, eliminating the need to configure each server manually. Supporting fully compatible hybrid architectures, the SmartArchitecture Catalog includes templates for DNS (master-client, multi-master, stealth, and load sharing) and DHCP (cluster, one-to-one failover, one-to-many failover, and Microsoft split scope) architectures.

Strengths: Simplifying architectures and reducing the number of servers, EfficientIP’s all-in-one appliances offer layered functionality automatically deployed and managed via EfficientIP’s embedded SmartArchitecture templates as a system rather than a collection of individual entities. Dynamic data collection capabilities populate an extended data lake with IPAM-centric rich data enabling advanced automation and consistent control and reconciliation processes. A unified and consistent UI across all products offers single-pane-of-glass management with holistic search capabilities, increasing usability and enhancing the user experience.

Challenges: EfficientIP needs to overcome the market perception of being a “low-cost Infoblox” by focusing on SOLIDserver’s key differentiators. While providing comprehensive security features, administrators currently have to use the CLI to configure user-level DNS client query filtering (CQF) to strengthen application access control. Full configuration of CQF via the SOLIDserver GUI is on the company’s 12-month roadmap. In addition, the company needs to improve and expand workflow features to support mission-based tasks and actions in a process- and role-based environment.

FusionLayer: FusionLayer Infinity

The result of Nixu Group’s pre-IPO reverse merger in 2015, FusionLayer bridges the gaps between network infrastructure, cloud orchestration, and network function virtualization (NFV) workflows, offering vendor-agnostic technology with centralized provisioning, control, automation, and visibility for networks spanning private data centers and private and public clouds. FusionLayer’s feature-rich platform, FusionLayer Infinity, functions as a centralized IPAM overlay for both FusionLayer and select third-party DNS, DHCP, and IP addressing solutions, including Microsoft DNS and DHCP, F5 BIG-IP DNS, AWS and Azure cloud stacks, and edge cloud technologies such as OpenStack and VMware Edge.

Figure 8. FusionLayer Infinity at-a-Glance

Claiming to be the world’s first software-defined IP address management (SD-IPAM) solution, FusionLayer Infinity expands the scope of a traditional IPAM solution to a patented network source of truth (NSoT) for all network information—including logical networks, NATs, VLANs, and VRFs—allowing networks and associated data to be abstracted under a single pane of glass for powering automation use cases spanning on-premises infrastructure and private, public, and edge clouds. Moreover, providing a single source of truth enforces secure management processes while providing a single integration point for different orchestrators requiring network information as input for end-to-end automation.

Infinity provides a range of zero-touch functions, including DNS entries and IP, subnet, and VLAN reservations. Using patented technology for managing IP and network assignments in multitenant, orchestrated environments with network overlap, Infinity supports centralized management of on-premises and edge and public cloud subnets, IPs, and VLANs in multitenant environment subnets, including AWS VPC subnets and Azure VNET. Edited via a UI, the fully configurable data structure accommodates any data associated with the managed objects, with a robust RESTful API supporting third-party orchestrators.

By implementing FusionLayer Infinity on top of their existing Microsoft AD architecture, organizations can automate and centralize the management of their IP, including audit trails, granular user management, user authentication via LDAP, and automated synchronization of dynamic and static clients to subnets managed by Infinity. In addition to supporting existing DNS and DHCP infrastructures in brownfield deployments, FusionLayer’s portfolio includes FusionLayer DHCP Server and FusionLayer DNS.

  • FusionLayer DHCP: Introduced in 2003, FusionLayer DHCP is a virtualized DHCP software appliance implementing a built-in security methodology for secure and scalable IP addressing for traditional networking and NFV-based environments. Providing centralized management, monitoring, and configuration, FusionLayer DHCP Server automates the manual routines of installing and running resilient DHCP services on almost any native or virtual x86-based computing environment.
  • FusionLayer DNS: Featuring proactive DNS security since 2006, FusionLayer DNS is a virtualized, highly scalable DNS server typically deployed at the edge as a virtual machine on KVM or VMware. Leveraging a patented security architecture based on least privilege and defense in depth, FusionLayer DNS includes embedded intrusion prevention and firewall capabilities to protect against DDoS attacks, rate-limiting and source randomization, and support for ACLs, DNSSEC, TSIGs, and RPZ Feeds.

However, while FusionLayer’s portfolio includes DHCP and DNS capabilities, the company’s primary focus is providing a network source of truth, enabling automated, zero-touch deployment and configuration. For customers with existing DNS and/or DHCP strategies in place, FusionLayer believes that overlaying Infinity’s management as the network source of truth on top of third-party DNS and/or DHCP systems creates the least disruption and greatest return.

Strengths: Offering centralized zero-touch operations, fully configurable data structures, and a patented NSoT spanning hybrid infrastructures, FusionLayer Infinity is an innovative IPAM overlay for both FusionLayer and select third-party DNS, DHCP, and IP addressing solutions. In addition, Infinity supports infrastructure modernization leveraging cVNFs with the option of deploying DNS and/or DHCP servers as a cloud-native Kubernetes pod.

Challenges: With business models evolving and demand for containerized VNFs (cVNFs) ramping up, FusionLayer needs to develop functionality to support containerization and new use cases, including private 5G, 5G vRAN, and release parameter provisioning for private 5G nodes. Moreover, as the usage of IP increases, the company needs to focus on ensuring scalability to meet future demand. In addition, FusionLayer needs to leverage its patented NSoT to increase observability with AI-driven insights.

Infoblox: NIOS DDI

Founded in 1999, Infoblox is the recognized industry leader in the DDI space with over 50% market share and more than 13,000 customers, including 75% of the Fortune 500. Leveraging patented Infoblox Grid technology that links distributed network appliances into a single, integrated system providing highly available core network services, Infoblox NIOS DDI consolidates DNS, DHCP, and IP address management into a single platform, deployed on-site and managed via a common console. Infoblox’s portfolio includes a range of hardware appliances and support for NIOS DDI virtual appliances running on Hyper-V, KVM, Nutanix, OpenShift, OpenStack, and VMware, and on AWS, Azure, GCP, and Oracle Cloud.

Figure 9. NIOS DDI at-a-Glance

NIOS DDI can be configured as either an integrated solution comprising DNS, DHCP, and IPAM capabilities—for customers wanting a single vendor DDI ecosystem—or as an overlay solution integrating third-party DNS and DHCP services. In addition to hardened appliances and OSs providing enhanced security, Infoblox offers extensions for implementing additional security features in both DNS and DHCP. The web-based UI includes a distributed database, granular role-based administration, and closed-loop workflows leveraging automation, customizable templates, and property inheritance.

NIOS DDI deploys in an Infoblox Grid configuration with all DNS services fully managed and all DNS-related operations controlled via a WebUI offering single-pane-of-glass management. The Infoblox Grid is a proprietary scaling and replication mechanism supporting dense, highly available configurations. Eliminating the need to deploy security patches, Infoblox’s Advanced DNS Protection uses constantly updated threat intelligence and hardware-accelerated security rules to detect and mitigate DoS, DDoS, and other network attacks targeting DNS caching and authoritative applications.

In addition to automated device discovery, single-control-plane visibility, and advanced DNS security, NIOS DDI includes identity mapping and DHCP fingerprinting.

  • Infoblox Identity Mapping: Making DHCP and DNS identity-aware, Infoblox Identity Mapping enhances the authoritative data in the IPAM database by matching username information to IP and MAC addresses, providing administrators with increased visibility and rich data for quickly analyzing historical resource usage and troubleshooting network and user-related issues.
  • Infoblox DHCP Fingerprinting: Eliminating the need for agents or mobile device management (MDM) software, DHCP fingerprinting enables each device and/or OS to be identified dynamically and in real-time without requiring additional discovery mechanisms, which allows administrators to flexibly enforce corporate policies for BYOD while blocking games, routers, and other prohibited devices.

Infoblox also offers BloxOne DDI, a cloud-managed DDI solution for branch office networks. Built on the cloud-native BloxOne Platform and available as a SaaS service with zero-touch provisioning (ZTP), BloxOne DDI eliminates the complexity, bottlenecks, and scalability limitations of traditional DDI using any combination of centrally managed hardware appliances, VMs, and containers. The appliances “phone home” to authenticate, download, and deploy configurations globally across all remote sites. Speeding up the user’s cloud experience and ensuring local survivability, BloxOne DDI’s lightweight on-premises physical or virtual appliances direct traffic to the closest cloud entry point for SaaS applications.

Strengths: Infoblox has established itself as the market leader with a comprehensive DDI platform incorporating robust DNS security features, integration with best-of-breed security platforms, a strong go-to-market strategy, and a well-trained channel. Infoblox is a Microsoft Gold partner offering seamless integration with—or migration from—Active Directory with bi-directional synchronization and centralized management from a unified UI. DNS changes made using Microsoft utilities are automatically reflected in Infoblox.

Challenges: Infoblox is very DNS-driven and typically leverages its DNS security features as a key differentiator to address traditional DDI use cases. In addition to being one of the more costly solutions, Infoblox’s rigid grid architecture lacks the flexibility of management and services plane separation, often forcing customers to re-architect zones at a high cost. Furthermore, Infoblox often claims to deploy “right-sized” hardware and virtual appliances in response to allegations of undersizing upfront and forcing customers into expensive upgrades. Infoblox addresses hundreds of customer enhancement requests by releasing software iteratively each quarter, which may disrupt stable environments if applied.

Men&Mice: Micetro

Founded in 1990, Men&Mice provides advanced, easy-to-implement and easy-to-use software solutions to meet network modernization requirements. Men&Mice’s flagship product, Micetro, is an overlay and orchestration solution simplifying DNS, DHCP, and IP address management for increasingly complex multivendor, multiplatform networks spanning on-premises and private, public, edge, and hybrid cloud environments via a single pane of glass. Providing robust RESTful and SOAP APIs and a single, unified UI for DNS, DHCP, and IPAM in the cloud and on-premises, Micetro delivers a single, searchable network source of truth for the end-to-end DDI environment with contextualized visibility, observability, and control.

Figure 10. Micetro at-a-Glance

Micetro comprises Micetro Central, Micetro database, and Micetro Web Services. Micetro Central and Web Services can be installed on either bare metal or Linux or Windows servers, while Micetro database can use an existing database. A highly available platform supporting various DNS and DHCP platforms, DHCP failover, and DNS redundancy, even if Micetro Central were to go down, DDI services would continue to run since Micetro Central operates as an overlay in the control plane.

As a non-disruptive software overlay that can be deployed in minutes, Micetro eliminates the need for proprietary DDI appliances, working with existing DNS and DHCP services and even managing other DDI solutions. Micetro’s bidirectional functionality allows users to manage their IP environment via either Micetro’s unified UI or the underlying DNS or DHCP service. Rather than forcing changes only through the Micetro platform, Micetro allows an underlying service to make changes, after which Micetro imports the information and updates the NSoT.

Micetro is also a non-authoritative DNS management solution. Rather than connecting to Micetro, clients connect to the underlying service that is authoritative for where the workload resides, enabling Micetro to maintain a non-disruptive and sustainable DNS management role. Micetro ingests the operational functionality and security of the underlying DNS services, including Microsoft DNS or ISC BIND DNS on-premises and Akamai, AWS Route 53, Azure DNS, NS1, and OpenStack in the cloud. Furthermore, as a non-authoritative solution, Micetro offers xDNS Redundancy, a unique multivendor DNS redundancy capability allowing customers to deploy automated failover between DNS providers for critical and non-critical zones.

Micetro also works with major DHCP services to provide dynamic IP address allocation for IPv4 and IPv6 environments from the unified UI or APIs. After discovering and validating IP information through CSV files, ICMP, SNMP, and LLDP, Micetro further validates the information by connecting to DNS and DHCP servers to contextualize the IP information and store it in the searchable NSoT. Micetro leverages third-party capabilities for DHCP high availability, including Kea High Availability’s failover and split scope support for both DHCPv4 and DHCPv6.

Micetro also integrates with third-party providers—such as Akamai—for edge security services. Men&Mice does not offer a traditional DDIaaS solution but partners with MSPs to offer customers DDIaaS style solutions as part of their service portfolio. However, Men&Mice does provide 24×7 monitoring and assists customers with automated lifecycle management, including IP address reclamation.

Strengths: Deployed in minutes, Micetro is a non-disruptive overlay and orchestration solution for the entire DDI environment, working with existing DNS and DHCP services. Eliminating the need for proprietary DDI appliances, Micetro reduces costs and simplifies DDI operations, integrating and unifying heterogeneous environments instead of replacing them to minimize upheaval and maximize visibility. Micetro also provides workflows, reporting, and a robust API layer for automating IP operations. Men&Mice is developing the necessary functionality to observe and control DHCP services within Meraki access points.

Challenges: While Micetro supports cloud service management from the Micetro Central management console, the web UI does not yet provide the same capabilities. Full feature parity between the web UI and management console is expected to be achieved within the next three months, after which the management console will be deprecated. Additionally, while currently supporting the major on-premises and cloud providers, Men&Mice is developing Micetro Extensions to help simplify and accelerate integration with additional platforms.

Microsoft: Microsoft IPAM

Introduced with Windows Server 2012, Microsoft embeds its DDI capability free of charge within its Windows Server product. Microsoft IP Address Management (IPAM) is an integrated suite of tools for end-to-end planning, deploying, managing, and monitoring IP address infrastructures. Microsoft IPAM automatically discovers DNS and DHCP servers on the network, enabling network administrators to monitor, audit, and manage them from a central interface. Microsoft tightly integrates its DDI capabilities with Windows Server, Active Directory, and System Center Virtual Machine Manager (SCVMM).

Figure 11. Microsoft IPAM at-a-Glance

Microsoft IPAM offers a unified, centralized administrative experience for network administrators to manage IP address space in corporate and Microsoft-powered cloud networks, streamlining the IP address space administration of both physical (fabric) and virtual networks. The integration between IPAM and SCVMM provides end-to-end IP address space automation for Microsoft-powered cloud networks, and includes the ability of a single IPAM server to detect and prevent IP address space conflicts, duplicates, and overlaps across multiple instances of SCVMM deployed in large data centers.

Enabling new experiences and integrated lifecycle management operations, Microsoft IPAM provides support for visualizing all DNS resource records pertaining to an IP address, automating the inventory of IP addresses based on DNS resource records, and managing the IP address lifecycle for both DNS and DHCP operations. Microsoft IPAM supports DNS resource record, conditional forwarder, and DNS zone management for both domain-joined Active Directory-integrated and file-backed DNS servers. Administrators can use IPAM for centralized management of DNS properties, including zones and resource records, discovering and administering DNS and DHCP servers, and IP addressing across multiple federated Active Directory forests when there is a two-way trust relationship with the forest where the IPAM server is installed.

IPAM’s address space management (ASM) feature provides visibility into all aspects of the IP address infrastructure from a single console. Administrators can create a highly customized, multilevel hierarchy of address space on the network and use it to manage IPv6 addresses and IPv4 public and private addresses. The ASM feature includes a robust reporting capability that enables detailed tracking of IP address utilization trends with customized thresholds and alerts.

Granular RBAC policies allow administrators to specify access privileges at various levels—including the DNS server, DNS zone, and DNS resource record levels—over operations to create, edit, and delete different types of DNS resource records. Windows PowerShell commands can be used to automate access control configuration for DHCP and DNS by retrieving DNS and DHCP objects in IPAM and changing their access scopes.

Providing integration between IP address inventory, DNS Zones, and DNS resource records, Microsoft IPAM maintains a local database where it stores DNS data, dynamically collecting it every six hours after automatically building the IP address inventory and creating a mapping between IP address ranges and DNS Reverse Look-up Zones. Administrators can view DNS resource records for a specific DNS zone and filter the records based on type, IP address, resource record data, and other filtering options.

Actively tracking and reporting all administrative actions, IPAM’s audit feature provides a centralized repository for all configuration changes performed on DHCP servers and the IPAM server and for IP addresses issued on the network. Detailed IP address tracking data, including client IP addresses, client ID, hostname, and username, are also provided. In addition, advanced search capabilities allow administrators to selectively search for events and obtain results that associate user logins to specific devices and times.

Strengths: Microsoft IPAM provides a central and integrated experience for IP address management of Microsoft environments, replacing manual, work-intensive tools such as spreadsheets and home-grown scripts that can be cumbersome, unreliable, and difficult to scale. Microsoft IPAM is free with Windows Server and tightly integrated with AD. Microsoft continues to invest in DDI to support strategic areas, including cloud and virtualization.

Challenges: Customers are often unaware that Microsoft provides an integrated DDI capability beyond essential DNS and DHCP services. As a free product, Microsoft IPAM is not purpose-built to manage enterprise DNS and lacks the feature depth and breadth of leading competitors. Lacking support for non-Microsoft DNS/DHCP servers and non-Microsoft cloud environments, Microsoft IPAM does not provide end-to-end automation and visibility of on-premises, hybrid, and multicloud environments. IPAM is not enabled by default and must be installed as a server feature.

Nokia: Nokia VitalQIP

Added to Nokia’s portfolio following the acquisition of Alcatel-Lucent in 2015, Nokia VitalQIP is an open, scalable DDI solution offering feature-rich, high-performance capabilities for enterprises and service providers. Offering easy integration with company initiatives such as BYOD, IoT, IIoT, private clouds, and virtualization, VitalQIP enables unified planning and administration of IPv4 and IPv6 address spaces, improving the accuracy of an organization’s IP address inventory while reducing infrastructure support costs and maximizing DNS and DHCP service availability.

Figure 12. Nokia VitalQIP at-a-Glance

VitalQIP’s advanced capabilities include fully integrated support of IPv4 and IPv6 address plans, host discovery, IP infrastructure inventory capabilities with extensible metadata, extensive CLIs, an intuitive web-based GUI, a standards-based SOAP/XML API for tight integration, enhanced audit and report functions, and carrier-grade high-performance DNS and DHCP services.

The Nokia DNS service is based on the open-source BIND DNS reference implementation with enhancements to meet today’s organizational demands. Nokia DHCPv4 and DHCPv6 services are multithreaded, carrier-grade DHCP implementations with resilient DHCP failover technology and extensible functionality with API access. Every DHCP IP address lease provided by Nokia DHCP servers is centrally stored and historically auditable within VitalQIP’s web-based GUI.

The optional VitalQIP appliance manager portfolio provides a seamless, cost-effective way to deploy and maintain VitalQIP on an integrated appliance platform for increased reliability, manageability, scalability, and security, and is the only appliance solution on the market that seamlessly integrates with VitalQIP. In addition to physical appliances, Nokia also offers software and virtual appliances, allowing customers to install the same software that runs on VitalQIP appliances on their choice of hardware.

The VitalQIP Appliance Manager includes the Enterprise Server Module (ESM), the Appliance Management Software (AMS), and the Appliance Management Module (AMM). The ESM provides VitalQIP Enterprise Services, such as the IPAM functions, a centralized UI, and database support; the AMS is used to manage appliances in the network; and the AMM provides VitalQIP remote services, including DNS, DHCP, SNMP, and other services. The AMM and AMS functions can run on any Nokia QIP appliance.

The Nokia QIP appliance portfolio runs on the latest multicore Intel-based architecture with the hardened Red Hat Enterprise Linux OS. Leveraging a token-based appliance authentication process for security, the centralized VitalQIP AMS maintains an inventory of software packages and appliances and is launched via the VitalQIP web-based GUI, allowing users to seamlessly manage deployment, apply patches and upgrades, and monitor IPAM, DNS, DHCP, and other services. In addition, the platform supports customized physical and virtual remote appliances with automated software patching, including AWS Route 53 and Microsoft Azure.

The VitalQIP portfolio also includes high availability and disaster recovery options. Located in the same data center or across the globe, the AMS facilitates VitalQIP Enterprise replication services between a pair of ESM appliances. Database updates are automatically replicated between the appliances to prevent lost updates and mitigate disasters. In case of an outage or disaster, failover is initiated from the active to the warm standby machine with zero data loss. The DNS/DHCP servers remain operational throughout the failover process and retain connectivity with the ESM in the active state.

Strengths: Supporting both physical and virtual appliances, Nokia VitalQIP software allows network administrators to centrally establish rules and policies that leverage REST APIs to automate the definition of IP networks and subnets and define administrators’ visibility into everything from IP networks and subnets to individual IP objects, domains, and DNS and DHCP servers. VitalQIP also allows its entire IP infrastructure to be extended with company-specific metadata via its extensive user-defined attributes functionality.

Challenges: Designed primarily for on-premises data centers and remote branch offices, Nokia VitalQIP lacks end-to-end on-premises and private, public, edge, and hybrid cloud discovery and observability capabilities. Designed and priced for enterprises and service providers, Nokia VitalQIP is not focused on the SMB market. In addition, pricing and pricing models are not publicly available. Prospective customers must contact the Nokia sales team for configurations and quotes.


Initially founded in 2011, TCPWave is a core network development company delivering a full suite of DNS, DHCP, and IPAM solutions leveraging hybrid cloud network automation techniques while simplifying the complexity of the hybrid cloud network. Built from the ground up using Java, jQuery, and secure messaging frameworks, TCPWave IPAM is an intelligent DDI solution for managing DNS, DHCP, and NTP protocols across physical and hybrid cloud resources. Offering full multitenancy, TCPWave IPAM provides out-of-the-box installation for Hyper-V, KVM, and VMware environments. In addition, the DDI solution seamlessly integrates with existing network management infrastructure using RESTful APIs and SNMP.

Figure 13. TCPWave at-a-Glance

In addition to supporting on-premises Hyper-V, KVM, and VMware deployments, TCPWave integrates with Akamai, AWS Route 53, Azure DNS, Cloudflare, Google Cloud DNS, Neustar UltraDNS, NS1, and Oracle DynDNS. TCPWave also interfaces with orchestrators such as Kubernetes, OpenStack, and VMware vRA. Plugins are available for various automation tools, including Ansible, AppViewX, ServiceNow, and Terraform. A full-featured REST API allows administrators to automate everything they can manage from the system’s simple and well-integrated GUI, including assigning IP addresses, creating DNS zones, and managing networks.

TCPWave comprises two modules: TCPWave IPAM and TCPWave Remote.

  • TCPWave IPAM: Transforming network services with intelligent automation, TCPWave includes encrypted messaging, a responsive consumer-grade UX, machine learning, and advanced analytics. Deployed on-premises in a private or public cloud or a hybrid deployment model, TCPWave IPAM stores all IP address configuration information, audit data, alarms, and security and baseline data. Changes performed in TCPWave IPAM are reflected immediately on the TCPWave Remote appliances.
  • TCPWave Remote: Providing highly available DNS, DHCP, NTP, and TFTP services, TCPWave DNS and DHCP services can be run on either the same remote server or separately. In addition to providing ISC DNS for primary usage, TCPWave also offers NSD and Unbound DNS as two additional code bases for increased security—such as mitigating ISC code breaches. TCPWave uses proprietary tools for each platform for discovery.

TCPWave has a fully integrated DNS management platform that allows configuration and management of all DNS operations. In addition to ISC BIND, TCPWave also offers NSD and Unbound for caching, and support for Microsoft DNS managed as either a TCPWave appliance or a traditional Microsoft server. TCPWave manages DNS routing rules, provides complete visibility into cloud DNS, and consistently applies security policies across cloud and data center environments. In addition to TCPWave’s fully integrated DHCP capabilities, TCPWave IPAM supports ISC DHCP and Microsoft DHCP managed via a unified UI irrespective of cloud, physical, or virtual environments. Automation of the DHCP functions—including DHCP fingerprinting—is enabled via TCPWave’s CLI and REST API interfaces.

TCPWave utilizes the MariaDB database product on the IPAM appliances and Galera Clustering for high availability. The IPAM-HA configuration combines two or more IPAM appliances in an all-active cluster. Updates made on one IPAM will replicate to all other IPAMs in near real-time without data loss. If an IPAM instance experiences an outage due to maintenance or a device failure, the other IPAM instances isolate the outage and queue any updates to be applied once the appliance returns to operation.

In addition to providing an ISO image deployed on Red Hat Enterprise Linux, TCPWave has an OEM partnership with Dell for reselling TCPWave on Dell hardware as an appliance.

Strengths: Built from the ground up using modern programming languages and secure messaging frameworks, TCPWave IPAM is an intelligent DDI solution for managing DNS, DHCP, and NTP protocols. Preloaded with TCPWave Remote at no additional cost, TCPWave offers increased availability and security with ISC BIND, Unbound for caching, and NSD for authoritative. Offering full multitenancy and high availability configurations, TCPWave IPAM supports a range of on-premises, virtualized, and cloud environments managed via a unified UI and robust REST API.

Challenges: TCPWave IPAM has a fully integrated DNS management platform that allows configuration and management of all DNS operations. However, while TCPWave IPAM manages the subnet and zone’s properties, it does not prevent changes from being made on remote Microsoft DNS servers via AD. All features and functions are included with the TCPWave appliances, except for DNS Titan End-User Security, which includes a threat protection feed from a leading third-party provider charging a nominal fee.

6. Analyst’s Take

Delivering a single interface for end-to-end visibility and policy-based automation across the entire stack, DDI solutions help ensure error-free configurations, maintain secure and dynamic connectivity between components, and decommission unused IP addresses. In addition, with the application landscape shifting to microservices-based architectures comprising hundreds—or thousands—of distributed nodes, DDI solutions help increase availability and performance while reducing network vulnerabilities.

As an established sector with several mature solutions, the primary focus for innovation is supporting end-to-end networks spanning on-premises and private, public, edge, hybrid, and multicloud environments through zero-trust integrated, overlay and DDIaaS delivery models. With Microsoft DHCP and DNS servers deployed across most enterprise and service provider environments, we expect the overlay model to dominate the market for the foreseeable future. In addition, vendors will focus on developing robust DDIaaS services catering to distributed enterprises and the SMB market.

While Infoblox is the established market leader, we expect some smaller, more agile vendors to increase their market share with adaptive networking strategies using modern programming languages and frameworks, enabling increased automation via infrastructure-as-code workflows. Moreover, we foresee Cygna Labs leveraging its acquisition of Diamond IP to aggressively target Infoblox’s installed base, along with several other vendors—such as EfficientIP—offering robust, lower-cost DDI solutions.

Whether you are replacing home-grown tools and spreadsheets or an existing DDI solution, our advice is to explore all your options before making a final decision. Focus on the underlying technology and roadmap rather than market presence or go-to-market strategies. If a vendor tries to persuade you to swap out your existing DHCP and DNS servers as part of an integrated solution deployment (rather than an overlay), make sure you fully understand the potential benefits, risks, and trade-offs. Talk to other customers, including those who migrated and those that didn’t.

At the same time, however, choose a vendor with the geographic presence, support, and service capabilities required in the context of your current network, expansion plans, IPv6 implementation, possible mergers and acquisitions, and in-house resources and skills.

7. About Ivan McPhee

Ivan McPhee

Formerly an enterprise architect and management consultant focused on accelerating time-to-value by implementing emerging technologies and cost optimization strategies, Ivan has over 20 years’ experience working with some of the world’s leading Fortune 500 high-tech companies crafting strategy, positioning, messaging, and premium content. His client list includes 3D Systems, Accenture, Aruba, AWS, Bespin Global, Capgemini, CSC, Citrix, DXC Technology, Fujitsu, HP, HPE, Infosys, Innso, Intel, Intelligent Waves, Kalray, Microsoft, Oracle, Palette Software, Red Hat, Region Authority Corp, SafetyCulture, SAP, SentinelOne, SUSE, TE Connectivity, and VMware.

An avid researcher with a wide breadth of international expertise and experience, Ivan works closely with technology startups and enterprises across the world to help transform and position great ideas to drive engagement and increase revenue.

8. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

9. Copyright

© Knowingly, Inc. 2022 "GigaOm Radar for DDI" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact