
Cable Guy article on the IPv6 enhancements in Windows Server 2008 R2 and Windows 7 now available

The Cable Guy article in the July 2009 issue of TechNet Magazine online, titled “Support for IPv6 in Windows Server 2008 R2 and Windows 7,” describes HomeGroup, DirectAccess, and the enhancements for IPv6 transition technologies.

 

Joe Davies
Principal Technical Writer for the Windows Server Networking Documentation Team

Posted by IPv6 Team | 0 Comments

Major carriers ramping up support for IPv6

Check out these recent articles in Network World that describe how major carriers for Internet traffic are now supporting IPv6 or developing support for IPv6:

· Comcast open for IPv6 business

· LTE devices must support IPv6, says Verizon

· U.S. carriers quietly developing IPv6 services

The future is on its way…

 

Joe Davies
Principal Technical Writer for the Windows Server Networking Documentation Team

Posted by IPv6 Team | 0 Comments

More New Technical Resources for DirectAccess

Check out these new technical resources for DirectAccess, the next-generation remote access feature in Windows 7 and Windows Server 2008 R2 that uses IPv6 for end-to-end connectivity and IPsec for traffic protection:

This 2-page datasheet provides a brief overview of DirectAccess, its benefits, system requirements, and features.

These case studies describe how Convergent Computing and Sporton International are using DirectAccess and realizing its benefits.

This topic compares DirectAccess with traditional remote access VPNs and describes how most organizations will use the two remote access technologies side-by-side.

For additional technical resources on DirectAccess, see the DirectAccess TechNet Web page.

 

Joe Davies
Principal Technical Writer for the Windows Server Networking Documentation Team

Posted by IPv6 Team | 0 Comments

New Technical Resources for DirectAccess

Check out these new technical resources for DirectAccess, the next-generation remote access feature in Windows 7 and Windows Server 2008 R2 that uses IPv6 for end-to-end connectivity and IPsec for traffic protection:

The Cable Guy describes the technologies that make DirectAccess possible and how DirectAccess allows you to reduce the number of remote access-related servers in your edge network.

This white paper includes instructions for setting up a test lab to demonstrate DirectAccess with a simulated Internet, intranet, and home network.

This Technical Case Study describes how Microsoft IT is using DirectAccess to make users more productive and reduce costs for Internet-connected offices.

For additional technical resources on DirectAccess, see the DirectAccess TechNet Web page.

 

Joe Davies
Principal Technical Writer for the Windows Server Networking Documentation Team

Posted by IPv6 Team | 0 Comments

"The Seven Stages of IPv6 Adoption" audiocast from the Internet Society (ISOC) now available

On Tuesday, "a panel of experts from industry and other Internet thought leaders discussed the pressing need to adopt Internet Protocol version 6 (IPv6) to ensure the continued growth of the Internet as a platform for innovation."

See http://www.isoc.org/isoc/conferences/ipv6panel/docs/20090324-ietf-ipv6-panel.m3u for the audiocast and http://www.isoc.org/isoc/conferences/ipv6panel/ for links to slides, panelist bios, and other information.

Very cool and compelling stuff. 

Enjoy! 

 

Joe Davies

Principal Technical Writer for the Windows Server Networking Documentation Team

Posted by IPv6 Team | 0 Comments

Promoting IPv6 cited as one of the top five Internet emergencies for new U.S. Commerce Secretary

Network World Magazine recently reported on the top five Internet emergencies faced by the new U.S. Commerce Secretary. Of the five, number four was the promotion of IPv6. One of the methods to promote IPv6 is to continue the U.S. government’s deployment of IPv6, integrating IPv6-capability into processes such as procurement, and becoming the largest IPv6 deployment in the world.

 

See http://www.networkworld.com/news/2009/022609-commerce-secretary-internet-emergencies.html?page=6 and http://www.networkworld.com/news/2009/022609-commerce-secretary-internet-emergencies.html?page=7 for the details.

 

 

Joe Davies

Principal Technical Writer for the Windows Server Networking Documentation Team

Posted by IPv6 Team | 0 Comments

Windows Server 2008 Earns IPv6 Ready Logo Phase 2

We recently announced that Windows Vista received its IPv6 Ready logo from the IPv6 Consortium and University of New Hampshire - InterOperability Lab (UNH-IOL). Today we are proud to announce that Windows Server 2008 received its Phase 2 logo on Jan 18, 2008. The Phase 2 logo is based on a rigorous examination which is focused on daily professional use of IPv6, and examines compliance to both MUST and SHOULD statements in a wide set of scenarios.

You can verify the IPv6 Phase 2 logo here (Newest entries are at the bottom of the page)

Posted by SeanSiler | 1 Comments

Understanding IPv6, Second Edition

Joe Davies, a.k.a. "The Cable Guy", has completed the update to his excellent "Understanding IPv6" book!  I highly recommend this book - it will help you understand IPv6 in general as well as some Microsoft-specific information.  Good stuff!

 

Understanding IPv6, Second Edition

By Joseph Davies

http://www.microsoft.com/MSPress/books/11607.aspx

Understanding IPv6, Version 2 is an update of the existing Understanding IPv6 title that delivers in-depth technical information on IPv6, from features and benefits to packet structure and protocol processes, and its implementation in Windows Vista and Windows Server 2008. This book also describes how to migrate to IPv6-based connectivity, with tips about coexistence with an IPv4-based network infrastructure. This is a key resource for Microsoft customers to ramp-up technically on IPv6 and begin deploying IPv6 connectivity on their intranets.

The companion CD-ROM contains an eBook version of the book, Network Monitor capture files, IPv6 RFCs and Internet drafts, and a set of training slide decks for each chapter.

You can order this title from the following online book sellers:

Amazon

Barnes and Noble

Quantum Books

 

 

Posted by SeanSiler | 0 Comments

Teredo in Windows Vista: Designed with security in mind

I am pleased to present Christian Huitema as a "guest blogger" today. Thanks for contributing, Christian!

-Sean

 

Hi, I am Christian Huitema, Distinguished Engineer in Windows, and the author of the Teredo protocol specification RFC 4380. For those who don’t know what Teredo is, Teredo provides IPv6 access in environments otherwise limited to IPv4 and NAT. It enables application developers to deal with NAT traversal by simply using IPv6, instead of relying on a variety of proxying and tunneling techniques. Recently I have seen and heard some commentary on the security implications of using Teredo and I would like to address some concerns being discussed. In Windows Vista, we implemented Teredo responsibly, using the principle of “least exposure”. Teredo connectivity is not turned on before an application has been specifically authorized to use it. When it is turned on, its connectivity services are limited to these authorized applications, and not usable by other applications that may be resident on the same PC. If Windows Vista detects that it is connected to an enterprise network, Teredo will not be turned on by default, even if some applications are authorized. With these precautions, I believe that Windows Vista is adopting the right security posture. In Windows Vista, Teredo provides controlled connectivity in unmanaged networks, without creating risks for enterprise networks.

First, some high-level background. More and more broadband users are deploying home networks and home routers. These routers incorporate a “network address translation” (NAT) function that allows a single IPv4 address to be shared by several computers in the home network. This works very well for some everyday tasks, like accessing web pages or mail servers. But the design of NAT does not naturally allow the incoming connections required for direct home to home transmissions, video or voice calls for example. To satisfy the users’ requests to use this technology, application developers had to come up with a way to “traverse the NAT.” They developed all kinds of solutions based on tunnels, proxies and other echo servers. All these solutions are different, costly to develop, and hard to maintain. They may also expose the enterprise networks to outside attacks, while being very difficult to control by firewalls. We designed Teredo with the IETF as a standard solution to this problem.

So, what actually happens? When two machines want to communicate using IPv6, they use the help of a Teredo server on the Internet to set up a direct UDP path between them. The UDP packets can be forwarded through the home routers, and inside these UDP packets, the hosts can exchange IP traffic. With Teredo, computers don’t have to remain isolated behind these routers. They obtain global IPv6 addresses and join the global IPv6 Internet. They can communicate with other computers that use Teredo, and also with other computers that obtain IPv6 connectivity through any other means. They can participate in peer-to-peer applications, or even act as servers.

In Windows Vista, the user is safe by default because Teredo is subject to special rules in the Windows Firewall. An application will need special permission to use Teredo, different from just “listening on the local network” or even “listening on the regular Internet connections”. By default, no application is authorized, and Teredo does not start. Teredo will only start when the users “opt in” and decide to authorize specific applications. For example, users may authorize applications like Windows Live Messenger if they want to enable direct video conferences between homes. Further, on Windows Vista, enabling Teredo does not expose all applications to the Internet. For example, the file and print sharing services are not authorized to use Teredo – they are meant to be used in the home network, not over the Internet. If no authorized application is currently active, the Teredo service will be placed in a “dormant” state, and the computer will not be visible from the IPv6 Internet.

I don’t expect many people to use Teredo in corporate networks. There are other ways to deploy IPv6 in these networks, for example by using ISATAP. Placing the users in control of connectivity in their own homes is the right decision, but in corporate networks IT managers would rather not delegate security decisions to their users. In fact, Microsoft implemented two important precautions to minimize risk for corporate networks. First, the Teredo implementation in Windows Vista detects whether the network is “managed”, meaning Active Directory Domain Controllers are present, and stays off if that is the case. Teredo can still be turned on, but only by users with administrative privileges. The second precaution is even more encompassing. To function, Teredo clients need to communicate with a Teredo server over UDP, using port 3544. IT managers can effectively prevent Teredo usage on their network by blocking UDP destination port 3544 at the network’s edge.

Managed laptops pose a special case. They roam between the office and the home, not to mention airports and hotels. They don’t need to use Teredo when connected to the corporate network, but they can certainly benefit from better connectivity when outside of work. For example, laptop users may want to use the “Windows Meeting” with remote collaborators when they are traveling. But these laptops are corporate properties, carrying valuable data, and the IT manager should decide how to arbitrate between security and connectivity. The implementation of Teredo in Windows Vista enables that. IT managers have a range of options to allow or disallow use of Teredo. For example, they can use Group Policy to control which applications get to use Teredo and which don’t when the laptop roams outside of the corporate network.

Recently, we heard another concern about the packet format in Teredo, which supposedly is not easily handled by corporate firewalls. To put it mildly, I found that surprising. To start with, this is really a “corporate firewall” scenario, and, as I explained above, Microsoft recommends other ways than Teredo to deploy IPv6 in corporate networks. But even for the edge cases where organizations would use Teredo, the traffic is not hard to inspect. The packet format is well documented as a public standard, and Teredo traffic can be easily recognized by checking for the presence of constant 32-bit prefixes at a fixed location in the header. That is much simpler than a lot of the “deep packet inspection” algorithms implemented in various products. That is also a lot simpler than the alternative to Teredo, which is to have a varied set of NAT traversal protocols developed by various application providers, without relying on any documented standard.

I expect Teredo to provide great benefits to application developers and thus to users of the Internet. For application developers, Teredo provides a very simple solution to the NAT traversal problem, using IPv6. For users, Teredo allows deployment of these applications in a controlled manner. Teredo provides IPv6 connectivity without requiring changes to the home routers, home networks, or ISP services. The IPv6 connectivity is properly managed by the Windows Firewall, allowing users and IT managers to control the tradeoff between connectivity and security. This will enable IPv6 applications to be reliably deployed. These IPv6 applications, in turn, will motivate ISPs to offer native IPv6 service, moving to the next phase of the transition to IPv6. Over time, as IPv6 connectivity becomes widely available, Teredo will become unnecessary and might be turned off. But for now, it is a valuable tool for IPv6 transition and provides a lot of value for the home user.

Posted by SeanSiler | 2 Comments
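
The inspection step the post above describes (recognizing Teredo traffic by a constant 32-bit prefix at a fixed location in the header) can be sketched as follows. This is an added example, not code from the post or from Windows; the prefix value 2001:0000::/32 and the indicator and address layouts are taken from RFC 4380, and all function names and sample addresses are hypothetical.

```python
import ipaddress
import struct

# Assumption from RFC 4380 (cited in the post), not from the post's text:
# the Teredo service prefix is 2001:0000::/32.
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")


def strip_indicators(payload: bytes) -> bytes:
    """Skip the optional authentication / origin-indication headers that may
    precede the encapsulated IPv6 packet. Both start with a 0x00 byte, which
    an IPv6 header (first nibble 6) never does."""
    while len(payload) >= 2 and payload[0] == 0x00:
        if payload[1] == 0x01:            # authentication header
            if len(payload) < 4:
                raise ValueError("truncated authentication header")
            # type(2) + lengths(2) + client id + auth value + nonce(8) + confirmation(1)
            size = 4 + payload[2] + payload[3] + 8 + 1
        elif payload[1] == 0x00:          # origin indication: type(2) + port(2) + addr(4)
            size = 8
        else:
            raise ValueError("unknown indicator")
        if len(payload) < size:
            raise ValueError("truncated indicator")
        payload = payload[size:]
    return payload


def decode_teredo_address(addr):
    """Return the fields embedded in a Teredo address, or None for any other address."""
    if addr not in TEREDO_PREFIX:
        return None
    server, flags, port, client = struct.unpack("!4sHH4s", addr.packed[4:])
    return {
        "server": str(ipaddress.IPv4Address(server)),
        "flags": flags,
        # The NAT-mapped port and address are stored with every bit inverted.
        "mapped_port": port ^ 0xFFFF,
        "mapped_addr": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in client))),
    }


def inspect_udp_payload(payload: bytes):
    """Return decoded Teredo endpoints for one UDP payload, or None if the
    payload is not an IPv6 packet with a Teredo source or destination."""
    try:
        inner = strip_indicators(payload)
    except ValueError:
        return None
    if len(inner) < 40 or inner[0] >> 4 != 6:     # fixed 40-byte IPv6 header
        return None
    src = ipaddress.IPv6Address(inner[8:24])      # fixed offsets in the header
    dst = ipaddress.IPv6Address(inner[24:40])
    found = {"src": decode_teredo_address(src), "dst": decode_teredo_address(dst)}
    return found if any(found.values()) else None


# --- constructed sample data (documentation addresses, not captured traffic) ---
def make_teredo_address(server, flags, port, client):
    inverted = bytes(b ^ 0xFF for b in ipaddress.IPv4Address(client).packed)
    raw = (TEREDO_PREFIX.network_address.packed[:4]
           + ipaddress.IPv4Address(server).packed
           + struct.pack("!HH", flags, port ^ 0xFFFF) + inverted)
    return ipaddress.IPv6Address(raw)


def make_ipv6_header(src, dst):
    # version 6, no payload, next header 59 (none), hop limit 21
    return struct.pack("!IHBB", 6 << 28, 0, 59, 21) + src.packed + dst.packed


A = make_teredo_address("192.0.2.45", 0x8000, 40000, "203.0.113.7")
B = make_teredo_address("192.0.2.45", 0x0000, 51000, "198.51.100.9")
BUBBLE = make_ipv6_header(A, B)
WITH_ORIGIN = b"\x00\x00" + struct.pack("!H", 40000 ^ 0xFFFF) + A.packed[12:] + BUBBLE
NATIVE = make_ipv6_header(ipaddress.IPv6Address("2001:db8::1"),
                          ipaddress.IPv6Address("2001:db8::2"))

if __name__ == "__main__":
    for name, pkt in (("bubble", BUBBLE), ("origin+bubble", WITH_ORIGIN), ("native", NATIVE)):
        print(name, inspect_udp_payload(pkt))
```

Address matching alone misses the client's initial exchange with the Teredo server, which uses link-local source addresses; the UDP port 3544 rule mentioned in the post covers that traffic.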

Windows Vista Earns IPv6 Ready Logo Phase 2


On October 25, 2007, Windows Vista earned the IPv6 Forum’s IPv6 Ready Phase 2 Logo from the IPv6 Consortium and University of New Hampshire - InterOperability Lab (UNH-IOL). 

Vista earned its Phase 1 Logo, which focuses on interoperability of core protocols, and compliance to MUST statements in core RFCs back in March of 2007.  Phase 2 Logo is a more rigorous examination which is focused on daily professional use of IPv6, and examines compliance to both MUST and SHOULD statements in a wider set of scenarios.

You can verify the Phase 1 logo status here, and the Phase 2 logo status here.

This is a great win for the team and once again shows that IPv6 is ready. Are you?

Posted by SeanSiler | 2 Comments

Disabling IPv6 Doesn't Help

Hola. Bonjour. Speaking a second language can be very helpful – it allows you to communicate in situations where you otherwise wouldn’t be able to. Some skilled linguists are fluent in six or seven languages, really maximizing their communication possibilities.

Do you think that people who speak multiple languages start up each and every conversation by trying every language they speak until they hit on the right one? It wouldn’t be very optimal to start every conversation with your spouse or boss speaking in Farsi, then French, then Japanese, then English. This “try everything” method of communication could definitely slow down your daily communication, which is why multi-lingual speakers don’t use it.

Instead they look for clues in their environment and from the person they are speaking with to determine which language to speak – this allows communication without slowing them down by trying each language every time.

For some reason, people think that Vista isn’t smart enough to do this. Since Vista has IPv6 enabled by default, many people are recommending that IPv6 be disabled because they think it will speed up their web browsing since most web sites aren’t using IPv6 addresses yet. It turns out that it isn’t helping, though, because IPv6 isn’t the issue.

Take a look at some of these links for some of the reports I am talking about. Look for IPv6 on these pages and you will see what I mean.

http://www.vistax64.com/vista-general/65116-vista-network-performance-again.html

http://windows.edu.pl/vista-44219.html

http://channel9.msdn.com/ShowPost.aspx?PostID=295759

http://www.pcreview.co.uk/forums/thread-3016687.php

So how does Vista deal with multiple protocols?

When you first turn your computer on, Vista tries to get an IPv4 and IPv6 address by default. You are not providing it an IPv6 address, so it provisions an IPv4, an IPv6 link-local, and possibly a Teredo address.

Most everything on the Internet is still IPv4, so when you do your normal “stuff” on the Internet, you are always using IPv4. It isn’t trying to use IPv6 first, nor is it trying to use Teredo. This means that you aren’t doubling the amount of packets going out, and IPv6 is basically just sitting there quietly.

If you happen to go to a website that has both IPv4 and IPv6 records registered in DNS, your Vista machine would still use IPv4 to go to the website with no double traffic. Why? Because the TCP/IP stack knows that it can’t use IPv6 (since it doesn’t have a globally routable IPv6 address) so the DNS resolver never even asks for the AAAA (which is the IPv6) record. In other words, if your Vista machine can’t use IPv6, it doesn’t LOOK for IPv6 on the Internet! (Pretty neat, huh?)

At no point in this exercise has your machine “doubled the traffic” or brought down unnecessary data. In other words, IPv6 doesn’t slow down your Internet browsing.

2. Accessing local network devices

So you have a network printer that you are having problems accessing, and you think IPv6 is getting in the way? It's not.  When you want to talk to a network device that is on-link, your Vista machine will see that the printer is connected to the network using an IPv4 address, perform a quick subnet comparison of its IPv4 address and the printer’s to determine that they are on the same subnet, and then use the MAC address of the printer for all future communication.

IP addresses (whether v4 or v6) are just used to help packets get from one network to another; the MAC addresses do all of the local communication once on-link. In this case, the IPv6 address of the Vista machine is ignored since the printer only supports IPv4.

3. Other Stuff

IPv6 just doesn't cause stop errors (a.k.a Blue Screens of Death), program crashes, global warming, bad hair days, or that annoying talking lizard on the commercials.  That is all just OBSNDRTIPV6 (Other Bad Stuff Not Directly Relatable to IPv6).

IPv6 was subjected to a rigorous testing process and security review before we allowed Windows Vista and Windows Server 2008 to ship with it enabled and preferred.  We believe this is the safest, most expedient method of gaining widespread IPv6 adoption in the marketplace, but we ensured that in doing so we would not impact your end user experience.

Posted by SeanSiler | 1 Comments

Exchange Server 2007 and IPv6

Exchange 2007 and IPv6 compliance; this is a topic that comes up quite often.  People want to know what they need to install to make this work.

In order to get IPv6 running on Exchange Server 2007, you will need to meet a few requirements.  First of all, you need Service Pack 1 for Exchange. Secondly, Exchange needs to be installed on Windows Server 2008.  Although Exchange Server 2007 can be installed on Windows Server 2003, it will not have IPv6 support unless it is installed on Windows Server 2008.  Finally, Exchange Server 2007 requires a 64-bit server.  In other words, to get Exchange running with IPv6, you will need:

Exchange Server 2007 Service Pack 1 running on Windows Server 2008 (64-bit)

 

Update: see http://technet.microsoft.com/en-us/library/bb629624.aspx for more detailed information from the Exchange team!

Posted by SeanSiler | 2 Comments

Vista and IPv6 = Problems?

I have been asked a lot recently if Vista works okay with IPv6. Apparently some people are hearing that Vista doesn't implement IPv6 correctly and it breaks your network, or something to that effect. The short answer is: YES! Everything in Vista works great with IPv6! We run thousands of tests per week during development to make sure that the stack works well with the rest of the OS, and that doesn't even count the huge number of partners and beta testers that are testing our code externally, as well.

We are also putting our technology to the test internally: we are running IPv6 almost everywhere on the MS corpnet.  A significant number of our employees run Windows Vista (What a concept, huh?) and while all of those are in dual stack mode (v4 and v6), we haven't seen any significant issues.  We are also testing an IPv6-only deployment internally, as well.  We also have partners that are deploying IPv6, and they have had no major issues getting IPv6 rolled out on their networks.

This success isn't my own; it is the result of literally hundreds of people working hundreds of thousands of manhours to re-engineer the TCP/IP stack to ensure that IPv6 was fully and completely integrated, and of the entire Windows Development team working to make sure IPv6 was properly integrated across the entire OS.  This was not a trivial process.

This is a great segue: it's worth remembering that deploying IPv6 is not trivial.  Just having IPv6 enabled isn't a big deal because most of the other devices on your network aren't going to be using v6 (except for other Windows Vista and Windows Server 2008 machines) so if you are talking to a printer or something, your machine will just use IPv4 by default.  Once you start trying to roll out IPv6 though, there is a lot to consider. There are a lot of variables, and not all of the skills you used in IPv4 transfer to IPv6.  You need to plan it out and be ready to troubleshoot some things during rollout. Maybe some of your applications are just not IPv6 capable, or your older hardware doesn’t understand what an IPv6 address is. Maybe it is a configuration error on a host or router.  There could be any number of issues that might cause problems, which is why I strongly recommend setting up an IPv6 test lab now - TODAY! - and testing your devices and applications to determine how they will work in an IPv6 network while building your v6 skills.

It can be really hard trying to pinpoint a root cause when IPv6 problems arise, particularly without being “hands-on” for troubleshooting. The Microsoft Networking Team is always talking to customers, though, and if you think you have an IPv6-specific issue, let us know! We’ll do what we can to help you figure it out.

I can tell you that a lot of people are running IPv6 with Windows Vista and a wide array of "stuff" and making it work. We are working on a set of IPv6 Best Practices that have been culled from our own lessons learned and from our partners' deployments so that our customers don't have to repeat our mistakes.  Those Best Practices will be available soon.

We also provide tools like checkv4.exe to help you figure out if your code has any IPv4 calls hardcoded into it, as well as whitepapers like Manageable Transition to IPv6 using ISATAP, which is a joint whitepaper with Cisco describing how to ease the deployment of IPv6, and Enabling the Next Generation of Networking with End-to-End IPv6 which is another joint whitepaper with Juniper discussing IPv6 deployment and benefits. All of these are available from www.microsoft.com/ipv6. In short, we are working with lots of industry partners to simplify IPv6 deployment and make sure that all of our customers can gain the maximum value from IPv6.

Moral to the story? Get cracking on your IPv6 testing today! And, as always, let me know what you have to say. Now get back to work.

P.S. Sorry for the long break in blog posts. Thanks for all the emails of encouragement.  No, the NAT mafia didn't put out a contract on me. (That I know of) 

Posted by SeanSiler | 8 Comments

Mythbusters #2: Stanford has more IP addresses than China

Let's tackle our second myth.  There is a factoid on the Internet that some American universities (normally listed as either Stanford or MIT) have more IP addresses than the entire country of China.  This has been repeated in the mainstream press so often (To the edge of cyberspace, United Nations ponders Net's future, etc), it has to be true, right?

If we take a look at the statistics located at http://ftp.apnic.net/stats/apnic/assigned-apnic-latest (Warning: non-user friendly; heavy befuddlement factor; do not operate heavy machinery while deciphering) we will find that China currently has nine IPv4 /8 address blocks assigned to it.  I'm sure you can all do CIDR notation off the top of your head, but for those who can't, a single /8 address block contains about 16,777,216 addresses.  Since China has about nine of these, it means that they have roughly 151 million (9*16,777,216) IP addresses.

Looking at http://ws.arin.net/whois/, we can see that Stanford has been assigned five /16s, each of which contains about 65,536 addresses.  Multiplying this out (5*65,536) gives us about 327,680 total addresses.  (There are some additional suballocations assigned, but they are all pretty small, and all appear to add up to less than 500 addresses, so for simplicity's sake, I am ignoring them.)

Now, I was not a math major, but even I can figure out that 151 million is a LOT bigger than 327,680.

Also, if we look at http://ws.arin.net/whois we can see that MIT still has their /8 allocation along with several /24 blocks and a couple of /16 blocks, but even all of these added together still fall well short of nine /8s that China possesses.  

The moral to this story is that China has a LOT of IP addresses - far more than Stanford and MIT combined! This myth is definitely BUSTED.

But before we move on, how did this myth come to life? Why would anyone say this?

This is a factoid that became untrue with age. It was true when the Internet was in its infancy, around 1995-1998. At that point, Stanford was assigned a Class A address (what we call a /8 using CIDR notation) which gave them about 16 million addresses, while China only had a few Class Bs (/16s).  That all changed around 2000, though, when (a) Stanford turned their /8 address block back in, and (b) China began requesting more addresses. At that point (2000-2001) China received the equivalent of a /8 address and has been increasing their web presence ever since.  Today, China is one of the fastest growing sectors of the APNIC (the organization that assigns IP addresses in the Asia-Pacific region).

For more information see:

APNIC - IP Addressing in China

IP Addressing Changes at Stanford

Posted by SeanSiler | 1 Comments

I can do that in IPv4!

One of the comments that I hear a lot (and I am sure to receive on this site) is "But I don't need IPv6 for that! I can do that in IPv4!"

It is true that a lot of what we can do in v6 we can do in v4 as well.  That's because v6 is based on v4 and needs to accomplish all the same tasks; they are both just Layer 3 routed protocols at their heart.  In terms of basic functionality, there isn't a lot that IPv6 can change/introduce that wouldn't break existing networks.

Instead, what v6 offers is the ability to simplify and standardize a lot of the things that were difficult in v4. It makes hosts easier to configure (but v4 can do that!), it makes security easier to setup (but v4 has security!), it makes end-to-end connectivity easier to establish (but v4 can kind of do end to end if the specific application is designed to work around NAT!)

For example, using IPv4, write an application that allows my machine to connect to your machine through a NAT on each end so that we can play head to head games.  Um, well, that's......hard. In v6, it's easy.  It just works. 

How about this: using v4, write an application that allows my Windows machine to setup a session to your Linux machine so that we can perform host authentication and encrypt data.  Oh, and no, I don't have SSH on my box.  Umm...well, you could...yeah. With v6, it just works.

Anytime an enterprise can simplify operations, anytime device setup can be simplified, anytime we can remove complexity from the most number of users, IT finds benefit from that. That is what IPv6 is all about.

So, can you do that with IPv4? Quite possibly. But with IPv6 I can do it for less money, in less time, while using standardized, proven security.

Posted by SeanSiler | 1 Comments