Enabling IPv6 in Corporate Intranet Networks
Christian Huitema, Architect, Microsoft Corporation
http://www.microsoft.com/ipv6
Key Problems: Address Shortage
Extrapolating the number of DNS-registered addresses shows total exhaustion in 2009. But the practical maximum is about 240 M addresses, in 2002-2003.
Key Problems: Address Shortage
• Peer to Peer applications require
  • Addressability of each end point
  • Unconstrained inbound and outbound traffic
  • Direct communication between end points using multiple concurrent protocols
• NATs are a band-aid to address shortage
  • Block inbound traffic on listening ports
  • Constrain traffic to “understood” protocols
  • Create a huge barrier to deployment of P2P applications
Key Problems: Lack of Mobility
• Existing applications and networking protocols do not work with changing IP addresses
  • Applications do not “reconnect” when a new IP address appears
  • TCP drops the session when the IP address changes
  • IPSEC hashes across IP addresses; changing the address breaks the Security Association
• Mobile IPv4 solution is not deployable
  • Foreign agent reliance not realistic
  • NATs and Mobile IPv4? Just say NO
Key Problems: Network Security
• Always On == Always attacked!
  • Consumers deploying NATs and Personal Firewalls
  • Enterprises deploying Network Firewalls
• NATs and Network Firewalls break end-to-end semantics
  • Barrier to deploying Peer to Peer applications
  • Barrier to deploying new protocols
  • Block end-to-end, authorized, tamper-proof, private communication
• No mechanisms for privacy at the network layer
  • IP addresses expose information about the user
• No transparent way to restrict communication within network boundaries
The Promise of IPv6
• Enough addresses
  • 64+64 format: 1.8E+19 networks, 1.8E+19 units per network
  • Assuming IPv4 efficiency: 1E+16 networks, 1 million networks per human
  • 20 networks per m² of Earth (2 per sq ft)
  • Removes need to stretch addresses with NATs
• True mobility
  • No reliance on Foreign Agents
• Better network layer security
  • IPSec delivers end-to-end security
  • Link/Site Local addresses allow partitioning
  • Anonymous addresses provide privacy
The Promise of IPv6: Example, Multiparty Conference using IPv6
[Diagram: three parties P1, P2 and P3, each on a Home LAN behind a Home Gateway, connected across the Internet]
• With a NAT: brittle “workaround”.
• With IPv6: just use IPv6 addresses.
IPv6 in the enterprise?
• Why?
  • It is not a fad – there really are new scenarios
• How?
  • It does not require extraordinary investments if you use the right tools!
  • Keeping it secure!
• When?
  • As soon as the tools are ready,
  • That is, now!
IPv6 enterprise scenarios
• Extranet applications
  • Replace “double NAT” scenarios by global addressing
  • Enables “station to station” encryption, meeting security requirements for demanding cooperations
• Mobile users
  • Use Mobile IPv6 for a simpler “VPN” scenario
• Intranet management
  • Unique addresses for all devices simplifies management, e.g. real-time inventories.
IPv6 deployment tool-box
• IPv6 stateless address auto-configuration
  • Router announces a prefix, client configures an address
• 6to4: Automatic tunneling of IPv6 over IPv4
  • Derives IPv6 /48 network prefix from IPv4 global address
• Automatic tunneling of IPv6 over UDP/IPv4
  • Works through NAT, may be blocked by firewalls
• ISATAP: Automatic tunneling of IPv6 over IPv4
  • For use behind a firewall.
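As an added worked example (not from the original deck), the three address derivations the tool-box relies on, in Python: the 6to4 /48 prefix from a global IPv4 address, the ISATAP address of a node behind the firewall, and a stateless auto-configured address built from the router's advertised prefix. The IPv4 addresses, the MAC and the /64 prefix are constructed samples; the interface-identifier conventions (modified EUI-64 for auto-configuration, 0000:5EFE / 0200:5EFE for ISATAP depending on whether the embedded IPv4 address is private or global) follow the respective RFCs.

```python
import ipaddress


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Derive the 6to4 site prefix 2002:WWXX:YYZZ::/48 from a global IPv4 address."""
    addr = ipaddress.IPv4Address(ipv4)
    if addr.is_private:
        # 6to4 embeds the IPv4 address in the prefix; a private address is not
        # reachable from the IPv4 Internet, so the resulting prefix would be unroutable.
        raise ValueError(f"{ipv4} is not a global IPv4 address; 6to4 needs one")
    hi, lo = int(addr) >> 16, int(addr) & 0xFFFF
    return ipaddress.IPv6Network(f"2002:{hi:x}:{lo:x}::/48")


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Build an ISATAP address: <prefix>::0[2]00:5EFE:w.x.y.z.

    The u/l bit (0x0200) is set only when the embedded IPv4 address is global,
    which is how an ISATAP host signals a globally unique identifier."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv4Address(ipv4)
    ul = 0x0000 if addr.is_private else 0x0200
    iid = (ul << 48) | (0x5EFE << 32) | int(addr)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stateless auto-configuration: router prefix + modified EUI-64 from the MAC.

    Modified EUI-64 flips the universal/local bit of the first octet and inserts
    FF:FE between the OUI and the device part."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless auto-configuration needs a /64 prefix")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(eui, "big"))


if __name__ == "__main__":
    # Constructed sample values for the demo.
    site = six_to_four_prefix("131.107.1.2")            # 2002:836b:102::/48
    subnet = str(list(site.subnets(new_prefix=64))[1])   # first non-zero /64 of the site
    print(site, isatap_address(subnet, "10.0.0.1"), slaac_address(subnet, "00-AA-00-3F-2A-1C"))
```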
Security Toolbox
• IPSEC
  • Enabled by global addresses
• Privacy addresses
  • Protect privacy of internal clients
• Scoped addresses
  • Contain “local” traffic locally
• Perimeter firewall, Host firewall
  • Per port policies: open, close, stateful
  • IPSEC policy
  • Without breaking connectivity!
Deployment in 3 phases
• Phase 1, experimentation
  • Allow developers to port applications
• Phase 2, initial service
  • Enable local servers
  • Offer connectivity
• Phase 3, general availability
  • Offer native IPv6 capability
Enterprise IPv6, Phase 1
• Enabling server: ISATAP router, rudimentary v6 firewall, 6to4 connectivity
• Hole in IPv4 firewall: allow protocol type 41 to the 6to4 router (alone)
• Tunnel IPv6: locally via ISATAP, connectivity via 6to4
• Publish in DNS: AAAA records for IPv6 hosts, servers. Access over IPv4
[Diagram: IPv4 network unchanged, with DNS (IPv4) and nodes, behind the IPv4 firewall; the enabling server runs 6to4, the v6 firewall and ISATAP, bridging the IPv4 Internet and the IPv6 Internet]
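An added example, not part of the deck, of the Phase 1 firewall hole expressed as a packet check in Python: IPv4 protocol 41 is accepted only when addressed to the 6to4 router, and a 6to4 source address must embed the IPv4 address the packet actually arrived from, since the tunnel otherwise lets an outside host inject arbitrary IPv6 sources into the v6 side. The router address, the remote 6to4 site address and the packet builder are constructed for the demo.

```python
import ipaddress
import struct

# Constructed: the single host the IPv4 firewall allows protocol 41 to reach.
SIX_TO_FOUR_ROUTER = ipaddress.IPv4Address("131.107.1.2")
SIX_TO_FOUR_PREFIX = ipaddress.IPv6Network("2002::/16")


def build_tunnel_packet(outer_src, outer_dst, inner_src, inner_dst, proto=41) -> bytes:
    """Construct a minimal IPv4 packet (no options) carrying a bare IPv6 header.

    Inner next header 59 means 'no next header', which is enough for the check."""
    v6 = struct.pack("!IHBB", 0x60000000, 0, 59, 64)  # version 6, payload length 0
    v6 += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    return v4 + v6


def check_tunnel_packet(pkt: bytes) -> str:
    """Return 'accept' or a 'drop: ...' reason for one IPv4 packet at the perimeter."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    outer_src = ipaddress.IPv4Address(pkt[12:16])
    outer_dst = ipaddress.IPv4Address(pkt[16:20])
    if proto != 41:
        return "accept"  # not IPv6-in-IPv4; outside the scope of this rule
    if outer_dst != SIX_TO_FOUR_ROUTER:
        # Phase 1 rule: protocol 41 is opened to the 6to4 router alone.
        return f"drop: protocol 41 to {outer_dst}, not the 6to4 router"
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "drop: protocol 41 payload is not an IPv6 header"
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner_src in SIX_TO_FOUR_PREFIX:
        # 2002:WWXX:YYZZ::/48 embeds the sending site's IPv4 address in bits 16..47;
        # it must match the encapsulating IPv4 source or the packet is spoofed.
        embedded = ipaddress.IPv4Address((int(inner_src) >> 80) & 0xFFFFFFFF)
        if embedded != outer_src:
            return f"drop: 6to4 source {inner_src} embeds {embedded} but arrived from {outer_src}"
    return "accept"
```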
Enterprise IPv6, Phase 2
• Upgrade IPv4 firewall: control both v4 & v6, incorporate “6to4” function
• IPv6 capable subnet: connect servers, ISATAP, DNS; grows over time
• Tunnel IPv6 outside the subnet: locally via ISATAP, connectivity via 6to4
• Dual mode DNS: access over IPv4 & IPv6
[Diagram: IPv4/v6 firewall with 6to4 at the edge facing the IPv4 Internet and IPv6 Internet; an IPv6 + IPv4 server, ISATAP and dual DNS on the IPv6 capable subnet; the rest of the IPv4 network and its nodes unchanged]
Enterprise IPv6, Phase 3
• Connect to IPv6 Internet: no need for 6to4? Renumber, or dual-home
• IPv6 capable network: upgrade subnets to IPv6; eventually, remove need for ISATAP.
• Dual mode DNS, servers: access over IPv4 and IPv6
[Diagram: IPv4/v6 firewall (6to4 optional) facing the IPv4 Internet and IPv6 Internet; dual IPv6/IPv4 network with server, dual DNS, nodes, and ISATAP marked as possibly no longer needed]
What is Microsoft doing
• Building a complete IPv6 stack in Windows
  • Technology Preview stack in Win2000
  • Developer stack in Windows XP
  • Deployable stack in .NET Server & update for Windows XP
  • Windows CE .NET
• Supporting IPv6 with key application protocols
  • File sharing, Web (IIS, IE), Games (DPlay), Peer to Peer platform, UPnP
• Building v4->v6 transition strategies
  • Scenario focused tool-box
In Summary… We Build Together
• Microsoft is moving quickly to enable Windows platforms for IPv6
• Up to date information on: http://www.microsoft.com/ipv6/
• Send us feedback and requirements: mailto:email@example.com
• We need your help to move the world to a simple ubiquitous network based on IPv6
Call to Action
• Enterprise
  • Start deployment now!
• Network Providers: Build it and they will come
  • Do not settle for NATs for new designs
  • Demand IPv6 support on all equipment
  • Offer native IPv6 services
• Device Vendors: Design for the simpler, ubiquitous IPv6 internet
• Application Writers: Don’t wait on the above
  • Use Windows XP and Windows .NET Server NOW!