Enabling IPv6 in Corporate Intranet Networks

Christian Huitema, Architect

Microsoft Corporation

http://www.microsoft.com/ipv6



Key Problems: Address Shortage

Extrapolating the number of DNS registered addresses shows total exhaustion in 2009. But the practical maximum is about 240 M addresses, in 2002-2003.


Key Problems: Address Shortage

  • Peer to Peer applications require

    • Addressability of each end point

    • Unconstrained inbound and outbound traffic

    • Direct communication between end points using multiple concurrent protocols

  • NATs are a band-aid to address shortage

    • Block inbound traffic on listening ports

    • Constrain traffic to “understood” protocols

    • Create huge barrier to deployment of P2P applications


Key Problems: Lack of Mobility

  • Existing applications and networking protocols do not work with changing IP addresses

    • Applications do not “reconnect” when a new IP address appears

    • TCP drops session when IP address changes

    • IPSEC hashes across IP addresses; changing the address breaks the Security Association

  • Mobile IPv4 solution is not deployable

    • Foreign agent reliance not realistic

    • NATs and Mobile IPv4? Just say NO


Key Problems: Network Security

  • Always On == Always attacked!

    • Consumers deploying NATs and Personal Firewalls

    • Enterprises deploying Network Firewalls

  • NATs and Network Firewalls break end-to-end semantics

    • Barrier to deploying Peer to Peer applications

    • Barrier to deploying new protocols

    • Block end-to-end, authorized, tamper-proof, private communication

  • No mechanisms for privacy at the network layer

    • IP addresses expose information about the user

  • No transparent way to restrict communication within network boundaries


The Promise of IPv6

  • Enough addresses

    • 64+64 format: 1.8E+19 networks, units

    • assuming IPv4 efficiency: 1E+16 networks, 1 million networks per human

    • 20 networks per m² of Earth (2 per sq ft)

    • Removes need to stretch addresses with NATs

  • True mobility

    • No reliance on Foreign Agents

  • Better network layer security

    • IPSec delivers end-to-end security

    • Link/Site Local addresses allow partitioning

    • Anonymous addresses provide privacy


The Promise of IPv6. Example: Multiparty Conference, using IPv6

  • With a NAT:

    • Brittle “workaround”.

  • With IPv6:

    • Just use IPv6 addresses

[Diagram labels: P1, P2, P3, Home LAN (two), Home Gateway (two), Internet]


IPv6 in the enterprise?

  • Why?

    • It is not a fad – there really are new scenarios

  • How?

    • It does not require extraordinary investments if you use the right tools!

    • Keeping it secure!

  • When?

    • As soon as the tools are ready,

    • That is, now!


IPv6 enterprise scenarios

  • Extranet applications

    • Replace “double NAT” scenarios by global addressing

    • Enables “station to station” encryption, meeting security requirements for demanding cooperations

  • Mobile users

    • Use Mobile IPv6 for a simpler “VPN” scenario

  • Intranet management

    • Unique addresses for all devices simplify management, e.g. real-time inventories.


IPv6 deployment tool-box

  • IPv6 stateless address auto-configuration

    • Router announces a prefix, client configures an address

  • 6to4: Automatic tunneling of IPv6 over IPv4

    • Derives IPv6 /48 network prefix from IPv4 global address

  • Automatic tunneling of IPv6 over UDP/IPv4

    • Works through NAT, may be blocked by firewalls

  • ISATAP: Automatic tunneling of IPv6 over IPv4

    • For use behind a firewall.
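
The address arithmetic behind the 6to4 and ISATAP items above, as an added example that is not part of the original presentation. It derives the 6to4 /48 from a global IPv4 address, builds an ISATAP address, and recovers the embedded IPv4 tunnel endpoint from an IPv6 address seen in a log. Function names and the documentation-range addresses are assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def sixtofour_prefix(v4: str) -> ipaddress.IPv6Network:
    """6to4: the /48 is 2002: followed by the 32 bits of the global IPv4 address."""
    addr = ipaddress.IPv4Address(v4)
    if any(addr in net for net in RFC1918):
        raise ValueError(f"{v4} is private; 6to4 needs a global IPv4 address")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(addr) << 80), 48))

def isatap_address(prefix64: str, v4: str) -> ipaddress.IPv6Address:
    """ISATAP: the interface ID is 0000:5efe followed by the host's IPv4 address."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface IDs need a /64 prefix")
    return net[(0x00005EFE << 32) | int(ipaddress.IPv4Address(v4))]

def tunnel_endpoint(v6: str):
    """Return (mechanism, embedded IPv4) for a logged address, else (None, None)."""
    addr = ipaddress.IPv6Address(v6)
    if addr.sixtofour is not None:                     # inside 2002::/16
        return "6to4", addr.sixtofour
    iid = int(addr) & 0xFFFFFFFFFFFFFFFF               # low 64 bits
    if ((iid >> 32) & 0xFDFFFFFF) == 0x00005EFE:       # ignore universal/local bit
        return "ISATAP", ipaddress.IPv4Address(iid & 0xFFFFFFFF)
    return None, None

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    print(sixtofour_prefix("192.0.2.1"))
    print(isatap_address("2001:db8:0:1::/64", "10.1.2.3"))
    for seen in ("2002:c000:201:5::9", "2001:db8:0:1:0:5efe:a01:203", "2001:db8::1"):
        print(seen, tunnel_endpoint(seen))
```
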


Security Toolbox

  • IPSEC

    • Enabled by global addresses

  • Privacy addresses

    • Protect privacy of internal clients

  • Scoped addresses

    • Contain “local” traffic locally

  • Perimeter firewall, Host firewall

    • Per port policies: open, close, stateful

    • IPSEC policy

    • Without breaking connectivity!


Deployment in 3 phases

  • Phase 1, experimentation

    • Allow developers to port applications

  • Phase 2, initial service

    • Enable local servers

    • Offer connectivity

  • Phase 3, general availability

    • Offer native IPv6 capability


Enterprise IPv6, Phase 1

  • Enabling server

    • ISATAP router

    • Rudimentary v6 firewall

    • 6to4 connectivity

  • Hole in IPv4 firewall

    • Allow protocol type 41 to 6to4 router (alone)

  • Tunnel IPv6

    • Locally: ISATAP

    • Connectivity: 6to4

  • Publish in DNS:

    • AAAA records for IPv6 hosts, servers.

    • Access over IPv4

[Diagram labels: IPv6, 6to4, V6 Firewall, ISATAP, IPv4 Internet, IPv4 Firewall, IPv4 Network (unchanged), DNS (IPv4), Node, Node]
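
The Phase 1 firewall hole, sketched as a per-packet check (an added example, not from the presentation): protocol 41 is accepted only when addressed to the 6to4 router. The router address 192.0.2.1, the function names and the sample packets are assumptions; the inner-source consistency check goes beyond the slide and follows the 6to4 anti-spoofing guidance in RFC 3964.

```python
import ipaddress
import struct

ROUTER_6TO4 = ipaddress.IPv4Address("192.0.2.1")  # assumed address of the 6to4 router

def verdict(packet: bytes) -> str:
    """Decide what the IPv4 perimeter does with one inbound IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop: not IPv4"
    ihl = (packet[0] & 0x0F) * 4                  # IPv4 header length in bytes
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    if packet[9] != 41:                           # protocol field: 41 = IPv6 in IPv4
        return "other: not protocol 41, existing IPv4 policy applies"
    if dst != ROUTER_6TO4:
        return "drop: protocol 41 to a host other than the 6to4 router"
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "drop: payload is not an IPv6 header"
    embedded = ipaddress.IPv6Address(inner[8:24]).sixtofour
    if embedded is not None and embedded != src:  # 2002::/16 source must match outer
        return "drop: inner 6to4 source does not match outer IPv4 source"
    return "accept"

def sample(src4, dst4, proto, src6="2001:db8::1", dst6="2002:c000:201::1"):
    """Constructed packet: IPv4 header (checksum left at 0) plus a bare IPv6 header."""
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src4).packed,
                     ipaddress.IPv4Address(dst4).packed)
    v6 = struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,
                     ipaddress.IPv6Address(src6).packed,
                     ipaddress.IPv6Address(dst6).packed)
    return v4 + v6

if __name__ == "__main__":
    cases = [
        sample("198.51.100.7", "192.0.2.1", 41, src6="2002:c633:6407::1"),
        sample("198.51.100.7", "192.0.2.99", 41),
        sample("203.0.113.5", "192.0.2.1", 41, src6="2002:c633:6407::1"),
        sample("198.51.100.7", "192.0.2.1", 6),
    ]
    for pkt in cases:
        print(verdict(pkt))
```
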


Enterprise IPv6, Phase 2

  • Upgrade IPv4 firewall

    • Control both v4 & v6

    • Incorporate “6to4” function

  • IPv6 capable subnet

    • Connect servers, ISATAP, DNS

    • Grows over time

  • Tunnel IPv6 outside subnet

    • Locally: ISATAP

    • Connectivity: 6to4

  • Dual mode DNS:

    • Access over IPv4 & IPv6

[Diagram labels: IPv6, 6to4, IPv4/v6 Firewall, IPv4 Internet, Server, IPv6 + IPv4, ISATAP, IPv4 Network (unchanged), DNS (dual), Node, Node]


Enterprise IPv6, Phase 3

  • Connect to IPv6 Internet

    • No need for 6to4?

    • Renumber, or dual-home

  • IPv6 capable network

    • Upgrade subnets to IPv6

    • Eventually, remove need for ISATAP.

  • Dual mode DNS, servers:

    • Access over IPv4 and IPv6

[Diagram labels: IPv6, IPv4 Internet, 6to4, IPv4/v6 Firewall, Server, Dual IPv6, IPv4 Network, ISATAP?, DNS (dual), Node, Node]


What is Microsoft doing

  • Building a complete IPv6 stack in Windows

    • Technology Preview stack in Win2000

    • Developer stack in Windows XP

    • Deployable stack in .NET Server & update for Windows XP

    • Windows CE .NET

  • Supporting IPv6 with key applications protocols

    • File sharing, Web (IIS, IE), Games (DPlay), Peer to Peer platform, UPnP

  • Building v4->v6 transition strategies

    • Scenario focused tool-box


In Summary… We Build Together

  • Microsoft is moving quickly to enable Windows platforms for IPv6

    • Up to date information on:

      http://www.microsoft.com/ipv6/

    • Send us feedback and requirements

      mailto:[email protected]

  • We need your help to move the world to a simple ubiquitous network based on IPv6


Call to Action

  • Enterprise

    • Start deployment now!

  • Network Providers: Build it and they will come

    • Do not settle for NATs for new designs

    • Demand IPv6 support on all equipment

    • Offer native IPv6 services

  • Device Vendors: Design for the simpler, ubiquitous IPv6 internet

  • Application Writers: Don’t wait on the above

    • Use Windows XP and Windows .NET Server NOW!

