enabling ipv6 in corporate intranet networks n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Enabling IPv6 in Corporate Intranet Networks PowerPoint Presentation
Download Presentation
Enabling IPv6 in Corporate Intranet Networks

Loading in 2 Seconds...

play fullscreen
1 / 20

Enabling IPv6 in Corporate Intranet Networks - PowerPoint PPT Presentation


  • 252 Views
  • Uploaded on

Enabling IPv6 in Corporate Intranet Networks . Christian Huitema Architect Microsoft Corporation http://www.microsoft.com/ipv6. The Opportunity. Key Problems Address Shortage.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Enabling IPv6 in Corporate Intranet Networks' - Patman


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
enabling ipv6 in corporate intranet networks

Enabling IPv6 in Corporate Intranet Networks

Christian HuitemaArchitect

Microsoft Corporation

http://www.microsoft.com/ipv6

key problems address shortage
Key ProblemsAddress Shortage

Extrapolating the number of DNS registered addresses shows total exhaustion in 2009. But the practical maximum is about 240 M addresses, in 2002-2003.

key problems address shortage1
Key ProblemsAddress Shortage
  • Peer to Peer applications require
    • Addressability of each end point
    • Unconstrained inbound and outbound traffic
    • Direct communication between end points using multiple concurrent protocols
  • NATs are a band-aid to address shortage
    • Block inbound traffic on listening ports
    • Constrain traffic to “understood” protocols
    • Create huge barrier to deployment of P2P applications
key problems lack of mobility
Key ProblemsLack of Mobility
  • Existing applications and networking protocols do not work with changing IP addresses
    • Applications do not “reconnect” when a new IP address appears
    • TCP drops session when IP address changes
    • IPSEC hashes across IP addresses, changing address breaks the Security Association
  • Mobile IPv4 solution is not deployable
    • Foreign agent reliance not realistic
    • NATs and Mobile IPv4? Just say NO
key problems network security
Key ProblemsNetwork Security
  • Always On == Always attacked!
    • Consumers deploying NATs and Personal Firewalls
    • Enterprises deploying Network Firewalls
  • NATs and Network Firewalls break end-to-end semantics
    • Barrier to deploying Peer to Peer applications
    • Barrier to deploying new protocols
    • Block end-to-end, authorized, tamper-proof, private communication
  • No mechanisms for privacy at the network layer
    • IP addresses expose information about the user
  • No transparent way to restrict communication within network boundaries
the promise of ipv6
The Promise of IPv6
  • Enough addresses
    • 64+64 format: 1.8E+19 networks, units
    • assuming IPv4 efficiency: 1E+16 networks, 1 million networks per human
    • 20 networks per m2 of Earth (2 per sqft )
    • Removes need to stretch addresses with NATs
  • True mobility
    • No reliance on Foreign Agents
  • Better network layer security
    • IPSec delivers end-to-end security
    • Link/Site Local addresses allow partitioning
    • Anonymous addresses provide privacy
the promise of ipv6 example multiparty conference using ipv6
The Promise of IPv6Example: Multiparty Conference, using IPv6

P1

P2

  • With a NAT:
    • Brittle “workaround”.
  • With IPv6:
    • Just use IPv6 addresses

Home LAN

Home LAN

Internet

Home

Gateway

Home

Gateway

P3

ipv6 in the enterprise
IPv6 in the enterprise ?
  • Why?
    • It is not a fad – there really are new scenarios
  • How?
    • It does not require extraordinary investments if you use the right tools!
    • Keeping it secure!
  • When?
    • As soon as the tools are ready,
    • That is, now!
ipv6 enterprise scenarios
IPv6 enterprise scenarios
  • Extranet applications
    • Replace “double NAT” scenarios by global addressing
    • Enables “station to station” encryption, meeting security requirements for demanding cooperations
  • Mobile users
    • Use Mobile IPv6 for a simpler “VPN” scenario
  • Intranet management
    • Unique addresses for all devices simplifies management, e.g. real-time inventories.
ipv6 deployment tool box
IPv6 deployment tool-box
  • IPv6 stateless address auto-configuration
    • Router announces a prefix, client configures an address
  • 6to4: Automatic tunneling of IPv6 over IPv4
    • Derives IPv6 /48 network prefix from IPv4 global address
  • Automatic tunneling of IPv6 over UDP/IPv4
    • Works through NAT, may be blocked by firewalls
  • ISATAP: Automatic tunneling of IPv6 over IPv4
    • For use behind a firewall.
security toolbox
Security Toolbox
  • IPSEC
    • Enabled by global addresses
  • Privacy addresses
    • Protect privacy of internal clients
  • Scoped addresses
    • Contain “local” traffic locally
  • Perimeter firewall, Host firewall
    • Per port policies: open, close, stateful
    • IPSEC policy
    • Without breaking connectivity!
deployment in 3 phases
Deployment in 3 phases
  • Phase 1, experimentation
    • Allow developers to port applications
  • Phase 2, initial service
    • Enable local servers
    • Offer connectivity
  • Phase 3, general availability
    • Offer native IPv6 capability
enterprise ipv6 phase 1
Enabling server

ISATAP router,

Rudimentary v6 firewall

6to4 connectivity

Hole in IPv4 firewall

Allow protocol type 41 to 6to4 router (alone)

Tunnel IPv6

Locally: ISATAP

Connectivity: 6to4

Publish in DNS:

AAAA records for IPv6 hosts, servers.

Access over IPv4

6to4

V6 Firewall

ISATAP

Enterprise IPv6, Phase 1

IPv6

IPv4 Internet

IPv4 Firewall

IPv4 Network,

Unchanged

DNS (IPv4)

Node

Node

enterprise ipv6 phase 2
Upgrade IPv4 firewall

Control both v4 & v6

Incorporate “6to4” function

IPv6 capable subnet

Connect servers, ISATAP, DNS

Grows over time

Tunnel IPv6 outside subnet

Locally: ISATAP

Connectivity: 6to4

Dual mode DNS:

Access over IPv4 & IPv6

6to4

IPv4/v6 Firewall

Enterprise IPv6, Phase 2

IPv6

IPv4 Internet

Server

IPv6 +

IPv4

ISATAP

IPv4 Network,

Unchanged

DNS (dual)

Node

Node

enterprise ipv6 phase 3
Connect to IPv6 Internet

No need for 6to4 ?

Renumber, or dual-home

IPv6 capable network

Upgrade subnets to IPv6

Eventually, remove need for ISATAP.

Dual mode DNS, servers:

Access over IPv4 and IPv6

Enterprise IPv6, Phase 3

IPv6

IPv4 Internet

6to4

IPv4/v6 Firewall

Server

Dual IPv6, IPv4 Network

ISATAP?

DNS (dual)

Node

Node

what is microsoft doing
What is Microsoft doing
  • Building a complete IPv6 stack in Windows
    • Technology Preview stack in Win2000
    • Developer stack in Windows XP
    • Deployable stack in .NET Server & update for Windows XP
    • Windows CE .NET
  • Supporting IPv6 with key applications protocols
    • File sharing, Web (IIS, IE), Games (DPlay), Peer to Peer platform, UPnP
  • Building v4->v6 transition strategies
    • Scenario focused tool-box
in summary we build together
In Summary… We Build Together
  • Microsoft is moving quickly to enable Windows platforms for IPv6
    • Up to date information on:

http://www.microsoft.com/ipv6/

    • Send us feedback and requirements

mailto:ipv6-fb@microsoft.com

  • We need your help to move the world to a simple ubiquitous network based on IPv6
call to action
Call to Action
  • Enterprise
    • Start deployment now!
  • Network Providers: Build it and they will come
    • Do not settle for NATs for new designs
    • Demand IPv6 support on all equipment
    • Offer native IPv6 services
  • Device Vendors: Design for the simpler, ubiquitous IPv6 internet
  • Application Writers: Don’t wait on the above
    • Use Windows XP and Windows .NET Server NOW!