NAT, firewalls and IPv6
Christian Huitema
Architect, Windows Networking
Microsoft Corporation

What We Have Done So Far
• Released Windows XP
• Windows Messenger and rich APIs
• Progressed embedded
• End-to-end platform
• Announced update
• PC-to-phone provider choice & new UI

NAT, Firewalls and IPv6
• Issue
  • RTC requires “peer-to-peer” UDP for “media”, TCP for application sharing.
  • Firewalls and NAT block UDP, incoming TCP.
• Adopting RTC in the home
  • Requires a NAT solution
• Adopting RTC in the enterprise
  • Requires a firewall solution
• IPv6 helps solve both problems!

What Is Network Address Translation (NAT)?
• Multiplexes IPv4 address space behind NAT – Internet gateway
• Edits source address & ports in IP traffic
• All network traffic leaving public side of the NAT appears to originate from one IP address
[Diagram: private hosts 192.168.0.2 and 192.168.0.3 behind NAT gateway 192.168.0.1, public side 188.8.131.52, Internet]
• Issue: breaks many services / apps

Overcoming NAT: To-Date
• User: manual configuration
  • Most users not comfortable with this
  • Leads to customer dissatisfaction
  • Drives support calls & increased support cost
  • Inhibits trying new things
  • An issue for DSL & cable modem providers and retailers
• IG vendor: Application layer gateways
  • One-off developments by device vendor
  • Doesn’t scale well to many apps & updates

UPnP™ NAT Traversal: A Better Way
• Program NAT device via Universal Plug and Play (UPnP™)
• Internet Gateway Device Working Committee defined schema for gateways
• Includes method for automatically creating and removing port mappings

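Added example, not from the slides: a small model of a port-translating NAT (NAPT) that shows the two behaviours the previous slides describe. Outbound traffic rewrites the source address and port and creates a dynamic mapping; an unsolicited inbound packet finds no mapping and is dropped, which is what breaks peer-to-peer media; an explicit mapping, the operation the UPnP Internet Gateway Device schema exposes as AddPortMapping / DeletePortMapping, restores reachability for one internal host and port. The `Napt` class, its method names and all addresses and ports are constructed for this example.

```python
# Added example (not from the slides): a minimal port-translating NAT model.
# Shows why unsolicited inbound packets are dropped and how a static port
# mapping (what UPnP IGD AddPortMapping creates) restores reachability.
# All addresses and ports are constructed sample values (RFC 5737 ranges).
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """One public IPv4 address shared by many private hosts."""

    def __init__(self, public_ip: str, first_port: int = 10000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, private ip, private port) -> public port
        self.out: Dict[Tuple[str, str, int], int] = {}
        # (proto, public port) -> (private ip, private port)
        self.back: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _bind(self, proto: str, ip: str, port: int, public_port: int) -> None:
        self.out[(proto, ip, port)] = public_port
        self.back[(proto, public_port)] = (ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite source address/port; allocate a dynamic mapping on first use."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.out:
            while (pkt.proto, self.next_port) in self.back:   # skip ports in use
                self.next_port += 1
            self._bind(pkt.proto, pkt.src_ip, pkt.src_port, self.next_port)
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, self.out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite destination if a mapping exists; otherwise drop (None)."""
        target = self.back.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None
        ip, port = target
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, ip, port)

    def add_port_mapping(self, external_port: int, proto: str,
                         internal_client: str, internal_port: int) -> bool:
        """Static mapping, as created by UPnP IGD AddPortMapping.
        Refuses to overwrite an external port that is already in use."""
        if (proto, external_port) in self.back:
            return False
        self._bind(proto, internal_client, internal_port, external_port)
        return True

    def delete_port_mapping(self, external_port: int, proto: str) -> bool:
        """Remove a mapping again (UPnP IGD DeletePortMapping)."""
        target = self.back.pop((proto, external_port), None)
        if target is None:
            return False
        self.out.pop((proto, target[0], target[1]), None)
        return True


def demo() -> Tuple[Optional[Packet], Optional[Packet], Packet, Optional[Packet]]:
    nat = Napt("203.0.113.1")
    peer = "198.51.100.7"
    # 1. A peer sends media to the private host before any mapping exists: dropped.
    before = nat.inbound(Packet("udp", peer, 5004, "203.0.113.1", 5004))
    # 2. The gateway is told to map UDP 5004 to the host (what UPnP automates).
    nat.add_port_mapping(5004, "udp", "192.168.0.2", 5004)
    after = nat.inbound(Packet("udp", peer, 5004, "203.0.113.1", 5004))
    # 3. Client-initiated traffic needs no mapping: the outbound packet creates
    #    one and the reply to that public port is translated back.
    out = nat.outbound(Packet("udp", "192.168.0.3", 6000, peer, 53))
    reply = nat.inbound(Packet("udp", peer, 53, "203.0.113.1", out.src_port))
    return before, after, out, reply


if __name__ == "__main__":
    for label, pkt in zip(("before", "after", "outbound", "reply"), demo()):
        print(f"{label:9}", "DROPPED" if pkt is None else pkt)
```

The refusal to overwrite an occupied external port is deliberate: a gateway that lets any LAN host silently take over another host's mapping turns the mapping table into a redirection tool, so a real IGD implementation should enforce the same check.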
Industry Adoption of UPnP™ NAT Support in Gateways
• Leading vendors announced support
• Available 2H 2001
• PC with Windows XP
  • can be Internet gateway device OR
  • can work with other IG
• UPnP™ support to become market requirement for IG category

Address Shortage Causes More NAT Deployment
Extrapolating the number of DNS registered addresses shows total exhaustion in 2009. But in practice, the “H-ratio” of log10(addresses)/bits reaches 0.26 in 2002.

In the medium term, we cannot program all NATs
[Diagram: PC – UPnP NAT (home) – NAT (ISP) – Internet]
By 2002, we will see ISPs using layers of NAT. In fact, we see it in Asia and Europe now…
We need IPv6 before that!

We need IPv6, to change the Internet
• Addresses are the key
  • Scarcity: the user is a “client”
  • Plethora: the user is a “peer”
• IPv6 provides enough addressing
  • 64+64 format: 1.8E+19 networks, and as many units per network
  • assuming IPv4 efficiency: 1E+16 networks, 1 million networks per human
  • 2 networks per sqft of Earth (20 per m2)
• This enables peer-to-peer!

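Added example, not from the slides: the arithmetic behind the two address-space slides, using the H-ratio as the slides define it, H = log10(addresses)/bits (Huitema's RFC 1715). Inverting the ratio gives how many addresses a space of a given width yields at a given efficiency; 0.26 on the 64-bit network part of an IPv6 address gives a few times 1E+16, which the slide rounds down to 1E+16 before deriving the densities. The Earth surface area (5.1E+14 m2) and the population figure (1E+10, the value that makes 1E+16 networks come out at 1 million per human) are assumptions added here.

```python
# Added example (not from the slides): H-ratio arithmetic, H = log10(n) / bits.
import math

EARTH_SURFACE_M2 = 5.1e14    # assumption: Earth's total surface area, rounded
SQFT_PER_M2 = 10.7639
POPULATION = 1e10            # assumption: order of magnitude behind "per human"


def h_ratio(addresses_in_use: float, bits: int) -> float:
    """Assignment efficiency of an address space (RFC 1715 definition)."""
    return math.log10(addresses_in_use) / bits


def usable_addresses(h: float, bits: int) -> float:
    """Inverse: how many addresses a space of `bits` yields at efficiency h."""
    return 10 ** (h * bits)


def densities(networks: float) -> dict:
    """Spread `networks` over the planet and its population."""
    return {
        "per_m2": networks / EARTH_SURFACE_M2,
        "per_sqft": networks / (EARTH_SURFACE_M2 * SQFT_PER_M2),
        "per_human": networks / POPULATION,
    }


def projection(h: float = 0.26) -> dict:
    """Carry the slide's figure (H = 0.26 on IPv4) over to IPv6's 64-bit network part."""
    return {
        "ipv4_addresses_at_h": usable_addresses(h, 32),   # ~2E+8 on 32 bits
        "ipv6_networks_raw": 2 ** 64,                     # 1.8E+19 before any waste
        "ipv6_networks_at_h": usable_addresses(h, 64),    # ~4E+16, slide rounds to 1E+16
        "slide_densities": densities(1e16),               # 20 per m2, ~2 per sqft, 1E+6 per human
    }


if __name__ == "__main__":
    for key, value in projection().items():
        print(f"{key}: {value}")
```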
Example: Multiparty Conference, using IPv6
• With a NAT:
  • Brittle “workaround”.
• With IPv6:
  • Just use IPv6 addresses
[Diagram: parties P1, P2 and P3 on Home LANs behind Home Gateways, connected across the Internet]

How to cope with Firewalls?
• Issue
  • RTC requires “peer-to-peer” UDP for “media”, TCP for application sharing.
  • Firewalls block UDP, incoming TCP.
• Classic solutions don’t work well:
  • Proxies are costly to deploy, generate additional latency and network complexity.
  • Application Layer Gateways prohibit encryption of signalling, create dependencies, prevent evolution.

Preferred Solution: Firewall Control Protocol (FCP)
[Diagram: Enterprise network – Firewall – Internet; SIP (port 5060) via SIP Proxy, Media, Firewall Control Protocol between SIP Proxy and Firewall]
Work in progress: IETF “MIDCOM”, industry

Firewall traversal & IPv6
• Simpler configuration
  • Same view of addresses, inside and outside
• More robust
  • Same view of addresses by multiple firewalls
• Better security
  • Can use IP Security “end to end”

If IPv6 is so great, how come it is not there yet?
• Applications
  • Need upfront investment, stacks, etc.
  • Similar to Y2K, 32 bit vs. “clean address type”
• Network
  • Need to ramp-up investment
  • No “push-button” transition
[Diagram: networks ? applications]

IPv6 deployment tool-box
• IPv6 stateless address autoconfiguration
  • Router announces a prefix, client configures an address
• 6to4: Automatic tunneling of IPv6 over IPv4
  • Derives IPv6 /48 network prefix from IPv4 global address
• Shipworm: Automatic tunneling of IPv6 over UDP/IPv4
  • Works through NAT, may be blocked by firewalls
• ISATAP: Automatic tunneling of IPv6 over IPv4
  • For use behind a firewall.

6to4: tunnel IPv6 over IPv4
• 6to4 routers derive IPv6 prefix from IPv4 address
• 6to4 relays advertise reachability of prefix 2002::/16
• Automatic tunneling from 6to4 routers or relays
• Single address (18.104.22.168) for all relays
[Diagram: 6to4 routers 6to4-A (2002:102:304::b…) and 6to4-B (2002:506:708::b…) on the IPv4 Internet, relay C (3001:2:3:4:c…) on native IPv6; IPv4 addresses shown: 184.108.40.206, 220.127.116.11, 22.214.171.124, 126.96.36.199]

ISATAP: IPv6 behind firewall
• ISATAP router provides IPv6 prefix
• Host complements prefix with IPv4 address
• Direct tunneling between ISATAP hosts
• Relay through ISATAP router to IPv6 local or global
[Diagram: ISATAP hosts A, B, C on a firewalled IPv4 network, ISATAP router, local “native” IPv6 network, IPv4 FW and IPv6 FW, IPv4 Internet and IPv6 Internet, host D]

Shipworm: IPv6 through NAT
• IPv6 prefix: IP address & UDP port
• Shipworm servers
  • Address discovery
  • Default “route”
  • Enable “shortcut” (A-B)
• Shipworm relays
  • Send IPv6 packets directly to nodes
• Works for all NAT
[Diagram: nodes A and B each behind a NAT on the IPv4 Internet, Shipworm Server, Relay, node C on the IPv6 Internet]

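Added example, not from the slides, covering the three tunneling mechanisms of the tool-box (6to4, ISATAP and Shipworm): how each one embeds IPv4 information in an IPv6 address, which is what lets the tunnel endpoint be found with no manual configuration. 6to4 follows RFC 3056 (2002:V:V::/48 from the global IPv4 address V) and ISATAP follows RFC 5214 (interface identifier 0000:5EFE or 0200:5EFE followed by the IPv4 address). Shipworm was later standardized as Teredo (RFC 4380); the encoding below is Teredo's (server IPv4, flags, then the NAT-mapped UDP port and client IPv4 XOR-ed with all ones), not the 2001 draft's, and the function names and sample addresses are constructed here.

```python
# Added example (not from the slides): IPv4 information embedded in IPv6
# addresses by 6to4 (RFC 3056), ISATAP (RFC 5214) and Teredo (RFC 4380,
# the standardized successor of Shipworm). Sample addresses are constructed.
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Tuple


def six_to_four_prefix(ipv4: str) -> IPv6Network:
    """6to4: 2002:VVVV:VVVV::/48, V = the router's global IPv4 address."""
    v = int(IPv4Address(ipv4))
    return IPv6Network((0x2002 << 112 | v << 80, 48))


def isatap_address(prefix: str, ipv4: str) -> IPv6Address:
    """ISATAP: router-supplied /64 prefix + interface ID 0[2]00:5EFE:IPv4.
    The 'u' bit (0x0200) is set when the embedded IPv4 address is globally unique."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    addr = IPv4Address(ipv4)
    u_bit = 0x0000 if addr.is_private else 0x0200
    iid = (u_bit << 48) | (0x5EFE << 32) | int(addr)
    return IPv6Address(int(net.network_address) | iid)


def teredo_address(server: str, client_public: str, mapped_port: int,
                   cone: bool = False) -> IPv6Address:
    """Teredo: 2001:0000:SERVER:FLAGS:~PORT:~CLIENT (port and client XOR-ed).
    `client_public` and `mapped_port` are what the NAT shows to the server."""
    flags = 0x8000 if cone else 0x0000          # RFC 4380 Cone flag
    obf_port = mapped_port ^ 0xFFFF
    obf_client = int(IPv4Address(client_public)) ^ 0xFFFFFFFF
    value = ((0x20010000 << 96) | (int(IPv4Address(server)) << 64)
             | (flags << 48) | (obf_port << 32) | obf_client)
    return IPv6Address(value)


def teredo_decode(addr: str) -> Tuple[IPv4Address, IPv4Address, int]:
    """Recover server, client public IPv4 and NAT-mapped UDP port from a Teredo address."""
    v = int(IPv6Address(addr))
    if v >> 96 != 0x20010000:
        raise ValueError("not a Teredo address")
    server = IPv4Address((v >> 64) & 0xFFFFFFFF)
    port = ((v >> 32) & 0xFFFF) ^ 0xFFFF
    client = IPv4Address((v & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return server, client, port


if __name__ == "__main__":
    print("6to4  :", six_to_four_prefix("192.0.2.1"))
    print("ISATAP:", isatap_address("2001:db8:1::/64", "192.168.1.10"))
    t = teredo_address("198.51.100.1", "203.0.113.7", 40000)
    print("Teredo:", t, "->", teredo_decode(str(t)))
```

Because the NAT-mapped port and public address sit in the Teredo address itself, any relay can send packets "directly to nodes", the shortcut the Shipworm slide describes; it also means a Teredo address reveals the client's NAT mapping to anyone who sees it, which is worth remembering when deciding whether to let such traffic through a perimeter.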
When can we get IPv6?
• 2000: Tech. Preview (W2K)
• 2001: Developers (Windows XP)
• 2002: Deployment
Now!

More Information on IPv6
• Microsoft IPv6 web site:
  • http://www.microsoft.com/ipv6/
• IETF standards
  • IPv6 specification,
  • IPv6 transition tools.

Call to Action
• Apply UPnP technology to NAT traversal
  • www.upnp.org
• Work on the Firewall Traversal Protocol
• Start porting applications to IPv6
  • Use IPv6 stack in Windows XP
• Start deploying IPv6 now!