Sean Siler, IPv6 Program Manager, Microsoft Corporation
“Why IPv6 isn’t nearly as screwed up in Windows as you think it is.”
DNS Resolver
Teredo
Windows Firewall/IPsec
Disabling IPv6
DHCPv6
Application Compatibility
Roadmap
DNS Resolver
"It is going to be mud season on the Internet, where things will just be kind of slow and gooey."
–Dr. Paul Mockapetris
Inventor of DNS
http://www.kame.net
Does this interface have an IPv6 address which is not a Link-Local or Teredo address?
AAAA query is only performed if sending interface has an IPv6 address that is NOT Teredo or Link-Local
A record query sent FIRST, then AAAA
Prevents duplicate queries if timeouts or NACKs are returned
Ensure DNS Servers can support AAAA records
Ensure DNS Servers can support queries over IPv4 or IPv6
DNS Servers running near capacity with v4 may need to be upgraded once you start handing out IPv6 addresses
Teredo
Home users need the simplicity of NAT…Turn it on and it works
DHCP-PD – If ISP and home gateway are v6 capable, broadcasts RAs in the home
Teredo – tunnels IPv6 packets inside of IPv4 UDP so that they can pass through NAT and out the v4 Internet
[Diagram: Teredo Client A and Teredo Client B, each behind a Restricted NAT, with a Teredo Server on the IPv4 Internet]
1. Both clients send packets to Teredo Server upon Teredo’s first use
2. Bubble to Teredo Client B
3. Opens a source-specific mapping on Client A’s NAT to Client B
4. Bubble to Teredo Server
5. Forwarded bubble to Teredo Client B
6. Bubble to Teredo Client A
7. Opens source-specific mapping to Client A from Client B
8. Initial packet to Teredo Client B
Loopback
Native IPv6
ISATAP
IPv4 mapped IPv6 (Internal Stack Use Only)
Teredo
IPv6 is the preferred protocol, NOT TEREDO
Windows Firewall/IPsec
Windows Firewall provides full Stateful Packet Inspection for v4 and v6
IPsec fully integrated and IPv6 ready
Disabling IPv6
To Block IPv6, block Port 41
To Block Teredo, block UDP 3544
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisabledComponents
Not present by default; create it as a DWORD
Bit 0 Set to 1 to disable all IPv6 tunnel interfaces (ISATAP, 6to4, and Teredo)
Bit 1 Set to 1 to disable all 6to4-based interfaces
Bit 2 Set to 1 to disable all ISATAP-based interfaces
Bit 3 Set to 1 to disable all Teredo-based interfaces
Bit 4 Set to 1 to disable IPv6 over all non-tunnel interfaces, including LAN interfaces and PPP-based interfaces
Bit 5 Set to 1 to modify the default prefix policy table to prefer IPv4 to IPv6 when attempting connections
Disable all tunnel interfaces: 0x1
Disable 6to4: 0x2
Disable ISATAP: 0x4
Disable Teredo: 0x8
Disable Teredo and 6to4: 0xA
Disable all LAN and PPP interfaces: 0x10
Disable all LAN, PPP and Tunnel interfaces: 0x11
Prefer IPv4 over IPv6: 0x20
Disable IPv6 on all interfaces and prefer IPv4: 0xFF
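An added example, not part of the original slides: a small audit helper that decodes a DisabledComponents value using the bit meanings above and reports which components a site policy wants disabled but the value leaves enabled. The function names and the policy set are hypothetical; the sample values are the ones from the slide's table.

```python
# Added example: audit a DisabledComponents DWORD against the bit meanings on the slide.
KEY = r"SYSTEM\CurrentControlSet\Services\tcpip6\Parameters"
TUNNELS = {"6to4": 0x2, "ISATAP": 0x4, "Teredo": 0x8}
ALL_TUNNELS, NATIVE, PREFER_V4 = 0x1, 0x10, 0x20
DESCRIBED = 0x3F  # bits 0-5 are the only ones the slide defines


def decode(value):
    """Effective state for a DisabledComponents value; None means the value is absent."""
    value = 0 if value is None else value & 0xFFFFFFFF
    disabled = {name for name, bit in TUNNELS.items()
                if value & (bit | ALL_TUNNELS)}  # bit 0 covers every tunnel type
    if value & NATIVE:
        disabled.add("native")  # LAN and PPP interfaces
    return {
        "disabled": disabled,
        "prefer_ipv4": bool(value & PREFER_V4),
        "undescribed_bits": value & ~DESCRIBED,
    }


def violations(value, must_disable):
    """Components a (hypothetical) site policy wants off that this value leaves on."""
    return set(must_disable) - decode(value)["disabled"]


def read_local():
    """Read the live value on a Windows host; returns None when it is not present."""
    import winreg  # Windows-only standard-library module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY) as key:
        try:
            return winreg.QueryValueEx(key, "DisabledComponents")[0]
        except FileNotFoundError:
            return None


if __name__ == "__main__":
    # Constructed sample values taken from the slide's table, not from a real host.
    for sample in (None, 0x8, 0xA, 0x11, 0xFF):
        print(sample, decode(sample), violations(sample, {"Teredo", "6to4"}))
```

On a Windows host, `violations(read_local(), {"Teredo", "6to4"})` returns an empty set when the policy is met.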
Perimeter protections
Host protections
Teredo doesn’t suck
DHCPv6
Available in Windows Server 2008
Supports Full Stateful or ‘Options Only’
DHCPv6 client built into Vista (and XP when v6 is installed)
Supports DNS integration for Dynamic DNS
Application Compatibility
Windows XP Windows Vista
Test for Vista Compatibility
Test for IPv6 Compatibility
[Diagram: Next Generation TCP/IP Stack (tcpip.sys) architecture. Labels: User Mode, Kernel Mode, Winsock, AFD, WSK, WSK Clients, TDX, TDI, TDI Clients, TCP, UDP, RAW, IPv4, IPv6, Windows Filtering Platform API, NDIS, 802.3, WLAN, Loopback, IPv4 Tunnel, IPv6 Tunnel]
IPv6 Roadmap
• SQL 2005
• IE7
• Vista
• Mobile
• Exchange 2007 SP1
• SMS/MOM
• Most everything else…
• LCS/OCS
• Groove?
• ISA?
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.