Building IPv6 (Firewall & IPSec) Aware Applications Mohit Talwar COM304 Development Lead Microsoft Corporation.

1 Building IPv6 (Firewall & IPSec) Aware Applications
Mohit Talwar, COM304
Development Lead, Microsoft Corporation

2 Outline
- Motivation
- Simple Client
- Simple Server
- Demo
- Advanced Topics

3 IPv6 is Ready
- Optional on Windows XP
  - “netsh interface ipv6 install”
  - “netsh interface ipv6 set teredo client”
- Enabled by default on Windows Vista
  - Pervasive IPv6 support in OS components
  - IPv6 connectivity preferred over IPv4
IPv6 is on by default in Windows Vista!

4 IPv6 is Real
- No support required from the network
- Transition technologies tunnel IPv6 over IPv4
  - E.g. Teredo, 6to4, …

    C:\> ipconfig
    Windows IP Configuration

    Ethernet adapter Wireless Network Connection :
        Connection-specific DNS Suffix. :
        IP Address : 
        Subnet Mask : 
        IP Address : fe80::20c:f1ff:fe34:8106%5
        Default Gateway : 

    Tunnel adapter Teredo Tunneling Pseudo-Interface :
        Connection-specific DNS Suffix. :
        IP Address : 3ffe:831f:4004:1954:0:eebe:e7ec:1042
        Default Gateway : ::

5 IPv6 Benefits: NAT Traversal
- NATs a significant challenge to P2P applications
  - Options
    - Consumers configure NATs
    - Providers host relays
    - Applications do NAT traversal
  - NATs break over 50% of P2P scenarios
- IPv6 provides automatic NAT traversal (Teredo)
  - Simply write an IPv6 aware application!
  - IPv6 connects over 95% of the P2P scenarios
[Figure labels: IPv6, IPv6, IPv4]
IPv6 provides NAT traversal!

6 IPv6 Benefits: Ad-Hoc Networks
- May take 63s for autonet address configuration
- Can only have one interface with autonet addresses
- Few applications built for this configuration
- Instantaneous link-local address configuration
- No ambiguity when using multiple link-local addresses
- Important Windows Vista scenario: People Near Me
[Figure labels: IPv6, IPv6, IPv4]

7 IPv6 Benefits: Better Behavior
- ARP takes up to 2 minutes to detect failures
- Gratuitous ARP can mess up address tables in switches
- ND detects failures in less than 30 seconds
- DAD has no adverse impact on switches
[Figure labels: IPv6, IPv6, IPv4]

8 IPv6 Benefits
- Secure Neighbor-Discovery
  - Secure extension of ARP
- Mobility
  - Retain addresses across subnet moves
- Increase support for P2P scenarios
  - Addressability across Firewalls

9 Supporting IPv6
- Higher Layers (.Net, HTTP, P2P SDK etc): Zero work!
- Lower Layers (Winsock & .Net Sockets)
  - Client Applications
    - Windows Vista & Beyond: WSAConnectByName
    - Windows XP & Beyond: Address agnostic
  - Server Applications
    - Windows Vista & Beyond: Single socket
    - Windows XP & Beyond: Dual socket

10 Supporting IPv6: Winsock
- Addresses
  - Use SOCKADDR_STORAGE and PSOCKADDR
  - SOCKADDR_IN6 when using v4-mapped (Vista Only)
- Name Resolution
  - GetAddrInfoW
  - WSAConnectByName (Vista Only)
- Core Socket Functions
  - socket, bind, connect, sendto…
  - IPV6_V6ONLY (Vista Only)
- IPHLPAPIs
  - GetAdaptersAddresses
  - Address agnostic APIs (Vista Only)
- Macros
  - INETADDR_ISLOOPBACK(PSOCKADDR …)

11 CHECKV4.EXE

12 Simple Client
Broken (IPv4 Only)!

    StartClient(PCSTR HostName, USHORT Port)
    {
        ClientSocket = socket(AF_INET, ...);
        HostEntry = gethostbyname(HostName);        // IPv4-only resolution
        A.sin_addr = *(PIN_ADDR)HostEntry->h_addr;  // first IPv4 address only
        A.sin_port = htons(Port);
        connect(ClientSocket, &A, ...);
    }

13 Simple Client – Windows Vista
Fixed (ConnectByName)!

    StartClient(PCSTR HostName, USHORT Port)
    {
        ClientSocket = socket(AF_INET6, ...);
        //
        // Reset IPV6_V6ONLY to FALSE, so the socket can reach IPv4 peers too.
        //
        setsockopt(ClientSocket, IPPROTO_IPV6, IPV6_V6ONLY, ...);
        WSAConnectByName(ClientSocket, HostName, Port, ...);
    }

14 Simple Client – Windows XP
Fixed (Address Agnostic)!

    StartClient(PCSTR HostName, USHORT Port)
    {
        //
        // First, resolve HostName (IPv6 and IPv4 addresses, in preferred order).
        //
        GetAddrInfoA(HostName, Port, ..., &AddressList);
        //
        // Then, iterate over all addresses (in order) until one connects.
        //
        for (A = AddressList; A != NULL; A = A->ai_next) {
            ClientSocket = socket(A->ai_family, A->ai_socktype, A->ai_protocol);
            if (connect(ClientSocket, A->ai_addr, A->ai_addrlen) == 0) {
                break;
            }
            closesocket(ClientSocket);  // failed attempt: do not leak the socket
        }
        freeaddrinfo(AddressList);
    }

15 Simple Client – .NET
Fixed (Address Agnostic)!

    //
    // First, resolve HostName.
    //
    HostEntries = Dns.GetHostEntry(HostName);
    //
    // Then, iterate over all addresses (in order) until one connects.
    //
    foreach (IPAddress Address in HostEntries.AddressList) {
        A = new IPEndPoint(Address, Port);
        ClientSocket = new Socket(A.AddressFamily, ...);
        try {
            ClientSocket.Connect(A);
            break;
        } catch (SocketException) {
            ClientSocket.Close();  // failed attempt: release the socket
        }
    }
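The address-agnostic client loop of slides 14 and 15, as an added example in Python (not code from the slides or from Microsoft): the socket module's getaddrinfo and connect play the roles of GetAddrInfo and connect on the slide. The resolver returns IPv6 and IPv4 candidates in the OS's preferred order, each candidate gets a socket of its own family, and a socket whose connect fails is closed before the next candidate is tried. demo_fallback uses a constructed candidate list and a constructed connect hook, so the fallback order can be observed without any network; the host name host.example and the TEST-NET-1 address 192.0.2.1 are assumptions.

```python
import socket


def resolve(host, port, socktype=socket.SOCK_STREAM):
    """Counterpart of the slides' GetAddrInfo call: every address of `host`,
    IPv6 and IPv4 alike, in the order the OS's destination selection prefers."""
    return [(family, stype, proto, sockaddr)
            for family, stype, proto, _canon, sockaddr
            in socket.getaddrinfo(host, port, socket.AF_UNSPEC, socktype)]


def connect_by_name(host, port, *, resolver=resolve, connector=None, timeout=5.0):
    """Address-agnostic client: open a socket of each candidate's own family and
    try the candidates in order, closing each socket that fails, until one
    connects. Returns (connected socket, sockaddr); raises OSError listing every
    failure when no candidate connects.

    `connector(sock, sockaddr)` is a hook so the loop can be exercised without
    a network; None means the real sock.connect().
    """
    failures = []
    for family, stype, proto, sockaddr in resolver(host, port):
        sock = socket.socket(family, stype, proto)
        sock.settimeout(timeout)
        try:
            if connector is None:
                sock.connect(sockaddr)
            else:
                connector(sock, sockaddr)
        except OSError as exc:
            sock.close()                       # never leak the socket of a failed attempt
            failures.append((sockaddr, exc))
            continue
        sock.settimeout(None)
        return sock, sockaddr
    raise OSError(f"could not connect to {host}:{port}; tried {failures}")


def demo_fallback():
    """Constructed scenario, no network needed: the resolver hands back an
    unreachable TEST-NET-1 address first and IPv4 loopback second. Returns
    (addresses tried in order, address that 'connected')."""
    candidates = [  # constructed, in "resolver order"
        (socket.AF_INET, socket.SOCK_STREAM, 0, ("192.0.2.1", 80)),
        (socket.AF_INET, socket.SOCK_STREAM, 0, ("127.0.0.1", 80)),
    ]
    tried = []

    def fake_connect(sock, sockaddr):
        tried.append(sockaddr)
        if sockaddr[0] == "192.0.2.1":
            raise ConnectionRefusedError("constructed: no route to TEST-NET-1")

    sock, chosen = connect_by_name("host.example", 80,
                                   resolver=lambda h, p: candidates,
                                   connector=fake_connect)
    sock.close()
    return tried, chosen
```

Because the loop keeps going after a failure, a host whose first (IPv6) address is unreachable still connects over its IPv4 address; the close in the except branch is what keeps a long candidate list from exhausting handles.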

16 Simple Server
Broken (IPv4 Only)!

    StartServer(USHORT Port)
    {
        ServerSocket = socket(AF_INET, ...);
        A.sin_addr.s_addr = INADDR_ANY;
        A.sin_port = htons(Port);
        bind(ServerSocket, &A, ...);
        ...
    }

17 Simple Server – Windows Vista
Fixed (IPV6_V6ONLY)!

    StartServer(USHORT Port)
    {
        ServerSocket = socket(AF_INET6, ...);
        //
        // Reset IPV6_V6ONLY to FALSE, so the one socket accepts IPv4 clients too
        // (they appear as v4-mapped IPv6 addresses).
        //
        setsockopt(ServerSocket, IPPROTO_IPV6, IPV6_V6ONLY, ...);
        IN6ADDR_SETANY(&A);
        A.sin6_port = htons(Port);
        bind(ServerSocket, &A, ...);
        ...
    }

18 Simple Server – Windows XP
Fixed (Dual Socket)!

    StartServer(USHORT Port)
    {
        ServerSocket4 = socket(AF_INET, ...);
        ServerSocket6 = socket(AF_INET6, ...);
        IN4ADDR_SETANY(&A4);
        IN6ADDR_SETANY(&A6);
        A4.sin_port = htons(Port);
        A6.sin6_port = htons(Port);
        bind(ServerSocket4, &A4, ...);
        bind(ServerSocket6, &A6, ...);
        ...
    }

19 Simple Server – .NET
Fixed (IPV6_V6ONLY)!

    ServerSocket = new Socket(AddressFamily.InterNetworkV6, ...);
    //
    // Reset IPV6_V6ONLY to false, so IPv4 clients are accepted as well.
    //
    ServerSocket.SetSocketOption(..., IPV6_V6ONLY, ...);
    A = new IPEndPoint(IPAddress.IPv6Any, Port);
    ServerSocket.Bind(A);
    ...
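The two server fixes of slides 17 to 19 combined into one listener routine, as an added example in Python (not code from the slides or from Microsoft): it first tries the Vista-style single AF_INET6 socket with IPV6_V6ONLY reset to 0, and falls back to the XP-style pair of sockets (the AF_INET6 one with IPV6_V6ONLY set to 1 so it does not claim the IPv4 port) or to IPv4 alone when the host has no IPv6 stack. peer_kind shows what a dual-stack socket reports for an IPv4 client, a v4-mapped address of the form ::ffff:a.b.c.d, and accept_loopback_client is a constructed check over 127.0.0.1; the mode names and the ephemeral port 0 are assumptions of this example.

```python
import ipaddress
import socket


def _listen6(port, v6only, backlog):
    """AF_INET6 listener on in6addr_any with IPV6_V6ONLY set as requested;
    closes the socket and re-raises if any step fails."""
    sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    try:
        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, v6only)
        sock.bind(("::", port))
        sock.listen(backlog)
    except OSError:
        sock.close()
        raise
    return sock


def open_listeners(port, backlog=16):
    """Serve IPv6 and IPv4 clients, preferring the slides' Vista-style fix and
    falling back to the XP-style one. Returns (mode, [listening sockets]).

    dual-stack : one AF_INET6 socket, IPV6_V6ONLY = 0; IPv4 clients show up
                 as v4-mapped addresses (::ffff:a.b.c.d).
    two-sockets: AF_INET6 with IPV6_V6ONLY = 1 (so it does not claim the IPv4
                 port) plus a separate AF_INET socket, both on the wildcard.
    ipv4-only  : the host has no usable IPv6 stack.
    """
    try:
        return "dual-stack", [_listen6(port, 0, backlog)]
    except OSError:
        pass  # no IPv6, or the platform refuses IPV6_V6ONLY = 0
    socks = []
    try:
        socks.append(_listen6(port, 1, backlog))
    except OSError:
        pass
    sock4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock4.bind(("0.0.0.0", port))
        sock4.listen(backlog)
    except OSError:
        sock4.close()
        for s in socks:
            s.close()
        raise
    socks.append(sock4)
    return ("two-sockets" if len(socks) == 2 else "ipv4-only"), socks


def peer_kind(address):
    """Classify the peer address a server sees on accept(); a dual-stack socket
    reports IPv4 clients as v4-mapped IPv6."""
    addr = ipaddress.ip_address(address.split("%", 1)[0])
    if addr.version == 4:
        return "IPv4"
    if addr.ipv4_mapped is not None:
        return "IPv4 via v4-mapped IPv6"
    return "IPv6"


def accept_loopback_client():
    """Constructed check: listen on an ephemeral port, connect an IPv4 client over
    127.0.0.1 and return (mode, how the server saw that client)."""
    mode, listeners = open_listeners(0)
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn = None
    try:
        # The socket that serves IPv4: the single dual-stack one, else the AF_INET one.
        target = (listeners[0] if mode == "dual-stack"
                  else next(s for s in listeners if s.family == socket.AF_INET))
        client.settimeout(5)
        client.connect(("127.0.0.1", target.getsockname()[1]))
        target.settimeout(5)
        conn, peer = target.accept()
        return mode, peer_kind(peer[0])
    finally:
        if conn is not None:
            conn.close()
        client.close()
        for s in listeners:
            s.close()
```

Any access control keyed on the peer address (allow lists, per-client rate limits, log correlation) has to normalise the v4-mapped form that a dual-stack socket reports, which is what peer_kind makes visible; a server that compares against plain dotted-quad strings will otherwise treat every IPv4 client as unknown.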

20 NAT Traversal Using Teredo
Jay Beavers, Developer, Project Max

21 Advanced Topics
- Secure Sockets
- Address Selection
- Address Publication
- Network Events
- Firewall Considerations

22 Secure Sockets
- IPv6 provides e2e connectivity (enabling IPSec)
- Secure sockets provide control over IPSec policies
  - WSASetSocketSecurity
    - Specify security requirements
    - Before WSAConnect
    - E.g. Require IPSec encryption for a peer
  - WSAQuerySocketSecurity
    - Query applied security properties
    - After WSAConnect
    - E.g. Use peer’s security token for authorization

23 Address Selection
- IPv6 exposes multi-homing issues
  - Multiple interfaces & addresses
- Problem involves choosing one of many…
  - Destinations: The address to connect to
  - Sources: The address to connect from
[Figure: two hosts; addresses 3ffe:831f::8000:f227:62c4:fefe and 3ffe:831f::baad:f00d:baad:f00d on one, fe80::20c:f1ff:fe34:8106%5 and 3ffe:831f:4004:1954:0:eebe:e7ec:1042 on the other]

24 Address Selection: Destination Address Selection
- Automatically performed by GetAddrInfo
- SIO_ADDRESS_LIST_SORT
- Caveat: IPv6 preferred over IPv4
[Figure: two hosts; addresses 3ffe:831f::8000:f227:62c4:fefe and 3ffe:831f::baad:f00d:baad:f00d on one, fe80::20c:f1ff:fe34:8106%5 and 3ffe:831f:4004:1954:0:eebe:e7ec:1042 on the other]

25 Address Selection: Source Address Selection
- Automatically performed by ConnectByName
- SIO_ROUTING_INTERFACE_QUERY
[Figure: two hosts; addresses fe80::20c:f1ff:fe34:8106%5 and 3ffe:831f:4004:1954:0:eebe:e7ec:1042 on one, 3ffe:831f::8000:f227:62c4:fefe and 3ffe:831f::baad:f00d:baad:f00d on the other]

26 Address Publication: Publisher

    Publish(PIP_ADAPTER_UNICAST_ADDRESS AddressList)
    {
        //
        // Iterate over *all* addresses.
        //
        for (A = AddressList; A != NULL; A = A->Next) {
            //
            // Publish if *eligible*.
            //
            if (A->Flags & IP_ADAPTER_ADDRESS_DNS_ELIGIBLE) {
                ...
            }
        }
    }

27 Address Publication: Resolver

    Sort(PSOCKET_ADDRESS_LIST AddressList)
    {
        //
        // Combine resolved IPv6 and IPv4 addresses in a single list
        // (represent IPv4 addresses as v4-mapped IPv6 addresses).
        //
        Socket = socket(AF_INET6, SOCK_DGRAM, 0);
        WSAIoctl(Socket, SIO_ADDRESS_LIST_SORT, AddressList, ...);
        closesocket(Socket);
    }
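The resolver-side step of slide 27 and the caveat of slide 24 (IPv6 preferred over IPv4), as an added example in Python that is not code from the slides or from Microsoft: resolved IPv4 addresses are represented as v4-mapped IPv6 addresses so that one list holds both families, and the list is then ordered by the RFC 3484 default policy table. This is an assumption-level simplification of what the slide's SIO_ADDRESS_LIST_SORT does; the real sort also applies RFC 3484's source-address, scope and longest-prefix rules, which are omitted here, and the sample addresses in the test are constructed from documentation ranges.

```python
import ipaddress

# RFC 3484 default policy table as (prefix, precedence); higher precedence sorts first.
POLICY_TABLE = [
    (ipaddress.ip_network("::1/128"), 50),        # loopback
    (ipaddress.ip_network("::/0"), 40),           # native IPv6
    (ipaddress.ip_network("2002::/16"), 30),      # 6to4
    (ipaddress.ip_network("::/96"), 20),          # IPv4-compatible (deprecated)
    (ipaddress.ip_network("::ffff:0:0/96"), 10),  # v4-mapped, i.e. IPv4 destinations
]


def as_v6(text):
    """Represent a resolved address as IPv6, an IPv4 one as v4-mapped (::ffff:a.b.c.d),
    the way the slide's Sort() combines both result lists. A %scope suffix is dropped."""
    addr = ipaddress.ip_address(text.split("%", 1)[0])
    if addr.version == 4:
        return ipaddress.IPv6Address("::ffff:" + str(addr))
    return addr


def precedence(addr6):
    """Policy lookup: the longest matching prefix decides the precedence."""
    matches = [(net.prefixlen, prec) for net, prec in POLICY_TABLE if addr6 in net]
    return max(matches)[1]


def _fmt(addr6):
    # Print v4-mapped entries in dotted form regardless of Python version.
    mapped = addr6.ipv4_mapped
    return f"::ffff:{mapped}" if mapped is not None else str(addr6)


def sort_destinations(addresses):
    """Order candidate destinations by precedence. The sort is stable, so entries of
    equal precedence keep the resolver's order; an IPv4 address listed first by the
    resolver still ends up after every native IPv6 address (the slide's caveat)."""
    ordered = sorted((as_v6(a) for a in addresses), key=precedence, reverse=True)
    return [_fmt(a) for a in ordered]
```

The practical consequence for an application is the one the slide states: with such a sort, an IPv4-only service path is attempted only after every IPv6 candidate has been tried, so connection time on a host with broken IPv6 connectivity is bounded by how quickly those IPv6 attempts fail.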

28 Network Events
- Address Notifications
  - SIO_ADDRESS_LIST_CHANGE
  - Applications that retry on address change
    - E.g. IM client registering addresses with IM server
- Route Notifications
  - SIO_ROUTING_INTERFACE_CHANGE
  - Applications that bind to the preferred source address
    - E.g. Video conferencing client switching from wireless to wired
- Requires an overlapped socket
- Vista: Can use a single socket for both IPv4 and IPv6 notifications

29 Network Events: Notification Handler

    NotificationHandler(VOID)
    {
        //
        // Sleep before processing the event:
        // address & route changes usually occur in quick succession.
        //
        Sleep(1000);
        //
        // Register for the next event before processing the current one.
        // Ensures that no events are missed.
        //
        WSAIoctl(Socket, SIO_ADDRESS_LIST_CHANGE, ...);
        ...
    }

30 Firewall
- Host Firewall is on by default (as in XP/SP2)
- Application requirements
  - Application exceptions (during install) OR
  - Port exceptions (during run-time)
- Exceptions stored as filters in a central database
  - Can be used by 3rd party firewalls

31 Firewall
[Figure: two hosts; addresses fe80::20c:f1ff:fe34:8106%5 and 3ffe:831f:4004:1954:0:eebe:e7ec:1042 on one, address (1) 3ffe:831f::8000:f227:62c4:fefe and address (2) 3ffe:831f::baad:f00d:baad:f00d on the other]
- UDP echo server bound to in6addr_any
- Receive request on address (1)
- May reply from address (2)!
- Reply may be dropped by client’s host firewall
- Root Cause: Asymmetry in address selection

32 Firewall
Fixed (WSASendMsg)!

    UdpServer(USHORT Port)
    {
        WSAMSG WsaMsg = { ..., &Data, ..., &Control, ... };
        //
        // Ask for IPV6_PKTINFO control data: the address each request arrived on.
        //
        setsockopt(..., IPV6_PKTINFO, ...);
        WSARecvMsg(Socket, &WsaMsg, ...);
        //
        // Reply with the same WSAMSG (same control data), so the reply leaves
        // from the address the request was received on.
        //
        WSASendMsg(Socket, &WsaMsg, ...);
    }
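The reply-source fix of slides 31 and 32 on a POSIX stack, as an added example in Python that is not code from the slides or from Microsoft: recvmsg delivers the in6_pktinfo control message (the address the datagram was received on), and sendmsg with the same control message pins the reply's source to that address, which is the WSARecvMsg/WSASendMsg pairing of the slide. Assumptions: Linux or macOS layout of struct in6_pktinfo (16-byte address followed by a native unsigned int interface index), and that reception of the control message is enabled with IPV6_RECVPKTINFO (RFC 3542) where that name exists, falling back to the Windows-style IPV6_PKTINFO otherwise. loopback_roundtrip is a constructed check over ::1 and raises OSError where IPv6 is unavailable.

```python
import socket
import struct

# struct in6_pktinfo { struct in6_addr ipi6_addr; unsigned int ipi6_ifindex; }  (assumed layout)
IN6_PKTINFO = "16sI"
PKTINFO_LEN = struct.calcsize(IN6_PKTINFO)
# Windows enables the control data with IPV6_PKTINFO; RFC 3542 stacks use IPV6_RECVPKTINFO.
RECV_PKTINFO = getattr(socket, "IPV6_RECVPKTINFO", None) or socket.IPV6_PKTINFO


def parse_pktinfo(cmsg_data):
    """Decode an in6_pktinfo control message into (address, interface index)."""
    raw_addr, ifindex = struct.unpack(IN6_PKTINFO, cmsg_data[:PKTINFO_LEN])
    return socket.inet_ntop(socket.AF_INET6, raw_addr), ifindex


def build_pktinfo(address, ifindex=0):
    """Encode an in6_pktinfo that makes sendmsg() send from `address`."""
    return struct.pack(IN6_PKTINFO, socket.inet_pton(socket.AF_INET6, address), ifindex)


def serve_one_echo(server):
    """Receive one datagram on a socket bound to in6addr_any and echo it from the
    exact address it arrived on. Returns (that address, interface index)."""
    data, ancdata, _flags, peer = server.recvmsg(2048, socket.CMSG_SPACE(PKTINFO_LEN))
    pktinfo = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IPV6 and ctype == socket.IPV6_PKTINFO:
            pktinfo = cdata
    if pktinfo is None:
        raise RuntimeError("no IPV6_PKTINFO control message; was RECV_PKTINFO set?")
    dest, ifindex = parse_pktinfo(pktinfo)
    # Same control data on the way out: the reply's source is `dest`, not whatever
    # source selection would otherwise pick, so the client's firewall sees a reply
    # from the address it sent to.
    server.sendmsg([data],
                   [(socket.IPPROTO_IPV6, socket.IPV6_PKTINFO, build_pktinfo(dest, ifindex))],
                   0, peer)
    return dest, ifindex


def loopback_roundtrip(payload=b"echo?"):
    """Constructed check over ::1: returns (reply payload, address the reply came
    from, address the request was delivered to)."""
    server = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    try:
        server.setsockopt(socket.IPPROTO_IPV6, RECV_PKTINFO, 1)
        server.bind(("::", 0))  # in6addr_any, like the slide's server
        server.settimeout(5)
        client.settimeout(5)
        client.sendto(payload, ("::1", server.getsockname()[1]))
        dest, _ifindex = serve_one_echo(server)
        reply, sender = client.recvfrom(2048)
        return reply, sender[0], dest
    finally:
        server.close()
        client.close()
```

On a single-address loopback the asymmetry cannot show itself, but the mechanism is the same on a multi-addressed host: without the control message the reply is sent from whichever source address the stack selects, and a stateful client-side firewall that only opened a hole for the address the request went to drops it.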

33 Summary
- IPv6 provides NAT traversal!
  - Excellent platform for P2P applications
- IPv6 is on by default in Windows Vista!
  - Ready for primetime
- Porting to IPv6 is easy!
- Call to action: Make your applications IPv6 aware!

34 Community Resources
- At PDC
  - COM Track Lounge (I’ll be there Wed, 9am - 5pm)
  - Ask The Experts (Thu, 6:30pm)
  - COM 319 – Windows Vista: Integrating with the People Near Me…
  - PRS L05 – Case Study: What We Learned Building Project Max…
- After PDC
  - Catch this session on DVD in case you missed it
  - COM 311: Developing P2P Applications using Windows Vista…
- News Groups
  - microsoft.public.platformsdk.networking.ipv6
  - microsoft.beta.longhorn.networking.home
- MSDN Forum
  - Communications and Networking in Windows Vista
- MSDN Technology Center
  - Teredo overview
  - Windows Firewall APIs

35 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

36 Appendix: Teredo Introduction
- Provides IPv6 connectivity behind IPv4 NAT
  - Last resort connectivity mechanism
- Tunnels IPv6 traffic over UDP/IPv4
- Uses public Teredo (echo) servers
  - To determine NAT port-mapping
  - To initiate communication with a peer

37 Appendix: Teredo in a Slide
[Figure: Client, Teredo Server, Peer]
(1) Client: Echo-Request creates port-mapping
(2) Server: Echo-Response contains port-mapping (A, P) G
(3) Client forms IPv6 address
    - Elements: Server, (A, P) G
(4) Peer parses IPv6 address
    - Determines port-mapping, Server
    - Encapsulates packet over UDP

