3Key Problems Address Shortage Extrapolating the number of DNS registered addresses shows total exhaustion in But the practical maximum is about 240 M addresses, in
4Key Problems Address Shortage Peer to Peer applications requireAddressability of each end pointUnconstrained inbound and outbound trafficDirect communication between end points using multiple concurrent protocolsNATs are a band-aid to address shortageBlock inbound traffic on listening portsConstrain traffic to “understood” protocolsCreate huge barrier to deployment of P2P applications
5Key Problems Lack of Mobility Existing applications and networking protocols do not work with changing IP addressesApplications do not “reconnect” when a new IP address appearsTCP drops session when IP address changesIPSEC hashes across IP addresses, changing address breaks the Security AssociationMobile IPv4 solution is not deployableForeign agent reliance not realisticNATs and Mobile IPv4? Just say NO
6Key Problems Network Security Always On == Always attacked!Consumers deploying NATs and Personal FirewallsEnterprises deploying Network FirewallsNATs and Network Firewalls break end-to-end semanticsBarrier to deploying Peer to Peer applicationsBarrier to deploying new protocolsBlock end-to-end, authorized, tamper-proof, private communicationNo mechanisms for privacy at the network layerIP addresses expose information about the userNo transparent way to restrict communication within network boundaries
7The Promise of IPv6 Enough addresses True mobility 64+64 format: 1.8E+19 networks, unitsassuming IPv4 efficiency: 1E+16 networks, 1 million networks per human20 networks per m2 of Earth (2 per sqft )Removes need to stretch addresses with NATsTrue mobilityNo reliance on Foreign AgentsBetter network layer securityIPSec delivers end-to-end securityLink/Site Local addresses allow partitioningAnonymous addresses provide privacy
8The Promise of IPv6 Example: Multiparty Conference, using IPv6 Home LANInternetHome LANHomeGatewayHomeGatewayP3With a NAT:Brittle “workaround”.With IPv6:Just use IPv6 addresses
9IPv6 in the enterprise ? Why? How? When? It is not a fad – there really are new scenariosHow?It does not require extraordinary investments if you use the right tools!Keeping it secure!When?As soon as the tools are ready,That is, now!
10IPv6 enterprise scenarios Extranet applicationsReplace “double NAT” scenarios by global addressingEnables “station to station” encryption, meeting security requirements for demanding cooperationsMobile usersUse Mobile IPv6 for a simpler “VPN” scenarioIntranet managementUnique addresses for all devices simplifies management, e.g. real-time inventories.
11IPv6 deployment tool-box IPv6 stateless address auto-configurationRouter announces a prefix, client configures an address6to4: Automatic tunneling of IPv6 over IPv4Derives IPv6 /48 network prefix from IPv4 global addressAutomatic tunneling of IPv6 over UDP/IPv4Works through NAT, may be blocked by firewallsISATAP: Automatic tunneling of IPv6 over IPv4For use behind a firewall.
12Security Toolbox IPSEC Privacy addresses Scoped addresses Enabled by global addressesPrivacy addressesProtect privacy of internal clientsScoped addressesContain “local” traffic locallyPerimeter firewall, Host firewallPer port policies: open, close, statefulIPSEC policyWithout breaking connectivity!
13Deployment in 3 phases Phase 1, experimentation Allow developers to port applicationsPhase 2, initial serviceEnable local serversOffer connectivityPhase 3, general availabilityOffer native IPv6 capability
14Enterprise IPv6, Phase 1 IPv6 Enabling server Hole in IPv4 firewall ISATAP router,Rudimentary v6 firewall6to4 connectivityHole in IPv4 firewallAllow protocol type 41 to 6to4 router (alone)Tunnel IPv6Locally: ISATAPConnectivity: 6to4Publish in DNS:AAAA records for IPv6 hosts, servers.Access over IPv4IPv4 Internet6to4V6 FirewallISATAPIPv4 FirewallIPv4 Network,UnchangedDNS (IPv4)NodeNode
16Enterprise IPv6, Phase 3 Connect to IPv6 Internet IPv6 capable network No need for 6to4 ?Renumber, or dual-homeIPv6 capable networkUpgrade subnets to IPv6Eventually, remove need for ISATAP.Dual mode DNS, servers:Access over IPv4 and IPv66to4IPv4/v6 FirewallServerDual IPv6, IPv4 NetworkISATAP?DNS (dual)NodeNode
17What is Microsoft doing Building a complete IPv6 stack in WindowsTechnology Preview stack in Win2000Developer stack in Windows XPDeployable stack in .NET Server & update for Windows XPWindows CE .NETSupporting IPv6 with key applications protocolsFile sharing, Web (IIS, IE), Games (DPlay), Peer to Peer platform, UPnPBuilding v4->v6 transition strategiesScenario focused tool-box
18In Summary … We Build Together Microsoft is moving quickly to enable Windows platforms for IPv6Up to date information on:Send us feedback and requirementsWe need your help to move the world to a simple ubiquitous network based on IPv6
19Call to Action Enterprise Start deployment now!Network Providers: Build it and they will comeDo not settle for NATs for new designsDemand IPv6 support on all equipmentOffer native IPv6 servicesDevice Vendors: Design for the simpler, ubiquitous IPv6 internetApplication Writers: Don’t wait on the aboveUse Windows XP and Windows .NET Server NOW!