NAT, firewalls and IPv6
Christian Huitema, Architect, Windows Networking, Microsoft Corporation
What We Have Done So Far
- Progressed embedded end-to-end platform
- Announced update: PC-to-phone provider choice & new UI
- Released Windows XP: Windows Messenger and rich APIs
NAT, Firewalls and IPv6
- Issue: RTC requires "peer-to-peer" traffic: UDP for "media", TCP for application sharing. Firewalls and NAT block UDP and incoming TCP.
- Adopting RTC in the home requires a NAT solution
- Adopting RTC in the enterprise requires a firewall solution
- IPv6 helps solve both problems!
What Is Network Address Translation (NAT)?
- Multiplexes IPv4 address space behind the NAT (Internet gateway)
- Edits source address & ports in IP traffic
- All network traffic leaving the public side of the NAT appears to originate from one IP address
- Issue: breaks many services / apps
[Figure: hosts 192.168.0.2 and 192.168.0.3 behind a gateway (192.168.0.1 inside, 220.127.116.11 outside) connected to the Internet]
Overcoming NAT: To-Date
- User: manual configuration
  - Most users not comfortable with this
  - Leads to customer dissatisfaction
  - Drives support calls & increased support cost
  - Inhibits trying new things
  - An issue for DSL & cable modem providers and retailers
- IG vendor: application layer gateways
  - One-off developments by device vendor
  - Doesn't scale well to many apps & updates
UPnP™ NAT Traversal: A Better Way
- Program NAT device via Universal Plug and Play (UPnP™)
- Internet Gateway Device Working Committee defined schema for gateways
  - Includes method for automatically creating and removing port mappings
Industry Adoption of UPnP™ NAT Support in Gateways
- Leading vendors announced support; available 2H 2001
- PC with Windows XP can be the Internet gateway device OR can work with another IG
- UPnP™ support to become a market requirement for the IG category
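The NAT behaviour the preceding slides describe (one public address for every outbound flow, unsolicited inbound traffic dropped, a port mapping restoring reachability) as an added, constructed model; this is example code written for this transcript, not code from the talk or from Windows. Host and gateway addresses are the ones printed on the NAT slide; ports and protocol names are assumed.

```python
from dataclasses import dataclass, field

# Constructed model of a port-translating NAT (NAPT) on the home gateway.
# Private hosts 192.168.0.2 and 192.168.0.3 sit behind one public address;
# 220.127.116.11 is the public address printed on the slide's figure.

@dataclass
class Napt:
    public_ip: str
    next_port: int = 40000
    # (inside_ip, inside_port, proto) -> public port used on the outside
    outbound: dict = field(default_factory=dict)
    # (public_port, proto) -> (inside_ip, inside_port)
    inbound: dict = field(default_factory=dict)

    def translate_out(self, src_ip, src_port, proto):
        """Rewrite the source of an outbound packet, creating a binding if new.
        Every flow leaves with the same public address and a distinct port."""
        key = (src_ip, src_port, proto)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, proto)] = (src_ip, src_port)
        return self.public_ip, self.outbound[key]

    def translate_in(self, dst_port, proto):
        """Forward an inbound packet only if a binding exists; None means dropped.
        This is why unsolicited peer-to-peer UDP or incoming TCP never arrives."""
        return self.inbound.get((dst_port, proto))

    def add_port_mapping(self, ext_port, proto, inside_ip, inside_port):
        """Static binding: the effect of the UPnP IGD port-mapping method."""
        if (ext_port, proto) in self.inbound:
            raise ValueError("external port already mapped")
        self.inbound[(ext_port, proto)] = (inside_ip, inside_port)
        self.outbound[(inside_ip, inside_port, proto)] = ext_port

def demo():
    """Walk through the slide's scenario; returns the observed translations."""
    nat = Napt("220.127.116.11")
    a_out = nat.translate_out("192.168.0.2", 5004, "udp")   # host A sends media
    b_out = nat.translate_out("192.168.0.3", 5004, "udp")   # host B, same inside port
    reply_to_a = nat.translate_in(a_out[1], "udp")          # reply to A's flow: delivered
    unsolicited = nat.translate_in(5004, "udp")             # a peer calls B first: dropped
    nat.add_port_mapping(5004, "udp", "192.168.0.3", 5004)  # mapping created via UPnP
    mapped = nat.translate_in(5004, "udp")                  # now delivered to B
    return a_out, b_out, reply_to_a, unsolicited, mapped
```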
Address Shortage Causes More NAT Deployment
- Extrapolating the number of DNS-registered addresses shows total exhaustion in 2009.
- But in practice, the "H-ratio" of log10(addresses)/bits reaches 0.26 in 2002.
In the medium term, we cannot program all NATs
- By 2002, we will see ISPs using layers of NAT. In fact, we see it in Asia and Europe now…
- We need IPv6 before that!
[Figure: PC behind a home NAT, behind an ISP NAT, to the Internet; "UPnP ?" marks the ISP NAT]
We need IPv6, to change the Internet
- Addresses are the key
  - Scarcity: the user is a "client"
  - Plethora: the user is a "peer"
- IPv6 provides enough addressing
  - 64+64 format: 1.8E+19 networks (units)
  - Assuming IPv4 efficiency: 1E+16 networks, 1 million networks per human, 2 networks per sqft of Earth (20 per m²)
- This enables peer-to-peer!
Example: Multiparty Conference, using IPv6
- With a NAT: brittle "workaround".
- With IPv6: just use IPv6 addresses.
[Figure: peers P1, P2 and P3 on two home LANs, each behind a home gateway, connected over the Internet]
How to cope with Firewalls?
- Issue: RTC requires "peer-to-peer" traffic: UDP for "media", TCP for application sharing. Firewalls block UDP and incoming TCP.
- Classic solutions don't work well:
  - Proxies are costly to deploy, generate additional latency and network complexity.
  - Application Layer Gateways prohibit encryption of signalling, create dependencies, prevent evolution.
Preferred Solution: Firewall Control Protocol (FCP)
[Figure: a SIP proxy on the enterprise network uses the Firewall Control Protocol to open media ports on the firewall towards the Internet; SIP signalling on port 5060]
- Work in progress: IETF "MIDCOM", industry
Firewall traversal & IPv6
- Simpler configuration: same view of addresses, inside and outside
- More robust: same view of addresses by multiple firewalls
- Better security: can use IP Security "end to end"
If IPv6 is so great, how come it is not there yet?
- Applications: need upfront investment, stacks, etc. Similar to Y2K: 32 bit vs. "clean address type"
- Network: need to ramp-up investment. No "push-button" transition
IPv6 deployment tool-box
- IPv6 stateless address autoconfiguration: router announces a prefix, client configures an address
- 6to4: automatic tunneling of IPv6 over IPv4. Derives the IPv6 /48 network prefix from the IPv4 global address
- Shipworm: automatic tunneling of IPv6 over UDP/IPv4. Works through NAT, may be blocked by firewalls
- ISATAP: automatic tunneling of IPv6 over IPv4. For use behind a firewall.
6to4: tunnel IPv6 over IPv4
- 6to4 router derives its IPv6 prefix from its IPv4 address
- 6to4 relays advertise reachability of prefix 2002::/16
- Automatic tunneling from 6to4 routers or relays
- Single address (18.104.22.168) for all relays
[Figure: 6to4 routers 6to4-A and 6to4-B on the IPv4 Internet, a relay to the native IPv6 network, hosts A, B and C; addresses shown: 2002:506:708::b…, 2002:102:304::b…, 3001:2:3:4:c…]
ISATAP: IPv6 behind firewall
- ISATAP router provides IPv6 prefix
- Host complements prefix with IPv4 address
- Direct tunneling between ISATAP hosts
- Relay through ISATAP router to IPv6 local or global
[Figure: hosts A and B on a firewalled IPv4 network (IPv4 FW) reach, through the ISATAP router, a local "native" IPv6 network (IPv6 FW) with hosts C and D, the IPv6 Internet and the IPv4 Internet]
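The two address derivations on the 6to4 and ISATAP slides, worked through as an added example (written for this transcript, not code from the talk). 6to4 follows RFC 3056; the ISATAP interface-identifier rule is taken from the later RFC 5214 and is an assumption about the 2001 draft. The test addresses 5.6.7.8 and 1.2.3.4 reproduce the 2002:506:708 and 2002:102:304 prefixes on the 6to4 figure; the ISATAP prefixes are constructed.

```python
import ipaddress

# Added worked example of the address derivations on the slides.
# 6to4 per RFC 3056; ISATAP interface identifier per RFC 5214 (assumed
# to match the draft the talk refers to).

def sixto4_prefix(router_ipv4: str) -> ipaddress.IPv6Network:
    """6to4: the /48 is 2002: followed by the router's 32-bit global IPv4 address."""
    v4 = ipaddress.IPv4Address(router_ipv4)
    if not v4.is_global:
        raise ValueError("6to4 needs a global IPv4 address on the 6to4 router")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))

def sixto4_router_ipv4(addr: str) -> ipaddress.IPv4Address:
    """Inverse step a 6to4 relay performs: recover the IPv4 tunnel endpoint
    from a 2002::/16 destination so the packet can be encapsulated and sent."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in ipaddress.IPv6Network("2002::/16"):
        raise ValueError("not a 6to4 address")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)

def isatap_address(prefix: str, host_ipv4: str) -> ipaddress.IPv6Address:
    """ISATAP: the host completes the router's /64 with the interface identifier
    [0|2]00:5efe:<IPv4>. The u bit (0x0200) is set for a globally unique IPv4."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP prefixes are /64")
    v4 = ipaddress.IPv4Address(host_ipv4)
    u_bit = 0x0200 if v4.is_global else 0x0000
    iid = (u_bit << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def isatap_tunnel_endpoint(addr: str) -> ipaddress.IPv4Address:
    """A peer ISATAP host reads the embedded IPv4 to tunnel directly, no router hop.
    The u bit is masked out before checking the 00-00-5E-FE marker."""
    v6 = ipaddress.IPv6Address(addr)
    iid = int(v6) & ((1 << 64) - 1)
    if (iid >> 32) & 0xFDFFFFFF != 0x00005EFE:
        raise ValueError("not an ISATAP interface identifier")
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)
```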
Shipworm: IPv6 through NAT
- Shipworm: IPv6 / UDP. IPv6 prefix: IP address & UDP port
- Shipworm servers: address discovery, default "route", enable "shortcut" (A-B)
- Shipworm relays: send IPv6 packets directly to nodes
- Works for all NAT
[Figure: nodes A and B each behind a NAT on the IPv4 Internet, a Shipworm server, and a relay to node C on the IPv6 Internet]
When can we get IPv6?
- 2000: Tech. Preview (W2K)
- 2001: Developers (Windows XP)
- 2002: Deployment
More Information on IPv6
- Microsoft IPv6 web site: http://www.microsoft.com/ipv6/
- IETF standards: IPv6 specification, IPv6 transition tools.
Call to Action
- Apply UPnP technology to NAT traversal: www.upnp.org
- Work on the Firewall Traversal Protocol
- Start porting applications to IPv6: use the IPv6 stack in Windows XP
- Start deploying IPv6 now!