Title: NAT, firewalls and IPv6. Christian Huitema, Architect, Windows Networking, Microsoft Corporation

Slide 1: NAT, firewalls and IPv6
Christian Huitema, Architect, Windows Networking, Microsoft Corporation
Slide 2: What We Have Done So Far
- Released Windows XP
  - Windows Messenger and rich APIs
- Progressed embedded
  - End-to-end platform
- Announced update
  - PC-to-phone, provider choice, new UI
Slide 3: NAT, Firewalls and IPv6
- Issue
  - RTC (real-time communication) requires peer-to-peer UDP for media, TCP for application sharing.
  - Firewalls and NAT block UDP and incoming TCP.
- Adopting RTC in the home
  - Requires a NAT solution
- Adopting RTC in the enterprise
  - Requires a firewall solution
- IPv6 helps solve both problems!
Slide 4: What Is Network Address Translation (NAT)?
- Multiplexes IPv4 address space behind a NAT Internet gateway
- Edits source address and ports in IP traffic
- All network traffic leaving the public side of the NAT appears to originate from one IP address
- Issue: breaks many services / apps

Diagram: private hosts 192.168.0.2 and 192.168.0.3 behind a NAT gateway (inside address 192.168.0.1, public address 157.55.0.1).
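The slide states that a NAT rewrites source addresses and ports and that this breaks peer-to-peer applications. The model below, an added example and not code from the deck, shows both halves of that claim on the slide's own addresses: outbound flows from two private hosts leave as 157.55.0.1 with distinct translated ports, a reply to a translated port is delivered to the right inside host, and a packet from a peer that tries to initiate a session to the public address finds no mapping and is dropped. The remote peer addresses (198.51.100.7, 203.0.113.9), the port-allocation policy and the `Packet`/`Napt` names are constructed for illustration.

```python
"""Minimal model of a port-translating NAT (NAPT), as drawn on the slide.

Added example, not from the original deck. Private and public addresses are
the slide's own; the remote peers, packet tuples and the sequential
port-allocation policy are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class Napt:
    """One public address shared by every inside host (the slide's 157.55.0.1)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside ip, inside port, proto) -> translated public port
        self.out_map = {}
        # (public port, proto) -> (inside ip, inside port)
        self.in_map = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the private side, creating a
        mapping on first use so the reply can be routed back."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver a packet arriving on the public side only if an inside host
        already created the mapping; anything unsolicited is dropped (None)."""
        target = self.in_map.get((pkt.dst_port, pkt.proto))
        if target is None:
            return None
        inside_ip, inside_port = target
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)


def demo():
    """Replay the slide's scenario and return what each side observes."""
    nat = Napt("157.55.0.1")
    # Two inside hosts send media to (constructed) remote peers.
    out1 = nat.outbound(Packet("192.168.0.2", 5004, "198.51.100.7", 5004))
    out2 = nat.outbound(Packet("192.168.0.3", 5004, "203.0.113.9", 5004))
    # The reply to the first host arrives at its translated port: delivered.
    reply = nat.inbound(Packet("198.51.100.7", 5004, "157.55.0.1", out1.src_port))
    # A peer trying to *start* a session (e.g. SIP on 5060) has no mapping: dropped.
    unsolicited = nat.inbound(Packet("203.0.113.9", 5060, "157.55.0.1", 5060))
    return {"out1": out1, "out2": out2, "reply": reply, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The dropped `unsolicited` packet is the whole problem the rest of the deck addresses: a peer cannot reach a host behind the NAT unless something (manual configuration, an ALG, or UPnP) creates the mapping first.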
Slide 5: Overcoming NAT To-Date
- User manual configuration
  - Most users not comfortable with this
  - Leads to customer dissatisfaction
  - Drives support calls, increased support cost
  - Inhibits trying new things
  - An issue for DSL/cable modem providers and retailers
- IG (Internet gateway) vendor Application Layer Gateways
  - One-off developments by device vendor
  - Doesn't scale well to many apps/updates
Slide 6: UPnP NAT Traversal: A Better Way
- Program the NAT device via Universal Plug and Play (UPnP)
- Internet Gateway Device Working Committee defined schema for gateways
- Includes method for automatically creating and removing port mappings
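The Internet Gateway Device schema the slide refers to exposes port mappings as SOAP actions on the WANIPConnection service. The code below is an added example, not code from the deck or from any UPnP stack: it builds the AddPortMapping request a LAN host sends, parses it as a gateway would, and applies a gateway-side acceptance policy (a host may only open mappings to itself, leases must be finite and capped, only TCP/UDP and valid ports). The service type, action and argument names are those of the UPnP IGD WANIPConnection:1 service; the policy rules, addresses and description string are constructed. The HTTP POST to the service's control URL (learned from the device description) is not shown.

```python
"""UPnP IGD AddPortMapping: the client request and a cautious gateway's checks.

Added example, not code from the deck or from a UPnP implementation. Service
type, action and argument names are the IGD WANIPConnection:1 ones; the
acceptance policy, addresses and limits are constructed.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_add_port_mapping(external_port, protocol, internal_port,
                           internal_client, description, lease_seconds):
    """Return (HTTP headers, SOAP body) for an AddPortMapping call."""
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPACTION": f'"{WANIP_SERVICE}#AddPortMapping"',
    }
    body = (
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="{SOAP_ENC}">'
        "<s:Body>"
        f'<u:AddPortMapping xmlns:u="{WANIP_SERVICE}">'
        "<NewRemoteHost></NewRemoteHost>"          # empty = any remote host
        f"<NewExternalPort>{int(external_port)}</NewExternalPort>"
        f"<NewProtocol>{escape(protocol)}</NewProtocol>"
        f"<NewInternalPort>{int(internal_port)}</NewInternalPort>"
        f"<NewInternalClient>{escape(internal_client)}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{escape(description)}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{int(lease_seconds)}</NewLeaseDuration>"
        "</u:AddPortMapping>"
        "</s:Body>"
        "</s:Envelope>"
    )
    return headers, body


def parse_add_port_mapping(body):
    """Gateway side: pull the action arguments out of the SOAP body."""
    root = ET.fromstring(body)
    action = root.find(f"{{{SOAP_NS}}}Body/{{{WANIP_SERVICE}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    # Argument elements are unqualified, so child.tag is the plain argument name.
    return {child.tag: (child.text or "") for child in action}


def gateway_policy(args, requester_ip, max_lease_seconds=86400):
    """Constructed acceptance policy (not part of the IGD specification).

    Returns (accepted, reason). Refuses mappings that point at a host other
    than the requester, permanent (0) or over-long leases, non-TCP/UDP
    protocols and out-of-range ports."""
    if args.get("NewInternalClient") != requester_ip:
        return False, "internal client must be the requesting host"
    if args.get("NewProtocol") not in ("TCP", "UDP"):
        return False, "protocol must be TCP or UDP"
    try:
        external = int(args["NewExternalPort"])
        internal = int(args["NewInternalPort"])
        lease = int(args["NewLeaseDuration"])
    except (KeyError, ValueError):
        return False, "malformed numeric argument"
    if not (1 <= external <= 65535 and 1 <= internal <= 65535):
        return False, "port out of range"
    if lease <= 0 or lease > max_lease_seconds:
        return False, "lease must be finite and at most the configured maximum"
    return True, "ok"


if __name__ == "__main__":
    _, req = build_add_port_mapping(5060, "UDP", 5060, "192.168.0.2",
                                    "Messenger RTC (constructed)", 3600)
    parsed = parse_add_port_mapping(req)
    print(parsed)
    print(gateway_policy(parsed, "192.168.0.2"))
    print(gateway_policy(parsed, "192.168.0.3"))
```

The point of the policy function is the one the deck itself makes about manual configuration: the convenience of letting any LAN host open the gateway is also why a gateway should bind mappings to the requester and let them expire.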
Slide 7: Industry Adoption of UPnP NAT Support in Gateways
- Leading vendors announced support
  - Available 2H 2001
- PC with Windows XP
  - can be the Internet gateway device, OR
  - can work with another IG
- UPnP support to become market requirement for the IG category
Slide 8: Address Shortage Causes More NAT Deployment
Extrapolating the number of DNS-registered addresses shows total exhaustion in 2009. But in practice, the H-ratio, log10(addresses)/bits, reaches 0.26 in 2002.
Slide 9: In the medium term, we cannot program all NATs

Diagram: a PC behind a UPnP NAT in the home, behind a second NAT at the ISP, then the Internet; the ISP's NAT is marked "?".

By 2002, we will see ISPs using layers of NAT. In fact, we see it in Asia and Europe now. We need IPv6 before that!
Slide 10: We need IPv6, to change the Internet
- Addresses are the key
  - Scarcity: the user is a client
  - Plethora: the user is a peer
- IPv6 provides enough addressing
  - 64/64 format: 1.8E19 networks, 1.8E19 units per network
  - Assuming IPv4 efficiency: 1E16 networks, 1 million networks per human, 2 networks per sqft of Earth (20 per m2)
- This enables peer-to-peer!
Slide 11: Example: Multiparty Conference, using IPv6

Diagram: peers P1 and P2 on two home LANs, each behind a home gateway, and P3 on the Internet.

- With a NAT
  - Brittle workaround.
- With IPv6
  - Just use IPv6 addresses
Slide 12: How to cope with Firewalls?
- Issue
  - RTC requires peer-to-peer UDP for media, TCP for application sharing.
  - Firewalls block UDP and incoming TCP.
- Classic solutions don't work well
  - Proxies are costly to deploy, generate additional latency and network complexity.
  - Application Layer Gateways prohibit encryption of signalling, create dependencies, prevent evolution.
Slide 13: Preferred Solution: Firewall Control Protocol (FCP)

Diagram: an enterprise network behind a firewall, with the Internet outside. SIP signalling (port 5060) goes through a SIP proxy, which speaks the Firewall Control Protocol to the firewall so that the media flows can pass.

Work in progress: IETF MIDCOM, industry
Slide 14: Firewall traversal with IPv6
- Simpler configuration
  - Same view of addresses, inside and outside
- More robust
  - Same view of addresses by multiple firewalls
- Better security
  - Can use IP Security end to end
Slide 15: If IPv6 is so great, how come it is not there yet?
- Applications
  - Need upfront investment: stacks, etc.
  - Similar to Y2K: 32-bit vs. clean address type
- Network
  - Need to ramp up investment
  - No push-button transition

Diagram: networks ? applications
Slide 16: IPv6 deployment tool-box
- IPv6 stateless address autoconfiguration
  - Router announces a prefix, client configures an address
- 6to4: Automatic tunneling of IPv6 over IPv4
  - Derives IPv6 /48 network prefix from IPv4 global address
- Shipworm: Automatic tunneling of IPv6 over UDP/IPv4
  - Works through NAT, may be blocked by firewalls
- ISATAP: Automatic tunneling of IPv6 over IPv4
  - For use behind a firewall.
Slide 17: 6to4: tunnel IPv6 over IPv4

Diagram: 6to4 router A (IPv4 1.2.3.4, host 2002:102:304::b) and 6to4 router B (IPv4 5.6.7.8, host 2002:506:708::b) across the IPv4 Internet; relays, both at 192.88.99.1, connect them to native IPv6 host C (address shown as 3001234c, i.e. 3001:234::c with the colons lost in extraction).

- 6to4 routers derive the IPv6 prefix from the IPv4 address
- 6to4 relays advertise reachability of prefix 2002::/16
- Automatic tunneling from 6to4 routers or relays
- Single address (192.88.99.1) for all relays
Slide 18: ISATAP: IPv6 behind firewall
- ISATAP router provides IPv6 prefix
- Host complements prefix with IPv4 address
- Direct tunneling between ISATAP hosts
- Relay through ISATAP router to IPv6 local or global

Diagram: hosts A, B and C on a firewalled IPv4 network (IPv4 FW towards the IPv4 Internet); an ISATAP router links them to a local native IPv6 network and, through an IPv6 FW, to host D on the IPv6 Internet.
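Slides 16 to 18 describe two tunneling tools by the way they form addresses: 6to4 derives a /48 from the router's global IPv4 address and sends everything else to the relay anycast address, while an ISATAP host completes a router-advertised prefix with its own IPv4 address. The code below is an added example, not code from the deck or from any IPv6 stack, and reproduces the addresses drawn on slide 17 (1.2.3.4 and 5.6.7.8 giving 2002:102:304::b and 2002:506:708::b, relays at 192.88.99.1). The 6to4 rules follow RFC 3056 and RFC 3068; the ISATAP interface identifier (::0:5efe:w.x.y.z, with 0x0200 set when the IPv4 address is globally unique) follows RFC 5214, which postdates the deck. Subnet and host numbers are constructed.

```python
"""Address derivation for 6to4 and ISATAP, the two IPv4-carried tunnels of
slides 16-18.

Added example, not code from the deck. 6to4 prefix/relay rules per RFC 3056
and RFC 3068, ISATAP interface identifier per RFC 5214; subnet and host
numbers are constructed.
"""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

SIXTO4_PREFIX = IPv6Network("2002::/16")
SIXTO4_RELAY_ANYCAST = IPv4Address("192.88.99.1")   # single address for all relays


def sixto4_prefix(ipv4):
    """2002:VVVV:WWWW::/48 for a 6to4 router whose global IPv4 address is V.V.W.W."""
    v4 = int(IPv4Address(ipv4))
    return IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def sixto4_address(ipv4, subnet, iid):
    """A host on 16-bit `subnet` of that /48 with 64-bit interface id `iid`."""
    if not 0 <= subnet < 2**16 or not 0 <= iid < 2**64:
        raise ValueError("subnet must fit in 16 bits, iid in 64 bits")
    return IPv6Address(int(sixto4_prefix(ipv4).network_address) | (subnet << 64) | iid)


def sixto4_tunnel_endpoint(dst):
    """Outer IPv4 destination a 6to4 router encapsulates to: the IPv4 address
    embedded in a 2002::/16 destination, or the relay anycast for native IPv6."""
    dst = IPv6Address(dst)
    if dst in SIXTO4_PREFIX:
        return IPv4Address((int(dst) >> 80) & 0xFFFFFFFF)
    return SIXTO4_RELAY_ANYCAST


def isatap_address(prefix, ipv4, globally_unique):
    """Complete a router-advertised /64 with the ISATAP interface identifier
    0000:5EFE:w.x.y.z (0200:5EFE:w.x.y.z when the IPv4 address is globally
    unique, i.e. the u/g bit set)."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP prefix must be a /64")
    marker = 0x02005EFE if globally_unique else 0x00005EFE
    iid = (marker << 32) | int(IPv4Address(ipv4))
    return IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    # Slide 17: routers A and B, host b on subnet 0 of each, native host C.
    print(sixto4_prefix("1.2.3.4"))                       # 2002:102:304::/48
    print(sixto4_address("1.2.3.4", 0, 0xb))              # 2002:102:304::b
    print(sixto4_tunnel_endpoint("2002:506:708::b"))      # 5.6.7.8 (direct)
    print(sixto4_tunnel_endpoint("3001:234::c"))          # 192.88.99.1 (via relay)
    # Slide 18: ISATAP host behind the IPv4 firewall (constructed prefix/addresses).
    print(isatap_address("fe80::/64", "192.168.0.2", False))
    print(isatap_address("2002:102:304:1::/64", "1.2.3.4", True))
```

The two derivations make the security difference between the tools visible: a 6to4 address tells any correspondent the router's public IPv4 address, and the relay anycast address is shared by parties nobody selects, which is why the deck places ISATAP, not 6to4, behind a firewall, with the IPv4 firewall still deciding which tunnel traffic enters.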
Slide 19: Shipworm: IPv6 through NAT
- Shipworm: IPv6 / UDP
  - IPv6 address = prefix + IP address + UDP port
- Shipworm servers
  - Address discovery
  - Default route
  - Enable shortcut (A-B)
- Shipworm relays
  - Send IPv6 packets directly to nodes
- Works for all NAT

Diagram: nodes A and B, each behind its own NAT on the IPv4 Internet, a Shipworm server, and a Shipworm relay connecting to node C on the IPv6 Internet.
Slide 20: When can we get IPv6?
- Tech. Preview (W2K)
- Developers (Windows XP)
- Deployment
- Now!
Slide 21: More Information on IPv6
- Microsoft IPv6 web site
  - http://www.microsoft.com/ipv6/
- IETF standards
  - IPv6 specification
  - IPv6 transition tools
Slide 22: Call to Action
- Apply UPnP technology to NAT traversal
  - www.upnp.org
- Work on the Firewall Traversal Protocol
- Start porting applications to IPv6
  - Use the IPv6 stack in Windows XP
- Start deploying IPv6 now!