NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation


Transcript and Presenter's Notes



1
NAT, firewalls and IPv6
Christian Huitema
Architect, Windows Networking
Microsoft Corporation
2
What We Have Done So Far
  • Released Windows XP
  • Windows Messenger and rich APIs
  • Progressed embedded
  • End-to-end platform
  • Announced update
  • PC-to-phone provider choice new UI

3
NAT, Firewalls and IPv6
  • Issue
    • RTC requires peer-to-peer UDP for media, TCP for application sharing.
    • Firewalls and NAT block UDP, incoming TCP.
  • Adopting RTC in the home
    • Requires a NAT solution
  • Adopting RTC in the enterprise
    • Requires a firewall solution
  • IPv6 helps solve both problems!

4
What Is Network Address Translation (NAT)?
  • Multiplexes IPv4 address space behind NAT Internet gateway
  • Edits source address and ports in IP traffic
  • All network traffic leaving public side of the NAT appears to originate from one IP address

[Diagram: addresses 192.168.0.2, 192.168.0.3, 192.168.0.1 and 157.55.0.1]

Issue: breaks many services / apps

5
Overcoming NAT To-Date
  • User manual configuration
    • Most users not comfortable with this
    • Leads to customer dissatisfaction
    • Drives support calls and increased support cost
    • Inhibits trying new things
    • An issue for DSL and cable modem providers and retailers
  • IG vendor: Application layer gateways
    • One-off developments by device vendor
    • Doesn't scale well to many apps and updates

6
UPnP NAT Traversal: A Better Way
  • Program NAT device via Universal Plug and Play (UPnP)
  • Internet Gateway Device Working Committee defined schema for gateways
    • Includes method for automatically creating and removing port mappings

7
Industry Adoption of UPnP NAT Support in
Gateways
  • Leading vendors announced support
  • Available 2H 2001
  • PC with Windows XP
    • can be Internet gateway device OR
    • can work with other IG
  • UPnP support to become market requirement for IG category

8
Address Shortage Causes More NAT Deployment
Extrapolating the number of DNS registered
addresses shows total exhaustion in 2009. But in
practice, the H-ratio of log10(addresses)/bits
reaches 0.26 in 2002.
9
In the medium term, we cannot program all NATs
[Diagram labels: PC, UPnP, home NAT, ISP NAT, Internet, "?"]
By 2002, we will see ISPs using layers of NAT. In fact, we see it in Asia and Europe now. We need IPv6 before that!
10
We need IPv6, to change the Internet
  • Addresses are the key
    • Scarcity: the user is a client
    • Plethora: the user is a peer
  • IPv6 provides enough addressing
    • 64+64 format: 1.8E19 networks, units
    • assuming IPv4 efficiency: 1E16 networks, 1 million networks per human
    • 2 networks per sqft of Earth (20 per m2)
  • This enables peer-to-peer!

11
Example: Multiparty Conference, using IPv6
[Diagram labels: P1, P2, P3, two Home LANs, two Home Gateways, Internet]
  • With a NAT
    • Brittle workaround.
  • With IPv6
    • Just use IPv6 addresses

12
How to cope with Firewalls?
  • Issue
    • RTC requires peer-to-peer UDP for media, TCP for application sharing.
    • Firewalls block UDP, incoming TCP.
  • Classic solutions don't work well
    • Proxies are costly to deploy, generate additional latency and network complexity.
    • Application Layer Gateways prohibit encryption of signalling, create dependencies, prevent evolution.

13
Preferred Solution: Firewall Control Protocol (FCP)
[Diagram labels: Enterprise network, Firewall, Internet, Media, SIP (port 5060), SIP Proxy, Firewall Control Protocol]
Work in progress: IETF MIDCOM, industry
14
Firewall traversal: IPv6
  • Simpler configuration
    • Same view of addresses, inside and outside
  • More robust
    • Same view of addresses by multiple firewalls
  • Better security
    • Can use IP Security end to end

15
If IPv6 is so great, how come it is not there yet?
  • Applications
    • Need upfront investment, stacks, etc.
    • Similar to Y2K, 32 bit vs. clean address type
  • Network
    • Need to ramp-up investment
    • No push-button transition

[Diagram labels: networks, "?", applications]
16
IPv6 deployment tool-box
  • IPv6 stateless address autoconfiguration
    • Router announces a prefix, client configures an address
  • 6to4: Automatic tunneling of IPv6 over IPv4
    • Derives IPv6 /48 network prefix from IPv4 global address
  • Shipworm: Automatic tunneling of IPv6 over UDP/IPv4
    • Works through NAT, may be blocked by firewalls
  • ISATAP: Automatic tunneling of IPv6 over IPv4
    • For use behind a firewall.

17
6to4: tunnel IPv6 over IPv4
[Diagram: host A (2002102304b) behind router 6to4-A (1.2.3.4) and host B (2002506708b) behind router 6to4-B (5.6.7.8) on the IPv4 Internet; two relays (192.88.99.1) lead to native IPv6 host C (3001234c)]
  • 6to4 routers derive IPv6 prefix from IPv4 address
  • 6to4 relays advertise reachability of prefix 2002::/16
  • Automatic tunneling from 6to4 routers or relays
  • Single address (192.88.99.1) for all relays

18
ISATAP: IPv6 behind firewall
  • ISATAP router provides IPv6 prefix
  • Host complements prefix with IPv4 address
  • Direct tunneling between ISATAP hosts
  • Relay through ISATAP router to IPv6 local or global

[Diagram labels: hosts A, B, C, D; ISATAP; Firewalled IPv4 network; Local native IPv6 network; IPv4 FW; IPv6 FW; IPv4 Internet; IPv6 Internet]
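Added example (not from the original slides): the 6to4 and ISATAP address constructions described in the tool-box, 6to4 and ISATAP slides, written in Python, together with the inverse step a defender needs when reading IPv6 addresses in logs, recovering the IPv4 tunnel endpoint embedded in the address. The function names are hypothetical, the ISATAP interface-ID markers are taken from RFC 5214 rather than from the slides, and 2001:db8:0:1::/64 and 10.1.2.3 are constructed sample values.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
# Upper 32 bits of an ISATAP interface ID (RFC 5214, an assumption not on
# the slides): 0000:5efe, or 0200:5efe for a globally unique IPv4 address.
ISATAP_MARKERS = (0x00005EFE, 0x02005EFE)


def sixtofour_prefix(ipv4):
    """6to4: the /48 is 2002 (16 bits) followed by the 32-bit IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def isatap_address(prefix64, ipv4):
    """ISATAP: the host completes the router's /64 with 0:5efe:<IPv4>."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    iid = (ISATAP_MARKERS[0] << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_ipv4(ipv6):
    """Return (mechanism, IPv4 tunnel endpoint) for an IPv6 address."""
    addr = ipaddress.IPv6Address(ipv6)
    n = int(addr)
    if addr in SIX_TO_FOUR:
        # Bits 80..111 carry the 6to4 router's IPv4 address.
        return "6to4", ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    if ((n >> 32) & 0xFFFFFFFF) in ISATAP_MARKERS:
        # The low 32 bits carry the ISATAP host's IPv4 address.
        return "isatap", ipaddress.IPv4Address(n & 0xFFFFFFFF)
    return "native-or-other", None


if __name__ == "__main__":
    # Constructed sample addresses, as they might appear in a flow log.
    print(sixtofour_prefix("1.2.3.4"))
    print(isatap_address("2001:db8:0:1::/64", "10.1.2.3"))
    for seen in ("2002:506:708::b", "2001:db8:0:1:0:5efe:a01:203", "2001:db8::1"):
        print(seen, *embedded_ipv4(seen))
```

Because the tunnel endpoint is recoverable from the address alone, IPv4 filtering policy can be applied consistently to traffic that arrives over these automatic tunnels.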
19
Shipworm: IPv6 through NAT
  • Shipworm: IPv6 / UDP
    • IPv6 prefix, IP address, UDP port
  • Shipworm servers
    • Address discovery
    • Default route
    • Enable shortcut (A-B)
  • Shipworm relays
    • Send IPv6 packets directly to nodes
  • Works for all NAT

[Diagram labels: hosts A and B, each behind a NAT; Server; Relay; IPv4 Internet; IPv6 Internet; host C]
20
When can we get IPv6?
Tech. Preview (W2K)
Developers (Windows XP)
Deployment
Now!
21
More Information on IPv6
  • Microsoft IPv6 web site
    • http://www.microsoft.com/ipv6/
  • IETF standards
    • IPv6 specification,
    • IPv6 transition tools.

22
Call to Action
  • Apply UPnP technology to NAT traversal
  • www.upnp.org
  • Work on the Firewall Traversal Protocol
  • Start porting applications to IPv6
  • Use IPv6 stack in Windows XP
  • Start deploying IPv6 now!
