NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.

Presentation transcript:


What We Have Done So Far
Progressed embedded
 End-to-end platform
Announced update
 PC-to-phone provider choice & new UI
Released Windows XP
 Windows Messenger and rich APIs

NAT, Firewalls and IPv6
Issue
 RTC requires “peer-to-peer” UDP for “media”, TCP for application sharing.
 Firewalls and NAT block UDP and incoming TCP.
Adopting RTC in the home
 Requires a NAT solution
Adopting RTC in the enterprise
 Requires a firewall solution
IPv6 helps solve both problems!

What Is Network Address Translation (NAT)?
Multiplexes IPv4 address space behind NAT – Internet gateway
Edits source address & ports in IP traffic
 All network traffic leaving the public side of the NAT appears to originate from one IP address
Issue: breaks many services / apps

Overcoming NAT: To-Date
User: manual configuration
 Most users not comfortable with this
 Leads to customer dissatisfaction
 Drives support calls & increased support cost
 Inhibits trying new things
 An issue for DSL & cable modem providers and retailers
IG vendor: Application layer gateways
 One-off developments by device vendor
 Doesn’t scale well to many apps & updates

UPnP™ NAT Traversal: A Better Way
Program NAT device via Universal Plug and Play (UPnP™)
Internet Gateway Device Working Committee defined schema for gateways
 Includes method for automatically creating and removing port mappings
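The two slides above describe what a NAT does to a flow (rewrites source address and port, so everything appears to come from one public address) and what a UPnP port mapping changes (an inbound path exists before any outbound packet). The following Python model is an added example, not code from the deck or from Microsoft; it is a deliberately simplified port-multiplexing NAT (real NATs may also filter on the remote endpoint) and all addresses are constructed from the RFC 1918 and RFC 5737 ranges. It shows the reply to an outbound flow being forwarded, an unsolicited inbound UDP packet being dropped, and the same packet being delivered once a mapping equivalent to a UPnP IGD AddPortMapping exists.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A minimal IP/transport header: only the fields a NAT rewrites or matches on."""
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class SimpleNat:
    """Port-multiplexing NAT: every host behind it shares one public IPv4 address.

    Outbound traffic creates a mapping; inbound traffic is forwarded only if it
    hits a mapped public port. This is enough to show why unsolicited
    peer-to-peer UDP fails through a NAT.
    """
    public_ip: str
    next_port: int = 40000
    # (proto, private ip, private port) -> public port
    outbound: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    # (proto, public port) -> (private ip, private port)
    inbound: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source address/port; allocate a public port on first use."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[(pkt.proto, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination to the private host, or return None (packet dropped)."""
        target = self.inbound.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None
        private_ip, private_port = target
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, private_ip, private_port)

    def add_port_mapping(self, proto: str, public_port: int,
                         private_ip: str, private_port: int) -> None:
        """Static mapping: the effect of a UPnP IGD AddPortMapping request."""
        self.inbound[(proto, public_port)] = (private_ip, private_port)
        self.outbound[(proto, private_ip, private_port)] = public_port


def demo() -> dict:
    """Three cases: reply to an outbound flow, unsolicited inbound UDP (dropped),
    and inbound UDP after a port mapping has been created."""
    # Constructed addresses: 192.168.0.0/16 (private), 203.0.113.0/24 and
    # 198.51.100.0/24 (documentation ranges).
    nat = SimpleNat(public_ip="203.0.113.10")
    outbound = nat.translate_outbound(Packet("udp", "192.168.1.20", 5004, "198.51.100.7", 5004))
    reply = nat.translate_inbound(Packet("udp", "198.51.100.7", 5004, "203.0.113.10", outbound.src_port))
    unsolicited = nat.translate_inbound(Packet("udp", "198.51.100.9", 6000, "203.0.113.10", 5004))
    nat.add_port_mapping("udp", 5004, "192.168.1.20", 5004)
    after_mapping = nat.translate_inbound(Packet("udp", "198.51.100.9", 6000, "203.0.113.10", 5004))
    return {"outbound": outbound, "reply": reply,
            "unsolicited": unsolicited, "after_mapping": after_mapping}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:13s} {pkt if pkt else 'DROPPED (no mapping)'}")
```

The mapping table is the whole story: a media session that the peer initiates has no entry to match, so the NAT has nothing to rewrite the destination to. Manual configuration, an application layer gateway, or a UPnP request all amount to populating that table in advance.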

Industry Adoption of UPnP™ NAT Support in Gateways
Leading vendors announced support
 Available 2H 2001
PC with Windows XP
 can be Internet gateway device OR
 can work with other IG
UPnP™ support to become market requirement for IG category

Address Shortage Causes More NAT Deployment
Extrapolating the number of DNS registered addresses shows total exhaustion in But in practice, the “H-ratio” of log10(addresses)/bits reaches 0.26 in 2002.

In the medium term, we cannot program all NATs
By 2002, we will see ISPs using layers of NAT. In fact, we see it in Asia and Europe now…
We need IPv6 before that!
(Figure: PC – home NAT (UPnP?) – ISP NAT – Internet)

We need IPv6, to change the Internet
Addresses are the key
 Scarcity: the user is a “client”
 Plethora: the user is a “peer”
IPv6 provides enough addressing
 format: 1.8E+19 networks, units
 assuming IPv4 efficiency: 1E+16 networks, 1 million networks per human
 2 networks per sqft of Earth (20 per m²)
This enables peer-to-peer!

Example: Multiparty Conference, using IPv6
With a NAT:
 Brittle “workaround”.
With IPv6:
 Just use IPv6 addresses
(Figure: peers P1, P2, P3 on two home LANs behind home gateways, connected over the Internet)

How to cope with Firewalls?
Issue
 RTC requires “peer-to-peer” UDP for “media”, TCP for application sharing.
 Firewalls block UDP, incoming TCP.
Classic solutions don’t work well:
 Proxies are costly to deploy, generate additional latency and network complexity.
 Application Layer Gateways prohibit encryption of signalling, create dependencies, prevent evolution.

Preferred Solution: Firewall Control Protocol (FCP)
(Figure: SIP proxy on the enterprise network, Firewall Control Protocol to the firewall, SIP on port 5060, media, Internet)
Work in progress: IETF “MIDCOM”, industry

Firewall traversal & IPv6
Simpler configuration
 Same view of addresses, inside and outside
More robust
 Same view of addresses by multiple firewalls
Better security
 Can use IP Security “end to end”

If IPv6 is so great, how come it is not there yet?
Applications
 Need upfront investment, stacks, etc.
 Similar to Y2K, 32 bit vs. “clean address type”
Network
 Need to ramp-up investment
 No “push-button” transition
(Figure: networks / applications)

IPv6 deployment tool-box
IPv6 stateless address autoconfiguration
 Router announces a prefix, client configures an address
6to4: Automatic tunneling of IPv6 over IPv4
 Derives IPv6 /48 network prefix from IPv4 global address
Shipworm: Automatic tunneling of IPv6 over UDP/IPv4
 Works through NAT, may be blocked by firewalls
ISATAP: Automatic tunneling of IPv6 over IPv4
 For use behind a firewall.

6to4: tunnel IPv6 over IPv4
6to4 router derives IPv6 prefix from IPv4 address
6to4 relays advertise reachability of prefix 2002::/16
Automatic tunneling from 6to4 routers or relays
Single address ( ) for all relays
(Figure: 6to4-A and 6to4-B routers and a Relay on the IPv4 Internet, Relay to native IPv6; nodes A, B, C with addresses :2:3:4:c…, 2002:506:708::b…, 2002:102:304::b…)

ISATAP: IPv6 behind firewall
ISATAP router provides IPv6 prefix
Host complements prefix with IPv4 address
Direct tunneling between ISATAP hosts
Relay through ISATAP router to IPv6 local or global
(Figure: firewalled IPv4 network with hosts A and B and an IPv4 FW, ISATAP router, local “native” IPv6 network with IPv6 FW, host C on the IPv6 Internet, host D on the IPv4 Internet)

Shipworm: IPv6 through NAT
Shipworm: IPv6 / UDP
 IPv6 prefix: IP address & UDP port
Shipworm servers
 Address discovery
 Default “route”
 Enable “shortcut” (A-B)
Shipworm relays
 Send IPv6 packets directly to nodes
Works for all NATs
(Figure: hosts A and B each behind a NAT, Shipworm server on the IPv4 Internet, relay to node C on the IPv6 Internet)
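The three tunneling slides (6to4, ISATAP, Shipworm) share one idea: the IPv4 address, and for Shipworm also the NAT-mapped UDP port, is embedded in the IPv6 address, so a router or relay can pick the tunnel endpoint from the destination address alone. The Python below is an added example, not code from the deck or from Microsoft. It derives the 6to4 /48 (RFC 3056) and reads the tunnel endpoint back out, builds an ISATAP address (RFC 5214), and encodes and decodes the address layout that Shipworm was later standardized as Teredo (RFC 4380); the draft layout the slide refers to differs in detail, so treat the Teredo field positions as an assumption for this example. Every sample address is constructed from private or documentation ranges.

```python
import ipaddress
from typing import Dict, Optional

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")   # RFC 3056
TEREDO = ipaddress.IPv6Network("2001::/32")        # RFC 4380


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Derive the /48 a 6to4 router announces: 2002:VVVV:VVVV::/48, where
    VVVV:VVVV is the router's global IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    if not v4.is_global:
        # A private address (e.g. behind a NAT) would yield a prefix nobody can route back to.
        raise ValueError(f"6to4 needs a global IPv4 address, got {ipv4}")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def six_to_four_tunnel_endpoint(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """For a 6to4 destination the IPv4 tunnel endpoint is bits 16..47 of the
    address; for any other destination (None) the packet goes via a relay."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Complete an ISATAP /64 prefix with the host's IPv4 address (RFC 5214):
    interface id 0000:5EFE:w.x.y.z, with the 'u' bit set (0200:5EFE) when the
    embedded IPv4 address is global."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP expects a /64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    u_bit = 0x0200 if v4.is_global else 0x0000
    iid = (u_bit << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def teredo_encode(server_ipv4: str, client_ipv4: str, client_port: int,
                  cone: bool) -> ipaddress.IPv6Address:
    """Build an RFC 4380 Teredo address: 2001:0:<server>:<flags>:<~port>:<~client>.
    The mapped port and address are stored bit-inverted so that a NAT which
    rewrites its own address when it sees it inside a payload leaves them alone."""
    flags = 0x8000 if cone else 0x0000
    raw = ((0x20010000 << 96)
           | (int(ipaddress.IPv4Address(server_ipv4)) << 64)
           | (flags << 48)
           | ((client_port ^ 0xFFFF) << 32)
           | (int(ipaddress.IPv4Address(client_ipv4)) ^ 0xFFFFFFFF))
    return ipaddress.IPv6Address(raw)


def teredo_decode(ipv6: str) -> Optional[Dict[str, object]]:
    """Recover the server and the client's NAT mapping from a Teredo address;
    this is what a relay needs to send an IPv6 packet straight to the client."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in TEREDO:
        return None
    raw = int(v6)
    return {
        "server": ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF),
        "cone": bool((raw >> 48) & 0x8000),
        "mapped_port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,
        "mapped_ipv4": ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF),
    }


if __name__ == "__main__":
    # Constructed inputs (RFC 5737 / RFC 1918 ranges), not addresses from the deck.
    print(six_to_four_prefix("1.2.3.4"))                 # 2002:102:304::/48
    print(six_to_four_tunnel_endpoint("2002:506:708::b"))  # 5.6.7.8
    print(isatap_address("fe80::/64", "10.0.0.5"))       # fe80::5efe:a00:5
    t = teredo_encode("192.0.2.1", "203.0.113.5", 40000, cone=True)
    print(t, teredo_decode(str(t)))
```

The security-relevant point for a firewall administrator is visible in the decode functions: each of these addresses tells the network where the IPv4 tunnel terminates, and 6to4 and ISATAP traffic arrives as IP protocol 41 while Teredo arrives as UDP, so a perimeter that only inspects IPv4 headers sees tunnel endpoints, not the IPv6 hosts behind them.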

When can we get IPv6?
(Timeline: Tech. Preview (W2K) → Developers (Windows XP) → Deployment)

More Information on IPv6
Microsoft IPv6 web site:
IETF standards
 IPv6 specification,
 IPv6 transition tools.

Call to Action
Apply UPnP technology to NAT traversal
Work on the Firewall Traversal Protocol
Start porting applications to IPv6
 Use IPv6 stack in Windows XP
Start deploying IPv6 now!