NAT, firewalls and IPv6
Christian Huitema
Architect, Windows Networking
Microsoft Corporation
What We Have Done So Far
- Released Windows XP
  - Windows Messenger and rich APIs
  - End-to-end platform
- Progressed embedded
- Announced update
  - PC-to-phone provider choice & new UI
NAT, Firewalls and IPv6
Issue
- RTC requires “peer-to-peer” UDP for “media”, TCP for application sharing.
- Firewalls and NAT block UDP and incoming TCP.
- Adopting RTC in the home requires a NAT solution.
- Adopting RTC in the enterprise requires a firewall solution.
- IPv6 helps solve both problems!
What Is Network Address Translation (NAT)?
- Multiplexes IPv4 address space behind NAT – Internet gateway
- Edits source address & ports in IP traffic
- All network traffic leaving the public side of the NAT appears to originate from one IP address
[Diagram: hosts 192.168.0.2 and 192.168.0.3 behind a NAT gateway at 192.168.0.1, whose public address 157.55.0.1 faces the Internet]
- Issue: breaks many services / apps
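The slide says the NAT rewrites source addresses and ports and that this breaks many services. As an added example (not from the slides), here is a toy NAPT table that makes the failure mode concrete: two inside hosts share one public address, replies to their own flows come back, but an unsolicited inbound packet, which is what a peer-to-peer call is, has no mapping and is dropped; an explicit port mapping of the kind UPnP IGD programs restores reachability. The public address 157.55.0.1 and the 192.168.0.x hosts follow the slide's diagram; the remote peer, ports and the class itself are constructed.

```python
# Added example (not from the slides): a toy NAPT table showing why the NAT
# described above breaks peer-to-peer traffic and how an explicit port
# mapping of the kind UPnP IGD creates restores reachability.
# All addresses and ports are constructed sample values.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]      # (IP address, port)
Flow = Tuple[str, str, int]     # (protocol, IP address, port)


@dataclass
class Napt:
    """Network address and port translation with a dynamic mapping table."""
    public_ip: str
    next_public_port: int = 40000
    # outbound flow (proto, inside ip, inside port) -> public port
    out_map: Dict[Flow, int] = field(default_factory=dict)
    # (proto, public port) -> inside endpoint, used for replies and static mappings
    in_map: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)

    def translate_out(self, proto: str, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite the source of an outgoing packet to the public address,
        creating a mapping on first use so that replies can be delivered."""
        key = (proto, src[0], src[1])
        if key not in self.out_map:
            self.out_map[key] = self.next_public_port
            self.in_map[(proto, self.next_public_port)] = src
            self.next_public_port += 1
        return (self.public_ip, self.out_map[key]), dst

    def translate_in(self, proto: str, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Forward an incoming packet only if a mapping exists for its
        destination port; None means the NAT drops it."""
        inside = self.in_map.get((proto, dst[1]))
        if inside is None:
            return None
        return src, inside

    def add_port_mapping(self, proto: str, external_port: int,
                         internal_client: str, internal_port: int) -> bool:
        """Static mapping, modelled on the arguments of the UPnP IGD
        AddPortMapping action (NewProtocol, NewExternalPort,
        NewInternalClient, NewInternalPort). A port already mapped to a
        different inside host is not handed over."""
        existing = self.in_map.get((proto, external_port))
        if existing is not None and existing != (internal_client, internal_port):
            return False
        self.in_map[(proto, external_port)] = (internal_client, internal_port)
        self.out_map[(proto, internal_client, internal_port)] = external_port
        return True

    def delete_port_mapping(self, proto: str, external_port: int) -> bool:
        """Remove a static mapping (the IGD DeletePortMapping counterpart)."""
        inside = self.in_map.pop((proto, external_port), None)
        if inside is not None:
            self.out_map.pop((proto, inside[0], inside[1]), None)
        return inside is not None


def demo() -> dict:
    """Walk through the scenario from the slide with constructed values."""
    nat = Napt(public_ip="157.55.0.1")
    remote = ("203.0.113.7", 5004)   # constructed remote peer (TEST-NET-3 range)
    # Two inside hosts use the same local port; outside they share one IP
    # address but get distinct public ports.
    src_a, _ = nat.translate_out("udp", ("192.168.0.2", 5004), remote)
    src_b, _ = nat.translate_out("udp", ("192.168.0.3", 5004), remote)
    # A reply to an existing mapping is delivered to the inside host.
    reply = nat.translate_in("udp", remote, src_a)
    # An unsolicited call to the host's real port has no mapping: dropped.
    unsolicited = nat.translate_in("udp", remote, ("157.55.0.1", 5004))
    # An explicit mapping, as UPnP would program, makes the host reachable.
    mapped = nat.add_port_mapping("udp", 5004, "192.168.0.2", 5004)
    after = nat.translate_in("udp", remote, ("157.55.0.1", 5004))
    # A second host cannot take over the same external port.
    conflict = nat.add_port_mapping("udp", 5004, "192.168.0.3", 5004)
    return {"src_a": src_a, "src_b": src_b, "reply": reply,
            "unsolicited": unsolicited, "mapped": mapped,
            "after": after, "conflict": conflict}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to take from the run is the `unsolicited` result: nothing about the NAT is misconfigured, it simply has no state for a packet nobody inside asked for, which is why every "NAT solution" on the following slides is about creating that state (manually, by an ALG, or by UPnP).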
Overcoming NAT: To-Date
- User: manual configuration
  - Most users not comfortable with this
  - Leads to customer dissatisfaction
  - Drives support calls & increased support cost
  - Inhibits trying new things
  - An issue for DSL & cable modem providers and retailers
- IG vendor: Application layer gateways
  - One-off developments by device vendor
  - Doesn’t scale well to many apps & updates
UPnP™ NAT Traversal: A Better Way
- Program NAT device via Universal Plug and Play (UPnP™)
- Internet Gateway Device Working Committee defined schema for gateways
- Includes method for automatically creating and removing port mappings
Industry Adoption of UPnP™ NAT Support in Gateways
- Leading vendors announced support
- PC with Windows XP, available 2H 2001
  - can be Internet gateway device OR
  - can work with other IG
- UPnP™ support to become market requirement for IG category
Address Shortage Causes More NAT Deployment
[Chart: log-scale plot (1 to 10000) of DNS-registered addresses by half-year, 1996 through 2009, with extrapolation]
Extrapolating the number of DNS registered addresses shows total exhaustion in 2009. But in practice, the “H-ratio” of log10(addresses)/bits reaches 0.26 in 2002.
In the medium term, we cannot program all NATs
[Diagram: the PC programs the home NAT via UPnP, but a second NAT at the ISP, between the home NAT and the Internet, is out of its reach (marked “?”)]
By 2002, we will see ISPs using layers of NAT.
In fact, we see it in Asia and Europe now…
We need IPv6 before that!
We need IPv6, to change the Internet
- Addresses are the key
  - Scarcity: the user is a “client”
  - Plethora: the user is a “peer”
- IPv6 provides enough addressing
  - 64+64 format: 1.8E+19 networks, units
  - assuming IPv4 efficiency: 1E+16 networks, 1 million networks per human
  - 2 networks per sqft of Earth (20 per m2)
- This enables peer-to-peer!
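The two address figures on these slides come from the same formula: the “H-ratio” H = log10(addresses)/bits from the address shortage slide, and the 64+64 capacity numbers here. As an added example (not from the slides), the following carries the formula through in both directions, so a reader can see what an H-ratio of 0.26 means in usable IPv4 addresses and check the per-human and per-surface densities. The Earth surface area (5.1E+14 m2) and a population of 6E+9 are assumed round values; the 1E+16 network figure is the slide's own input.

```python
# Added example (not from the slides): the H-ratio, H = log10(addresses)/bits,
# worked through for IPv4 and IPv6, plus the density figures on this slide.
# EARTH_SURFACE_M2 and POPULATION are assumed round values, not from the slides.
import math

EARTH_SURFACE_M2 = 5.1e14   # assumption: round figure for the Earth's surface
SQFT_PER_M2 = 10.7639
POPULATION = 6e9            # assumption: round figure for 2001


def h_ratio(addresses: float, bits: int) -> float:
    """Huitema's H-ratio: the fraction of an address space that is usable
    in practice; 0.26 on the slide is where IPv4 already hurt in 2002."""
    return math.log10(addresses) / bits


def addresses_at(h: float, bits: int) -> float:
    """Invert the H-ratio: how many addresses a given H implies."""
    return 10 ** (h * bits)


def ipv6_network_count() -> float:
    """The 64-bit network part of the 64+64 format (the slide's 1.8E+19)."""
    return float(2 ** 64)


def networks_per_human(networks: float = 1e16) -> float:
    return networks / POPULATION


def networks_per_m2(networks: float = 1e16) -> float:
    return networks / EARTH_SURFACE_M2


def networks_per_sqft(networks: float = 1e16) -> float:
    return networks / (EARTH_SURFACE_M2 * SQFT_PER_M2)


if __name__ == "__main__":
    print("IPv4 addresses implied by H=0.26:", f"{addresses_at(0.26, 32):.2e}")
    print("IPv6 64-bit networks:", f"{ipv6_network_count():.2e}")
    print("IPv6 networks at H=0.26:", f"{addresses_at(0.26, 64):.2e}")
    print("networks per human (1E+16):", f"{networks_per_human():.2e}")
    print("networks per m2 / sqft (1E+16):",
          f"{networks_per_m2():.1f} / {networks_per_sqft():.1f}")
```

Inverting H = 0.26 over 32 bits gives roughly 2E+8 addresses, which is why the slide treats 2002 as the practical limit even though the linear extrapolation only reaches the 4E+9 ceiling in 2009.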
Example: Multiparty Conference, using IPv6
[Diagram: peers P1, P2 and P3, a Home LAN behind a Home Gateway, and the Internet]
- With a NAT: brittle “workaround”.
- With IPv6: just use IPv6 addresses.
How to cope with Firewalls?
Issue
- RTC requires “peer-to-peer” UDP for “media”, TCP for application sharing.
- Firewalls block UDP, incoming TCP.
- Classic solutions don’t work well:
  - Proxies are costly to deploy, generate additional latency and network complexity.
  - Application Layer Gateways prohibit encryption of signalling, create dependencies, prevent evolution.
Preferred Solution: Firewall Control Protocol (FCP)
[Diagram: enterprise network, firewall, Internet; a SIP proxy exchanges SIP (port 5060) with the outside and uses the Firewall Control Protocol towards the firewall, which the media path crosses]
Work in progress: IETF “MIDCOM”, industry
Firewall traversal & IPv6
- Simpler configuration
  - Same view of addresses, inside and outside
- More robust
  - Same view of addresses by multiple firewalls
- Better security
  - Can use IP Security “end to end”
If IPv6 is so great, how come it is not there yet?
[Diagram: networks and applications]
- Need upfront investment, stacks, etc.
- Similar to Y2K, 32 bit vs. “clean address type”
- Need to ramp-up investment
- No “push-button” transition
IPv6 deployment tool-box
- IPv6 stateless address autoconfiguration
  - Router announces a prefix, client configures an address
- 6to4: Automatic tunneling of IPv6 over IPv4
  - Derives IPv6 /48 network prefix from IPv4 global address
- Shipworm: Automatic tunneling of IPv6 over UDP/IPv4
  - Works through NAT, may be blocked by firewalls
- ISATAP: Automatic tunneling of IPv6 over IPv4
  - For use behind a firewall.
6to4: tunnel IPv6 over IPv4
[Diagram: 6to4 router A (IPv4 1.2.3.4, IPv6 2002:102:304::b…) and 6to4 router B (IPv4 5.6.7.8, IPv6 2002:506:708::b…) tunnel across the IPv4 Internet; native IPv6 host C (3001:2:3:4:c…) is reached through 6to4 relays, all at 192.88.99.1]
- 6to4 router derives IPv6 prefix from IPv4 address
- 6to4 relays advertise reachability of prefix 2002::/16
- Automatic tunneling from 6to4 routers or relays
- Single address (192.88.99.1) for all relays
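As an added example (not from the slides), the following shows the mechanics the slide describes: a 6to4 router derives its /48 from its IPv4 address, recovers the IPv4 tunnel endpoint from a 2002::/16 destination, and falls back to the relay anycast address 192.88.99.1 for native destinations (RFC 3056). It also includes the origin check a decapsulating router should apply so that a tunnelled packet cannot claim a 6to4 source that does not match the IPv4 packet it arrived in (the concern discussed in RFC 3964). The IPv4 addresses and the 3001: prefix are the slide's values; the host parts ::b and ::c are constructed.

```python
# Added example (not from the slides): 6to4 prefix derivation, next-hop
# selection and the receive-side origin check (RFC 3056 / RFC 3964).
# Addresses follow the slide's diagram; host parts ::b and ::c are constructed.
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")   # RFC 3068 anycast relay address


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:VVVV:VVVV::/48, where VVVV:VVVV is the 32-bit IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def embedded_ipv4(ipv6: str) -> ipaddress.IPv4Address:
    """The IPv4 address carried in bits 16..47 of a 6to4 address."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTO4:
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def tunnel_endpoint(dst_ipv6: str) -> ipaddress.IPv4Address:
    """Outer IPv4 destination for an encapsulated packet: the embedded
    address for 6to4 destinations, otherwise the nearest relay."""
    addr = ipaddress.IPv6Address(dst_ipv6)
    if addr in SIXTO4:
        return embedded_ipv4(dst_ipv6)
    return RELAY_ANYCAST


def accept_decapsulated(outer_src_ipv4: str, inner_src_ipv6: str) -> bool:
    """Origin check on receipt: a 6to4 inner source must embed the outer
    IPv4 source, otherwise the packet is spoofed or misrouted and is dropped.
    A native (non-6to4) inner source arrives via a relay and passes here;
    a stricter deployment would also restrict which relays it accepts."""
    inner = ipaddress.IPv6Address(inner_src_ipv6)
    outer = ipaddress.IPv4Address(outer_src_ipv4)
    if inner in SIXTO4:
        return embedded_ipv4(inner_src_ipv6) == outer
    return True


if __name__ == "__main__":
    print("A:", sixto4_prefix("1.2.3.4"), " B:", sixto4_prefix("5.6.7.8"))
    print("to B via", tunnel_endpoint("2002:506:708::b"))
    print("to C via", tunnel_endpoint("3001:2:3:4::c"))
    print("spoofed source accepted?", accept_decapsulated("9.9.9.9", "2002:506:708::b"))
```

The `accept_decapsulated` check is the part worth keeping in mind when reading the next slides: every automatic tunnel that encodes an IPv4 address in the IPv6 address gives the receiver a cheap consistency test between the inner and outer headers, and it should be used.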
ISATAP: IPv6 behind firewall
[Diagram: ISATAP hosts A, B and C on a firewalled IPv4 network, separated from the IPv4 Internet by an IPv4 FW; an ISATAP router connects them to a local “native” IPv6 network and, through an IPv6 FW, to the IPv6 Internet, where host D sits]
- ISATAP router provides IPv6 prefix
- Host complements prefix with IPv4 address
- Direct tunneling between ISATAP hosts
- Relay through ISATAP router to IPv6, local or global
Shipworm: IPv6 through NAT
[Diagram: hosts A and B, each behind its own NAT on the IPv4 Internet, reach Shipworm servers and a Shipworm relay; the relay connects to the IPv6 Internet, where host C sits; IPv6 is carried over UDP]
- Shipworm servers
  - Address discovery
  - Default “route”
  - Enable “shortcut” (A-B)
- Shipworm relays
  - Send IPv6 packets directly to nodes
- IPv6 prefix: IP address & UDP port
- Works for all NAT
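The ISATAP slide says the host “complements the prefix with its IPv4 address”, and the Shipworm slide says the IPv6 prefix carries an “IP address & UDP port”. As an added example (not from the slides) for both, the code below builds and parses those addresses. The ISATAP interface identifier is the one RFC 5214 standardized (00-00-5E-FE followed by the IPv4 address). Shipworm was later standardized as Teredo, and the address layout shown is Teredo's (RFC 4380: server IPv4, flags, then the NAT-mapped port and client IPv4 XORed with all ones); the Shipworm draft's own layout is not reproduced. The Teredo sample values are RFC 4380's example; the 2001:db8::/32 prefix and the 10.x addresses for ISATAP are constructed.

```python
# Added example (not from the slides): ISATAP (RFC 5214) and Teredo (RFC 4380)
# address construction and parsing, plus the receive-side check that the IPv4
# address embedded in an ISATAP source matches the outer IPv4 source.
# 2001:db8::/32 and the 10.x addresses are constructed sample values; the
# Teredo values are the example from RFC 4380.
import ipaddress
from typing import Tuple

TEREDO = ipaddress.IPv6Network("2001::/32")


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Interface ID = 00-00-5E | FE | IPv4 in Modified EUI-64 form; the
    u bit (0x0200 in the first 16 bits) is set only when the IPv4 address
    is globally unique."""
    net = ipaddress.IPv6Network(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    iid = (0x00005EFE << 32) | int(v4)
    if v4.is_global:
        iid |= 0x0200 << 48
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def isatap_source_ok(outer_src_ipv4: str, inner_src_ipv6: str) -> bool:
    """Receiver check: the IPv4 address embedded in an ISATAP source must
    equal the outer IPv4 source; otherwise the packet is dropped."""
    inner = int(ipaddress.IPv6Address(inner_src_ipv6))
    if (inner >> 32) & 0xFDFFFFFF != 0x00005EFE:     # mask ignores the u bit
        return False
    embedded = ipaddress.IPv4Address(inner & 0xFFFFFFFF)
    return embedded == ipaddress.IPv4Address(outer_src_ipv4)


def teredo_address(server_ipv4: str, flags: int, client_ipv4: str, udp_port: int) -> ipaddress.IPv6Address:
    """2001:0000 | server IPv4 | flags | port ^ 0xFFFF | client IPv4 ^ 0xFFFFFFFF.
    The XOR keeps the mapped address and port from looking like an address
    to NATs that rewrite addresses they find inside payloads."""
    server = int(ipaddress.IPv4Address(server_ipv4))
    client = int(ipaddress.IPv4Address(client_ipv4))
    value = ((0x20010000 << 96) | (server << 64) | ((flags & 0xFFFF) << 48)
             | ((udp_port ^ 0xFFFF) << 32) | (client ^ 0xFFFFFFFF))
    return ipaddress.IPv6Address(value)


def teredo_parse(addr: str) -> Tuple[str, int, str, int]:
    """Recover (server IPv4, flags, client IPv4, UDP port) from a Teredo address."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO:
        raise ValueError(f"{addr} is not a Teredo address")
    v = int(a)
    server = ipaddress.IPv4Address((v >> 64) & 0xFFFFFFFF)
    flags = (v >> 48) & 0xFFFF
    port = ((v >> 32) & 0xFFFF) ^ 0xFFFF
    client = ipaddress.IPv4Address((v & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return str(server), flags, str(client), port


if __name__ == "__main__":
    print("ISATAP:", isatap_address("2001:db8:1::/64", "10.1.2.3"))
    t = teredo_address("65.54.227.120", 0x8000, "192.0.2.45", 40000)
    print("Teredo:", t, teredo_parse(str(t)))
```

Because a Teredo address spells out the NAT's public address and mapped port, a relay can send to the node directly (the slide's “shortcut”), and because an ISATAP address spells out the host's IPv4 address, the receiver can apply the same inner/outer consistency check as with 6to4.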
When can we get IPv6?
- 2000: Tech. Preview (W2K)
- 2001: Developers (Windows XP)
- 2002: Deployment
More Information on IPv6
- Microsoft IPv6 web site: http://www.microsoft.com/ipv6/
- IETF standards
  - IPv6 specification,
  - IPv6 transition tools.
Call to Action
- Apply UPnP technology to NAT traversal
  - www.upnp.org
- Work on the Firewall Traversal Protocol
- Start porting applications to IPv6
  - Use IPv6 stack in Windows XP
- Start deploying IPv6 now!