Post on 22-Dec-2015
NAT, firewalls and IPv6
Christian Huitema, Architect, Windows Networking, Microsoft Corporation
What We Have Done So Far
  Progressed embedded end-to-end platform
  Announced update: PC-to-phone provider choice & new UI
  Released Windows XP: Windows Messenger and rich APIs
NAT, Firewalls and IPv6
  Issue: RTC requires “peer-to-peer” UDP for “media”, TCP for application sharing.
  Firewalls and NAT block UDP and incoming TCP.
  Adopting RTC in the home requires a NAT solution.
  Adopting RTC in the enterprise requires a firewall solution.
  IPv6 helps solve both problems!
What Is Network Address Translation (NAT)?
  Multiplexes IPv4 address space behind a NAT – Internet gateway
  Edits source address & ports in IP traffic
  All network traffic leaving the public side of the NAT appears to originate from one IP address
  [Diagram: hosts 192.168.0.2 and 192.168.0.3 behind gateway 192.168.0.1, whose public address 157.55.0.1 faces the Internet]
  Issue: breaks many services / apps
Overcoming NAT: To-Date
  User: manual configuration
    Most users not comfortable with this
    Leads to customer dissatisfaction
    Drives support calls & increased support cost
    Inhibits trying new things
    An issue for DSL & cable modem providers and retailers
  IG vendor: application layer gateways
    One-off developments by device vendor
    Doesn’t scale well to many apps & updates
UPnP™ NAT Traversal: A Better Way
  Program the NAT device via Universal Plug and Play (UPnP™)
  Internet Gateway Device Working Committee defined schema for gateways
    Includes method for automatically creating and removing port mappings
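The NAT slide above explains why unsolicited peer-to-peer traffic dies at the gateway, and the UPnP slide explains the fix: a mapping created ahead of time. The following is an added example (not code from the original talk or from any UPnP implementation) that simulates a port-address translator with the slide's own addresses; the `add_port_mapping` / `delete_port_mapping` methods are our own, named after the UPnP IGD actions they stand in for, and the peer address 203.0.113.9 is constructed.

```python
from dataclasses import dataclass, field

# Constructed example reusing the slide's NAT diagram: hosts 192.168.0.2 and
# 192.168.0.3 sit behind a gateway whose public side is 157.55.0.1.
PUBLIC_IP = "157.55.0.1"


@dataclass
class Napt:
    """Port-address translator: many private (ip, port) pairs share one public IP."""
    public_ip: str = PUBLIC_IP
    next_port: int = 1024
    # (proto, private ip, private port) -> public port, used for outbound rewriting
    outbound: dict = field(default_factory=dict)
    # (proto, public port) -> (private ip, private port), used for inbound rewriting
    inbound: dict = field(default_factory=dict)

    def translate_out(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound packet's source; a dynamic mapping is created on first use."""
        key = (proto, src_ip, src_port)
        if key not in self.outbound:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = pub_port
            self.inbound[(proto, pub_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, proto, dst_port):
        """Rewrite an inbound packet's destination; None means no mapping exists and the
        NAT drops the packet. This is what blocks unsolicited peer-to-peer UDP and TCP."""
        return self.inbound.get((proto, dst_port))

    def add_port_mapping(self, proto, external_port, internal_client, internal_port):
        """Static mapping of the kind a UPnP IGD AddPortMapping request asks the gateway
        to create (our own method, named after the IGD action), so that an incoming
        connection reaches the listening host."""
        if (proto, external_port) in self.inbound:
            raise ValueError(f"{proto}/{external_port} already mapped")
        self.inbound[(proto, external_port)] = (internal_client, internal_port)
        self.outbound[(proto, internal_client, internal_port)] = external_port

    def delete_port_mapping(self, proto, external_port):
        """Remove a static mapping again (the DeletePortMapping counterpart)."""
        target = self.inbound.pop((proto, external_port), None)
        if target:
            self.outbound.pop((proto,) + target, None)
        return target is not None
```

Because the IGD action can be issued by any host on the LAN, the gateway's mapping table, not the requesting application, is the record a defender reviews.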
Industry Adoption of UPnP™ NAT Support in Gateways
  Leading vendors announced support; available 2H 2001
  PC with Windows XP can be Internet gateway device OR can work with other IG
  UPnP™ support to become market requirement for IG category
Address Shortage Causes More NAT Deployment
  Extrapolating the number of DNS-registered addresses shows total exhaustion in 2009. But in practice, the “H-ratio” of log10(addresses)/bits reaches 0.26 in 2002.
  [Chart: DNS-registered addresses on a log scale (ticks 1 to 10000), plotted at half-year intervals from 1996 to 2009]
In the medium term, we cannot program all NATs
  [Diagram: a PC behind a home NAT that UPnP can program, with a further ISP-level NAT between the home and the Internet marked “?”]
  By 2002, we will see ISPs using layers of NAT.
  In fact, we see it in Asia and Europe now… We need IPv6 before that!
We need IPv6, to change the Internet
  Addresses are the key
    Scarcity: the user is a “client”
    Plethora: the user is a “peer”
  IPv6 provides enough addressing
    64+64 format: 1.8E+19 networks, units
    Assuming IPv4 efficiency: 1E+16 networks, 1 million networks per human, 2 networks per sqft of Earth (20 per m2)
  This enables peer-to-peer!
Example: Multiparty Conference, using IPv6
  With a NAT: brittle “workaround”.
  With IPv6: just use IPv6 addresses
  [Diagram: peers P1, P2 and P3 on home LANs behind home gateways, connected across the Internet]
How to cope with Firewalls?
  Issue: RTC requires “peer-to-peer” UDP for “media”, TCP for application sharing.
  Firewalls block UDP and incoming TCP.
  Classic solutions don’t work well:
    Proxies are costly to deploy, generate additional latency and network complexity.
    Application Layer Gateways prohibit encryption of signalling, create dependencies, prevent evolution.
Preferred Solution: Firewall Control Protocol (FCP)
  [Diagram: a SIP user on the enterprise network signals through a SIP proxy (port 5060); the proxy uses the Firewall Control Protocol to open the firewall for the media stream to the Internet]
  Work in progress: IETF “MIDCOM”, industry
Firewall traversal & IPv6
  Simpler configuration: same view of addresses, inside and outside
  More robust: same view of addresses by multiple firewalls
  Better security: can use IP Security “end to end”
If IPv6 is so great, how come it is not there yet?
  Applications: need upfront investment, stacks, etc.
    Similar to Y2K, 32 bit vs. “clean address type”
  Network: need to ramp-up investment
    No “push-button” transition
  [Diagram labelled “networks” and “applications”]
IPv6 deployment tool-box
  IPv6 stateless address autoconfiguration: router announces a prefix, client configures an address
  6to4: automatic tunneling of IPv6 over IPv4; derives IPv6 /48 network prefix from IPv4 global address
  Shipworm: automatic tunneling of IPv6 over UDP/IPv4; works through NAT, may be blocked by firewalls
  ISATAP: automatic tunneling of IPv6 over IPv4, for use behind a firewall.
6to4: tunnel IPv6 over IPv4
  6to4 router derives IPv6 prefix from IPv4 address
  6to4 relays advertise reachability of prefix 2002::/16
  Automatic tunneling from 6to4 routers or relays
  Single address (192.88.99.1) for all relays
  [Diagram: two 6to4 sites across the IPv4 Internet, one behind IPv4 address 1.2.3.4 with prefix 2002:102:304::/48 (host 2002:102:304::b…) and one behind 5.6.7.8 with prefix 2002:506:708::/48 (host 2002:506:708::b…); relays reachable at 192.88.99.1 connect them to host C on the native IPv6 Internet at 3001:2:3:4:c…]
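The 6to4 slide states the rules (prefix derived from the IPv4 address, 2002::/16 tunnelled directly, everything else via the relay anycast address) and the diagram shows one instance of each. The following added example (not code from the talk) carries those rules through in Python's standard `ipaddress` module and adds the ingress check from RFC 3964, which is not on the slide: a decapsulated packet whose inner IPv6 source is a 2002:: address must have arrived from the IPv4 address embedded in it.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")  # the one address all 6to4 relays answer on


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """A 6to4 router's site prefix: 2002: followed by the 32 bits of its global IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    if not v4.is_global:  # private or otherwise unroutable: no one could tunnel back to it
        raise ValueError(f"{v4} is not a global IPv4 address; 6to4 cannot embed it")
    hi, lo = int(v4) >> 16, int(v4) & 0xFFFF
    return ipaddress.IPv6Network(f"2002:{hi:x}:{lo:x}::/48")


def embedded_ipv4(ipv6: str):
    """Recover the IPv4 tunnel endpoint from a 2002::/16 address; None for native addresses."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIXTO4:
        return None
    # bits 127..112 are 0x2002, bits 111..80 hold the IPv4 address
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def tunnel_next_hop(dst_ipv6: str) -> ipaddress.IPv4Address:
    """Outer IPv4 destination a 6to4 router encapsulates towards: the peer site's own
    IPv4 address for 2002:: destinations, the relay anycast address for native IPv6."""
    return embedded_ipv4(dst_ipv6) or RELAY_ANYCAST


def decap_source_ok(outer_ipv4_src: str, inner_ipv6_src: str) -> bool:
    """RFC 3964 ingress check on decapsulation: an inner 2002:: source must match the
    outer IPv4 source, otherwise the packet is spoofed and is dropped. A native inner
    source arrived via a relay and cannot be checked this way, so it is accepted here."""
    embedded = embedded_ipv4(inner_ipv6_src)
    if embedded is None:
        return True
    return embedded == ipaddress.IPv4Address(outer_ipv4_src)
```

The slide's "2002:102:304::b…" is truncated, so the checks below use the constructed host suffix ::b and the constructed native address 3001:2:3:4::c.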
ISATAP: IPv6 behind firewall
  ISATAP router provides IPv6 prefix
  Host complements prefix with IPv4 address
  Direct tunneling between ISATAP hosts
  Relay through ISATAP router to IPv6 local or global
  [Diagram: ISATAP hosts A and B on a firewalled IPv4 network (behind an IPv4 FW) tunnel directly to each other; the ISATAP router relays them to the local “native” IPv6 network and, through an IPv6 FW, to hosts C and D on the IPv6 Internet; the IPv4 Internet lies outside the IPv4 FW]
Shipworm: IPv6 through NAT
  Shipworm: IPv6 / UDP; IPv6 prefix: IP address & UDP port
  Shipworm servers: address discovery, default “route”, enable “shortcut” (A-B)
  Shipworm relays: send IPv6 packets directly to nodes
  Works for all NAT
  [Diagram: nodes A and B each behind a NAT on the IPv4 Internet, a Shipworm server, and a relay connecting them to node C on the IPv6 Internet]
When can we get IPv6?
  2000: Tech. Preview (W2K)
  2001: Developers (Windows XP)
  2002: Deployment
More Information on IPv6
  Microsoft IPv6 web site: http://www.microsoft.com/ipv6/
  IETF standards: IPv6 specification, IPv6 transition tools.
Call to Action
  Apply UPnP technology to NAT traversal: www.upnp.org
  Work on the Firewall Traversal Protocol
  Start porting applications to IPv6; use the IPv6 stack in Windows XP
  Start deploying IPv6 now!