
Windows 7 May Finally Get IPv6 Deployed (283 comments)

Posted by kdawson
from the whatever-it-takes dept.
Esther Schindler writes "According to this article at IT Expert Voice, Windows 7 and IPv6: Useful at Last?, we've had so many predictions that this will be 'the year of IPv6' that most of us have stopped listening. But the network protocol may have new life breathed into it because IPv6 is a requirement for DirectAccess. DirectAccess, a feature in Windows 7, makes remote access a lot easier — and it doesn't require a VPN. (Lisa Vaas interviews security experts and network admins to find out what they think of that idea.) The two articles examine the advantages and disadvantages of DirectAccess, with particular attention to the possibility that Microsoft's sponsorship may give IPv6 the deployment push it has lacked."
  • by mbone (558574) on Tuesday December 22, 2009 @05:03PM (#30528916)

    I have to say that this is what struck my eye:

    In addition, DirectAccess can be integrated with Network Access Protection (NAP). NAP, which was introduced in its current version in Windows Server 2008, automatically checks that a remote PC has up-to-date software and the proper policy-set security settings.

    OK, it checks for software status, which I guess is cool, but what makes me suspect that there is a "Refuse to operate unless the licenses appear OK" aspect to this?

    By the way, this sets up an IPSEC VPN, so I am not sure why the OP says it doesn't require a VPN.

    • Re: (Score:2, Informative)

      by nielsm (1616577)
      This is a server-checks-client-security thing, not a Microsoft-checks-customer-setup thing. Refusing to work with known-broken software.
    • by mystik (38627)

      I read about this feature a few weeks ago.

      MS is touting "this is not a VPN" (even in their marketing for this feature) -- but the parent is right, it's just an IPsec VPN that's initialized early in the boot-up process.

      I guess it's handy; most VPN clients I've seen are clunky things that have to run after login.

  • .... right now they're a necessary evil. There's no reason why you couldn't eliminate VPNs altogether if you ran every service over SSL and verified the client certificate before granting access. Though of course that's of limited benefit unless you can configure every application that needs to be accessed remotely to do this, regardless of server or client OS (...or you don't need to care because you only run applications which can be configured like this).

    Knowing Microsoft, this is only useful if all y

    • by vlm (69642)

      There's no reason why you couldn't eliminate VPNs altogether if you ran every service over SSL and verified the client certificate before granting access.

      And add two-factor authentication (pretty much required for a SERIOUS VPN)

      • by jimicus (737525)

        Client and server verifying each other's certificates gives you the first factor (something you both have).

        Stick a password in front of your applications and there's your second.

    • by Sancho (17056)

      The key is that with VPN, you can set up those client certs and two-factor auth for a single server on your LAN--the VPN server--and all the rest can be used with lower security. Compare to configuring every host on your network in this way. Furthermore, a firewall helps guard against error. Did you accidentally set up a server incorrectly? Well, the firewall still prevents everyone from accessing it unless they're using VPN.

      VPN/Firewall is still a good portion of the layered security approach, and it wo

    • With your solution, you have to expose every device to the internet at large, and then filter. With VPN, you do not even know what is behind it. So they are not the same.
      • by jimicus (737525)

        This is just it - my solution is only really workable if you have a very narrow range of "things it is desirable to have available from outside the corporate network".

        In other words, fairly useless for most practical purposes. But hypothetically doable...

    • by gad_zuki! (70830)

      So instead of managing one or two certs/keys you're managing dozens, all running with the quirks of the implementation of the application -- and you lose two-factor authentication, centralized management, site-to-site, and about a few other features.

      Something tells me VPN is going to be here as long as tcp/ip is. At least for serious applications. Heck, Joe Blow can remotedesktop/ssh to his computer and get some level of encryption by default now. No need for ipv6 and direct connect.

      On top of it, if adding SS

  • We looked at deploying DirectAccess, but after months of talks and discussions with Microsoft, they finally came out and told us that it wouldn't work unless we rolled out IPV6 (and pushed other MS services (CA, DC) externally). We passed. We decided to stick with SSL VPN for most and Cisco AnyConnect client for our Win7 64 bit rollouts. Maybe next time, Microsoft?

  • by Chris Mattern (191822) on Tuesday December 22, 2009 @05:26PM (#30529310)

    Except that it doesn't work with the networking you have.

  • IPv4 Forever!!!! (Score:2, Interesting)

    by waterlogged (210759)

    BGP filters are hard enough in v4; can you imagine doing this crap?

    ipv6 prefix-list ipv6-ebgp-strict permit 2a00::/12 ge 19 le 32
    ipv6 prefix-list ipv6-ebgp-strict permit 2801:0000::/24 le 48
    ipv6 prefix-list ipv6-ebgp-strict permit 2c00::/12 ge 19 le 32
    ipv6 prefix-list ipv6-ebgp-strict deny 0::/0 le 128

    Forget it.
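As an added example (not from the post or any vendor), here is a small evaluator for the four prefix-list lines quoted above, written with the IOS matching rules as I understand them: a candidate route matches an entry when it falls inside the entry's prefix and its length lies in the `ge`/`le` window (exact length only when neither keyword is given), the first matching entry wins, and anything that matches nothing is denied.

```python
import ipaddress

# Constructed copy of the prefix-list lines quoted in the post above.
PREFIX_LIST = """
ipv6 prefix-list ipv6-ebgp-strict permit 2a00::/12 ge 19 le 32
ipv6 prefix-list ipv6-ebgp-strict permit 2801:0000::/24 le 48
ipv6 prefix-list ipv6-ebgp-strict permit 2c00::/12 ge 19 le 32
ipv6 prefix-list ipv6-ebgp-strict deny 0::/0 le 128
"""


def parse_prefix_list(text):
    """Parse 'ipv6 prefix-list NAME permit|deny PREFIX [ge N] [le M]' lines
    into (name, action, network, min_len, max_len) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["ipv6", "prefix-list"]:
            raise ValueError("not a prefix-list line: %r" % line)
        name, action = tok[2], tok[3]
        net = ipaddress.ip_network(tok[4], strict=False)
        ge = le = None
        rest = tok[5:]
        while rest:
            key, val, rest = rest[0], int(rest[1]), rest[2:]
            if key == "ge":
                ge = val
            elif key == "le":
                le = val
            else:
                raise ValueError("unknown keyword %r in %r" % (key, line))
        # No ge/le: only that exact prefix length matches.
        # ge alone: lengths ge..128; le alone: base..le; both: ge..le.
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else (128 if ge is not None else net.prefixlen)
        if not (net.prefixlen <= lo <= hi <= 128):
            raise ValueError("bad length window in %r" % line)
        entries.append((name, action, net, lo, hi))
    return entries


def evaluate(entries, candidate):
    """Return 'permit' or 'deny' for a candidate route. First match wins;
    a route matching no entry hits the implicit deny at the end of the list."""
    cand = ipaddress.ip_network(candidate, strict=False)
    for _name, action, net, lo, hi in entries:
        if cand.subnet_of(net) and lo <= cand.prefixlen <= hi:
            return action
    return "deny"
```

Run `evaluate(parse_prefix_list(PREFIX_LIST), "2a00::/16")` and the /16 is refused because the `ge 19` floor excludes it, which is exactly the kind of detail that makes these filters hard to read by eye.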

    • Hate to break this to you, but the necessity of IPv6 is based on somewhat larger issues than that...

  • IPv6 is only required for the VPN side. The Internet connection on both sides may still be IPv4 however. Read TFA for more details. I have a feeling Time Warner will be in no rush to upgrade my neighborhood to IPv6 no matter how many companies start using DirectAccess.
    • This. In particular, it's worth remembering IP-HTTPS, which tunnels an IPv6 connection over a single exposed port, which pretends to be handling HTTP CONNECT, on the DirectAccess server that is the gateway between the Internet and the intranet in question. So, while the client has to be IPv6-aware, and so does the intranet, all the networking infrastructure between them has no such requirement.

  • by A beautiful mind (821714) on Tuesday December 22, 2009 @05:32PM (#30529380)
    ...that I barely know where to begin.

    IPv6 has been "the next generation of TCP/IP protocols" for so long that you can be forgiven for thinking that it will never be useful.

    IPv6 is very useful the same way electricity in a socket is useful. The two things both provide basic infrastructure for running more sexy, feature-laden things that consumers actually want.

    Both the Internet and the vast majority of American and European business users elected to stay with the legacy IPv4 network.

    Users didn't opt for opting out of IPv6. Large telcos didn't spend enough money soon enough to get the upgrade rolling in a tragedy of the commons kind of situation.

    To get around the much-predicted Internet IPv4 address famine, people turned to network address translation (NAT) and Dynamic Host Configuration Protocol (DHCP). With this combination, thousands of corporate PCs can have their own internal IPv4 addresses while using up only a single IP address, as far as the Internet is concerned.

    Apart from leaving CIDR out of the picture, the second sentence is simply not true. The upper limit of usability is around 30-50 computers / public ip these days, if those computers are using the internet. NAT breaks so many things...

    By the time Windows XP and Windows 2003 rolled out, IPv6 was built into the operating systems.

    This sentence might give you the impression that you can run IPv6 with Windows XP. That's not the case; it lacks DNS resolution over IPv6 and DHCPv6, so while it supports some things, the IPv6 support is far from complete.

    Windows 7, when used with Server 2008 R2, may finally give enterprise network administrators a reason to deploy IPv6.

    No, when the technical people at large telcos are given the money and mandate to deploy IPv6, that's when it'll happen. When the head honchos who held back the upgrade for financial reasons and the lack of government regulation, in a classic example of the tragedy of the commons, realise that IPv4 blocks will be gone by fall 2011 from the IANA pool and a year later from the regional registries [potaroo.net], they'll panic and start throwing money, excuses and horrible stopgap solutions at the problem, which could have been avoided, to head for this bloody showdown we're going to see in the next couple of years as everyone will (a) try to grab as many addresses as possible to keep telco projects in the pipeline from sinking and (b) frantically scramble to upgrade.

    • by lymond01 (314120)

      IPv6 is very useful the same way electricity in a socket is useful. The two things both provide basic infrastructure for running more sexy, feature-laden things that consumers actually want.

      Yep, like electric whip cream.

      Wait, what?

    • Both the Internet and the vast majority of American and European business users elected to stay with the legacy IPv4 network.

      Users didn't opt for opting out of IPv6. Large telcos didn't spend enough money soon enough to get the upgrade rolling in a tragedy of the commons kind of situation.

      Right. Most users don't know what IPv6 is and are simply using whatever they've been set up to use. In the case of home users, users have been set up to use whatever their ISP has told them to use. In the case of both businesses and individuals, it's hard to say anyone opted for anything since IPv6 usually isn't even a real option. ISPs aren't supporting it. It's possible to do some kind of tunneling to use IPv6, but since it's basically not in use, there isn't a lot of payoff.

      To get around the much-predicted Internet IPv4 address famine, people turned to network address translation (NAT) and Dynamic Host Configuration Protocol (DHCP). With this combination, thousands of corporate PCs can have their own internal IPv4 addresses while using up only a single IP address, as far as the Internet is concerned.

      Apart from leaving CIDR out of the picture, the second sentence is simply not true. The upper limit of usability is around 30-50 computers / public ip these days, if those computers are using the internet. NAT breaks so many things...

      Well NAT can accomplish a

      • by whoever57 (658626)

        why can't I get a static IP for my home internet connection? In order to get a static IP, I have to upgrade to a "business" account which costs $200/month more and doesn't really offer any improvements other than a static IP. Yup. $200/month for a static IP.

        Just because your ISP wants $200 for a business connection does not mean that static IP addresses actually cost $200. For example, Linode charges somewhat less

      • Re: (Score:3, Interesting)

        by tlhIngan (30335)

        What really bothers me is that there *is* an IPv4 address famine. It's just that the IPv4 addresses are being rationed well enough that we haven't yet reached the point of outright crisis. If you really think that IPv4 addresses are plentiful, then riddle me this: why can't I get a static IP for my home internet connection? In order to get a static IP, I have to upgrade to a "business" account which costs $200/month more and doesn't really offer any improvements other than a static IP. Yup. $200/month for a

  • by BobMcD (601576) on Tuesday December 22, 2009 @05:39PM (#30529482)

    From a security point of view, I'm probably going to blackhole all IPv6 into a honeypot now. Think about what this technology does. It allows unsolicited connectivity into your network without audit. And I quote:

    Admin Tom Perrine, chiming in on the LOPSA forum when asked to contribute thoughts for this article, had four major DirectAccess concerns: As an Enterprise customer, he needs to be able to at least:

    . set specific policies (no split tunneling)
    . force specific VPN technology including encryption algorithms (IPSEC, AES, etc.)
    . ensure proper key and credential management, including two-factor or challenge/response
    . audit activities while user is connected to the VPN.

    The article goes on to discuss the first one. Nothing whatsoever on the other three. Not to mention that if the machine fails to get the updated GPO it fails OPEN. Everything here I see says it 'just works' and there is almost no talk of admin control. I'm having trouble coming up with a good enough string of expletives to cover my emotions. Wow. Just wow.

    What exactly is the security mechanism, then? Username/Password? I see comparisons in TFA being drawn to web portals. Well I don't know about your shop, but around here we have planned for the web portal to be compromised at some point, and have limited the data available. We have NOT made that assumption for the heart of our network, and I'm unsure how long I'd keep my job if I made that case.

    As stated in TFA it sounds much easier to just shut the protocol off until there's a pressing and urgent business need to enable it again.

    • by Spad (470073)

      DirectAccess is actually much more VPNy than Microsoft like to claim, it's just more transparent to the user. Authentication can be simply an AD username/password if you want or two-factor authentication like any other VPN and it's not like users can just connect into your network without any control on your part (unless you're an incompetent admin, ditto on the auditing). I'm not sure about the split tunnelling aspect; I would be very surprised if you *can't* disable it when authenticated, but I haven't du

      • by Spad (470073)

        To answer my own questions:

        Although split-tunnel routing is the default configuration for DirectAccess, IT professionals can disable the feature to send all traffic through the enterprise network.

        DirectAccess uses IPsec to provide authentication and encryption for communications across the Internet. You can use any IPsec encryption method, including DES, which uses a 56-bit key, and 3DES, which uses three 56-bit keys...IPsec is also utilized to provide encryption for communications across the Internet with encryption algorithms such as AES

    • by Daltorak (122403)

      From a security point of view, I'm probably going to blackhole all IPv6 into a honeypot now. Think about what this technology does. It allows unsolicited connectivity into your network without audit

      Oh come on. You're a professional (right?), you should know better than to say this kind of crap. You know what your problem is? You think NAT is a security mechanism -- it's not. Just because we have spent the last ten-plus years having the firewall also perform network address translation doesn't mean the two roles have anything to do with each other -- they don't. NAT is a workaround for the problem of limited IP address spaces; it says so right in the freakin' abstract of the original NAT RFC (1631

      • by BobMcD (601576)

        You know what your problem is? You think NAT is a security mechanism -- it's not.

        In fact that's not my problem. My problem, from your point of view, is that I'm not an elitist. That would be the best definition of your pejorative of my point of view.

        I'm not specifically advocating NAT as a security mechanism. The actual use for NAT (working around limited space) doesn't actually present itself to the argument. Imagine instead a firewall that did one-to-one address mapping if it makes you feel better. It doesn't really matter. In the end the current setup means I use network addres

        • by EndlessNameless (673105) on Tuesday December 22, 2009 @07:20PM (#30530746)

          //My problem, from your point of view, is that I'm not an elitist.//

          Your problem, from my point of view, is that you're not competent. //In the end the current setup means I use network addresses that DO NOT ROUTE to the outside world.//

          It's called a firewall. Or a router with a proper ACL. You can google this stuff. NAT doesn't prevent routing to the outside world; it merely prevents the outside world from seeing your internal network structure. A properly-configured router or firewall will do that and more. //If you want into my network, I have to map it. If I didn't map it, you're not getting in, all things held equal.//

          Every firewall I've ever seen has a default-deny setting which can be enabled for ingress/egress independently for every IP address, by individual IPs, or by ranges. Your argument boils down to the fact that NAT must drop inbound packets without either an existing connection or a mapping by default. You're proposing security by virtue of laziness---and neglecting other security features, to boot. //So tell me again, without being so strict with your terms, why forfeiting the level of control I presently have is a good thing//

          You're using NAT as a method of access control, which is not what it was designed for. In addition, it does so very poorly and leaves a number of gaps in your security that a real access control device would cover.

          In short, the control NAT gives you is illusory and meaningless. You have a far greater degree of control with a real firewall---regardless of whether it uses NAT. Get a real security implementation going and quit QQing about this new-fangled intarweb.
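The default-deny, per-host and per-range policy the post above describes, modelled as an added example (my code, not anything from the thread; the addresses, ports and rules are constructed). Internal addresses are used unchanged on both sides of the device, so every bit of isolation shown here comes from the ACL and the flow table, none of it from address translation.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed policy in the shape the post describes: default-deny in both
# directions, explicit allows per host or per range. First matching rule wins.
# Rule = (direction, src_net, dst_net, dst_port or None for any, action)
ACL = [
    ("ingress", "0.0.0.0/0",   "10.0.1.25/32", 443,  "allow"),  # one published HTTPS host
    ("egress",  "10.0.9.0/24", "0.0.0.0/0",    None, "deny"),   # lab range: no outbound at all
    ("egress",  "10.0.0.0/8",  "0.0.0.0/0",    None, "allow"),  # everyone else may go out
]


class StatefulFirewall:
    """Default-deny ACL filter with a minimal flow table for return traffic.
    Internal addresses are used unchanged on both sides: no NAT anywhere."""

    def __init__(self, acl):
        self.acl = [(d, ipaddress.ip_network(s), ipaddress.ip_network(t), p, a)
                    for d, s, t, p, a in acl]
        self.flows = set()  # (internal_ip, internal_port, remote_ip, remote_port)

    def handle(self, src, sport, dst, dport):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        direction = "egress" if src_ip in INTERNAL else "ingress"
        # Reply to a flow an inside host opened: let it back in (connection tracking).
        if direction == "ingress" and (dst_ip, dport, src_ip, sport) in self.flows:
            return "allow"
        verdict = "deny"  # default-deny applies to ingress and egress independently
        for d, s, t, p, action in self.acl:
            if d == direction and src_ip in s and dst_ip in t and p in (None, dport):
                verdict = action
                break
        if verdict == "allow" and direction == "egress":
            self.flows.add((src_ip, sport, dst_ip, dport))
        return verdict


def run_scenarios():
    """Feed constructed packets through the policy in order; returns (label, verdict) pairs."""
    fw = StatefulFirewall(ACL)
    packets = [
        ("unsolicited inbound to published host", "198.51.100.7", 40000, "10.0.1.25", 443),
        ("unsolicited inbound to ssh on same host", "198.51.100.7", 40001, "10.0.1.25", 22),
        ("workstation opens outbound http", "10.0.3.4", 50000, "203.0.113.10", 80),
        ("reply to that workstation", "203.0.113.10", 80, "10.0.3.4", 50000),
        ("lab host tries outbound http", "10.0.9.77", 50001, "203.0.113.10", 80),
        ("inbound packet posing as a reply to lab host", "203.0.113.10", 80, "10.0.9.77", 50001),
    ]
    return [(label, fw.handle(s, sp, d, dp)) for label, s, sp, d, dp in packets]
```

The last two scenarios are the ones an "inbound only if mapped or established" gateway cannot express: the lab range is cut off outbound by an explicit rule, and because it never opened a flow, nothing gets back in either.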

          • by raddan (519638) *

            In short, the control NAT gives you is illusory and meaningless.

            Then it is as illusory and meaningless as paging [wikipedia.org]. After all, you can accomplish the same thing with segmented memory. But as time has shown, the properties inherent in paging make using a computer (for a programmer) much easier. You don't have to worry about bounds-checking; the bounds are built-in by virtue of addresses not being meaningful outside of a particular process, and your addressing model is simple.

            NAT gives you the same thing: addresses that are non-routable outside of your network. Using

          • by tftp (111690)

            You have a far greater degree of control with a real firewall---regardless of whether it uses NAT

            He does have a real firewall, regardless of whether it feeds a NAT. I don't even know if there is a NAT product on the market that doesn't come with a firewall.

            He has no reason to drop the NAT, unless some of his needs (like a poorly done VoIP or videoconferencing) require that.

            It is true that a NAT is not a security device. But we still have safeties on our guns, even though they are "mechanical devices

        • by growse (928427)

          You could, you know, use a firewall?

          If not-letting-people-route-to-your-ip is your security mechanism, you've got the wrong tool for that particular job.

        • If you're any kind of network administrator, you can figure out how to control access to your network. IPv4 was designed to connect, not separate, hosts, and you managed to make it do what you wanted.

          If you want people to connect to services in your network, don't deploy this service behind your firewall. And if you can't stop others from deploying it, well, then there were already a lot of things you couldn't stop anyway; this isn't the first one.

  • Will ISPs give more than one IPv6 IP? Or will they make you pay? Comcast may want $5 per PC.

    Also, how many DSL and cable modems even can do IPv6? How many rented ones? Routers? Cable phone and HSI modems (that are forced rented?)

  • Either that... (Score:4, Insightful)

    by roc97007 (608802) on Tuesday December 22, 2009 @06:07PM (#30529848) Journal

    ...or DirectAccess will be a dead feature because it requires a protocol that few want to support.

  • -- three Microsoft-related stories out of four.

    I hereby dub Slashdot "Microdot!"

    Oh, wait....

  • IPv6, with its 128-bit addresses and the resulting astronautical address range seemed the perfect answer.
