
Windows 7 May Finally Get IPv6 Deployed

Esther Schindler writes "According to this article at IT Expert Voice, Windows 7 and IPv6: Useful at Last?, we've had so many predictions that this will be 'the year of IPv6' that most of us have stopped listening. But the network protocol may have new life breathed into it because IPv6 is a requirement for DirectAccess. DirectAccess, a feature in Windows 7, makes remote access a lot easier — and it doesn't require a VPN. (Lisa Vaas interviews security experts and network admins to find out what they think of that idea.) The two articles examine the advantages and disadvantages of DirectAccess, with particular attention to the possibility that Microsoft's sponsorship may give IPv6 the deployment push it has lacked."
  • Re:Why? (Score:5, Informative)

    by Anonymous Coward on Tuesday December 22, 2009 @05:02PM (#30528900)

    You don't need NAT to run a firewall that has the same security functionality as NAT.

  • by Bubba ( 11258 ) on Tuesday December 22, 2009 @05:13PM (#30529114) Homepage

    We looked at deploying DirectAccess, but after months of talks and discussions with Microsoft, they finally came out and told us that it wouldn't work unless we rolled out IPv6 (and pushed other MS services (CA, DC) externally). We passed. We decided to stick with SSL VPN for most and Cisco AnyConnect client for our Win7 64 bit rollouts. Maybe next time, Microsoft?

  • Re:Why? (Score:5, Informative)

    by 0racle ( 667029 ) on Tuesday December 22, 2009 @05:19PM (#30529200)
    IP6 (and DirectAccess) in no way require you to remove a firewall between you and the rest of the universe. NAT, however, can go away.
  • by Anonymous Coward on Tuesday December 22, 2009 @05:20PM (#30529218)

    I'm not a big fan of djb but he hit this nail right on the head.

    http://cr.yp.to/djbdns/ipv6mess.html

  • by Chris Mattern ( 191822 ) on Tuesday December 22, 2009 @05:23PM (#30529266)

    Off-offtopic, but I'd much rather you typed in example.com. Don't refer to what might be a real URL as an example when you've got a name reserved by RFP for that purpose.

  • by A beautiful mind ( 821714 ) on Tuesday December 22, 2009 @05:32PM (#30529380)
    ...that I barely know where to begin.

    IPv6 has been "the next generation of TCP/IP protocols" for so long that you can be forgiven for thinking that it will never be useful.

    IPv6 is very useful the same way electricity in a socket is useful. The two things both provide basic infrastructure for running more sexy, feature-laden things that consumers actually want.

    Both the Internet and the vast majority of American and European business users elected to stay with the legacy IPv4 network.

    Users didn't opt for opting out of IPv6. Large telcos didn't spend enough money soon enough to get the upgrade rolling in a tragedy of the commons kind of situation.

    To get around the much-predicted Internet IPv4 address famine, people turned to network address translation (NAT) and Dynamic Host Configuration Protocol (DHCP). With this combination, thousands of corporate PCs can have their own internal IPv4 addresses while using up only a single IP address, as far as the Internet is concerned.

    Apart from leaving CIDR out of the picture, the second sentence is simply not true. The upper limit of usability is around 30-50 computers / public ip these days, if those computers are using the internet. NAT breaks so many things...

    By the time Windows XP and Windows 2003 rolled out, IPv6 was built into the operating systems.

    This sentence might give you the impression that you can run IPv6 with Windows XP. That's not the case, it misses DNS resolution through IPv6 and DHCPv6, so while it supports some things, the IPv6 support is far from complete.

    Windows 7, when used with Server 2008 R2, may finally give enterprise network administrators a reason to deploy IPv6.

    No, when the technical people at large telcos are given the money and mandate to deploy IPv6 that's when it'll happen. When the head honchos who held back the upgrade for financial reasons and the lack of government regulation in a classic example of the tragedy of the commons realise that IPv4 blocks will be gone by 2011 fall from the IANA pool and a year later from the regional registries [potaroo.net], they'll panic and start throwing money, excuses and horrible stopgap solutions at the problem, which could have been avoided to head for this bloody showdown we're going to see in the next couple of years as everyone will a. try to grab as many addresses as possible to keep telco projects in the pipeline from sinking b. frantically scramble to upgrade.

  • by nielsm ( 1616577 ) on Tuesday December 22, 2009 @05:37PM (#30529446) Homepage
    This is a server-checks-client-security thing, not a Microsoft-checks-customer-setup thing. Refusing to work with known-broken software.
  • by Monkeedude1212 ( 1560403 ) on Tuesday December 22, 2009 @05:47PM (#30529574) Journal

    In some games you even have to manually type in the address if you want to connect to your friend's server.

    Either you're playing some older games, which came out when TCP/IP was just starting to boom and didn't have any DNS functionality built in - or your friends aren't hosting their server on the web, and thus DNS wouldn't resolve it - or your friends aren't port forwarding properly for that game's specific host-finding service to pick it up.

    In any case - if you are willing to go through the trouble of communicating an IPv4 address to join a game, making it an IPv6 address will either be the smallest most minuscule inconvenience that you'll forget after it's deployed
    OR
    You'll learn to set up servers and DNS in such a way that they will work without you needing to memorize and jot down IP addresses.

    Either way, it's moving forward.

  • by metamatic ( 202216 ) on Tuesday December 22, 2009 @06:59PM (#30530522) Homepage Journal

    Websites with external consumers cannot stop using IPv4 until all potential consumers use IPv6. So until everyone uses IPv6, every host must continue to run IPv4 or both.

    You make it sound like that's a difficult problem, rather than a matter of putting a few extra lines in a config file for the transition period.

    Does this mean you cannot run IPv6 at home? No, it just means you must also run IPv4 to get to websites that haven't bothered to support both.

    No, you're wrong there. While an IPv4 connection cannot reach IPv6 hosts, an IPv6 connection can reach any IPv4 host using tunneling. You talk pure IPv6 to your IPv6 ISP, and if there's a need to fall back to IPv4, they route the traffic via a tunnel broker.

    Using similar technology, you can get IPv6 even if your ISP only supports IPv4. That's how I'm doing it.

  • by EndlessNameless ( 673105 ) on Tuesday December 22, 2009 @07:20PM (#30530746)

    //My problem, from your point of view, is that I'm not an elitist.//

    Your problem, from my point of view, is that you're not competent.

    //In the end the current setup means I use network addresses that DO NOT ROUTE to the outside world.//

    It's called a firewall. Or a router with a proper ACL. You can google this stuff. NAT doesn't prevent routing to the outside world; it merely prevents the outside world from seeing your internal network structure. A properly-configured router or firewall will do that and more.

    //If you want into my network, I have to map it. If I didn't map it, you're not getting in, all things held equal.//

    Every firewall I've ever seen has a default-deny setting which can be enabled for ingress/egress independently for every IP address, by individual IPs, or by ranges. Your argument boils down to the fact that NAT must drop inbound packets without either an existing connection or a mapping by default. You're proposing security by virtue of laziness---and neglecting other security features, to boot.

    //So tell me again, without being so strict with your terms, why forfeiting the level of control I presently have is a good thing//

    You're using NAT as a method of access control, which is not what it was designed for. In addition, it does so very poorly and leaves a number of gaps in your security that a real access control device would cover.

    In short, the control NAT gives you is illusory and meaningless. You have a far greater degree of control with a real firewall---regardless of whether it uses NAT. Get a real security implementation going and quit QQing about this new-fangled intarweb.
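
The default-deny behaviour the comment above describes can be modelled without any address translation. The following is an added example, not part of the original comment: a toy stateful filter in Python protecting a globally routable IPv6 prefix, where the class name, prefixes and ports are all constructed for illustration and egress is assumed to be fully allowed.

```python
import ipaddress

class StatefulFilter:
    """Toy default-deny stateful filter for a routed prefix; no translation."""

    def __init__(self, inside):
        self.inside = ipaddress.ip_network(inside)  # protected prefix
        self.flows = set()      # connection tracking: flows opened from inside
        self.allow_in = []      # explicit inbound rules: (src_net, dst_net, dport)

    def allow_inbound(self, src_net, dst_net, dport):
        """Permit new inbound connections by single address (/128) or range."""
        self.allow_in.append((ipaddress.ip_network(src_net),
                              ipaddress.ip_network(dst_net), dport))

    def check(self, src, sport, dst, dport):
        """Return 'accept' or 'drop' for one packet crossing the filter."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in self.inside and d not in self.inside:
            # Egress is allowed here (assumption); remember the flow for replies.
            self.flows.add((s, sport, d, dport))
            return "accept"
        if (d, dport, s, sport) in self.flows:
            return "accept"     # reply to a connection an inside host opened
        for src_net, dst_net, port in self.allow_in:
            if s in src_net and d in dst_net and dport == port:
                return "accept" # explicitly published service
        return "drop"           # default deny: unsolicited traffic stops here

def demo():
    fw = StatefulFilter("2001:db8:1::/48")   # constructed documentation prefix
    out = "2001:db8:ffff::10"                # constructed outside host
    results = [fw.check(out, 40000, "2001:db8:1::5", 22)]          # unsolicited
    results.append(fw.check("2001:db8:1::5", 50000, out, 443))     # outbound
    results.append(fw.check(out, 443, "2001:db8:1::5", 50000))     # its reply
    results.append(fw.check(out, 443, "2001:db8:1::6", 50000))     # other host
    fw.allow_inbound("2001:db8:ffff::/64", "2001:db8:1::80/128", 443)
    results.append(fw.check(out, 40001, "2001:db8:1::80", 443))    # allowed range
    results.append(fw.check("2001:db8:eeee::1", 40001, "2001:db8:1::80", 443))
    return results

if __name__ == "__main__":
    print(demo())
```

Every inside host keeps its own routable address, yet an unsolicited inbound packet is dropped unless it matches tracked state or an explicit rule, which is the same outcome a NAT mapping table produces as a side effect.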

  • by Yaztromo ( 655250 ) on Tuesday December 22, 2009 @07:37PM (#30530902) Homepage Journal

    They'll become more and more valuable, universities with 16.7 million each will be forced to give them up, and we'll have more and more bureaucracy surrounding the IP address system. IPv6 will come in slowly.

    The problem with breaking up a /8 is that you can't just spread around 16.7 million addresses to the individual machines around the globe that need them -- not unless we're ready to handle the massive explosion of routing table entries that would require (and we're not). CIDR still defines a routing hierarchy, where the huge swaths of free addresses exist within that hierarchy isn't necessarily geographically where they are needed, or where the systems that need them are going to be able to connect to them.

    Not to say that some breaking up of largely unused /8's and /16's can't be done -- just that it's nowhere near as trivial a problem as most people seem to assume it is. It isn't like there is an abundance of resources in one area, so we can put them on a ship and send them to an area where the resource need exists.

    Of course, all of this presumes that the holder of the /8 is using it in some sane manner where it is even possible to break the address space into routable blocks...

    Yaz.

  • by bruce_the_loon ( 856617 ) on Wednesday December 23, 2009 @02:50AM (#30533178) Homepage

    FUD, glorious FUD.

    You do not need Homegroups to make sharing work. It just makes it easier. The older technique of keeping the passwords synced across the machines is still operational.

    And someone has already answered the IPv6 no internet connectivity FUD as well.

  • Re:IPv4 Forever!!!! (Score:2, Informative)

    by dasmoo ( 1052358 ) on Wednesday December 23, 2009 @07:56AM (#30534116)
    More addresses, not IPv6. They're just jamming the wrong technology down our throats, which is why everyone's ignoring it.
