Windows 7 May Finally Get IPv6 Deployed

Esther Schindler writes "According to this article at IT Expert Voice, Windows 7 and IPv6: Useful at Last?, we've had so many predictions that this will be 'the year of IPv6' that most of us have stopped listening. But the network protocol may have new life breathed into it because IPv6 is a requirement for DirectAccess. DirectAccess, a feature in Windows 7, makes remote access a lot easier — and it doesn't require a VPN. (Lisa Vaas interviews security experts and network admins to find out what they think of that idea.) The two articles examine the advantages and disadvantages of DirectAccess, with particular attention to the possibility that Microsoft's sponsorship may give IPv6 the deployment push it has lacked."

Re:IPv6 addresses are overly complex

[Anonymous Coward]

It pains me to think it, but how long before we see "IPv6 shortening services"?

Re:IPv6 addresses are overly complex

[sopssa]

Theres lots of places that don't really use DNS tho, for example game servers or other servers run by individuals. In some games you even have to manually type in the address if you want to connect to your friends server. Maybe we see a major increase in those FreeDNS type of services.

But at least one pain in the ass there is; if you need to transfer the address on paper or otherwise manually (setting up or fixing networking etc)

Re:IPv6 addresses are overly complex

[Mr. DOS]

Offtopic, but I'd much rather you typed in whatever.com [no-www.org].

      --- Mr. DOS

IPv4 Forever!!!!

[waterlogged]

BGP filters are hard enough in v4 can you imagine doing this crap?

ipv6 prefix-list ipv6-ebgp-strict permit 2a00::/12 ge 19 le 32
ipv6 prefix-list ipv6-ebgp-strict permit 2801:0000::/24 le 48
ipv6 prefix-list ipv6-ebgp-strict permit 2c00::/12 ge 19 le 32
ipv6 prefix-list ipv6-ebgp-strict deny 0::/0 le 128

Forget it.

Re:Why?

[Monkeedude1212]

On the internet sure, ok....who the fuck going to connect a Windows box to the internet without NAT/Firewall?

If you've never had a problem with NAT, you don't have enough uses for the internet. I used to be a firm believer that NAT was a seemless solution to the problem of not having enough IP's.

Once you try implementing it in the professional world, where you have to worry about not just NAT but NAPT, because you've got Webservers, Print Servers, Email Servers, Backup Servers, File Servers, Application Servers - and then you've got to implement some service such as Remote Desktop from a WebApp (that has to get past the Proxy, no less), so that those who want to work from home can Remote into their PC without a VPN - lets just say that even a small handful of extra IP's would help, and if we COULD get each PC it's own individual IP, it'd be much appreciated.

It's not that it's impossible to do what you want, its just that as things grow, things get more convoluted, and doing such tasks take far more troubleshooting.

Or DirectAccess may just sink it for good...

[BobMcD]

From a security point of view, I'm probably going to blackhole all IPv6 into a honeypot now. Think about what this technology does. It allows unsolicited connectivity into your network without audit. And I quote:

Admin Tom Perrine, chiming in on the LOPSA forum when asked to contribute thoughts for this article, had four major DirectAccess concerns: As an Enterprise customer, he needs to be able to at least:

. set specific policies (no split tunneling)
. force specific VPN technology including encryption algorithms (IPSEC, AES, etc.)
. ensure proper key and credential management, including two-factor or challenge/response
. audit activities while user is connected to the VPN.

The article goes on to discuss the first one. Nothing whatsoever on the other three. Not to mention that if the machine fails to get the updated GPO it fails OPEN. Everything here I see says it 'just works' and there is almost no talk of admin control. I'm having trouble coming up with a good enough string of expletives to cover my emotions. Wow. Just wow.

What exactly is the security mechanism, then? Username/Password? I see comparisons in TFA being drawn to web portals. Well I don't know about your shop, but around here we have planned for the web portal to be compromised at some point, and have limited the data available. We have NOT made that assumption for the heart of our network, and I'm unsure how long I'd keep my job if I made that case.

As stated in TFA it sounds much easier to just shut the protocol off until there's a pressing and urgent business need to enable it again.

Re:IPv6 addresses are overly complex

[Ephemeriis]

Theres lots of places that don't really use DNS tho, for example game servers or other servers run by individuals. In some games you even have to manually type in the address if you want to connect to your friends server. Maybe we see a major increase in those FreeDNS type of services.

Pretty much every machine has a DNS name these days. They aren't usually authoritative... But for a LAN game it'll do.

For non-LAN games you've frequently got some kind of server listing service or match-making service out there that can help you find your buddy's server. Or you could always use DynDNS/No-IP/whatever to get yourself a DNS name.

But at least one pain in the ass there is; if you need to transfer the address on paper or otherwise manually (setting up or fixing networking etc)

Again, many (most?) devices have a DNS name of some sort.

If not... Yes, it can be a pain to write down an address. And the extra address space in IPv6 is going to make that more painful... Although there are shortcuts built into IPv6 that let you shorten the address...

But, seriously, is that a reason not to adopt IPv6? There's too many digits, it's too hard to write out by hand?

Re:Why?

[pdangel]

Yes NAT is a pain..and some cases breaks business apps. Hair Pin turns are the bane of my existence. But you are saying place thing either outside a firewall because its easier, or place your support staff on the Internet with out VPN?

I agree that ISP have a need for IPv6. But why would a Windows 7 user need it? Default out of the box? Or did I miss read that MS has that service on by default?

Re:Why?

[mark-t]

The funny thing is, however, that NAT isn't entirely obsoleted by ipv6... because it is almost inevitable that ipv6 space will be almost as poorly managed as ipv4 space was in the beginning, we will probably still run out of ipv6 space sooner than we otherwise would. Of course, due to the sheer size of ipv6 space, I suspect that's not likely to happen in most of our lifetimes.

Notwithstanding, however, thanks to this quaint little notion of "extension headers" in ipv6, it is even entirely possible to route _THROUGH_ a NAT... directing packets to specific machines inside of the NAT as long as the NAT is configured to act like a router and to process the appropriate extension headers... an upshot of this is that it would effectively increasse the total number of usable IP's, because the effective IP address length would be extended by however many bits of address you put into the extension header. This process could even be chained through multiple levels of NAT's _theoretically_ indefinitely, but in practice would always be limited by the sizes of the routing tables involved, and whatever the minimum MTU for an IP packet is at the time (which is theoretically as small as 68 bytes today, but nobody uses them anywhere close to that small). Individual IPv6 packets have a maximum size of 64K each, so there's a hard limit in how big it can get regardless of how much the MTU goes up.

Re:Why?

[isomer1]

Along with the last vestiges of privacy in IP space. Every single connection you make traced directly to you instantly. Joy.

Re:Article is so full of inaccuracies...

[tlhIngan]

What really bothers me is that there *is* an IPv4 address famine. It's just that the IPv4 addresses are being rationed well enough that we haven't yet reached the point of outright crisis. If you really think that IPv4 addressed are plentiful, then riddle me this: why can't I get a static IP for my home internet connection? In order to get a static IP, I have to upgrade to a "business" account which costs $200/month more and doesn't really offer any improvements other than a static IP. Yup. $200/month for a static IP.

And guess how much a single static IPv6 address will cost from your ISP? That's right, $200/month because you'll need a business account.

IPv6 gives you more addrss space. ISPs will still nickle and dime you. Even if your ISP is "wasteful" and gets you a /96, they'll just make sure that xxxx:...:xxxx::1 actually reaches you (and everyone else gets the same, too), dsepite giving you a whole IPv4 set of address spaces. Buy another IP address, and they'll also give you xxxx::1 to keep all the routing simple. (Side note: also makes the virus and worm's jobs simpler). Heck, if they need to double their address space, they just use another bit, so your /96 becomes a /97, not that you could've used those 2 billion addresses they "stole".

NAT won't die, unless ISPs are willing to give up the money they're making on extra IPs. At best, while NATv6 is being worked on, everyone has to buy extra IP addresses so everyone's home PC, roaming laptop, etc., can be connected simultaneously. Linksys, D-Link and Netgear will be happy as they get to sell everyone IPv6 firewalls, then IPv6 "IP Sharing" routers that can save everyone money by not having to buy extra IPs.

Re:Wah happen to ipv5?

[ksemlerK]

What happened to IPv1, IPv2, IPv3 and IPv4 [blogspot.com] The short answer is that they never existed.

Re:Why?

[Anonymous Coward]

The only thing that is exhausting is the manifest stupdity of the IETF. The world is running out of IPv4 addresses so lets direct the reserved class E block (1/16th of total IPv4 address space) to be released for use as private network space because god knows the current allocations for that purpose are not more than enough for even the worlds largest corporations.

We need a new IP protocol so lets forget the fact payload size of 50% of all Internet traffic is 40 bytes and invent a protocol with an absurdly unecessary 128-bit addressing scheme.

Then lets fuck up the deployment, not take interop seriously and change our minds WRT transition mechanisims so many times it hurts. Can someone please tell me WTF the difference between ffff::x.x.x.x and ::x.x.x.x are and then think about what you just said.

Then while we are at it lets break cardinal rules of decoupling ISO layers with %interface designations as if we didn't already learn our lessons on why breaking the network knowledge rule with IPSec and SIP tend to lead to extraordinary deployment disasters.

Now that we're on a stupid streak lets make it so IPv6 computers can't address themselves using their own frigging network facing address.

All of this while rejoicing the end of NAT without understanding people don't want to pay for OR expose knowledge of individual systems within their network..let alone this link-local IPv6 MAC mapping nonsense.

Sorry just blowing off steam... on the bright side at least slapper worm type propogation will no longer be feasable with such a massive address space.