TRANSCRIPT
Building IPv6 (Firewall & IPSec) Aware Applications
Mohit Talwar, COM304, Development Lead, Microsoft Corporation
Slide 2: Outline
- Motivation
- Simple Client
- Simple Server
- Demo
- Advanced Topics
Slide 3: IPv6 is Ready
- Optional on Windows XP
  - "netsh interface ipv6 install"
  - "netsh interface ipv6 set teredo client"
- Enabled by default on Windows Vista
  - Pervasive IPv6 support in OS components
  - IPv6 connectivity preferred over IPv4
IPv6 is on by default in Windows Vista!
Slide 4: IPv6 is Real
- No support required from the network
  - Transition technologies tunnel IPv6 over IPv4
  - E.g. Teredo, 6to4, …

C:\>ipconfig

Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 192.168.1.102
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        IP Address. . . . . . . . . . . . : fe80::20c:f1ff:fe34:8106%5
        Default Gateway . . . . . . . . . : 192.168.1.1

Tunnel adapter Teredo Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 3ffe:831f:4004:1954:0:eebe:e7ec:1042
        Default Gateway . . . . . . . . . : ::
Slide 5: IPv6 Benefits: NAT Traversal
IPv4:
- NATs a significant challenge to P2P applications
- Options: consumers configure NATs; providers host relays; applications do NAT traversal
- NATs break over 50% of P2P scenarios
IPv6:
- IPv6 provides automatic NAT traversal (Teredo)
- Simply write an IPv6 aware application!
- IPv6 connects over 95% of the P2P scenarios
IPv6 provides NAT traversal!
Slide 6: IPv6 Benefits: Ad-Hoc Networks
IPv4:
- May take 63s for autonet address configuration
- Can only have one interface with autonet addresses
- Few applications built for this configuration
IPv6:
- Instantaneous link-local address configuration
- No ambiguity when using multiple link-local addresses
- Important Windows Vista scenario: People Near Me
Slide 7: IPv6 Benefits: Better Behavior
IPv4:
- ARP takes up to 2 minutes to detect failures
- Gratuitous ARP can mess up address tables in switches
IPv6:
- ND detects failures in less than 30 seconds
- DAD has no adverse impact on switches
Slide 8: IPv6 Benefits
- Secure Neighbor-Discovery: secure extension of ARP
- Mobility: retain addresses across subnet moves
- Increase support for P2P scenarios: addressability across firewalls
Slide 9: Supporting IPv6
- Higher Layers (.Net, HTTP, P2P SDK etc): Zero work!
- Lower Layers (Winsock & .Net Sockets)
  - Client Applications
    - Windows Vista & Beyond: WSAConnectByName
    - Windows XP & Beyond: Address agnostic
  - Server Applications
    - Windows Vista & Beyond: Single socket
    - Windows XP & Beyond: Dual socket
Slide 10: Supporting IPv6: Winsock
- Addresses
  - Use SOCKADDR_STORAGE and PSOCKADDR
  - SOCKADDR_IN6 when using v4-mapped (Vista Only)
- Name Resolution
  - GetAddrInfoW
  - WSAConnectByName (Vista Only)
- Core Socket Functions
  - socket, bind, connect, sendto…
  - IPV6_V6ONLY (Vista Only)
- IPHLPAPIs
  - GetAdaptersAddresses
  - Address agnostic APIs (Vista Only)
- Macros
  - INETADDR_ISLOOPBACK(PSOCKADDR …)
Slide 11: CHECKV4.EXE
Slide 12: Simple Client
Broken (IPv4 Only)!

StartClient(PCSTR HostName, USHORT Port)
{
    ClientSocket = socket(AF_INET, ...);
    HostEntry = gethostbyname(HostName);
    A.sin_addr = *(PIN_ADDR)HostEntry->h_addr;
    A.sin_port = htons(Port);
    connect(ClientSocket, &A, ...);
}
Slide 13: Simple Client – Windows Vista
Fixed (ConnectByName)!

StartClient(PCSTR HostName, USHORT Port)
{
    ClientSocket = socket(AF_INET6, ...);
    //
    // Reset IPV6_V6ONLY to FALSE.
    //
    setsockopt(ClientSocket, IPPROTO_IPV6, IPV6_V6ONLY, ...);
    WSAConnectByName(ClientSocket, HostName, Port, ...);
}
Slide 14: Simple Client – Windows XP
Fixed (Address Agnostic)!

StartClient(PCSTR HostName, USHORT Port)
{
    //
    // First, Resolve HostName.
    //
    GetAddrInfoA(HostName, Port, ..., &AddressList);
    //
    // Then, iterate over all addresses (in order).
    //
    for (A = AddressList; A != NULL; A = A->ai_next) {
        ClientSocket = socket(A->ai_family, A->ai_socktype, 0);
        if (connect(ClientSocket, A->ai_addr, A->ai_addrlen) == 0) {
            break;                      // Connected: stop at the first address that works.
        }
        closesocket(ClientSocket);      // This address failed: try the next one.
    }
}
Slide 15: Simple Client – .NET
Fixed (Address Agnostic)!

//
// First, Resolve HostName.
//
HostEntries = Dns.GetHostEntry(HostName);
//
// Then, iterate over all addresses (in order).
//
foreach (Address in HostEntries.AddressList)
{
    A = new IPEndPoint(Address, Port);
    ClientSocket = new Socket(A.AddressFamily, ...);
    try
    {
        ClientSocket.Connect(A);
        break;                  // Connected: stop at the first address that works.
    }
    catch (SocketException)
    {
        ClientSocket.Close();   // This address failed: try the next one.
    }
}
Slide 16: Simple Server
Broken (IPv4 Only)!

StartServer(USHORT Port)
{
    ServerSocket = socket(AF_INET, ...);
    A.sin_addr.s_addr = INADDR_ANY;
    A.sin_port = htons(Port);
    bind(ServerSocket, &A, ...);
    ...
}
Slide 17: Simple Server – Windows Vista
Fixed (IPV6_V6ONLY)!

StartServer(USHORT Port)
{
    ServerSocket = socket(AF_INET6, ...);
    //
    // Reset IPV6_V6ONLY to FALSE.
    //
    setsockopt(ServerSocket, IPPROTO_IPV6, IPV6_V6ONLY, ...);
    IN6ADDR_SETANY(&A);
    A.sin6_port = htons(Port);
    bind(ServerSocket, &A, ...);
    ...
}
Slide 18: Simple Server – Windows XP
Fixed (Dual Socket)!

StartServer(USHORT Port)
{
    ServerSocket4 = socket(AF_INET, ...);
    ServerSocket6 = socket(AF_INET6, ...);
    IN4ADDR_SETANY(&A4); A4.sin_port = htons(Port);
    IN6ADDR_SETANY(&A6); A6.sin6_port = htons(Port);
    bind(ServerSocket4, &A4, ...);
    bind(ServerSocket6, &A6, ...);
    ...
}
Slide 19: Simple Server – .NET
Fixed (IPV6_V6ONLY)!

ServerSocket = new Socket(AddressFamily.InterNetworkV6, ...);
ServerSocket.SetSocketOption(..., IPV6_V6ONLY, ...);
A = new IPEndPoint(IPAddress.IPv6Any, Port);
ServerSocket.Bind(A);
...
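The client and server slides above combined into one runnable example, added here and not the deck's code: the address-agnostic client loop of the XP slide, and a server that takes the Vista single-socket route (IPV6_V6ONLY cleared) and falls back to the XP one-socket-per-family layout when the host has no usable IPv6 stack. Python's socket module exposes the same getaddrinfo/setsockopt calls as Winsock, so the structure carries over to C directly; the loopback ports used when exercising it are constructed.

```python
import select
import socket

def connect_by_name(host, port, timeout=5.0):
    """Address-agnostic client (XP slide): resolve the name, then try each address
    in resolver order, closing a socket that fails before moving on."""
    last_error = None
    for family, socktype, proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, socket.AF_UNSPEC, socket.SOCK_STREAM):
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return sock                         # first reachable address wins
        except OSError as err:
            last_error = err
            sock.close()
    raise OSError(f"could not connect to {host}:{port}") from last_error

def listen_dual_stack(port):
    """Vista slide: one AF_INET6 socket with IPV6_V6ONLY cleared serves both
    families (IPv4 peers show up as v4-mapped addresses). With no IPv6 stack, or
    if the option cannot be cleared, fall back to the XP slide's socket per family."""
    listeners = []
    try:
        s6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        try:
            s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)  # the fix
            s6.bind(("::", port))
            s6.listen(5)
        except OSError:
            s6.close()
            raise
        listeners.append(s6)
        if s6.getsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY) == 0:
            return listeners                    # one dual-stack socket is enough
        port = port or s6.getsockname()[1]      # pair an IPv4 socket on the same port
    except OSError:
        pass                                    # no usable IPv6: IPv4 socket only
    s4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s4.bind(("0.0.0.0", port))
    s4.listen(5)
    listeners.append(s4)
    return listeners

def accept_one(listeners, timeout=5.0):
    """Wait on every listening socket at once and accept the first connection."""
    ready, _, _ = select.select(listeners, [], [], timeout)
    if not ready:
        raise TimeoutError("no incoming connection")
    return ready[0].accept()
```

The last socket returned by listen_dual_stack is the one that serves IPv4 in every layout, so a client connecting to 127.0.0.1 on its port is accepted either with a plain or a v4-mapped peer address.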
Slide 20: NAT Traversal Using Teredo
Jay Beavers, Developer, Project Max
Slide 21: Advanced Topics
- Secure Sockets
- Address Selection
- Address Publication
- Network Events
- Firewall Considerations
Slide 22: Secure Sockets
- IPv6 provides e2e connectivity (enabling IPSec)
- Secure sockets provide control over IPSec policies
- WSASetSocketSecurity: specify security requirements
  - Before WSAConnect
  - E.g. Require IPSec encryption for a peer
- WSAQuerySocketSecurity: query applied security properties
  - After WSAConnect
  - E.g. Use peer's security token for authorization
Slide 23: Address Selection
- IPv6 exposes multi-homing issues: multiple interfaces & addresses
- Problem involves choosing one of many…
  - Destinations: the address to connect to
  - Sources: the address to connect from
Candidate destinations: 157.59.1.1, 3ffe:831f::8000:f227:62c4:fefe, 3ffe:831f::baad:f00d:baad:f00d
Local sources: 192.168.1.102, fe80::20c:f1ff:fe34:8106%5, 3ffe:831f:4004:1954:0:eebe:e7ec:1042
Slide 24: Address Selection
- Destination Address Selection
  - Automatically performed by GetAddrInfo
  - SIO_ADDRESS_LIST_SORT
  - Caveat: IPv6 preferred over IPv4
Candidate destinations: 157.59.1.1, 3ffe:831f::8000:f227:62c4:fefe, 3ffe:831f::baad:f00d:baad:f00d
Local sources: 192.168.1.102, fe80::20c:f1ff:fe34:8106%5, 3ffe:831f:4004:1954:0:eebe:e7ec:1042
Slide 25: Address Selection
- Source Address Selection
  - Automatically performed by ConnectByName
  - SIO_ROUTING_INTERFACE_QUERY
Local sources: 192.168.1.102, fe80::20c:f1ff:fe34:8106%5, 3ffe:831f:4004:1954:0:eebe:e7ec:1042
Candidate destinations: 157.59.1.1, 3ffe:831f::8000:f227:62c4:fefe, 3ffe:831f::baad:f00d:baad:f00d
Slide 26: Address Publication
Publisher

Publish(PIP_ADAPTER_UNICAST_ADDRESS AddressList)
{
    //
    // Iterate over *all* addresses.
    //
    for (A = AddressList; A != NULL; A = A->Next) {
        //
        // Publish if *eligible*.
        //
        if (A->Flags & IP_ADAPTER_ADDRESS_DNS_ELIGIBLE) {
            ...
        }
    }
}
Slide 27: Address Publication
Resolver

Sort(PSOCKET_ADDRESS_LIST AddressList)
{
    //
    // Combine resolved IPv6 and IPv4 addresses in a single list
    // (represent IPv4 addresses as v4-mapped IPv6 addresses).
    //
    Socket = socket(AF_INET6, SOCK_DGRAM, 0);
    WSAIoctl(Socket, SIO_ADDRESS_LIST_SORT, AddressList, ...);
    closesocket(Socket);
}
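An added Python model (not the deck's code) of what the Resolver's Sort() above asks the stack for: IPv4 addresses are folded in as v4-mapped IPv6 and the combined list is ordered with the RFC 3484 default policy table, the rule set SIO_ADDRESS_LIST_SORT is documented to follow; that table gives v4-mapped addresses the lowest precedence, which is the "IPv6 preferred over IPv4" caveat on the Address Selection slides. It implements Rules 6 and 8 only, and the 6to4 address in the demo is constructed.

```python
import ipaddress

# RFC 3484 default policy table as (prefix, precedence). Longest matching prefix wins;
# v4-mapped addresses (i.e. plain IPv4 destinations) sort last.
POLICY_TABLE = [
    (ipaddress.IPv6Network("::1/128"), 50),        # loopback
    (ipaddress.IPv6Network("::/0"), 40),           # native IPv6
    (ipaddress.IPv6Network("2002::/16"), 30),      # 6to4
    (ipaddress.IPv6Network("::/96"), 20),          # IPv4-compatible
    (ipaddress.IPv6Network("::ffff:0:0/96"), 10),  # v4-mapped
]

def as_v6(text):
    """Represent every resolved address as IPv6; IPv4 becomes v4-mapped, exactly as
    the slide's Sort() combines both families into one list."""
    addr = ipaddress.ip_address(text.split("%")[0])        # drop a zone id such as %5
    return ipaddress.IPv6Address("::ffff:" + str(addr)) if addr.version == 4 else addr

def precedence(addr):
    """Rule 6: precedence of the longest policy-table prefix containing the address."""
    return max((net.prefixlen, prec) for net, prec in POLICY_TABLE if addr in net)[1]

def scope(addr):
    """Rule 8 prefers smaller scope: link-local (2) ahead of global (14)."""
    return 2 if addr.is_link_local else 14

def sort_destinations(texts):
    """Order candidate destinations as a RFC 3484 destination sort would try them.
    Simplified to Rules 6 and 8 (no source pairing, labels or reachability checks),
    so ties keep the resolver's order because Python's sort is stable."""
    return sorted(texts, key=lambda t: (-precedence(as_v6(t)), scope(as_v6(t))))

if __name__ == "__main__":
    # Destinations from the Address Selection slide plus a constructed 6to4 address.
    print(sort_destinations(["157.59.1.1", "3ffe:831f::8000:f227:62c4:fefe",
                             "3ffe:831f::baad:f00d:baad:f00d", "2002:9d3b:101::1"]))
```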
Slide 28: Network Events
- Address Notifications: SIO_ADDRESS_LIST_CHANGE
  - Applications that retry on address change
  - E.g. IM client registering addresses with IM server
- Route Notifications: SIO_ROUTING_INTERFACE_CHANGE
  - Applications that bind to the preferred source address
  - E.g. Video conferencing client switching from wireless to wired
- Requires an overlapped socket
  - Vista: Can use a single socket for both IPv4 and IPv6 notifications
Slide 29: Network Events
Notification Handler

NotificationHandler(VOID)
{
    //
    // Sleep before processing event.
    // Address & Route changes usually occur in quick succession.
    //
    Sleep(1000);
    //
    // Register for the next event before processing the current.
    // Ensures that no events are missed.
    //
    WSAIoctl(Socket, SIO_ADDRESS_LIST_CHANGE, ...);
    ...
}
Slide 30: Firewall
- Host Firewall is on by default (as in XP/SP2)
- Application requirements
  - Application exceptions (during install)
  - OR
  - Port exceptions (during run-time)
- Exceptions stored as filters in a central database
  - Can be used by 3rd party firewalls
Slide 31: Firewall
Client addresses: 192.168.1.102, fe80::20c:f1ff:fe34:8106%5, 3ffe:831f:4004:1954:0:eebe:e7ec:1042
Server addresses: 157.59.1.1, 3ffe:831f::8000:f227:62c4:fefe, 3ffe:831f::baad:f00d:baad:f00d
- UDP echo server bound to in6addr_any
  - Receives the request on one of its addresses
  - May reply from a different address!
- Reply may be dropped by client's host firewall
- Root Cause: Asymmetry in address selection
Slide 32: Firewall
Fixed (WSASendMsg)!

UdpServer(USHORT Port)
{
    WSAMSG WsaMsg = {..., &Data, ..., &Control, ...};
    setsockopt(..., IPV6_PKTINFO, ...);
    WSARecvMsg(Socket, &WsaMsg, ...);
    WSASendMsg(Socket, &WsaMsg, ...);
}
Slide 33: Summary
- IPv6 provides NAT traversal! Excellent platform for P2P applications
- IPv6 is on by default in Windows Vista! Ready for primetime
- Porting to IPv6 is easy!
- Call to action: Make your applications IPv6 aware!
Slide 34: Community Resources
At PDC:
- COM Track Lounge (I'll be there Wed, 9am - 5pm)
- Ask The Experts (Thu, 6:30pm)
- COM 319 – Windows Vista: Integrating with the People Near Me…
- PRS L05 – Case Study: What We Learned Building Project Max…
After PDC:
- Catch this session on DVD in case you missed it
- COM 311: Developing P2P Applications using Windows Vista…
News Groups:
- microsoft.public.platformsdk.networking.ipv6
- microsoft.beta.longhorn.networking.home
MSDN Forum: Communications and Networking in Windows Vista
MSDN Technology Center: http://www.microsoft.com/windowsserver2003/technologies/ipv6/default.mspx
Teredo overview: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx
Windows Firewall APIs: http://msdn.microsoft.com/library/en-us/ics/ics/windows_firewall_start_page.asp
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Slide 36: Appendix: Teredo Introduction
- Provides IPv6 connectivity behind IPv4 NAT
- Last resort connectivity mechanism
- Tunnels IPv6 traffic over UDP/IPv4
- Uses public Teredo (echo) servers
  - To determine NAT port-mapping
  - To initiate communication with a peer
Slide 37: Appendix: Teredo in a Slide
1. Client: Echo-Request
   - Creates Port-Mapping
2. Server: Echo-Response
   - Contains Port-Mapping (A, P)G
3. Client forms IPv6 address
   - Elements: Server, (A, P)G
4. Peer parses IPv6 address
   - Determines Port-Mapping, Server
   - Encapsulates packet over UDP
[Figure: Teredo Server, Peer, Client]
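Steps 3 and 4 above in Python, as an added example that is not the deck's code: forming a Teredo address from the server and the echoed port-mapping, and parsing one back to find where the UDP encapsulation must go. The layout assumed is the draft/RFC 4380 one (prefix, server IPv4, flags, then the port and client IPv4 stored XOR-ed with all ones), with the 3ffe:831f::/32 prefix the deck's addresses use alongside the later 2001::/32.

```python
import ipaddress
import struct

# Prefixes a Teredo address can carry: the experimental one seen in this deck's
# ipconfig output, and the one RFC 4380 later assigned.
TEREDO_PREFIXES = (ipaddress.IPv6Network("3ffe:831f::/32"),
                   ipaddress.IPv6Network("2001::/32"))
TEREDO_LAYOUT = "!4s4sHH4s"   # prefix | server IPv4 | flags | ~port | ~client IPv4

def form_teredo_address(prefix, server_ipv4, mapped_ipv4, mapped_port, flags=0):
    """Step 3: the client builds its IPv6 address from the Teredo server's IPv4
    address and the NAT port-mapping (A, P) the server echoed back. The mapping is
    stored inverted (XOR with all ones) so a NAT that rewrites addresses it finds
    in payloads does not corrupt it."""
    mapped = bytes(b ^ 0xFF for b in ipaddress.IPv4Address(mapped_ipv4).packed)
    packed = struct.pack(TEREDO_LAYOUT, prefix.network_address.packed[:4],
                         ipaddress.IPv4Address(server_ipv4).packed,
                         flags, mapped_port ^ 0xFFFF, mapped)
    return str(ipaddress.IPv6Address(packed))

def parse_teredo_address(text):
    """Step 4: a peer recovers the server and the port-mapping, i.e. the IPv4
    address and UDP port the encapsulated packet must be sent to. A non-Teredo
    address raises ValueError so it is never mistaken for a tunnel endpoint."""
    addr = ipaddress.IPv6Address(text.split("%")[0])      # drop any zone id
    if not any(addr in prefix for prefix in TEREDO_PREFIXES):
        raise ValueError(f"{text} is not a Teredo address")
    _pfx, server, flags, port, client = struct.unpack(TEREDO_LAYOUT, addr.packed)
    return {
        "server": str(ipaddress.IPv4Address(server)),
        "flags": flags,
        "mapped_addr": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in client))),
        "mapped_port": port ^ 0xFFFF,
    }

if __name__ == "__main__":
    # The Teredo address from the ipconfig output on the "IPv6 is Real" slide.
    print(parse_teredo_address("3ffe:831f:4004:1954:0:eebe:e7ec:1042"))
```

Fed the deck's own ipconfig address it yields server 64.4.25.84 and mapping 24.19.239.189:4417; the 3ffe:831f:: destinations on the Address Selection slide decode the same way, the first of them embedding 157.59.1.1 and UDP port 3544, the port Teredo uses.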