NAT, firewalls and IPv6NAT, firewalls and IPv6

Christian HuitemaChristian HuitemaArchitect, Windows NetworkingArchitect, Windows NetworkingMicrosoft CorporationMicrosoft Corporation

What We Have Done So FarWhat We Have Done So Far

Progressed Progressed embedded embedded End-to-end platform End-to-end platform

Announced update Announced update PC-to-phone provider PC-to-phone provider

choice & new UIchoice & new UI

4255551212

Released Windows XPReleased Windows XP Windows Messenger Windows Messenger

and rich APIsand rich APIs

NAT, Firewalls and IPv6NAT, Firewalls and IPv6

IssueIssue RTC requires “peer-to-peer” UDP for “media”, RTC requires “peer-to-peer” UDP for “media”,

TCP for application sharing.TCP for application sharing. Firewalls and NAT block UDP, incoming TCP.Firewalls and NAT block UDP, incoming TCP.

Adopting RTC in the homeAdopting RTC in the home Requires a NAT solutionRequires a NAT solution

Adopting RTC in the enterpriseAdopting RTC in the enterprise Requires a firewall solutionRequires a firewall solution

IPv6 helps solving both problems!IPv6 helps solving both problems!

What Is Network Address What Is Network Address Translation (NAT)?Translation (NAT)? Multiplexes IPv4 address space behind NAT – Multiplexes IPv4 address space behind NAT –

Internet gatewayInternet gateway

Edits source address & ports in IP trafficEdits source address & ports in IP traffic All network traffic leaving public side of the NAT All network traffic leaving public side of the NAT

appears tp originate from one IP addressappears tp originate from one IP address

192.168.0.2192.168.0.2

192.168.0.3192.168.0.3 192.168.0.1192.168.0.1

157.55.0.1157.55.0.1

InternetInternet

Issue: breaks many Issue: breaks many services / appsservices / apps

Overcoming NAT: To-DateOvercoming NAT: To-Date

User: manual configurationUser: manual configuration Most users not comfortable with thisMost users not comfortable with this Leads to customer dissatisfactionLeads to customer dissatisfaction Drives support calls & increased support costDrives support calls & increased support cost Inhibits trying new thingsInhibits trying new things An issue for DSL & cable modem providers An issue for DSL & cable modem providers

and retailers and retailers

IG vendor: Application layer gatewaysIG vendor: Application layer gateways One-off developments by device vendorOne-off developments by device vendor Doesn’t scale well to many apps & updatesDoesn’t scale well to many apps & updates

UPnPUPnP™™ NAT Traversal: NAT Traversal: A Better WayA Better Way

Program NAT device via Universal Plug Program NAT device via Universal Plug and Play (UPnPand Play (UPnP™™))

Internet Gateway Device Working Internet Gateway Device Working Committee defined schema for gatewaysCommittee defined schema for gateways Includes method for automatically creating Includes method for automatically creating

and removing port mappingsand removing port mappings

Industry Adoption of UPnPIndustry Adoption of UPnP™™ NAT Support in GatewaysNAT Support in Gateways Leading vendors Leading vendors

announced supportannounced support Available 2H 2001Available 2H 2001

PC with Windows XPPC with Windows XP can be Internet gateway can be Internet gateway

device ORdevice OR can work with other IGcan work with other IG

UPnPUPnP™™ support to support to become market become market requirement for IGrequirement for IG categorycategory

Address Shortage Causes Address Shortage Causes More NAT DeploymentMore NAT Deployment

Extrapolating the number of DNS registered addresses shows total exhaustion in 2009. But in practice, the “H-ratio” of log10(addresses)/bits reaches 0.26 in 2002.

1

10

100

1000

10000

S-96

M-97

S-97

M-98

S-98

M-99

S-99

M-00

S-00

M-01

S-01

M-02

S-02

M-03

S-03

M-04

S-04

M-05

S-05

M-06

S-06

M-07

S-07

M-08

S-08

M-09

In the medium term, we In the medium term, we cannot program all NATscannot program all NATs

InternetNAT

PC

UPNP

?

By 2002, we will see ISP using layers of NAT.

In fact, we see it in Asia and Europe now…We need IPv6 before that!

homeISP

NAT

We need IPv6, to change We need IPv6, to change the Internetthe Internet

Addresses are the keyAddresses are the key Scarcity: the user is a “client”Scarcity: the user is a “client” Plethora: the user is a “peer”Plethora: the user is a “peer”

IPv6 provide enough addressingIPv6 provide enough addressing 64+64 format: 1.8E+19 networks, units64+64 format: 1.8E+19 networks, units assuming IPv4 efficiency: 1E+16 networks, assuming IPv4 efficiency: 1E+16 networks,

1 million networks per human1 million networks per human 2 networks per sqft of Earth (20 per m2 networks per sqft of Earth (20 per m22))

This enables peer-to-peer!This enables peer-to-peer!

Example: Multiparty Example: Multiparty Conference, using IPv6Conference, using IPv6

With a NAT:With a NAT: Brittle “workaround”.Brittle “workaround”.

With IPv6:With IPv6: Just use IPv6 addressesJust use IPv6 addresses

P1 P2

P3Home LAN InternetHome

Gateway Home LANHomeGateway

How to cope with Firewalls?How to cope with Firewalls?

IssueIssue RTC requires “peer-to-peer” UDP for “media”, RTC requires “peer-to-peer” UDP for “media”,

TCP for application sharing.TCP for application sharing. Firewalls block UDP, incoming TCP.Firewalls block UDP, incoming TCP.

Classic solutions don’t work well:Classic solutions don’t work well: Proxies are costly to deploy, generate Proxies are costly to deploy, generate

additional latency and network complexity.additional latency and network complexity. Application Layer Gateways prohibit Application Layer Gateways prohibit

encryption of signalling, create dependencies, encryption of signalling, create dependencies, prevent evolution.prevent evolution.

Preferred Solution: Firewall Preferred Solution: Firewall Control Protocol (FCP)Control Protocol (FCP)

SIPProxy

Enterprise network

Internet

FirewallControl Protocol

Firewall

Media

Port 5060SIPUser

Work in progress: Work in progress: IETF “MIDCOM”, IETF “MIDCOM”, industryindustry

Firewall traversal & IPv6Firewall traversal & IPv6

Simpler configurationSimpler configuration Same view of addresses, inside and outsideSame view of addresses, inside and outside

More robustMore robust Same view of addresses by multiple firewallsSame view of addresses by multiple firewalls

Better securityBetter security Can use IP Security “end to end”Can use IP Security “end to end”

If IPv6 is so great, how If IPv6 is so great, how come it is not there yet?come it is not there yet?

ApplicationsApplications Need upfront Need upfront

investment, stacks, investment, stacks, etc.etc.

Similar to Y2K, 32 Similar to Y2K, 32 bit vs. “clean bit vs. “clean address type”address type”

NetworkNetwork Need to ramp-up Need to ramp-up

investmentinvestment No “push-button” No “push-button”

transitiontransition

networksnetworks

applicationsapplications

IPv6 deployment tool-boxIPv6 deployment tool-box

IPv6 stateless address autoconfigurationIPv6 stateless address autoconfiguration Router announces a prefix, client configures an addressRouter announces a prefix, client configures an address

6to4: Automatic tunneling of IPv6 over IPv46to4: Automatic tunneling of IPv6 over IPv4 Derives IPv6 /48 network prefix from IPv4 global Derives IPv6 /48 network prefix from IPv4 global

address address

Shipworm: Automatic tunneling of IPv6 over Shipworm: Automatic tunneling of IPv6 over UDP/IPv4UDP/IPv4 Works through NAT, may be blocked by firewallsWorks through NAT, may be blocked by firewalls

ISATAP: Automatic tunneling of IPv6 over IPv4ISATAP: Automatic tunneling of IPv6 over IPv4 For use behind a firewall.For use behind a firewall.

6to4: tunnel IPv6 over IPv46to4: tunnel IPv6 over IPv4

6to4 router derive IPv6 prefix from IPv4 address, 6to4 router derive IPv6 prefix from IPv4 address,

6to4 relays advertise reachability of prefix 6to4 relays advertise reachability of prefix 2002::/16 2002::/16

Automatic tunneling from 6to4 routers or relaysAutomatic tunneling from 6to4 routers or relays

Single address (192.88.99.1) for all relaysSingle address (192.88.99.1) for all relays

IPv4 Internet

6to4-A

6to4-B

Relay

Native IPv6

Relay

C

B

A

1.2.3.4

5.6.7.8

192.88.99.1

192.88.99.1

3001:2:3:4:c…

2002:506:708::b…

2002:102:304::b…

ISATAP: IPv6 behind firewallISATAP: IPv6 behind firewall

ISATAP router ISATAP router provides IPv6 prefixprovides IPv6 prefix

Host complements Host complements prefix with IPv4 prefix with IPv4 addressaddress

Direct tunneling Direct tunneling between ISATAP between ISATAP hosts hosts

Relay through Relay through ISATAP router to ISATAP router to IPv6 local or globalIPv6 local or global

Firewalled IPv4

network

IPv4 FW

A

Local “native” IPv6

network

IPv6 FW

ISATAP

B

IPv6Internet

C

D

IPv4Internet

Shipworm: IPv6 through NATShipworm: IPv6 through NAT

Shipworm: IPv6 / UDPShipworm: IPv6 / UDP IPv6 prefix: IP address IPv6 prefix: IP address

& UDP port& UDP port

Shipworm serversShipworm servers Address discoveryAddress discovery Default “route”Default “route” Enable “shortcut” (A-B)Enable “shortcut” (A-B)

Shipworm relaysShipworm relays Send IPv6 packets Send IPv6 packets

directly to nodesdirectly to nodes

Works for Works for allall NAT NAT

NAT

B

Server

IPv4 Internet

IPv6 Internet

Relay

C

A

NAT

When can we get IPv6? When can we get IPv6?

20002000 20012001 20022002

Tech. Preview (W2K)Tech. Preview (W2K)

Developers (Windows XP)Developers (Windows XP)

DeploymentDeployment

More Information on IPv6More Information on IPv6

Microsoft IPv6 web site:Microsoft IPv6 web site: http://www.microsoft.com/ipv6/http://www.microsoft.com/ipv6/

IETF standardsIETF standards IPv6 specification,IPv6 specification, IPv6 transition tools.IPv6 transition tools.

Call to ActionCall to Action

Apply UPnP technology to NAT traversalApply UPnP technology to NAT traversal www.upnp.orgwww.upnp.org

Work on the Firewall Traversal ProtocolWork on the Firewall Traversal Protocol

Start porting applications to IPv6Start porting applications to IPv6 Use IPv6 stack in Windows XPUse IPv6 stack in Windows XP

Start deploying IPv6 now!Start deploying IPv6 now!