Unleashing the Power of IPv6

May 21, 2022

Page 1: Unleashing the Power of IPv6

Unleashing the Power of Ubiquitous Connectivity with IPv6

Bram Veenhof
Microsoft
[email protected]
twitter.com/bramveen

Page 2: Unleashing the Power of IPv6

Agenda

• The Connectivity Imperative
• IPv6 Product Report Card
• The power of IPv6 and Windows networking
• IPv6 now infra later and Direct Access

Page 3: Unleashing the Power of IPv6

The Connectivity Imperative

Page 4: Unleashing the Power of IPv6

Seamless Applications Impact

The Future of Business Computing
• Dynamic Datacenter
• Focus on Security, Productivity, and Impact
• Providing a unique “customer experience”

The Future of Personal Computing
• From personal computer to personal computing
• Across multiple PCs and devices
• Blurring of digital workstyle and lifestyle
• Individual in control of their digital world

Page 5: Unleashing the Power of IPv6

IPv6 is a Key Building Block

Continued seamless connectivity demands a new paradigm
• Security
• Scalability
• Flexibility

IPv6 is required to support the new network and Internet

Page 6: Unleashing the Power of IPv6

IPv6 Report Card

• Windows Vista
• Windows Server 2008
• SQL Server 2008
• SQL Server 2005
• Exchange Server 2007 SP1
• Host Integration Server 2007
• Biztalk Server 2006
• Office Sharepoint Server 2007
• SMS/SCCM 2007
• MOM/SCOM 2007
• System Center Virtual Machine Manager
• Office 2007
• Active Directory/DNS/DHCPv6
• Groove: Coming Soon!
• ISA Server: Coming Soon!

Page 8: Unleashing the Power of IPv6

More Than the Stack…

• All standard Windows Server 2008 components are IPv6 capable
• IPv6 is on by default, and preferred
• Controllable via Group Policy
• All Enterprise-class products currently in production are IPv6 capable
• GUI-based configuration
• Full support for IPsec

Page 9: Unleashing the Power of IPv6

Windows Firewall Features

• On by default
• Server Roles plumb firewall rules
• Stateful IP filtering inbound and outbound
• Full support for IPv6/ICMPv6
• Location-aware policy profiles
  • Domain, Public, Private
• Service Hardening
  • Prevent critical Windows services from being used for malicious activity
  • Enabled by default, and applies to inbound and outbound traffic

Page 10: Unleashing the Power of IPv6

IPv6 Deployment at Microsoft

• ISATAP available in all buildings world-wide
• Native v6 connectivity in all development buildings world-wide
• Where do we need native v6?
  • That is where we concentrate upgrades
• Everywhere else gets ISATAP connections

Page 11: Unleashing the Power of IPv6

IPv6 Now – Infrastructure Later

• Transition Technologies let enterprises deploy IPv6 before infrastructure supports it
  • Phased deployments
  • Managed rollout of native IPv6

[Diagram labels: Native IPv6; ISATAP tunnel (IPv6 in IPv4); Native IPv4; IPv4; IPv6; ISATAP Router]

ISATAP (RFC 4214) works well inside the network
• Single box can enable IPv6 in the enterprise
• Secure tunneling of IPv6 over IPv4

Page 12: Unleashing the Power of IPv6

IPv6 Now – Infrastructure Later

• Transition Technologies let consumers deploy IPv6 before infrastructure supports it
  • Phased deployments
  • Transition to managed infrastructure

[Diagram labels: IPv4 Internet; Restricted NAT; Restricted NAT; Teredo Server; Bubble Packets]

Teredo works well for unmanaged/home users
• Works through a NAT
• Protocol of last resort
• Automatically disables in a managed environment

Page 13: Unleashing the Power of IPv6

Direct Access Overview

Page 14: Unleashing the Power of IPv6

What is Direct Access?

Simultaneous corpnet and Internet Access
• If user’s machine is connected to internet, it is connected to corporate network

Remote Management
• User’s machine is maintainable whenever connected to corporate network over internet

Secure remote connectivity
• Communication between user’s machine and corporate resources is secure

Page 15: Unleashing the Power of IPv6

Ideal Vision

[Diagram labels: Corpnet; Server Resources; Websites; Internet]

Page 16: Unleashing the Power of IPv6

Why are we doing it?

End-user goals
• Same experience accessing corporate resources anywhere (Intranet or Internet or any remote location)

IT-Administrator goals
• Lower TCO than VPN
• Better management of remotely connected devices
• End-to-end security

Microsoft goals
• Reduced need for classic thick edge
• Improve customer (end-user and IT-admin) experience
• Be the industry leader in remote access and network security

Page 17: Unleashing the Power of IPv6

How does Direct Access work?

The Direct Access Server

Page 18: Unleashing the Power of IPv6

The network of the Future

[Diagram labels: DNS; DAS; Corpnet; Server Resources; IPv6 Internet; IPv6 Corpnet]

Page 19: Unleashing the Power of IPv6

What happens at Client

Client tries to access *.corpnet.com
• Looks in provisioned list for DNS server(s) associated with corpnet.com suffix
• Connects with DNS server (using IPsec)
• IPv6 route is thru DAS
• Get target address from DNS server
• Registers its own address with DNS

Client tries to connect to target
• IPv6 route again thru DAS
• IPsec is required

Page 20: Unleashing the Power of IPv6

What happens at DAS/DNS

• DAS lets thru AuthIP packets from client to DNS
  • IPsec DOS Protection
• After negotiation, DAS lets ESP packets thru between client and DNS
• DNS returns target address information to client
• DNS registers client's current address information
• DAS lets thru AuthIP packets from client to target
• After negotiation, DAS lets ESP packets thru between client and target

Page 21: Unleashing the Power of IPv6

Configuring for Direct Access

Client
• Receives configuration while directly connected to corpnet (provisioning) via Group Policy
• NAP used to check configuration and health when remotely connected

Server
• Direct Access wizard to set up Direct Access Server(s)
• Policies controlled via Group Policy

Page 22: Unleashing the Power of IPv6

Now to the real world

Internet not yet IPv6
• Client behind NAT on IPv4 internet
• Client directly on IPv4 internet
• Client behind 3rd party firewall (and probably NAT)

Corpnet not yet IPv6 with IPsec
• IPv6 capable, but not all machines have IPsec enabled
• IPv4 network, machines are dual-stack (Vista+)
• IPv4 only machines may be on network

Page 23: Unleashing the Power of IPv6

Client directly on IPv4 Internet

[Diagram labels: DAS (6to4 relay); 6to4 Tunnel Between Client and DAS; IPv4-only Internet]

Page 24: Unleashing the Power of IPv6

Client behind NAT on IPv4 Internet

[Diagram labels: IPv4-only Internet; DAS (Teredo Relay); Teredo Server; Teredo Tunnel between client and Teredo Server and DAS]

Page 25: Unleashing the Power of IPv6

Client behind 3rd party firewall on IPv4 Internet

[Diagram labels: IP-TLS tunnel Between client And DAS; IPv4-only Internet; DAS (IP-TLS relay)]

Page 26: Unleashing the Power of IPv6

IPv6+IPsec capable resource, on IPv4 network

[Diagram labels: Corpnet Resource Supporting IPv6+IPsec; DAS; To Internet; IPv4-only Corpnet; ISATAP tunnel]

Page 27: Unleashing the Power of IPv6

IPv6 capable resource, but no encryption

[Diagram labels: Dynamic Tunnel Endpoint; DAS; To Internet; IPv4-only Corpnet; ISATAP tunnel; Corpnet Resource Supporting IPv6 with No encryption]
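
The 6to4, Teredo and ISATAP tunnels used on the preceding slides each embed an IPv4 address in the IPv6 address they assign, so tunneled hosts can be inventoried from address logs. The sketch below is an added example, not part of the original presentation; the function names and the constructed sample addresses are assumptions, and the prefixes come from RFC 3056, RFC 4380 and RFC 5214 rather than from the slides.

```python
import ipaddress
from collections import Counter

# ISATAP interface identifiers: 0000:5efe (private IPv4) or 0200:5efe
# (globally unique IPv4), followed by the 32-bit IPv4 address (RFC 5214).
ISATAP_IID_PREFIXES = (0x00005EFE, 0x02005EFE)


def classify_transition(addr):
    """Return (mechanism, embedded IPv4 details) for one IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    if ip.teredo is not None:  # 2001:0000::/32, RFC 4380
        server, client = ip.teredo  # client IPv4 is stored XOR 0xffffffff
        return "teredo", {"server": str(server), "client": str(client)}
    if ip.sixtofour is not None:  # 2002::/16, RFC 3056
        return "6to4", {"ipv4": str(ip.sixtofour)}
    raw = int(ip)
    if ((raw >> 32) & 0xFFFFFFFF) in ISATAP_IID_PREFIXES:
        return "isatap", {"ipv4": str(ipaddress.IPv4Address(raw & 0xFFFFFFFF))}
    return "native", {}


def inventory(addresses):
    """Count how many addresses use each mechanism."""
    return Counter(classify_transition(a)[0] for a in addresses)


# Constructed sample addresses (documentation ranges only).
SAMPLE = [
    "2002:c633:6407::1",                    # 6to4, embeds 198.51.100.7
    "2001:0:c000:201:8000:ffff:34ff:8efa",  # Teredo, server 192.0.2.1
    "fe80::5efe:c000:221",                  # ISATAP link-local, 192.0.2.33
    "2001:db8::200:5efe:c633:6407",         # ISATAP, global-unique bit set
    "2001:db8::1",                          # native
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a, classify_transition(a))
    print(dict(inventory(SAMPLE)))
```

The ISATAP match is a heuristic on the interface identifier, so a manually assigned native address with the same bit pattern would also be flagged.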

Page 28: Unleashing the Power of IPv6

IPv4-Only Resource

[Diagram labels: NAT-PT; DAS; To Internet; DTE; IPv4-only Corpnet; IPv4-only Corpnet Resource]

Page 29: Unleashing the Power of IPv6

Server and Domain Isolation

Dynamically segment your Windows environment into more secure and isolated logical networks based on policy

Domain Isolation
• Protect managed computers from unmanaged or rogue computers and users

Server Isolation
• Protect specific high-value servers and data

[Diagram labels: Labs; Unmanaged guests]

Page 30: Unleashing the Power of IPv6

Policy-Based Network Access Protection

Network Access Protection
Policy-based solution that
• Validates whether computers meet health policies
• Limits access for noncompliant computers
• Automatically remediates noncompliant computers
• Continuously updates compliant computers to maintain health state

Solution Highlights
• Standards-based
• Plug and Play
• Works with most devices
• Supports multiple antivirus solutions
• Has become the standard for Network Access Control

[Diagram label: Intranet]

Page 31: Unleashing the Power of IPv6
Page 32: Unleashing the Power of IPv6

More Information

• IPv6, ISATAP, Teredo: www.microsoft.com/ipv6
• Free e-book on IPv6: http://csna01.libredigital.com/?urws8un4p7

Page 33: Unleashing the Power of IPv6

© 2008 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.