Ask the Experts: How Windows Vista Delivers IPv6
Preparing for the next generation in networking
The networking world has been buzzing on and off about Internet Protocol version 6 (IPv6) since the mid-1990s. In Asia, massive IPv6 deployments are underway in several countries, such as Japan, Korea and China. Not only will this alleviate the severe IPv4 address shortage, but it will also serve to leverage the end-to-end capabilities of the new protocol in delivering direct computer-to-computer communications without interruption from intermediary network address translations during these massive broadband and wireless deployments.
Japanese service providers and users are utilizing IPv6's increased address space and mobility for everything from streaming video to portable consumer devices and advanced building controls to more efficient dispatching of taxicabs based on readings from rain sensors.
In the U.S., the Federal Government has begun a massive transition process to IPv6 in order to meet new network requirements, and several carriers now offer IPv6 as a standard service offering. Still, there has been limited exposure to IPv6 for most companies and consumers. Microsoft is about to change all of that with the new release of Windows Vista and Windows Server code name "Longhorn," which will make using IPv6 practically as simple as turning on your computer.
A Brief History of IPv6
The Internet has revolutionized the way the world shares information and has radically impacted the way we do business and live our lives. Unfortunately, the original designers of the Internet never envisioned the extent to which the Internet would be used. The current protocol that forms the basis of the Internet (IPv4) was not designed to support the massive number of people and devices connected today, nor the increased functionality being demanded from it to enable advanced applications such as video, voice, mobility, and other new requirements that are likely to emerge in the next five to ten years.
In the early 1990s, the Internet Engineering Task Force (IETF), which sets the standards for the Internet, understood the problems associated with the limited address space in IPv4 and began work to develop a newer version of IP. During this process, the IETF decided not to stop at fixing the issue with the address space, but also expanded the functionality of IP. The solution that was agreed upon was IPv6 and the core protocols were adopted as the new Internet protocol in 1995.
Adoption of IPv6 has been slow over the past decade but has recently accelerated, particularly in Europe and Asia. Reports [1] based on information from the Number Resource Organization (NRO) indicate that IPv4 address space available from the Regional Internet Registries (RIRs) could be depleted within 2 years; furthermore, many developing nations cannot obtain the massive numbers of IP addresses necessary to support their user community. The US Department of Defense and Federal Government have implemented major programs for adopting IPv6 and plan to begin using it in their operational networks by 2008. With several carriers and Internet Service Providers (ISPs) implementing IPv6 in their networks and companies such as Microsoft including operating system and application support for IPv6, the IPv6 adoption rate will greatly accelerate in the U.S. over the next 24 months.
New Features/Functionality of IPv6
Expanding the available IP address space was critical, but was not the only driver in developing IPv6. Many new requirements were taken into account, based on the limitations of IPv4 and how the future of packet networking was perceived to be progressing. IPv6 was created with the goal of supporting convergence, which will provide ubiquitous support for voice, video and data services over a single IP infrastructure. In order to achieve this goal, many new or advanced features and functions were incorporated into IPv6, including:
- Increased Address Space: One of the major advantages of IPv6 is the massive increase in address space. The address space available in IPv6 is so great it is difficult to even provide a comparison on how much more address space there is in IPv6 versus IPv4. IPv4 has 4,294,967,296 IP addresses, whereas IPv6 has 340,282,366,920,938,463,463,374,607,431,768,211,456 (or 3.4 × 10^38) IP addresses. The increase in the globally routable address space will allow organizations to move away from using non-routable IP addresses with Network Address Translation (NAT) and start again utilizing applications in a true end-to-end environment. It will also allow the explosion of IP-enabled wireless devices to continue, where every user will have multiple IP addresses, and will increase the flexibility businesses and service providers have with developing and rolling out new services and applications.
- Stateless Autoconfiguration: Automatic IP configuration has been available in IPv4 in the form of DHCP and is also available in IPv6 in DHCPv6. However, the real step forward in IPv6 is with stateless autoconfiguration. Stateless autoconfiguration allows the devices to configure their own IPv6 addresses by communicating with a neighboring router. While stateless autoconfiguration will be beneficial for most environments, the concept is critical in networks that are mobile, ad-hoc and/or have a significant number of devices with limited management capability. An example is sensor-based networks that could include millions of remote, wireless devices that are accessible only on the network. Autoconfiguration will help companies lower their network administration costs and the resources required to maintain and move network devices. Although Automatic Private IP Addressing (APIPA) has some similar characteristics to autoconfiguration, it is very different. APIPA allocates an address from a specific range of IPv4 address space (169.254.0.1–169.254.255.254) when a DHCP server is not available. Address Resolution Protocol (ARP) is used to verify IP addresses are unique on the Local Area Network (LAN). Once a DHCP server is available, the IP addresses of the clients are updated automatically. APIPA addresses are only usable for the local subnet. Routing information is not provided to the host and APIPA addresses are not routed off the local subnet.
- Extension Headers: While the IPv6 header has been greatly simplified when compared to IPv4, extension headers are used to provide advanced functionality required at the header level in the IP packet. As the name suggests, they are simply incremental headers added to the base IPv6 header that provide tremendous flexibility for future capabilities. This method for adding functionality at the header level allows the base header to remain constant and deterministic, while allowing new capabilities to be phased in over time. These "extensions" to the protocol can determine behavioral characteristics at the infrastructure and routing level, or at the application level, providing dynamic, policy-based networking and user-defined end-to-end services. Extension headers provide enormous flexibility in the future development of services and applications by providing a standard framework to add new capabilities into IPv6. Business and service providers will be able to utilize extension headers in the future to leverage capabilities not already existing in IPv6.
- Mandatory Security: Although Internet Protocol security (IPsec) is available for IPv4, it is an add-on that has been primarily used for tunneling and network encryption for remote access Virtual Private Networks (VPNs) and connecting sites. Many organizations have begun exploring the use of IPsec on a wider basis, but obstacles, such as NAT, can make IPsec hard to deploy. With IPv6, IPsec is a mandatory part of the implementation and will provide for a common network layer security infrastructure as well as security services such as authentication, integrity, and confidentiality to be used as needed. The inclusion of IPsec will allow businesses to improve their security model and extend their security policies down to the host level and not just maintain an enclave mentality.
Significant work and diligence have extended the IPv4 address life through various policies and the use of NATs; however, recent reports show that IPv4 address exhaustion is imminent. A report prepared by the NRO [2] in conjunction with the regional Internet registries including African Network Information Center (AFRINIC), Asia Pacific Network Information Centre (APNIC), American Registry for Internet Numbers (ARIN), Latin American and Caribbean Internet Address Registry (LACNIC) and RIPE Network Coordination Centre (RIPE NCC) shows approximately 25% of IPv4 addresses remain for allocation. Although many organizations and carriers within the US and Europe may not have a short-term concern based on their current IPv4 address allocation pool, the exponential growth of IP-enabled devices coupled with the lack of available IPv4 address space will drive the migration to IPv6.
The way that IP addresses are represented has also changed. Under IPv4, IP addresses were represented by four octets, or 8-bit fields (0–255 for each field written in standard decimal notation), separated by decimal points. Examples of IPv4 addresses include:
With IPv6, IP addresses are typically represented by 16-bit fields (0–FFFF for each field written in hexadecimal notation) separated by colons. Examples of IPv6 addresses include:
In cases where multiple 0 blocks are part of the IPv6 address, "::" can be used once in an IPv6 address to shorten the notation. For example, fe80:0:0:0:0:70:77:26 is shortened as fe80::70:77:26.
The primary driver behind IP address allocation policies in IPv6 is not conservation of IP addresses, but more hierarchical and efficient routing. Internet routing tables are exceedingly large today under IPv4 and they could become excessively large if not tightly managed under IPv6. Using the concept of aggregation, the IPv6 address is thought of as two separate pieces brought together. The first 64 bits of the IPv6 address typically identify your network or "where you are" and the second 64 bits identify the device or "who you are." This not only supports the concept of hierarchical routing, but also plays a very large role in the ability for IPv6 devices to use autoconfiguration. But the implications of this type of allocation are enormous. This means that every LAN segment could potentially have 2^64 devices saying "who they are." Remember, the current Internet has a total of 2^32 addresses, so each subnet on the "New Internet of IPv6" would have several orders of magnitude more IP addresses available than the current Internet has today.
In addition to the technical changes in addressing, major IP allocation policy changes have occurred as well. Under IPv4, the RIRs, such as ARIN, have many policies in place to strictly limit and conserve the IPv4 address space. Under IPv6, the story is different. While the registries will manage the IPv6 address space efficiently, current guidelines from ARIN recommend Internet Service Providers (ISP) allocate 48-bit public address prefixes (with 2^16 subnets) for every site (home and business users) as the standard initial allocation. This would mean that every home user would be able to establish 65,536 subnets each with the potential for 2^64 devices on each subnet.
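The notation and allocation rules above can be checked in a few lines. This is an added example, not code from the article or from Microsoft: it applies the "::" rule to the article's fe80 address, compares spellings by value (what an ACL or log correlation has to do), splits an address at the 64-bit boundary, and works out the subnet arithmetic for a /48 site. The 2001:db8:1234::/48 site and the host address inside it are constructed from the documentation range, and all function names are illustrative.

```python
import ipaddress

def groups_of(text):
    """Parse any valid spelling of an address into its eight 16-bit groups."""
    value = int(ipaddress.IPv6Address(text))
    return [(value >> shift) & 0xFFFF for shift in range(112, -1, -16)]

def compress(groups):
    """Write eight groups in hex, replacing the longest zero run with "::" once."""
    best_start, best_len, i = 0, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = max(j, i + 1)
    text = [format(g, "x") for g in groups]
    if best_len < 2:  # a single zero group is written as "0", not "::"
        return ":".join(text)
    return ":".join(text[:best_start]) + "::" + ":".join(text[best_start + best_len:])

def same_address(a, b):
    """Compare by value: different spellings of one address must match in ACLs and logs."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)

def split_64(text):
    """Return (network prefix as a /64, 64-bit interface identifier)."""
    network = ipaddress.ip_network(f"{text}/64", strict=False)
    interface_id = int(ipaddress.IPv6Address(text)) & (2**64 - 1)
    return str(network), interface_id

def site_plan(site_prefix):
    """For a site allocation such as a /48: (number of /64 subnets, addresses per subnet)."""
    site = ipaddress.IPv6Network(site_prefix)
    return 2 ** (64 - site.prefixlen), 2 ** 64

def subnet_id(site_prefix, address):
    """Subnet number of an address inside the site: the bits between the site prefix and bit 64."""
    site = ipaddress.IPv6Network(site_prefix)
    addr = ipaddress.IPv6Address(address)
    if addr not in site:
        raise ValueError(f"{address} is outside {site_prefix}")
    return (int(addr) >> 64) & (2 ** (64 - site.prefixlen) - 1)

if __name__ == "__main__":
    print(compress(groups_of("fe80:0:0:0:0:70:77:26")))
    print(split_64("fe80::70:77:26"))
    print(site_plan("2001:db8:1234::/48"))
    print(subnet_id("2001:db8:1234::/48", "2001:db8:1234:1:211:22ff:fe33:4455"))
```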
Implementing and Using IPv6 in Windows Vista
One of the major issues with transitioning is that IPv6 is not backwards compatible with IPv4. Thus, a computer on the network operating with only IPv6 addresses cannot directly communicate with a computer on the network operating in IPv4 mode only; however, Microsoft's implementation of Windows Vista will solve a significant problem for agencies, businesses, educational institutions, ISPs, and consumers that want to transition to IPv6. Windows will be both IPv4- and IPv6-capable out of the box. This means that every computer running Windows Vista will be able to communicate across IPv4 and IPv6 networks at the same time. Windows Vista runs a single-stack, dual-IP layer architecture for easier deployment and manageability. This dual-IP layer approach will allow organizations to save money and resources by transitioning their organization's infrastructure to IPv6 over time without worrying about interoperability issues with their workstations.
If you want to access IPv6 resources and your network infrastructure does not support IPv6, don't worry: Windows Vista also builds in support for automated tunnels such as ISATAP and Teredo. If Windows Vista does not detect IPv6 within the network, it will try well-known IPv6 tunneling mechanisms. This means that anyone who installs Windows Vista or turns on a new computer with Windows Vista could have automatic access to IPv6-based Web sites and resources over an existing Internet or intranet connection, if their network administrators allow it—even if the enterprise's ISP does not support IPv6.
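Because these tunnels come up without user action, an administrator deciding whether to allow them first needs to see which hosts are using them. The following added example (not from the article or from Microsoft) classifies source addresses from a constructed log as Teredo, ISATAP or native. It relies on the address formats in the Teredo and ISATAP specifications rather than anything stated on this page: the 2001:0000::/32 Teredo prefix with the server address in the clear and the client port and address stored bit-inverted, and the 0000:5efe / 0200:5efe ISATAP interface identifier followed by the IPv4 address. Host names and addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample: "<hostname> <IPv6 source address>" per line.
SAMPLE_LOG = """\
ws-014 2001:0:c000:201:8000:63bf:34ff:8ef6
ws-022 fe80::5efe:c000:24d
ws-031 2001:db8:1234:1:211:22ff:fe33:4455
"""

def classify(text):
    """Return (kind, details) for one IPv6 address string."""
    value = int(ipaddress.IPv6Address(text))
    iid = value & (2**64 - 1)                      # low 64 bits: interface identifier
    if (value >> 96) == 0x20010000:                # Teredo prefix 2001:0000::/32
        return "teredo", {
            "server": str(ipaddress.IPv4Address((value >> 64) & 0xFFFFFFFF)),
            # Client port and address are stored with every bit inverted.
            "client": str(ipaddress.IPv4Address((iid & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
            "udp_port": ((iid >> 32) & 0xFFFF) ^ 0xFFFF,
        }
    if ((iid >> 32) & 0xFDFFFFFF) == 0x00005EFE:   # ISATAP: 0000:5efe or 0200:5efe
        return "isatap", {"ipv4": str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))}
    return "native", {}

def scan(log_text):
    """Return (host, kind, details) for every line whose address is a tunnel address."""
    findings = []
    for line in log_text.splitlines():
        host, addr = line.split()
        kind, details = classify(addr)
        if kind != "native":
            findings.append((host, kind, details))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The embedded IPv4 addresses are what make the result actionable: they tie a tunnelled IPv6 flow back to the IPv4 host and relay that an existing firewall or proxy log already records.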
IPv6 will be dominant in Windows Vista. What does this mean? If you have the option of using either IPv4 or IPv6 for a particular application, then Windows Vista will default to using IPv6. Again, this allows organizations to transition to IPv6 at their own pace, without costly reconfiguration of every workstation. When applications are upgraded to IPv6, users will be able to automatically access those new features with IPv6 without having to do anything, since Windows Vista will utilize IPv6 by default. Of course, this can be configured by the administrator.
Microsoft has a strong focus on security, too. Windows Vista includes IPsec and a built-in host-based firewall that works for both IPv4 and IPv6. IPsec can be used to protect traffic sent over the network as well as to authenticate connections coming into the workstation. Microsoft has introduced a concept called Domain Isolation, which will allow organizations to develop “zones of trust,” where only trusted computers can communicate with each other. All other connections attempted will be dropped and will not be visible to untrusted users. Microsoft has also introduced the concept of Server Isolation that allows only trusted domains or subsets of domains to connect to specific servers.
Business Drivers for Using IPv6 and Windows Vista
IPv6 has already been deployed as a common approach in many countries in Asia to solve a variety of problems, but most notably the shortage of IPv4 addresses. The deployment of IPv6 is taking off in conjunction with the extensive deployment of broadband and wireless technologies in countries such as Japan and Korea. A recent report from NIST [3] estimates that IPv6 could provide a US$10 billion per year benefit to the U.S. and the Japanese government estimates that IPv6 could generate a value of US$1.55 trillion. The future business drivers for moving to IPv6 are substantial, with the ability to cost-effectively support tens of billions of Internet-based devices to enable the explosion of new peer-to-peer multimedia services. Some of the short term business drivers for using IPv6 and Windows Vista include:
- Application Development: A great improvement in the overall support for IPv6 is the new WinFX API developed by Microsoft. The API includes many additional features that make developing peer-to-peer and other types of end-to-end applications that support IPv6 environments easier. Creating and deploying applications that utilize the functionality and structure of the WinFX API will be critical for both application developers and companies to stay in touch with the latest capabilities offered in Windows Vista.
- Security: One of the most significant security issues organizations face today is the lack of protection on their internal networks. Most organizations establish security at network boundary locations and utilize tools such as firewalls and intrusion detection systems to implement their security policy. Unfortunately, this leaves a majority of their internal network open to malicious or accidental attacks from users or compromised devices from within their enterprise. Since IPsec is a mandatory part of IPv6, it provides developers, service providers and enterprises with a ubiquitous security infrastructure to leverage in implementing their overall security solutions. The use of IPsec, in conjunction with the Server and Domain Isolation techniques deployed in Windows Vista, will allow organizations to increase their security posture and provide a greater degree of protection for their critical IT resources. This will result in greater protection and reduce the overall IT costs by limiting the number of security incidents the IT staff will need to recover from.
- Simplified Network: IPv6 allows the network architecture to become more simplified and will eventually reduce the overall cost of management and support in the enterprise. The use of NATs and other devices within IPv4 to work around the limited address space has become a significant cost to enterprise network administrators, application developers and service providers. A recent report released by NIST [4] estimates that 30% of all IT costs are directly or indirectly related to the use of NATs. Moving to IPv6 with enough globally routed addresses would simplify and significantly reduce the cost of deploying end-to-end applications such as Voice over IP (VoIP) and open the potential for leveraging other applications to improve customer service, employee communications, video conferencing and entertainment.
- Easier Network Management: The use of IPv6 functionality such as autoconfiguration and neighbor discovery removes the need for manual configuration or the use of DHCP. This not only reduces the staffing required to manage the network, it also limits the opportunity for misconfigurations.
The need to transition to IPv6 is becoming more urgent with the depletion of the IPv4 address space, and the massive number of new Internet-enabled devices supporting voice, video and data. Major IPv6 transition efforts are underway in Asia, Europe and North America. Windows Vista provides significant advances necessary to support the transition to IPv6. The new capabilities provided under Windows Vista will allow for more advanced applications, and will support the movement forward with the tools necessary to make networks more secure during the transition to IPv6.
About the Author
Dale Geesey is VP of Consulting at v6 Transition. He has written several articles on IPv6 for the 6Sense newsletter (available at www.usipv6.com), hosted multiple Federal CIO IPv6 Transition Workshops, been a speaker at the U.S. IPv6 Summit and recently published a report entitled The IPv6 Best Practices World Report: A Guide for Federal Agencies Transitioning to IPv6. For more information about Dale or IPv6, go to www.v6transition.com or contact him at Dale@v6transition.com.