IPv6 has been “the next generation of TCP/IP protocols” for so long that you can be forgiven for thinking that it will never be useful. However, with Windows 7, Microsoft has finally given network administrators a reason to consider using IPv6.
First, some background. IPv6, a.k.a. RFC 2460, was created back in 1998 to give network administrators more network addresses than they could possibly use. It was widely predicted that the Internet would soon run out of 32-bit IPv4 addresses. IPv6, with its 128-bit addresses and the resulting astronomical address range, seemed the perfect answer.
It wasn’t. Both the Internet and the vast majority of American and European business users elected to stay with the legacy IPv4 network. To get around the much-predicted Internet IPv4 address famine, people turned to network address translation (NAT) and Dynamic Host Configuration Protocol (DHCP). With this combination, thousands of corporate PCs can have their own internal IPv4 addresses while using up only a single IP address, as far as the Internet is concerned.
While Internet administrators were working out this (and other) ways to deal with the shortage of IPv4 addresses, Microsoft was tinkering with IPv6 in Windows. The protocol was available as a little-used test protocol in Windows 2000. By the time Windows XP and Windows 2003 rolled out, IPv6 was built into the operating systems.
That didn’t mean, however, that IPv6 was used. Today, all modern operating systems make IPv6 available, but it’s still deployed in very few networks.
Windows 7, when used with Server 2008 R2, may finally give enterprise network administrators a reason to deploy IPv6: DirectAccess. In addition, small office/home office and small business users must use IPv6 to use HomeGroup for local file, media, and printer sharing.
The Basics of DirectAccess
DirectAccess combines IPv6 with Internet Protocol security (IPSec) to provide a high-speed and ultra-secure Virtual Private Network (VPN). To use DirectAccess, you need both Windows 7 on the client side and Server 2008 R2 on the server end.
DirectAccess brings two things to the corporate network table. The first is the usual goodies that come with VPN: a secure network connection that can authenticate remote users and give them access to intranet resources.
In addition, DirectAccess can be integrated with Network Access Protection (NAP). NAP, which was introduced in its current version in Windows Server 2008, automatically checks that a remote PC has up-to-date software and the proper policy-set security settings. If need be, NAP can update the computer and reset its security. So, for example, with DirectAccess and NAP, you can not just block a non-compliant PC from your intranet; you can automatically patch it, add the corporate standard anti-virus client, and set it to your desired security settings.
Those are reasons enough for many network administrators to start using DirectAccess, but there’s more. With DirectAccess, you can also boost both the client and your data-center’s network performance. This works by separating corporate traffic from Internet traffic. With DirectAccess, only business network traffic actually starts from or goes to the corporate servers. Ordinary Internet traffic, say a Google search, is never routed through the corporate gateway.
The result is a net speed boost for both the Windows 7 client and the data center’s network traffic. The client no longer needs to wait for run-of-the-mill Internet transactions to run through the data center. In turn, the data center’s switches don’t need to waste their bandwidth on these transactions. With an ordinary VPN, all traffic is routed through the corporate gateway.
You don’t have to have native IPv6 running on your network to use DirectAccess. Windows 7 and Server 2008 R2 include support for IP-HTTPS. This is a tunneling protocol that hides IPv6 packets inside the traffic of an IPv4-based HTTPS session. It provides the necessary IPv6 support and helps your company’s PCs make connections through a Web proxy server or a firewall that might block an ordinary VPN connection.
In the past, you may have used 6to4, Teredo, and other IPv6 transition technologies to tunnel IPv6 traffic across the IPv4 Internet. These are still available. Indeed, Windows 7 will try to connect first with these older technologies. But IP-HTTPS avoids the proxy and firewall setting problems that could sometimes stop these earlier technologies in their tracks.
You can also force Windows 7 to use IP-HTTPS with the Force Tunneling option. Personally, this is the way I’d set up my clients since it should ensure a faster initial connection.
What About HomeGroup?
HomeGroup, which isn’t meant to be used over the Internet, doesn’t have to deal with this kind of traffic management. Very small businesses that don’t require Active Directory (AD) services or management may find HomeGroup a useful alternative to the older domain or Workgroup peer-to-peer style networking.
However, before switching your small network to HomeGroup, there are several possible “gotchas” to keep in mind. First, generally speaking, HomeGroup is a Windows 7-only technology. Without manually setting up a Windows 7 system as a mini-server in its own right, non-Windows 7 systems will be unable to access a HomeGroup PC’s resources.
While you can set up a HomeGroup PC to share its resources with Windows XP, Windows Vista, Mac OS X, and even Linux systems, it’s not easy to do. If you need to go to that much trouble to share resources, you’re better off using real servers, such as Windows 2003, Windows Server 2008 or Linux running Samba.
You should also keep in mind that while you can join a HomeGroup with any edition of Windows 7, you can only create one in Home Premium, Professional, Ultimate, or Enterprise. So, in short, you can’t use it as a drop-in replacement for an existing Windows XP peer-to-peer Workgroup network in which every PC shares all its resources with the others.
Some users who’ve already been using IPv4 may also have trouble turning IPv6 on for their HomeGroup. Typically, this is what happens: they try to enable IPv6 by opening Network Connections in the Control Panel, right-clicking the adapter, and clicking Properties. Under “Local Area Connection Status” they see:
IPv4 Connectivity: Internet
IPv6 Connectivity: No network access
If that happens to you, you probably need to manually set up IPv6. This is done, according to Microsoft, with the following steps:
- Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.
- In the User Account Control dialog box, click Continue.
- In Registry Editor, locate and then click the following registry subkey:
- Double-click DisabledComponents to modify the DisabledComponents entry.
- Type 0 (zero) to enable all IPv6 components, and then click OK.
Note: If the DisabledComponents entry is unavailable, you must create it. To do this, follow these steps:
- In the Edit menu, point to New, and then click DWORD (32-bit) Value.
- Type DisabledComponents, and then press ENTER.
Other IPv6 Problems and Conclusions
If you are already using Windows 7’s IPv6 on a network with other operating systems that use the protocol, you may run into some compatibility problems. The root of this is that Windows 7 handles IPv6 auto-configuration with the Neighbor Discovery Protocol (NDP) in a manner that’s not quite the same as how the RFC standards prescribe it. You can get around this by disabling Microsoft’s take on how IPv6 addresses are assigned with the command:
netsh interface ipv6 set global randomizeidentifiers=disabled
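To make the two fixes above (the DisabledComponents registry steps and the netsh command) auditable and repeatable, here is an added PowerShell script that is not part of the original article. It assumes the DisabledComponents value lives under the standard Tcpip6 parameters key (the article omits the path), that netsh prints English output, and it reads the value’s bit meanings from Microsoft’s documentation of that setting; run it in an elevated PowerShell prompt, without -Fix to report only, with -Fix to apply the article’s settings.

```powershell
# Added example (not from the article): audit and optionally apply the Windows 7
# IPv6 settings discussed above. Run elevated. Assumptions: standard Tcpip6 key
# path (the article omits it) and English-language netsh output.
param([switch]$Fix)

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

function Get-DisabledComponents {
    $item = Get-ItemProperty -Path $Key -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: all components enabled by default
    return [uint32]$item.DisabledComponents
}

function Describe-DisabledComponents([uint32]$v) {
    # Bit meanings per Microsoft's documentation of the DisabledComponents value.
    if ($v -eq 0) { return 'all IPv6 components enabled' }
    if (($v -band 0xFF) -eq 0xFF) { return 'IPv6 disabled except loopback' }
    $flags = @()
    if ($v -band 0x01) { $flags += 'tunnel interfaces (6to4/ISATAP/Teredo/IP-HTTPS) disabled' }
    if ($v -band 0x10) { $flags += 'IPv6 on non-tunnel interfaces disabled' }
    if ($v -band 0x20) { $flags += 'IPv4 preferred over IPv6' }
    return ($flags -join '; ')
}

function Get-RandomizeIdentifiers {
    # netsh prints a line such as "Randomize Identifiers    : enabled"
    $line = (netsh interface ipv6 show global | Select-String -Pattern 'Randomize Identifiers').Line
    if ($line -match ':\s*(\w+)') { return $Matches[1].ToLower() }
    return 'unknown'
}

$dc = Get-DisabledComponents
if ($null -eq $dc) { Write-Host 'DisabledComponents: not present (defaults apply)' }
else { Write-Host ('DisabledComponents: 0x{0:X2} ({1})' -f $dc, (Describe-DisabledComponents $dc)) }
Write-Host "Randomize Identifiers: $(Get-RandomizeIdentifiers)"

if ($Fix) {
    # Article step: set (or create) DisabledComponents = 0 to enable all IPv6 components.
    New-ItemProperty -Path $Key -Name DisabledComponents -PropertyType DWord -Value 0 -Force | Out-Null
    # Article step: stop Windows randomizing interface identifiers for NDP compatibility.
    netsh interface ipv6 set global randomizeidentifiers=disabled | Out-Null
    Write-Host 'Applied. A restart is needed for the DisabledComponents change to take effect.'
}
```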
Last, but not least, if you’re using older routers or switches, you may find some that can’t handle IPv6 traffic at all. For the most part, so long as you continue to use IPv4 as well as IPv6, your PCs shouldn’t have trouble getting to the Internet or other corporate subnets.
So, is it worth it? I think so. For larger companies, with an investment in both Windows 7 and Server 2008 R2, DirectAccess offers a trio of valuable virtues: improved speed, security, and manageability. Smaller businesses may not find the arguments for IPv6 to be all that convincing. As for micro-businesses: While HomeGroup is a useful way to share resources, its Windows 7 limitations — combined with the abundance of perfectly good, low-cost substitutes such as Linux/Samba servers, older Windows peer-to-peer networking, and Network Attached Storage devices — don’t give them a strong reason to move to IPv6.