Dec 21, 2009

IPv6 has been “the next generation of TCP/IP protocols” for so long that you can be forgiven for thinking that it will never be useful. However, with Windows 7, Microsoft has finally given network administrators a reason to consider using IPv6.

First, some background. The reason why IPv6, a.k.a. RFC 2460, was created back in 1998 was to give network administrators more network addresses than they could possibly use. It was widely predicted that the Internet would soon run out of IPv4 32-bit addresses. IPv6, with its 128-bit addresses and the resulting astronautical address range seemed the perfect answer.

It wasn’t. Both the Internet and the vast majority of American and European business users elected to stay with the legacy IPv4 network. To get around the much-predicted Internet IPv4 address famine, people turned to network address translation (NAT) and Dynamic Host Configuration Protocol (DHCP). With this combination, thousands of corporate PCs can have their own internal IPv4 addresses while using up only a single IP address, as far as the Internet is concerned.

While Internet administrators were working out this and other ways to deal with the shortage of IPv4 addresses, Microsoft was tinkering with IPv6 in Windows. The protocol was available as a little-used test protocol in Windows 2000. By the time Windows XP and Windows Server 2003 rolled out, IPv6 was built into the operating systems.

That didn’t mean, however, that IPv6 was used. Today, all modern operating systems make IPv6 available, but it’s still deployed in very few networks.

Windows 7, when used with Server 2008 R2, may finally give enterprise network administrators a reason to deploy IPv6: DirectAccess. In addition, small office/home office and small business users must use IPv6 to use HomeGroup for local file, media, and printer sharing.

The Basics of DirectAccess

DirectAccess combines IPv6 with Internet Protocol security (IPSec) to provide a high-speed and ultra-secure Virtual Private Network (VPN). To use DirectAccess, you need both Windows 7 on the client side and Server 2008 R2 on the server end.

DirectAccess brings two things to the corporate network table. The first is the usual goodies that come with VPN: a secure network connection that can authenticate remote users and give them access to intranet resources.

In addition, DirectAccess can be integrated with Network Access Protection (NAP). NAP, which was introduced in its current version in Windows Server 2008, automatically checks that a remote PC has up-to-date software and the proper policy-set security settings. If need be, NAP can update the computer and reset its security. So, for example, with DirectAccess and NAP, you can not just block a non-compliant PC from your intranet; you can automatically patch it, add the corporate standard anti-virus client, and set it to your desired security settings.

Those are reasons enough for many network administrators to start using DirectAccess, but there’s more. With DirectAccess, you can also boost both the client and your data-center’s network performance. This works by separating corporate traffic from Internet traffic. With DirectAccess, only business network traffic actually starts from or goes to the corporate servers. Ordinary Internet traffic, say a Google search, is never routed through the corporate gateway.

The result is a net speed boost for both the Windows 7 client and for the data center’s network traffic. The client no longer needs to wait for run-of-the-mill Internet transactions to run through the data center. In turn, the data center’s switches don’t need to waste their bandwidth on these transactions. With an ordinary VPN, all traffic is routed through the corporate gateway.

You don’t have to have native IPv6 running on your network to use DirectAccess. Windows 7 and Server 2008 R2 include support for IP-HTTPS. This is a tunneling protocol that encapsulates IPv6 packets inside the traffic of an IPv4-based HTTPS session. It provides the necessary IPv6 transport and helps your company’s PCs make connections through a Web proxy server or a firewall that might block an ordinary VPN connection.

In the past, you may have used 6to4 and Teredo and other IPv6 transition technologies to tunnel IPv6 traffic across the IPv4 Internet. These are still available. Indeed, Windows 7 will try to connect first with these older technologies. But IP-HTTPS avoids the proxy and firewall setting problems that could sometimes stop these earlier technologies in their tracks.

You can also force Windows 7 to use IP-HTTPS with the Force Tunneling option. Personally, this is the way I’d set up my clients since it should ensure a faster initial connection.

What About HomeGroup?

HomeGroup, which isn’t meant to be used over the Internet, doesn’t have to deal with this kind of traffic management. Very small businesses that don’t require Active Directory (AD) services or management may find HomeGroup a useful alternative to the older domain or Workgroup peer-to-peer style networking.

However, before switching your small network to HomeGroup, there are several possible “gotchas” to keep in mind. First, generally speaking, HomeGroup is a Windows 7-only technology. Without manually setting up a Windows 7 system as a mini-server in its own right, non-Windows 7 systems will be unable to access a HomeGroup PC’s resources.

While you can set up a HomeGroup PC to share its resources with Windows XP, Windows Vista, Mac OS X, and even Linux systems, it’s not easy to do. If you need to go to that much trouble to share resources, you’re better off using real servers, such as Windows 2003, Windows Server 2008 or Linux running Samba.

You should also keep in mind that while you can join a HomeGroup with any edition of Windows 7, you can only create one in Home Premium, Professional, Ultimate, or Enterprise. So, in short, you can’t use it as a drop-in replacement for an existing Windows XP peer-to-peer Workgroup network in which every PC shares all its resources with the others.

Some users who’ve already been using IPv4 may also have trouble turning IPv6 on for their HomeGroup. Typically, this is what happens: they try to enable IPv6 by opening Network Connections in the Control Panel, right-clicking the adapter, and clicking Properties. Under “Local Area Connection Status” they see:

IPv4 Connectivity: Internet
IPv6 Connectivity: No network access

If that happens to you, you probably need to manually set up IPv6. This is done, according to Microsoft, with the following steps:

  1. Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.
  2. In the User Account Control dialog box, click Continue.
  3. In Registry Editor, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
  4. Double-click DisabledComponents to modify the DisabledComponents entry.
  5. Note: If the DisabledComponents entry is unavailable, you must create it. To do this, follow these steps:

    • In the Edit menu, point to New, and then click DWORD (32-bit) Value.
    • Type DisabledComponents, and then press ENTER.
    • Double-click DisabledComponents.
  6. Type 0 (Zero) to enable all IPv6 components, and then click OK.
  7. Reboot.

Other IPv6 Problems and Conclusions

If you are already using Windows 7’s IPv6 on a network where other operating systems also use the protocol, you may run into some compatibility problems. The root of this is that Windows 7 handles IPv6 auto-configuration with the Neighbor Discovery Protocol (NDP) in a manner that’s not quite what the RFC standards prescribe. You can get around this by disabling Microsoft’s randomized interface identifiers with the command:

netsh interface ipv6 set global randomizeidentifiers=disabled
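The two fixes described on this page (the DisabledComponents registry value from the HomeGroup section and the netsh randomizeidentifiers command above) can be checked and applied from one script. The following PowerShell is an added example, not code from the original article or from Microsoft; it assumes an elevated prompt, English-language netsh output, and uses the DisabledComponents bit meanings Microsoft documents for that DWORD.

```powershell
# Added example, not from the original article: audit the two Windows 7 IPv6
# settings the article discusses and, with -Fix, apply its remedies.
# Assumes an elevated PowerShell prompt and English-language netsh output.
param([switch]$Fix)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

# 1. DisabledComponents: 0 (or no value at all) enables every IPv6 component.
#    The bit meanings below are the ones Microsoft documents for this DWORD.
$dc = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if ($null -eq $dc) {
    Write-Host 'DisabledComponents: not present (all IPv6 components enabled)'
} else {
    Write-Host ('DisabledComponents: 0x{0:X8}' -f $dc)
    if ($dc -band 0x01) { Write-Host '  - tunnel interfaces (6to4, ISATAP, Teredo) disabled' }
    if ($dc -band 0x10) { Write-Host '  - IPv6 on native (non-tunnel) interfaces disabled' }
    if ($dc -band 0x20) { Write-Host '  - IPv4 preferred over IPv6 in prefix policy' }
    if ($Fix -and $dc -ne 0) {
        Set-ItemProperty -Path $key -Name DisabledComponents -Value 0 -Type DWord
        Write-Host '  -> DisabledComponents set to 0; reboot to apply'
    }
}

# 2. Randomized interface identifiers, the NDP/auto-configuration behaviour
#    the article says can trip up non-Windows IPv6 hosts on the same segment.
$line = netsh interface ipv6 show global | Select-String 'Randomize Identifiers'
if ($line) {
    Write-Host ('netsh: ' + ($line.Line -replace '\s+', ' ').Trim())
    # 'disabled' also contains 'enabled', so anchor the match on the colon.
    if ($Fix -and $line.Line -match ':\s*enabled') {
        netsh interface ipv6 set global randomizeidentifiers=disabled | Out-Null
        Write-Host '  -> randomizeidentifiers disabled'
    }
}

# 3. Quick connectivity view: list non-link-local IPv6 addresses per adapter
#    via WMI, which is available on Windows 7 without extra modules.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    ForEach-Object {
        $v6 = @($_.IPAddress | Where-Object { $_ -like '*:*' -and $_ -notlike 'fe80:*' })
        $state = if ($v6.Count -gt 0) { $v6 -join ', ' } else { 'link-local only' }
        Write-Host ('{0}: {1}' -f $_.Description, $state)
    }
```

Run it once without -Fix to see the current state, then with -Fix to apply the article's two changes; the registry change still needs the reboot the article calls for.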

Last, but not least, if you’re using older routers or switches, you may find some that can’t handle IPv6 traffic at all. For the most part, so long as you continue to use IPv4 as well as IPv6, your PCs shouldn’t have trouble getting to the Internet or other corporate subnets.

So, is it worth it? I think so. For larger companies, with an investment both in Windows 7 and Server 2008 R2, DirectAccess offers a trio of valuable virtues: improved speed, security, and manageability. Smaller businesses may not find the arguments for IPv6 to be all that convincing. As for micro-businesses: While HomeGroup is a useful way to share resources, its Windows 7 limitations — combined with the abundance of perfectly good, low-cost substitutes such as Linux/Samba servers, older Windows peer-to-peer networking, and Network Attached Storage devices — doesn’t give them a strong reason to move to IPv6.


COMMENTS

  • [...] Schindler writes “According to this article at IT Expert Voice, Windows 7 and IPv6: Useful at Last?, we’ve had so many predictions that this will be ‘the year of IPv6′ that most of [...]

  • Dec 23, 2009 | Brian says:

    In the first paragraph ….128-bit addresses and the resulting astronautical address range… ? Astronomical maybe? Just makes the author look stupid. Have someone else proof read next time.

  • Dec 23, 2009 | lcw says:

    “With an ordinary VPN, all traffic is routed through the corporate gateway.”

    The routing of VPN traffic is a policy decision of the company. Many allow "split-tunneled" VPN's, where Internet traffic bypasses the VPN.

    There are several reasons organizations cite for not wanting this:
    * A split-tunnel could theoretically allow a VPN-attached PC to be pwned, providing an active path from Internet hacker to corporate network.
    * The organization wants to leverage its expensive head-end firewalls, URL filters, and log analyzers.
    * Social engineering. The organization wants the employee to clearly separate work from non-work activities.

  • [...] 2009-12-22 20:54:26 · Reply · View TMEubanks: Windows 7 and IPv6: Useful at Last? http://itexpertvoice.com/home/windows-7-and-ipv6-useful-at-last/ DirectAccess : an IPv6 IPSEC VPN #ietf 2009-12-22 20:54:17 · Reply · View [...]

  • Dec 23, 2009 | Justin says:

    So basically Windows DirectAccess and NAP = free version of Cisco VPN and Clean Access?

  • [...] It is about the ad hoc connections that can be set up via IPv6 and IPSEC. That sounds interesting, but I can’t imagine that Microsoft DirectAccess will contribute much to the spread of IPv6 addresses on a large scale. (->itexpertvoice) [...]

  • You raise good points regarding split tunneling concerns (and our policy currently prohibits this while VPN is active). The good news is that apparently there are some capabilities to deny split tunneling –

    <snip> "IT Simplification and Cost Reduction. DirectAccess uses split-tunnel routing, which reduces unnecessary traffic on the corporate network by sending only traffic destined for the enterprise network through the DirectAccess server. Optionally, IT can disable split-tunnel routing to send all traffic through the corporate network."

    Source: Windows 7 and Windows Server 2008 R2 DirectAccess Executive Overview
    http://audio.federalnewsradio.com/temp/DirectAcce…

  • Dec 28, 2009 | networker says:

    Check out Gbridge; you can get the DirectAccess feature instantly while you don’t need to worry about IPv6 or IPv4 or NAT.

  • [...] To counterbalance all that optimism, professional system administrators from LOPSA and Sophos’ Wisniewski share similar security concerns about DirectAccess. They’re also concerned about getting tangled in implementing IPv6 — technology that’s far from broadly understood, let alone adopted. IPv6 is designed as the next-generation replacement for Internet Protocol Version 4, which is still the predominant implementation but which eventually will run out of address space. For more on DirectAccess and IPv6, especially the IPv6 techie details, see Windows 7 and IPv6: Useful at Last? [...]

  • [...] the user wants to connect to his corporate office in a secure manner, and so has VPN.  With ‘Split Tunneling‘ enabled, the user can sit at his machine at home, and all [...]

  • [...] with Network Address Translation (NAT), Virtual Private Network (VPN), and a stateful firewall for both IPv4 and IPv6. It can also act as a router for both TCP/IP protocols. Vyatta Core also includes [...]

  • [...] us, it’s about to break. We can no longer afford to be either lazy or cheap. Like it or not, it’s time to upgrade your network infrastructure to IPv6 or you’ll face the daunting prospect of paying premium prices for an IPv4 [...]

IT Expert Voice is a partnership between Dell and Federated Media.