Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows 7 May Finally Get IPv6 Deployed

Posted by kdawson on from the whatever-it-takes dept.

Esther Schindler writes "According to this article at IT Expert Voice, Windows 7 and IPv6: Useful at Last?, we've had so many predictions that this will be 'the year of IPv6' that most of us have stopped listening. But the network protocol may have new life breathed into it because IPv6 is a requirement for DirectAccess. DirectAccess, a feature in Windows 7, makes remote access a lot easier — and it doesn't require a VPN. (Lisa Vaas interviews security experts and network admins to find out what they think of that idea.) The two articles examine the advantages and disadvantages of DirectAccess, with particular attention to the possibility that Microsoft's sponsorship may give IPv6 the deployment push it has lacked."

17 of 283 comments (clear)

  1. Re:IPv6 addresses are overly complex by kennedy · · Score: 5, Insightful

    Uhh... 3 letters for you. D.N.S.

  2. Re:IPv6 addresses are overly complex by johnw · · Score: 4, Funny

    Why type either? You should look at getting DNS up and running on your systems. It's a bit cutting edge, but well worth it.

  3. Re:Why? by Anonymous Coward · · Score: 5, Informative

    You don't need NAT to run a firewall that has the same security functionality as NAT

  4. Another Genuine Advantage ? by mbone · · Score: 3, Insightful

    I have to say that this is what struck my eye :

    In addition, DirectAccess can be integrated with Network Access Protection (NAP). NAP, which was introduced in its current version in Windows Server 2008, automatically checks that a remote PC has up-to-date software and the proper policy-set security settings.

    OK, it checks for software status, which I guess is cool, but what makes me suspect that there is a "Refuse to operate unless the licenses appear OK" aspect to this ?

    By the way, this sets up an IPSEC VPN, so I am not sure why the OP says it doesn't require a VPN.

  5. Re:Why? by FooAtWFU · · Score: 3, Insightful

    Mod parent up. If you can map between the "inside" and the "outside" of your organization you can drop packets coming from the outside just as readily.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  6. Re:IPv6 addresses are overly complex by sunderland56 · · Score: 5, Funny

    Yeah, typing in IP addresses is a pain in those situations. Maybe in future Microsoft will add a "cut" and "paste" feature to Windows 7, like they have in OSX - that should make life easier.

  7. Re:IPv6 addresses are overly complex by Nimey · · Score: 3, Insightful

    Dynamic DNS, then. I use that for remoting into my computer and router from other places.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  8. Re:Why? by 0racle · · Score: 4, Informative

    IP6 (and DirectAccess) in no way require you to remove a firewall between you and the rest of the universe. NAT however, can go away.

    --
    "I use a Mac because I'm just better than you are."
  9. Re:IPv6 addresses are overly complex by Chris+Mattern · · Score: 5, Informative

    Off-offtopic, but I'd much rather you typed in example.com. Don't refer to what might be a real URL as an example when you've got a name reserved by RFP for that purpose.

  10. Re:IPv6 addresses are overly complex by OnlineAlias · · Score: 4, Funny

    It is a very tough feature to code however, just ask the guys who failed to add it to the iphone for several years...

  11. Article is so full of inaccuracies... by A+beautiful+mind · · Score: 4, Informative
    ...that I barely know where to begin.

    IPv6 has been "the next generation of TCP/IP protocols" for so long that you can be forgiven for thinking that it will never be useful.

    IPv6 is very useful the same way electricity in a socket is useful. The two things both provide basic infrastructure for running more sexy, feature-laden things that consumers actually want.

    Both the Internet and the vast majority of American and European business users elected to stay with the legacy IPv4 network.

    Users didn't opt for opting out of IPv6. Large telcos didn't spend enough money soon enough to get the upgrade rolling in a tragedy of the commons kind of situation.

    To get around the much-predicted Internet IPv4 address famine, people turned to network address translation (NAT) and Dynamic Host Configuration Protocol (DHCP). With this combination, thousands of corporate PCs can have their own internal IPv4 addresses while using up only a single IP address, as far as the Internet is concerned.

    Apart from leaving CIDR out of the picture, the second sentence is simply not true. The upper limit of usability is around 30-50 computers / public ip these days, if those computers are using the internet. NAT breaks so many things...

    By the time Windows XP and Windows 2003 rolled out, IPv6 was built into the operating systems.

    This sentence might give you the impression that you can run IPv6 with Windows XP. That's not the case, it misses DNS resolution through IPv6 and DHCPv6, so while it supports some things, the IPv6 support is far from complete.

    Windows 7, when used with Server 2008 R2, may finally give enterprise network administrators a reason to deploy IPv6.

    No, when the technical people at large telcos are given the money and mandate to deploy IPv6 that's when it'll happen. When the head honchos who held back the upgrade for financial reasons and the lack of government regulation in a classic example of the tragedy of the commons realise that IPv4 blocks will be gone by 2011 fall from the IANA pool and a year later from the regional registries, they'll panic and start throwing money, excuses and horrible stopgap solutions at the problem, which could have been avoided to head for this bloody showdown we're going to see in the next couple of years as everyone will a. try to grab as many addresses as possible to keep telco projects in the pipeline from sinking b. franctically scramble to upgrade.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  12. Or DirectAccess may just sink it for good... by BobMcD · · Score: 3, Interesting

    From a security point of view, I'm probably going to blackhole all IPv6 into a honeypot now. Think about what this technology does. It allows unsolicited connectivity into your network without audit. And I quote:

    Admin Tom Perrine, chiming in on the LOPSA forum when asked to contribute thoughts for this article, had four major DirectAccess concerns: As an Enterprise customer, he needs to be able to at least:

    . set specific policies (no split tunneling)
    . force specific VPN technology including encryption algorithms (IPSEC, AES, etc.)
    . ensure proper key and credential management, including two-factor or challenge/response
    . audit activities while user is connected to the VPN.

    The article goes on to discuss the first one. Nothing whatsoever on the other three. Not to mention that if the machine fails to get the updated GPO it fails OPEN. Everything here I see says it 'just works' and there is almost no talk of admin control. I'm having trouble coming up with a good enough string of expletives to cover my emotions. Wow. Just wow.

    What exactly is the security mechanism, then? Username/Password? I see comparisons in TFA being drawn to web portals. Well I don't know about your shop, but around here we have planned for the web portal to be compromised at some point, and have limited the data available. We have NOT made that assumption for the heart of our network, and I'm unsure how long I'd keep my job if I made that case.

    As stated in TFA it sounds much easier to just shut the protocol off until there's a pressing and urgent business need to enable it again.

    1. Re:Or DirectAccess may just sink it for good... by EndlessNameless · · Score: 3, Informative

      //My problem, from your point of view, is that I'm not an elitist.//

      Your problem, from my point of view, is that you're not competent. //In the end the current setup means I use network addresses that DO NOT ROUTE to the outside world.//

      It's called a firewall. Or a router with a proper ACL. You can google this stuff. NAT doesn't prevent routing to the outside world; it merely prevents the outside world from seeing your internal network structure. A properly-configured router or firewall will do that and more. //If you want into my network, I have to map it. If I didn't map it, you're not getting in, all things held equal.//

      Every firewall I've ever seen has a default-deny setting which can be enabled for ingress/egress independently for every IP address, by individual IPs, or by ranges. Your argument boils down to the fact that NAT must drop inbound packets without either an existing connection or a mapping by default. You're proposing security by virtue of laziness---and neglecting other security features, to boot. //So tell me again, without being so strict with your terms, why forfeiting the level of control I presently have is a good thing//

      You're using NAT as a method of access control, which is not what it was designed for. In addition, it does so very poorly and leaves a number of gaps in your security that a real access control device would cover.

      In short, the control NAT gives you is illusory and meaningless. You have a far greater degree of control with a real firewall---regardless of whether it uses NAT. Get a real security implementation going and quit QQing about this new-fangled intarweb.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  13. Either that... by roc97007 · · Score: 3, Insightful

    ...or DirectAccess will be a dead feature because it requires a protocol that few want to support.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  14. Re:IPV6 is fatally broke by metamatic · · Score: 3, Informative

    Websites with external consumers cannot stop using IPv4 until all potential consumers use IPv6. So until everyone uses IPv6, every host must continue to run IPv4 or both.

    You make it sound like that's a difficult problem, rather than a matter of putting a few extra lines in a config file for the transition period.

    Does this mean you cannot run IPv6 at home? No, it just means you must also run IPv4 to get to websites that haven't bothered to support both.

    No, you're wrong there. While an IPv4 connection cannot reach IPv6 hosts, an IPv6 connection can reach any IPv4 host using tunneling. You talk pure IPv6 to your IPv6 ISP, and if there's a need to fall back to IPv4, they route the traffic via a tunnel broker.

    Using similar technology, you can get IPv6 even if your ISP only supports IPv4. That's how I'm doing it.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  15. Re:IPv6 addresses are overly complex by Yaztromo · · Score: 3, Informative

    They'll become more and more valuable, universities with 16.7 million each will be forced to give them up, and we'll have more and more bureaucracy surrounding the IP address system. IPv6 will come in slowly.

    The problem with breaking up a /8 is that you can't just spread around 16.7 million addresses to the individual machines around the globe that need them -- not unless we're ready to handle the massive explosion of routing table entries that would require (and we're not). CIDR still defines a routing hierarchy, where the huge swaths of free addresses exist within that hierarchy isn't necessarily geographically where they are needed, or where the systems that need them are going to be able to connect to them.

    Not to say that some breaking up of largely unused /8's and /16's can't be done -- just that it's nowhere near as trivial a problem as most people seem to assume it is. It isn't like there is an abundance of resources in one area, so we can put them on a ship and send them to an area where the resource need exists.

    Of course, all of this presumes that the holder of the /8 is using it in some sane manner where is it even possible to break the address space into routeable blocks...

    Yaz.

  16. Re:Why? by mister_playboy · · Score: 3, Insightful

    The funny thing is, however, that NAT isn't entirely obsoleted by ipv6... because it is almost inevitable that ipv6 space will be almost as poorly managed as ipv4 space was in the beginning, we will probably still run out of ipv6 space sooner than we otherwise would. Of course, due to the sheer size of ipv6 space, I suspect that's not likely to happen in most of our lifetimes.

    In most of our lifetimes? Per Wikipedia:

    The very large IPv6 address space supports a total of 2^128 (about 3.4×10^38) addresses—or approximately 5×10^28 (roughly 2^95) addresses for each of the roughly 6.5 billion (6.5×10^9) people alive in 2006. In a different perspective, this is 2^52 (about 4.5×10^15) addresses for every observable star in the known universe.

    It will take way more than poor management to use up all those numbers in any timescale with meaning to a human life.

    --
    Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will