IPv6 and Microsoft · Why IPv6 isn’t nearly as screwed up in Windows as you ... Teredo doesn’t...

Sean Siler IPv6 Program Manager Microsoft Corporation


“Why IPv6 isn’t nearly as screwed up in Windows as you think it is.”


DNS Resolver

Teredo

Windows Firewall/IPsec

Disabling IPv6

DHCPv6

Application Compatibility

Roadmap


DNS Resolver

"It is going to be mud season on the Internet, where things will just be kind of slow and gooey."

– Dr. Paul Mockapetris, Inventor of DNS


http://www.kame.net

Does this interface have an IPv6 address which is not a Link-Local or Teredo address?


AAAA query is only performed if sending interface has an IPv6 address that is NOT Teredo or Link-Local

A record query sent FIRST, then AAAA

Prevents duplicate queries if timeouts or NACKs are returned
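
The resolver rule above, written out as an added example (not code from the slides or from Windows). It assumes the well-known prefixes fe80::/10 for Link-Local and 2001::/32 for Teredo; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Well-known prefixes: link-local (RFC 4291) and Teredo (RFC 4380).
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
TEREDO = ipaddress.ip_network("2001::/32")


def qualifies_for_aaaa(addr):
    """True if addr is an IPv6 address that is neither Link-Local nor Teredo."""
    # Drop a zone index such as "%12" that Windows appends to link-local addresses.
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if ip.version != 6:
        return False
    return ip not in LINK_LOCAL and ip not in TEREDO


def query_plan(interface_addrs):
    """Record types the resolver sends, in order, for the sending interface."""
    plan = ["A"]  # the A query always goes first
    if any(qualifies_for_aaaa(a) for a in interface_addrs):
        plan.append("AAAA")  # only with a non-Teredo, non-link-local IPv6 address
    return plan


# Constructed sample interfaces (documentation prefixes, not real hosts).
SAMPLES = {
    "teredo_only": ["192.0.2.10", "fe80::1c2d:3e4f:5a6b:7c8d%12",
                    "2001:0:4136:e378:8000:63bf:3fff:fdd2"],
    "dual_stack": ["192.0.2.20", "fe80::a1b2:c3d4:e5f6:789a%4", "2001:db8:10::20"],
    "link_local_only": ["192.0.2.30", "fe80::1%3"],
}

if __name__ == "__main__":
    for name, addrs in SAMPLES.items():
        print(f"{name}: {' then '.join(query_plan(addrs))}")
```

A host whose only global-looking IPv6 address is Teredo adds no AAAA load to the DNS servers, which is the capacity point the next slide raises.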


Ensure DNS Servers can support AAAA records

Ensure DNS Servers can support queries over IPv4 or IPv6

DNS Servers running near capacity with v4 may need to be upgraded once you start handing out IPv6 addresses


Teredo


Home users need the simplicity of NAT…Turn it on and it works

DHCP-PD – If ISP and home gateway are v6 capable, broadcasts RAs in the home

Teredo – tunnels IPv6 packets inside of IPv4 UDP so that they can pass through NAT and out the v4 Internet


[Diagram labels: IPv4 Internet; Restricted NAT (two); Teredo Server; Teredo Client A; Teredo Client B]

1. Both clients send packets to Teredo Server upon Teredo’s first use

2. Bubble to Teredo Client B

3. Opens a Source-specific mapping on the Client A’s NAT to Client B

4. Bubble to Teredo Server

5. Forwarded bubble to Teredo Client B

6. Bubble to Teredo Client A

7. Opens Source-specific mapping to Client A from Client B

8. Initial packet to Teredo Client B


Loopback

Native IPv6

ISATAP

IPv4 mapped IPv6 (Internal Stack Use Only)

Teredo

IPv6 is the preferred protocol, NOT TEREDO


Windows Firewall/IPsec


Windows Firewall provides full Stateful Packet Inspection for v4 and v6

IPsec fully integrated and IPv6 ready


Disabling IPv6


To Block IPv6, block Port 41

To Block Teredo, block UDP 3544


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisabledComponents

Not present by default; create it as a DWORD

Bit 0 Set to 1 to disable all IPv6 tunnel interfaces (ISATAP, 6to4, and Teredo)

Bit 1 Set to 1 to disable all 6to4-based interfaces

Bit 2 Set to 1 to disable all ISATAP-based interfaces

Bit 3 Set to 1 to disable all Teredo-based interfaces

Bit 4 Set to 1 to disable IPv6 over all non-tunnel interfaces, including LAN interfaces and PPP-based interfaces

Bit 5 Set to 1 to modify the default prefix policy table to prefer IPv4 to IPv6 when attempting connections


Disable all tunnel interfaces 0x1

Disable 6to4 0x2

Disable ISATAP 0x4

Disable Teredo 0x8

Disable Teredo and 6to4 0xA

Disable all LAN and PPP interfaces 0x10

Disable all LAN, PPP and Tunnel interfaces 0x11

Prefer IPv4 over IPv6 0x20

Disable IPv6 on all interfaces and prefer IPv4 0xFF
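
For auditing a fleet against the bit table above, an added example (not from the slides) that decodes DisabledComponents from `reg query` output and reports whether Teredo is still enabled. The host names and the captured output are constructed; the helper names are hypothetical.

```python
import re

# Bit meanings exactly as listed on the DisabledComponents slide.
BITS = {
    0: "all IPv6 tunnel interfaces (ISATAP, 6to4, Teredo) disabled",
    1: "6to4 interfaces disabled",
    2: "ISATAP interfaces disabled",
    3: "Teredo interfaces disabled",
    4: "IPv6 disabled on non-tunnel (LAN, PPP) interfaces",
    5: "prefix policy prefers IPv4 over IPv6",
}
VALUE_RE = re.compile(r"DisabledComponents\s+REG_DWORD\s+(0x[0-9a-fA-F]+)")


def parse_reg_output(text):
    """DWORD from `reg query` output; 0 when the value is absent (the default)."""
    m = VALUE_RE.search(text)
    return int(m.group(1), 16) if m else 0


def decode(value):
    """List the documented effects of a DisabledComponents value."""
    return [desc for bit, desc in BITS.items() if value & (1 << bit)]


def teredo_enabled(value):
    # Teredo is off when bit 3 (Teredo) or bit 0 (all tunnels) is set.
    return not value & 0b1001


def audit(hosts):
    """Map host -> (value, effects, teredo_enabled) for a fleet export."""
    report = {}
    for host, output in hosts.items():
        value = parse_reg_output(output)
        report[host] = (value, decode(value), teredo_enabled(value))
    return report


# Constructed `reg query` captures, one per host.
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters"
SAMPLE_HOSTS = {
    "ws-01": f"{KEY}\n    DisabledComponents    REG_DWORD    0x8\n",
    "ws-02": f"{KEY}\n    DisabledComponents    REG_DWORD    0x20\n",
    "srv-01": f"{KEY}\n    DisabledComponents    REG_DWORD    0x11\n",
    "ws-03": f"{KEY}\n",  # value never created
}

if __name__ == "__main__":
    for host, (value, effects, teredo) in audit(SAMPLE_HOSTS).items():
        print(f"{host}: {value:#x} teredo_enabled={teredo} {effects}")
```

Note that ws-02 (0x20) only changes the prefix policy, so Teredo remains enabled there just as on ws-03, where the value was never created.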


Perimeter protections

Host protections

Teredo doesn’t suck


DHCPv6


Available in Windows Server 2008

Supports Full Stateful or ‘Options Only’

DHCPv6 client built into Vista (and XP when v6 is installed)

Supports DNS integration for Dynamic DNS


Application Compatibility


Windows XP Windows Vista

Test for Vista Compatibility

Test for IPv6 Compatibility


[Diagram: Next Generation TCP/IP Stack (tcpip.sys). Labels: User Mode; Kernel Mode; Winsock; AFD; TDX; TDI; TDI Clients; WSK; WSK Clients; Windows Filtering Platform API; TCP; UDP; RAW; IPv4; IPv6; NDIS; 802.3; WLAN; Loopback; IPv4 Tunnel; IPv6 Tunnel]


IPv6 Roadmap


• SQL 2005

• IE7

• Vista

• Mobile

• Exchange 2007 SP1

• SMS/MOM

• Most everything else…

• LCS/OCS

• Groove?

• ISA?


© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.