What about the issue of 2 queries being made, both IPv4 and IPv6 at the same time on Vista. This could almost double the internet load from windows users who switch to Vista. This could have a tremendous problem on the already lagged
Initially, the impact of additional v6 DNS queries should be minimal since Vista will not do an IPv6 name query unless the client system has a native IPv6 address (i.e. not Teredo). Since very few networks provide v6 addresses, there will be a small number
of v6 lookups. Eventually, there will be a pick-up in v6 queries as more 6to4 routers, and native v6 networks, are deployed. However, this should give network providers plenty of time to increase their name server capacity to handle the additional traffic.
Here are details on how Vista IPv6 DNS queries work.
I cannot quite tell what the default Teredo behavior is in Vista RTM. Is Teredo enabled by default? Is any overt action required by the user to enable Teredo? If the DNS resolver returns an IPv4 and an IPv6 address, will Vista use Teredo preferentially
Is the Edge Traversal feature for "outbound" traffic, as well as for "inbound" (server) traffic? Or just if Vista is acting as a server (or peer)?
Teredo is on by default in Vista, so long as 1) the edge device allows ALL outbound UDP traffic and 2) an application or service authorized to use Teredo is sending or receiving IPv6 traffic.
Most applications/services that want to use Teredo automatically enable the "Edge Traversal" option in the Windows Firewall exceptions (e.g. Live Messenger 8, Remote Assistance). However, if you want to make services like web hosting, ping, or file sharing
accessible over Teredo you will have to manually set the "Edge Traversal" option in the Windows Firewall MMC snap-in Exception for that application/service (of course, this is only useful for applications that are IPv6 compatible, edge traversal won't have
any impact on IPv4 only apps).
Vista will prefer any IPv6 address it gets through DNS, even if it is a Teredo address. However, as a precaution to prevent overloading of DNS hosts Vista will NOT automatically register Teredo addresses with DNS. Also, if the only IPv6 interface on your system
is a Teredo one, Vista will NOT do IPv6 DNS lookups (again to prevent overloading DNS hosts on the Internet).
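The DNS rules stated in the answer above (no AAAA lookups when the only IPv6 interface is Teredo, Teredo addresses never auto-registered, any IPv6 answer preferred over IPv4) can be written down as a small policy model. This is an added illustration, not Microsoft's resolver code; it relies only on Python's standard ipaddress module, which recognises the Teredo (2001::/32) and 6to4 (2002::/16) prefixes, and the host inventories are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Union

# Constructed host inventories (not real systems): host name -> configured addresses.
CONSTRUCTED_HOSTS: Dict[str, List[str]] = {
    "native-v6-host":   ["192.0.2.10", "fe80::1", "2001:db8:1::10"],
    "sixtofour-host":   ["203.0.113.5", "fe80::2", "2002:cb00:7105::1"],
    "teredo-only-host": ["192.0.2.11", "fe80::3", "2001:0:4136:e378:8000:63bf:3fff:fdd2"],
    "v4-only-host":     ["192.0.2.12", "fe80::4"],
}


def classify_v6(addr: Union[str, ipaddress.IPv6Address]) -> str:
    """Label an IPv6 address as link-local, teredo (2001::/32), 6to4 (2002::/16) or native."""
    addr = ipaddress.IPv6Address(addr)
    if addr.is_link_local:
        return "link-local"
    if addr.teredo is not None:        # stdlib decodes the 2001:0::/32 layout
        return "teredo"
    if addr.sixtofour is not None:     # stdlib decodes the 2002::/16 layout
        return "6to4"
    return "native"


def should_query_aaaa(addresses: List[str]) -> bool:
    """Rule as stated in the thread: issue IPv6 (AAAA) lookups only when the host has
    an IPv6 address that is neither link-local nor Teredo (native or 6to4 qualifies)."""
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if ip.version == 6 and classify_v6(ip) in ("native", "6to4"):
            return True
    return False


def addresses_to_register(addresses: List[str]) -> List[str]:
    """Addresses the client would register in DNS: Teredo and link-local are left out,
    matching the thread's statement that Teredo addresses are not auto-registered."""
    keep = []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if ip.version == 4 or classify_v6(ip) in ("native", "6to4"):
            keep.append(text)
    return keep


def order_candidates(resolved: List[str]) -> List[str]:
    """Destination preference stated in the thread: every IPv6 answer, Teredo included,
    is tried before any IPv4 answer. Order within each family is preserved."""
    v6 = [a for a in resolved if ipaddress.ip_address(a).version == 6]
    v4 = [a for a in resolved if ipaddress.ip_address(a).version == 4]
    return v6 + v4


def resolver_report(hosts: Dict[str, List[str]]) -> Dict[str, Dict[str, object]]:
    """Summarise the policy decision for each host in an inventory."""
    return {
        name: {"aaaa_queries": should_query_aaaa(addrs),
               "registers": addresses_to_register(addrs)}
        for name, addrs in hosts.items()
    }


if __name__ == "__main__":
    for host, info in resolver_report(CONSTRUCTED_HOSTS).items():
        print(f"{host:18} AAAA lookups: {str(info['aaaa_queries']):5} registers: {info['registers']}")
    print(order_candidates(["192.0.2.99", "2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::99"]))
```

Running it shows why the extra DNS load is small at first: only the native and 6to4 hosts generate AAAA traffic, the Teredo-only host behaves like an IPv4-only host toward the resolver, and the Teredo address is the one thing never published back into DNS.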
I think it is important to clarify the role of Teredo. Teredo is primarily useful in Peer-to-Peer communications with other systems that also have Teredo or 6to4 addresses. There are no supported Teredo relays on the Internet that would carry traffic between
the general IPv6 Internet and Teredo.
In short, Teredo is a great tool to improve Peer-to-Peer connectivity to other systems using Teredo, but it is not a good vehicle for gaining broader IPv6 connectivity. For this 6to4 is highly recommended, which does have supported relays on the Internet (Microsoft
even hosts one).
Technically, there is no reason that Teredo relays can't exist on the Internet (implementations have already been made). It's just that no one is hosting one for general use due to the cost issues (i.e. you can't make people pay for using it). Every once in
a while a Teredo relay shows up on the Internet, but they are quickly taken down again when the owners realize that all Teredo traffic starts to be routed through them.
Will it happen? I doubt it for many years to come.
Still I don't like the (typical) Microsoft-idea to host the "Teredo"-Servers, which is another word for 'Trackers' and logging all traffic that goes through.
I agree that IPv6 likely won't completely supplant IPv4 for a decade or more. However, I am really quite amazed at the recent progress being made towards supporting it. 2 years ago major software vendors didn't want to give me the time of day when asking about
IPv6 plans. Now, however, I am being constantly blind-sided by yet another major software developer asking for advice on working with IPv6.
True, much of this developer interest in IPv6 stems from the US government requirements for requiring IPv6 support in 2008, but the impact this is having on the software industry is quite pronounced.
Enterprise-class hardware vendors have almost completely migrated their products to supporting IPv6 now. This is a MAJOR change from just 2004 when these same router vendors would get in big arguments as to whether the market really
Further, I am seeing so many prototype home routers, and SOHO networking, devices coming out with IPv6 support that my breath is just taken away with this. Almost all the major NAT vendors have 6to4 versions under works for sale early in 2007 (just one of the
major vendors is a bit behind, with plans for mid-2007). The primary driver for this is the advent of Vista. But we are also having ISPs tacitly support Microsoft's requests for home router IPv6 support too. At a recent home router plug-fest we had at the
Microsoft Redmond campus, a major US ISP stood up and told all the router vendors that they wanted IPv6 support by 2008.
Yes, the slow adoption of IPv6 has been frustrating (to say the least), but we are finally seeing
real traction now.
As far as Microsoft's hosting of Teredo servers goes, I would like to point out that the Teredo servers have no idea
what traffic is going through them. The only thing the Teredo servers know is the IP addresses of the systems using them. This isn't really much different from what a DNS host sees. Also, I should add that Microsoft really doesn't want to host Teredo
servers (due to the expense) and is really pushing the adoption of 6to4 (hence the demands on home router vendors to support 6to4) so that Teredo isn't necessary for IPv6 traffic.
There is also nothing to prevent anyone from hosting their own Teredo servers (it's an RFC after all, with implementations on multiple platforms), and we encourage it. Unfortunately, there doesn't seem to be a great business model that makes it attractive for
people to host Teredo servers right now. You can't restrict who uses your Teredo server so anyone hosting one is just doing it for "the good of the community". Nevertheless, Microsoft is talking with ISPs to see if they are interested in hosting Teredo servers
themselves. We will see what becomes of this...
So can an application be developed on XP, using the Teredo framework, that will work with both IPv4 and IPv6, using the same code, but having an address config setting that can be entered in either format?
Also, do you have an idea of how quickly the backbone will become IPv6 aware, and support both types of traffic. And will systems such as IM and Windows Messenger become the new DNS system of sorts. Of course web browsing will continue to use DNS, and I'm
sure the DNS system as a whole will incorporate IPv6 along with the rest of the Internet community.
Yes, applications can be developed for XP that are capable of working with Teredo. However, the app would have to have different case handling for Vista and XP since the way to activate Teredo on XP is different than in Vista. Also, since IPv6 is off by default
on XP, the application would either have to turn it on, or recommend users do so if it really wanted to rely on Teredo. This can create some usability issues since a reboot is required with installing and uninstalling IPv6 on XP (i.e. some users don't like
having to do a reboot when installing an app).
As far as IPv6 backbone adoption goes, I suspect that it will occur as the percentage of tunnelled IPv6 traffic increases. ISPs don't like tunnelled traffic, and if 50% or better of all their traffic was in Teredo or 6to4 tunnels, they would likely want to
start provisioning v6 natively.
We do see some ISPs moving towards IPv6 already. In Asia some ISPs are moving there right now (some ISPs provision IPv6 in Japan). Interestingly, some of the motivation for IPv6 we are hearing from some large North American ISPs is due to a lack of IPv4 address
space for managing all the devices on their networks. A large ISP with 20 million users or so might need 4 or 5 IP addresses per customer just to manage set-top boxes, IP phones, cable modems, etc. There simply isn't any extra contiguous IPv4 address space
available to handle those kinds of needs. One large American ISP has told us they have aggressive plans to have IPv6 deployed on their networks by 2008. However, they still plan on provisioning their Internet customers with IPv4 addresses, but all the other
devices their customers have would be managed with IPv6. This means this ISP would only have to use
one IPv4 address per customer.
However, keep in mind that very little of the operating system in Windows XP supports IPv6. For example, the Remote Assistance tool in Windows XP doesn't work with IPv6. Also, Teredo can't be configured with an Edge Firewall traversal option as there is in
Vista (i.e. only applications themselves can invoke Teredo on XP by calling a specific Windows Socket option).
In short, IPv6 on XP is fine if you are writing your own protocol agnostic application, or wish to experiment with pinging, etc.
If this is so easy and so great, I would really like to see Live Messenger use this.
Actually, the new 8.1 beta of Live Messenger does support IPv6 for file transfers, and sets the Edge Traversal flag when installed on Vista, so it can work with Teredo. However, there are still a couple of issues with timing that prevent all messenger file transfers
from using Teredo all the time. In particular, Messenger doesn't wait very long for Teredo to start up before it resorts to a slower speed relay link (i.e. if Teredo was already working this won't be a problem, but if it is the first time it was used then
it's a problem). This will hopefully be solved in the next messenger release.
Unfortunately, the only part of messenger that supports IPv6 today is the file transfers. We are talking with them about their VOIP features.
We are also talking with other peer-to-peer vendors about Teredo and IPv6, but I haven't heard firm plans from these vendors for supporting IPv6 yet.
I should be careful to set expectations appropriately here. Teredo is not some panacea that solves ALL NAT connectivity issues. In fact, Teredo is just implementing many of the tricks that messenger (and other peer-to-peer applications) have already employed.
The big difference with Teredo is that it is open for any application to use it, and there is no need for developers to create their own NAT traversal infrastructures.
The one glaring hole in NAT traversal that Teredo doesn't cover is with Symmetric NATs. About 18% of NATs have Symmetric behaviour, and Teredo doesn't work well with them (or any other peer-to-peer software). If you extrapolate the numbers this is a big issue,
since there is a high chance of failure if just one of the parties in a connection is behind a Symmetric NAT. What is really annoying about this is that NAT vendors never specify which classification of device they are (e.g. CONE, restricted, Symmetric, etc).
This makes it impossible for users to even make educated decisions as to which NATs to buy.
Fortunately, there is a Vista router logo program that will go to NATs that pass a series of tests the Windows networking team has created, and NO Symmetric NAT will pass these tests. In early 2007 you will start to see NATs sold with the Vista logo. Additionally,
some of my colleagues are working on a downloadable NAT testing tool that will tell what classification of NAT you have, and how well it works with Vista. This makes it possible for anyone to test their own NATs. This NAT evaluation tool will be released sometime
in the next few months.
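The NAT classes named in the post above (cone, restricted, symmetric) and the reason a symmetric NAT defeats Teredo-style traversal can be shown with a toy model. This is an added example written for this thread, not the Windows networking team's test tool: it models the four classic mapping/filtering behaviours, runs the usual STUN-style probe sequence to classify a NAT, and then simulates a rendezvous-assisted hole punch between two peers. All endpoints are constructed; the model deliberately leaves out port-prediction tricks, so it shows the basic failure, not every real-world outcome.

```python
from typing import Dict, Set, Tuple

Endpoint = Tuple[str, int]   # (IP address, UDP port)

# Constructed public endpoints used by the classifier and the rendezvous test.
S1 = ("198.51.100.1", 3478)        # primary probe server
S1_ALT = ("198.51.100.1", 3479)    # same server address, alternate port
S2 = ("198.51.100.2", 3478)        # second server address (mapping comparison)
S3 = ("198.51.100.3", 3478)        # address the client never contacts (filter test)
RENDEZVOUS = ("198.51.100.9", 3478)


class Nat:
    """Toy NAT. Cone types reuse one external port per internal socket (endpoint-
    independent mapping); symmetric allocates a fresh port per destination. Inbound
    filtering tightens from full cone (anyone) to port-restricted/symmetric (exact
    ip:port previously contacted). Port prediction is deliberately not modelled."""

    def __init__(self, kind: str, public_ip: str) -> None:
        assert kind in ("full_cone", "restricted", "port_restricted", "symmetric")
        self.kind, self.public_ip = kind, public_ip
        self._next_port = 40000
        self.mappings: Dict[object, int] = {}            # mapping key -> external port
        self.contacted: Dict[int, Set[Endpoint]] = {}    # external port -> destinations

    def outbound(self, internal: Endpoint, dest: Endpoint) -> Endpoint:
        """Translate an outgoing packet; returns the public (ip, port) the peer sees."""
        key = (internal, dest) if self.kind == "symmetric" else internal
        if key not in self.mappings:
            self.mappings[key] = self._next_port
            self._next_port += 1
        port = self.mappings[key]
        self.contacted.setdefault(port, set()).add(dest)
        return (self.public_ip, port)

    def inbound(self, ext_port: int, src: Endpoint) -> bool:
        """Would a packet from src to this external port be forwarded inside?"""
        seen = self.contacted.get(ext_port)
        if seen is None:
            return False                          # no mapping at all
        if self.kind == "full_cone":
            return True
        if self.kind == "restricted":
            return any(ip == src[0] for ip, _ in seen)
        return src in seen                        # port_restricted and symmetric


def classify(nat: Nat) -> str:
    """STUN-style probe sequence from one internal socket behind the NAT."""
    client = ("10.0.0.5", 5000)
    m1 = nat.outbound(client, S1)
    m2 = nat.outbound(client, S2)
    if m1 != m2:
        return "symmetric"                        # mapping depends on destination
    ext_port = m1[1]
    if nat.inbound(ext_port, S3):                 # reply from an address never contacted
        return "full_cone"
    if nat.inbound(ext_port, S1_ALT):             # known address, unknown port
        return "restricted"
    return "port_restricted"


def hole_punch(nat_a: Nat, nat_b: Nat) -> bool:
    """Rendezvous-style punch as Teredo and P2P apps do it: each peer learns the other's
    server-observed public endpoint, then both send directly to it."""
    a, b = ("10.0.0.5", 5000), ("10.1.1.7", 6000)
    a_pub = nat_a.outbound(a, RENDEZVOUS)
    b_pub = nat_b.outbound(b, RENDEZVOUS)
    a_src = nat_a.outbound(a, b_pub)              # A's packet towards B (opens A's filter)
    b_src = nat_b.outbound(b, a_pub)              # B's packet towards A (opens B's filter)
    a_reaches_b = nat_b.inbound(b_pub[1], a_src)
    b_reaches_a = nat_a.inbound(a_pub[1], b_src)
    return a_reaches_b and b_reaches_a


if __name__ == "__main__":
    for kind in ("full_cone", "restricted", "port_restricted", "symmetric"):
        print(f"{kind:16} classified as {classify(Nat(kind, '203.0.113.1'))}")
    for ka, kb in (("port_restricted", "port_restricted"), ("symmetric", "full_cone")):
        ok = hole_punch(Nat(ka, "203.0.113.1"), Nat(kb, "203.0.113.2"))
        print(f"{ka} <-> {kb}: {'connected' if ok else 'failed'}")
```

The punch fails whenever either side is symmetric, because the port the rendezvous server observed is not the port that NAT allocates for traffic to the peer, so the peer's packets arrive at a port with no usable mapping. That is the single-party failure the post describes.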
There are a lot of people, who want the layer of separation provided by NATs, and in fact I plan to run an IPv6 NAT. Anyone find this a strange suggestion that NATs are just something to fix a simple problem, and not what I think many people use them
I completely agree that there is value in having some sort of edge security on a network. To that end, all the IPv6 equipped home routers that I know about (to be on the market in 2007) all have IPv6 firewalls. This will ensure that all inbound traffic is blocked
unless there was an outbound request first.
I don't think that simply obscuring the IP address of your PC with a NAT really offers all that much protection. Someone could still spoof packets to get back in through the NAT. The only thing that a NAT does, beyond some simple firewall-like functionality,
is to make legitimate peer-to-peer connectivity difficult.
I suppose one could argue that peer-to-peer services just aren't used that much today due to all the NAT issues, and that IPv6 could be making things more "insecure" by the mere virtue of enabling more peer-to-peer scenarios. But by this logic we could say
that shark attacks would decrease if people just stayed out of the ocean.
IPv6 doesn't make you more insecure than with a NAT, but it does make it possible for you to do more things on the network that were otherwise impossible, and some of these new capabilities might create new vulnerabilities. But this is a separate discussion.
The one you mentioned that was more interesting to me was to block access to the domain teredo.ipv6.microsoft.com in the firewall. Teredo will not work if it cannot resolve this domain. I prefer this method. Is it likely that teredo could use additional
domains or is this the only domain it uses exclusively?
Yes, this is the only domain Teredo tries to resolve to. However, it is possible to manually configure the client to point to a specific Teredo server if the user wishes. So, preventing resolution of teredo.ipv6.microsoft.com would certainly stop most people
from using Teredo, but it is still possible for a power user to redirect the client to a different server if they wish.
Of course, there would have to be some other Teredo server hosted in this case.
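The exchange above gives a defender two things to watch for: queries for the one name Teredo resolves by default, and clients that were pointed at a different server anyway. Both are visible without special tooling, because a Teredo address embeds the server's IPv4 address, the client's mapped port and a cone flag (the RFC 4380 layout 2001:0:server:flags:~port:~client). Below is an added example, not code from the thread or from Microsoft: it scans a constructed DNS query log for the name and decodes Teredo addresses found in a constructed firewall log to report which servers clients are actually using. The log formats and the addresses are made up for the example; the expected-server set is a parameter you supply.

```python
import ipaddress
from typing import Dict, List, Optional, Set

TEREDO_SERVER_NAME = "teredo.ipv6.microsoft.com"   # the name quoted in the thread
TEREDO_UDP_PORT = 3544                              # Teredo server/relay UDP port (RFC 4380)

# Constructed DNS query log, one "timestamp client qname qtype" record per line.
CONSTRUCTED_DNS_LOG = """\
2007-01-15T10:01:02 192.0.2.45 www.example.com. A
2007-01-15T10:01:03 192.0.2.45 teredo.ipv6.microsoft.com. A
2007-01-15T10:02:10 192.0.2.46 mail.example.com. AAAA
2007-01-15T10:03:00 192.0.2.47 TEREDO.IPV6.MICROSOFT.COM A
"""

# Constructed firewall log: IPv6 source addresses observed at the network edge.
CONSTRUCTED_FW_LOG = """\
2007-01-15T10:05:00 ALLOW UDP 2001:0:4136:e378:8000:63bf:3fff:fdd2 -> 2001:db8::50 port 80
2007-01-15T10:05:01 ALLOW TCP 2001:db8:1::10 -> 2001:db8::50 port 443
2007-01-15T10:05:02 ALLOW UDP 2001:0:c633:6401:0:f4bf:3fff:fdd0 -> 2001:db8::50 port 80
"""


def teredo_name_lookups(log: str) -> List[Dict[str, str]]:
    """Clients that asked the resolver for the Teredo server name (case-insensitive,
    trailing dot tolerated). With the name blocked at the resolver, as the thread
    discusses, these entries are the clients still trying to bring Teredo up."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        if qname.rstrip(".").lower() == TEREDO_SERVER_NAME:
            hits.append({"time": ts, "client": client, "qtype": qtype})
    return hits


def decode_teredo(text: str) -> Optional[Dict[str, object]]:
    """Unpack a Teredo address (RFC 4380: 2001:0:<server v4>:<flags>:<~port>:<~client v4>).
    Returns None for any address outside 2001::/32; raises ValueError for non-addresses."""
    addr = ipaddress.IPv6Address(text)
    parts = addr.teredo                  # stdlib returns (server, client) or None
    if parts is None:
        return None
    server, client = parts
    raw = int(addr)
    flags = (raw >> 48) & 0xFFFF
    port = (~(raw >> 32)) & 0xFFFF       # the mapped UDP port is stored inverted
    return {"server": str(server), "client": str(client),
            "port": port, "cone_flag": bool(flags & 0x8000)}


def teredo_servers_in_use(log: str) -> Dict[str, List[str]]:
    """Map each Teredo server found in the log's addresses to the NATted clients behind it."""
    servers: Dict[str, List[str]] = {}
    for token in log.split():
        try:
            info = decode_teredo(token)
        except ValueError:               # timestamps, verbs, ports: not an IPv6 literal
            continue
        if info is not None:
            servers.setdefault(info["server"], []).append(info["client"])
    return servers


def unexpected_servers(log: str, expected: Set[str]) -> List[str]:
    """Servers seen in use that are not in the set you expect (e.g. a manually
    reconfigured client after the default name was blocked)."""
    return [s for s in teredo_servers_in_use(log) if s not in expected]


if __name__ == "__main__":
    for hit in teredo_name_lookups(CONSTRUCTED_DNS_LOG):
        print("Teredo name lookup:", hit)
    for server, clients in teredo_servers_in_use(CONSTRUCTED_FW_LOG).items():
        print(f"Teredo server {server} used by {clients}")
    print("unexpected:", unexpected_servers(CONSTRUCTED_FW_LOG, {"65.54.227.120"}))
```

The decoded port is the client's external UDP mapping and the cone flag records what the client concluded about its NAT; neither tells you what the traffic carried, which matches the later point in the thread that a Teredo server only learns addresses.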
What about the security of the new networking stack. With NATs, you were able to protect yourself from worm attacks, because NAT will drop malicious packets, and it's as if you have a good hardware firewall.
With Windows Vista, you have the Windows Firewall replacing NATs in software, but still software is not like hardware, as it's error prone.
Let's be clear here: IPv6 will not arbitrarily start punching holes, like swiss cheese, through NATs. Applications and/or users will have to make explicit decisions they want to traverse the NATs in the first place (hence the need
for the new Edge Traversal option in the Windows Firewall). Further, it is inaccurate to think of this NAT traversal capability as really being an "IPv6" thing. NAT traversal is done ROUTINELY by peer-to-peer software today. If you run an instant messaging,
file sharing, or voice/video application, it is making use of keep-alive packets to lock a hole open (for itself) in your NAT.
The only real difference with what Teredo offers (over today's NAT traversal) is that application developers don't have to create their own NAT traversal infrastructures anymore. In this way, there is a level playing field for ANY application to take advantage
of NAT traversal, even if it is written by a developer in her garage who doesn't have the capital to host special rendezvous servers and so forth.
Does IPv6, and this tunneling technology, help lower costs of bandwidth for companies?
Teredo (and IPv6 tunneling) should have a negligible effect on bandwidth costs, one way or the other. The biggest impact of Teredo will be to increase the usage of peer-to-peer type scenarios. Thus, a larger number of PCs could start acting as hosts/servers.
Networks that are architected around the principles of unequal traffic flows (i.e. clients receive much more data from remote hosts than they ever upload), could find these assumptions flawed.
Instead of a world where masses of clients receive data from a relative handful of massive servers, we are moving towards a system where traffic can be much more evenly distributed, with all systems acting as both hosts and clients.
Will we be able to use secure protocols by default in our every day communications?
Actually, a lot of improvements have been made to IPSec in Vista that make it pretty simple to create policies that will encrypt, and/or, authenticate traffic. For example, it is pretty easy to create a policy that will opportunistically encrypt all traffic
with any other system that has a similar policy (even if that remote system doesn't have a special credential).
But I will leave it to the IPSec team to get into details as to how people can create their own policies.
My (limited?) understanding of IPV6 is that if you have these random services running and you set the network traversal flag in the windows firewall by accident or otherwise, the world and his dog can get access. It will be like living in a network DMZ
Keep in mind that this Edge Traversal flag must be set for EACH application or service that wants to receive traffic over Teredo. Just having the flag set for one service won't mean that other services become accessible over the Internet via Teredo.
Still, it is true that Vista now gives users (and developers) the ability to easily have direct access to the Internet by doing nothing more than setting the Edge Traversal flag. This is a lot of power by enabling scenarios that were impossible before, but
can certainly lead to grief if users (and applications) just start setting the Edge Traversal flag on every firewall exception as a matter of course.
You should only use Edge Traversal when you KNOW you want that particular application or service to be directly hosted on the Internet.
I suppose everyone would be safer if cars were banned and everyone had to ride the bus. Yes, giving people the ability to do new things opens the possibility for abuse, and problems. But that doesn't mean we should just never empower people (and developers)
in the first place.
Also, let's keep this in perspective. Existing peer-to-peer applications make themselves directly reachable on the Internet today as it is (i.e. by sending keep-alive packets locking open holes in NATs). An application that uses the Edge Traversal flag in Vista
is no more insecure than if that application had implemented its own NAT traversal keep-alive architecture.
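Since the flag is per rule, the practical check for the concern raised above is an inventory: which enabled inbound allow rules on a box have Edge traversal set, and which of those also apply on the Public profile. The following is an added example, not part of the thread or of Windows: it parses a rule dump in the shape of `netsh advfirewall firewall show rule name=all` output. The field names are assumed from my recollection of that command and should be checked against a real dump; the four rules in the sample are constructed.

```python
import sys
from typing import Dict, List

# Constructed sample in the shape of `netsh advfirewall firewall show rule name=all`
# output (field names assumed; the rules themselves are made up for this example).
CONSTRUCTED_RULE_DUMP = """\
Rule Name:                            Remote Assistance (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Private
Protocol:                             TCP
LocalPort:                            Any
Edge traversal:                       Yes
Action:                               Allow

Rule Name:                            Example Sync Service (UDP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Protocol:                             UDP
LocalPort:                            3544
Edge traversal:                       No
Action:                               Allow

Rule Name:                            My Web Server (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Protocol:                             TCP
LocalPort:                            80
Edge traversal:                       Yes
Action:                               Allow

Rule Name:                            Old Test Rule (TCP-In)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Private
Protocol:                             TCP
LocalPort:                            8080
Edge traversal:                       Yes
Action:                               Allow
"""


def parse_rules(dump: str) -> List[Dict[str, str]]:
    """Split the dump into one dict per rule, keyed by the field names in the dump."""
    rules: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in dump.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue                               # blank separator or dashed underline
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Rule Name":                     # a new record starts here
            current = {key: value}
            rules.append(current)
        elif current:
            current[key] = value
    return rules


def edge_traversal_exposures(dump: str) -> List[Dict[str, str]]:
    """Enabled inbound allow rules with Edge traversal on: each is a service the host
    offers directly to the Internet over Teredo, which the thread says should only be
    done knowingly."""
    return [r for r in parse_rules(dump)
            if r.get("Enabled") == "Yes" and r.get("Direction") == "In"
            and r.get("Action") == "Allow" and r.get("Edge traversal") == "Yes"]


def public_profile_exposures(dump: str) -> List[str]:
    """Subset of the above that also applies on the Public profile (untrusted networks)."""
    return [r["Rule Name"] for r in edge_traversal_exposures(dump)
            if "Public" in r.get("Profiles", "").split(",")]


def report(dump: str) -> List[str]:
    """One human-readable line per exposure."""
    return [f"{r['Rule Name']}: {r.get('Protocol')}/{r.get('LocalPort')} "
            f"profiles={r.get('Profiles')}" for r in edge_traversal_exposures(dump)]


if __name__ == "__main__":
    # Usage: python audit.py rules.txt   (a saved dump), or no argument for the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else CONSTRUCTED_RULE_DUMP
    for line in report(text):
        print(line)
    print("also on Public profile:", public_profile_exposures(text))
```

The disabled rule is ignored and the Teredo-port rule without the flag is not reported, so the list is exactly the set of services a reviewer needs to justify one by one.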