Microsoft Vista and IPv6

Windows Vista is the first operating system to automatically install and enable IPv6, the next generation protocol. It has a dual-IP-layer architecture that supports tunneling of IPv6 traffic over an IPv4 backbone. Its IPSec works for both IPv4 and IPv6.

New Features

Windows Vista has many significant new features compared to previous versions of Microsoft Windows.

Dual Stack Architecture -Vista provides separate protocol components for IPv4 and IPv6. Its single implementation of TCP enables TCP traffic over IPv6 to have the advantage of improved performance on high-latency/high-delay connections and other high-loss environments.


Default Installation and Enabling - In Vista, IPv6 is installed and enabled by default and many of its operating system components support IPv6. The preference of IPv6 over IPv4 offers IPv6-enabled applications better network connectivity with the use of IPv6 transition technologies such as Teredo which requires no NAT configuration or application modification.


GUI-based Manual Configuration - Vista also allows manual configuration of IPv6 settings through the properties of the Internet Protocol version 6 (TCP/IPv6) component.


IP Security Support for IPv6 - Vista offers IPSec support for IPv6 traffic including support for IKE and data encryption with AES 128/192/256.


Multicast Listener Discovery version 2 (MLDv2) - Vista supports MLDv2, specified in RFC 3810 allowing IPv6 hosts to register for source-specific multicast traffic in their local multicast routers.


Link-Local Multicast Name Resolution (LLMNR) - Vista supports LLMNR allowing IPv6 hosts on a single subnet without a DNS se-rver to resolve each other names. It is mainly used in single-subnet home networks and ad hoc wireless networks.


Literal IPv6 Addresses in URLs - The WinINet API in Windows Vista supports RFC 2732 and the use of IPv6 literal addresses in URLs. This capability is valuable to application developers, software testers, and network troubleshooters.


PPP Support -Vista supports IPv6 over the Point-to-Point Protocol (PPP) (PPPv6), as defined in RFC 2472.


Dynamic Host Configuration Protocol for IPv6 (DHCPv6) -Vista supports DHCPv6 as defined in RFCs 3315 and 3736. It performs both stateful and stateless DHCPv6 configuration on a native IPv6 network.


Teredo ChangesTeredo- is an IPv6 technology separated by NATs for end to end communication with global IPv6 addresses. The main changes to Teredo are that it is enabled for domain member computers and it can work even if there is one Teredo client behind one or more symmetric NATs.



Configuration

In Windows Vista IPv6 is designed to be self-configuring, but it also allows manual configuration.

Automatic Configuration of IPv6 does not require the use of a configuration protocol such as Dynamic Host Configuration Protocol for IPv6 (DHCPv6). A link-local address is automatically configured with the address prefix fe80::/64 for each physical or logical IPv6 interface. These link-local addresses are used only to reach the neighboring nodes.

They are not registered in DNS and require a Zone ID to specify a destination link-local address. For more useful IPv6 connectivity, additional configuration parameters are required to be set Beyond the link-local address, an IPv6 host is set through Stateless address auto configuration with IPv6 router discovery and Stateful address auto configuration with DHCPv6.

In Stateless address auto configuration with IPv6 router discovery, an IPv6 host sends a multicast Router Solicitation message. It receives one or more Router Advertisement messages that contain subnet prefixes. Based on these subnet prefixes, it determines the additional IPv6 addresses and adds routes to the IPv6 routing table and other configuration parameters. The Router Advertisement message also contains a field that indicates whether stateful address auto configuration should be performed.


In Stateful address auto configuration with DHCPv6, the DHCPv6 automatically configures the IPv6 addresses of DNS servers, which are not configured through router discovery.



Manual Configuration of IPV6 can be done using the properties of Internet Protocol Version 6 (TCP/IPv6) component and the Commands in the netsh interface ipv6 context.

Benefits

Greater Performance and Throughput Maximized network utilization through tuning of TCP/IP configuration.


Larger Address Space Globally reachable address in future


Faster Traffic Quick transmission through efficient routing


Trusted Connection - Authenticated connections for trusted computing


Ease of Configuration Self configuring IPv6


Advanced End-to-End Security - Better protection against address and port scanning attacks


World-Ready Scalability - Capable of supporting and responding to future needs


Security Concerns

Deploying IPv6 in Vista has increased the security concerns but there are certain best practices that help in minimizing the potential risks of IPv6 traffic in Vista. Major security concerns and some of the best practices are given below.

Unauthorized computers communicating on private networks - With an access to the network, it is easy for any computer to obtain a valid IPv6 address configuration and begin communicating. To avoid this unauthorized communication, authorization for automatically assigned addresses and configurations is required. Using IEEE 802.1X-based authentication at the link layer, a computer can be stopped from sending any network traffic until it is authenticated itself to a switch or wireless access point.


Security of IP Packets - Tampering of IP packets, spoofing, and passive capturing pose threats to the protection of IP packets. Using cryptographic security service such as IPsec defined in RFCs 2401-2409 for both IPv4 and IPv6 traffic, IP packets can be transmitted safely over the network.


Host Scans and attacks - Malware such as viruses and worms scan or attack hosts. An attacker can scan IP address of the host and use the services and resources of the host. Using the default behavior of IPv6 for Windows Vista to randomly derive the 64-bit interface ID and the Windows Firewall or any host based firewall, scans and attacks on hosts can be avoided.


Unwanted traffic - Deploying edge firewalls or proxies and intrusion detection systems (IDSs), an attacker's traffic cannot penetrate in to the private network. As all of these security devices are currently not IPv6-capable, there are additional security risks for IPv6 traffic. Some of the remedies include:



Configuring the IPv4-based edge firewall to drop all inbound IPv4 protocol 41 packets.

Upgrading the edge firewall, proxy, and IDS to include IPv6 and tunneled IPv6 functionality.

Right Deployment of ISATAP on private network.