Building IPv6 (Firewall & IPSec) Aware Applications
Session COM304 (PDC 2005)
Mohit Talwar, Development Lead, Microsoft Corporation
Outline
  Motivation
  Simple Client
  Simple Server
  Demo
  Advanced Topics
IPv6 is Ready
  Optional on Windows XP:
    "netsh interface ipv6 install"
    "netsh interface ipv6 set teredo client"
  Enabled by default on Windows Vista
    Pervasive IPv6 support in OS components
    IPv6 connectivity preferred over IPv4
  IPv6 is on by default in Windows Vista!
IPv6 is Real
  No support required from the network
  Transition technologies tunnel IPv6 over IPv4 (e.g. Teredo, 6to4, ...)

    C:\>ipconfig

    Windows IP Configuration

    Ethernet adapter Wireless Network Connection:

       Connection-specific DNS Suffix  . :
       IP Address. . . . . . . . . . . . : 192.168.1.102
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       IP Address. . . . . . . . . . . . : fe80::20c:f1ff:fe34:8106%5
       Default Gateway . . . . . . . . . : 192.168.1.1

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . :
       IP Address. . . . . . . . . . . . : 3ffe:831f:4004:1954:0:eebe:e7ec:1042
       Default Gateway . . . . . . . . . : ::
IPv6 Benefits: NAT Traversal
  IPv4: NATs are a significant challenge to P2P applications
  IPv6: IPv6 provides automatic NAT traversal (Teredo)
  IPv4 options: consumers configure NATs, providers host relays, or applications do NAT traversal themselves
  IPv6 option: simply write an IPv6 aware application!
  IPv4: NATs break over 50% of P2P scenarios
  IPv6: IPv6 connects over 95% of the P2P scenarios
  IPv6 provides NAT traversal!
IPv6 Benefits: Ad-Hoc Networks
  IPv4: may take 63s for autonet address configuration
  IPv6: instantaneous link-local address configuration
  IPv4: can only have one interface with autonet addresses
  IPv6: no ambiguity when using multiple link-local addresses
  IPv4: few applications built for this configuration
  IPv6: important Windows Vista scenario: People Near Me
IPv6 Benefits: Better Behavior
  IPv4: ARP takes up to 2 minutes to detect failures
  IPv6: ND detects failures in less than 30 seconds
  IPv4: gratuitous ARP can mess up address tables in switches
  IPv6: DAD has no adverse impact on switches
IPv6 Benefits (continued)
  Secure Neighbor Discovery: a secure extension of ARP
  Mobility: retain addresses across subnet moves
  Increased support for P2P scenarios: addressability across firewalls
Supporting IPv6
  Higher layers (.NET, HTTP, P2P SDK etc.): zero work!
  Lower layers (Winsock & .NET Sockets):
    Client applications
      Windows Vista & beyond: WSAConnectByName
      Windows XP & beyond: address agnostic
    Server applications
      Windows Vista & beyond: single socket
      Windows XP & beyond: dual socket
Supporting IPv6: Winsock
  Addresses
    Use SOCKADDR_STORAGE and PSOCKADDR
    SOCKADDR_IN6 when using v4-mapped addresses (Vista only)
  Name resolution
    GetAddrInfoW
    WSAConnectByName (Vista only)
  Core socket functions
    socket, bind, connect, sendto, ...
    IPV6_V6ONLY (Vista only)
  IP Helper APIs (IPHLPAPI)
    GetAdaptersAddresses
    Address agnostic APIs (Vista only)
  Macros
    INETADDR_ISLOOPBACK(PSOCKADDR ...)

CHECKV4.EXE
Simple Client
Broken (IPv4 only)!

    StartClient(PCSTR HostName, USHORT Port)
    {
        // AF_INET socket and gethostbyname: only IPv4 addresses are ever used.
        ClientSocket = socket(AF_INET, ...);
        HostEntry = gethostbyname(HostName);
        A.sin_addr = *(struct in_addr *)HostEntry->h_addr;
        A.sin_port = htons(Port);
        connect(ClientSocket, &A, ...);
    }
Simple Client – Windows Vista
Fixed (ConnectByName)!

    StartClient(PCSTR HostName, USHORT Port)
    {
        ClientSocket = socket(AF_INET6, ...);
        //
        // Reset IPV6_V6ONLY to FALSE, so the AF_INET6 socket can also
        // reach IPv4 destinations (as v4-mapped addresses).
        //
        setsockopt(ClientSocket, IPPROTO_IPV6, IPV6_V6ONLY, ...);
        WSAConnectByName(ClientSocket, HostName, Port, ...);
    }
Simple Client – Windows XP
Fixed (Address Agnostic)!

    StartClient(PCSTR HostName, USHORT Port)
    {
        //
        // First, resolve HostName (returns IPv6 and IPv4 results, sorted).
        //
        GetAddrInfoA(HostName, Port, ..., &AddressList);
        //
        // Then, try each address (in order) until one connects.
        //
        for (A = AddressList; A != NULL; A = A->ai_next) {
            ClientSocket = socket(A->ai_family, A->ai_socktype, A->ai_protocol);
            if (ClientSocket == INVALID_SOCKET) {
                continue;
            }
            if (connect(ClientSocket, A->ai_addr, A->ai_addrlen) == 0) {
                break;
            }
            closesocket(ClientSocket);
            ClientSocket = INVALID_SOCKET;
        }
        freeaddrinfo(AddressList);
    }
Simple Client – .NET
Fixed (Address Agnostic)!

    //
    // First, resolve HostName.
    //
    HostEntries = Dns.GetHostEntry(HostName);
    //
    // Then, try each address (in order) until one connects.
    //
    foreach (IPAddress Address in HostEntries.AddressList) {
        A = new IPEndPoint(Address, Port);
        ClientSocket = new Socket(A.AddressFamily, ...);
        try {
            ClientSocket.Connect(A);
            break;
        } catch (SocketException) {
            ClientSocket.Close();
        }
    }
Simple Server
Broken (IPv4 only)!

    StartServer(USHORT Port)
    {
        // AF_INET socket bound to INADDR_ANY: IPv6 clients can never connect.
        ServerSocket = socket(AF_INET, ...);
        A.sin_addr.s_addr = INADDR_ANY;
        A.sin_port = htons(Port);
        bind(ServerSocket, &A, ...);
        ...
    }
Simple Server – Windows Vista
Fixed (IPV6_V6ONLY)!

    StartServer(USHORT Port)
    {
        ServerSocket = socket(AF_INET6, ...);
        //
        // Reset IPV6_V6ONLY to FALSE, so the single AF_INET6 socket
        // also accepts IPv4 clients (seen as v4-mapped addresses).
        //
        setsockopt(ServerSocket, IPPROTO_IPV6, IPV6_V6ONLY, ...);
        IN6ADDR_SETANY(&A);
        A.sin6_port = htons(Port);
        bind(ServerSocket, &A, ...);
        ...
    }
Simple Server – Windows XP
Fixed (Dual Socket)!

    StartServer(USHORT Port)
    {
        ServerSocket4 = socket(AF_INET, ...);
        ServerSocket6 = socket(AF_INET6, ...);
        IN4ADDR_SETANY(&A4);
        IN6ADDR_SETANY(&A6);
        bind(ServerSocket4, &A4, ...);
        bind(ServerSocket6, &A6, ...);
        ...
    }
Simple Server – .NET
Fixed (IPV6_V6ONLY)!

    ServerSocket = new Socket(AddressFamily.InterNetworkV6, ...);
    ServerSocket.SetSocketOption(..., IPV6_V6ONLY, ...);
    A = new IPEndPoint(IPAddress.IPv6Any, Port);
    ServerSocket.Bind(A);
    ...
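An added example (not from the deck) of the one thing the single-socket servers above leave for the application: on a dual-stack socket, IPv4 clients show up as v4-mapped IPv6 addresses (SOCKADDR_IN6 with ::ffff:a.b.c.d), and logging or allow/deny logic that only compares the IPv4 form will not match them. Written against POSIX sockets, which expose the same sockaddr layouts as Winsock; describe_peer and make_mapped_peer are hypothetical names, and the sample addresses are the ones from the ipconfig slide.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Describe a peer address from accept()/recvfrom() on a dual-stack socket
 * (AF_INET6 with IPV6_V6ONLY reset to FALSE). IPv4 clients arrive as
 * v4-mapped addresses (::ffff:a.b.c.d); unwrap them so logs and allow/deny
 * lists see one textual form per client. Returns 1, or 0 if unsupported. */
int describe_peer(const struct sockaddr *sa, char *out, size_t outlen)
{
    char text[INET6_ADDRSTRLEN];
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *a4 = (const struct sockaddr_in *)sa;
        inet_ntop(AF_INET, &a4->sin_addr, text, sizeof(text));
        snprintf(out, outlen, "IPv4 %s port %u", text, ntohs(a4->sin_port));
        return 1;
    }
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *a6 = (const struct sockaddr_in6 *)sa;
        if (IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr)) {
            struct in_addr v4;           /* low 4 bytes hold the IPv4 address */
            memcpy(&v4, &a6->sin6_addr.s6_addr[12], sizeof(v4));
            inet_ntop(AF_INET, &v4, text, sizeof(text));
            snprintf(out, outlen, "IPv4 %s port %u (v4-mapped)",
                     text, ntohs(a6->sin6_port));
        } else {
            inet_ntop(AF_INET6, &a6->sin6_addr, text, sizeof(text));
            snprintf(out, outlen, "IPv6 %s port %u scope %u",
                     text, ntohs(a6->sin6_port), (unsigned)a6->sin6_scope_id);
        }
        return 1;
    }
    return 0;
}

/* Build the sockaddr_in6 a dual-stack socket reports for an IPv4 peer
 * (constructed sample input; not taken from a real connection). */
void make_mapped_peer(struct sockaddr_in6 *a6, const char *v4text,
                      unsigned short port)
{
    memset(a6, 0, sizeof(*a6));
    a6->sin6_family = AF_INET6;
    a6->sin6_port = htons(port);
    a6->sin6_addr.s6_addr[10] = 0xff;    /* ::ffff:0:0/96 mapped prefix */
    a6->sin6_addr.s6_addr[11] = 0xff;
    inet_pton(AF_INET, v4text, &a6->sin6_addr.s6_addr[12]);
}
```

The same function also covers the XP dual-socket server, where the IPv4 socket hands back a plain sockaddr_in for the same client.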
NAT Traversal Using Teredo
Jay Beavers, Developer, Project Max
Advanced Topics
  Secure Sockets
  Address Selection
  Address Publication
  Network Events
  Firewall Considerations
Secure Sockets
  IPv6 provides end-to-end connectivity (enabling IPSec)
  Secure sockets provide control over IPSec policies
    WSASetSocketSecurity
      Specify security requirements, before WSAConnect
      E.g. require IPSec encryption for a peer
    WSAQuerySocketSecurity
      Query the applied security properties, after WSAConnect
      E.g. use the peer's security token for authorization
Address Selection
  IPv6 exposes multi-homing issues: multiple interfaces & addresses
  Problem involves choosing one of many...
    Destinations: the address to connect to
    Sources: the address to connect from
  (Figure: the host's own addresses 192.168.1.102, fe80::20c:f1ff:fe34:8106%5 and 3ffe:831f:4004:1954:0:eebe:e7ec:1042, and the candidate destinations 157.59.1.1, 3ffe:831f::8000:f227:62c4:fefe and 3ffe:831f::baad:f00d:baad:f00d)
Address Selection: Destination Address Selection
  Automatically performed by GetAddrInfo
  SIO_ADDRESS_LIST_SORT
  Caveat: IPv6 preferred over IPv4
  (Figure: the same address list as above)
Address Selection: Source Address Selection
  Automatically performed by ConnectByName
  SIO_ROUTING_INTERFACE_QUERY
  (Figure: the same address list as above)
Address Publication: Publisher

    Publish(PIP_ADAPTER_UNICAST_ADDRESS AddressList)
    {
        //
        // Iterate over *all* addresses.
        //
        for (A = AddressList; A != NULL; A = A->Next) {
            //
            // Publish if *eligible*.
            //
            if (A->Flags & IP_ADAPTER_ADDRESS_DNS_ELIGIBLE) {
                ...
            }
        }
    }
Address Publication: Resolver

    Sort(PSOCKET_ADDRESS_LIST AddressList)
    {
        //
        // Combine the resolved IPv6 and IPv4 addresses in a single list
        // (represent IPv4 addresses as v4-mapped IPv6 addresses).
        //
        Socket = socket(AF_INET6, SOCK_DGRAM, 0);
        WSAIoctl(Socket, SIO_ADDRESS_LIST_SORT, AddressList, ...);
        closesocket(Socket);
    }
Network Events
  Address notifications: SIO_ADDRESS_LIST_CHANGE
    For applications that retry on address change
    E.g. IM client registering addresses with the IM server
  Route notifications: SIO_ROUTING_INTERFACE_CHANGE
    For applications that bind to the preferred source address
    E.g. video conferencing client switching from wireless to wired
  Requires an overlapped socket
  Vista: can use a single socket for both IPv4 and IPv6 notifications
Network Events: Notification Handler

    NotificationHandler(VOID)
    {
        //
        // Sleep before processing the event:
        // address & route changes usually occur in quick succession.
        //
        Sleep(1000);
        //
        // Register for the next event before processing the current one.
        // This ensures that no events are missed.
        //
        WSAIoctl(Socket, SIO_ADDRESS_LIST_CHANGE, ...);
        ...
    }
Firewall
  Host firewall is on by default (as in XP SP2)
  Application requirements:
    Application exceptions (during install)
    OR
    Port exceptions (during run-time)
  Exceptions stored as filters in a central database
    Can be used by 3rd party firewalls
Firewall
  UDP echo server bound to in6addr_any
    Receives a request on one of its addresses
    May reply from a different address!
    Reply may be dropped by the client's host firewall, which only expects a reply from the address the request was sent to
  Root cause: asymmetry in address selection
  (Figure: the same address list as on the Address Selection slides, with 3ffe:831f::8000:f227:62c4:fefe and 3ffe:831f::baad:f00d:baad:f00d highlighted)
Firewall
Fixed (WSASendMsg)!

    UdpServer(USHORT Port)
    {
        WSAMSG WsaMsg = {..., &Data, ..., &Control, ...};
        // Request IPV6_PKTINFO: the receiving address arrives as control data.
        setsockopt(..., IPV6_PKTINFO, ...);
        WSARecvMsg(Socket, &WsaMsg, ...);
        // Reuse the same WSAMSG (and its control data), so the reply
        // leaves from the address the request was received on.
        WSASendMsg(Socket, &WsaMsg, ...);
    }
Summary
  IPv6 provides NAT traversal! Excellent platform for P2P applications
  IPv6 is on by default in Windows Vista! Ready for primetime
  Porting to IPv6 is easy!
  Call to action: make your applications IPv6 aware!
Community Resources
  At PDC
    COM Track Lounge (I'll be there Wed, 9am - 5pm)
    Ask The Experts (Thu, 6:30pm)
    COM 319 – Windows Vista: Integrating with the People Near Me…
    PRS L05 – Case Study: What We Learned Building Project Max…
  After PDC
    Catch this session on DVD in case you missed it
    COM 311: Developing P2P Applications using Windows Vista…
  News groups
    microsoft.public.platformsdk.networking.ipv6
    microsoft.beta.longhorn.networking.home
  MSDN Forum
    Communications and Networking in Windows Vista
  MSDN Technology Center
    http://www.microsoft.com/windowsserver2003/technologies/ipv6/default.mspx
  Teredo overview
    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx
  Windows Firewall APIs
    http://msdn.microsoft.com/library/en-us/ics/ics/windows_firewall_start_page.asp
© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Appendix: Teredo Introduction
  Provides IPv6 connectivity behind IPv4 NAT
  Last resort connectivity mechanism
  Tunnels IPv6 traffic over UDP/IPv4
  Uses public Teredo (echo) servers
    To determine the NAT port-mapping
    To initiate communication with a peer
Appendix: Teredo in a Slide
  Actors: Client (behind the NAT), Teredo Server, Peer
  1. Client sends an Echo-Request to the Teredo server; this creates a port-mapping on the NAT
  2. Server sends an Echo-Response containing the port-mapping (A, P)G as seen from outside the NAT
  3. Client forms its IPv6 address from the elements: Server, (A, P)G
  4. Peer parses the IPv6 address, determines the port-mapping and server, and encapsulates the packet over UDP
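An added example (not from the deck) of step 4, a peer decoding a Teredo address: the server, the NAT's external port and the NAT's external IPv4 address are all carried inside the address (port and address XORed with all-ones bits, per RFC 4380). It accepts the RFC prefix 2001::/32 as well as the pre-RFC 3ffe:831f::/32 used on these slides; parse_teredo and teredo_fields are hypothetical names, and the sample address is the peer address from the Address Selection slides.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* What a peer recovers from a Teredo address (step 4 on the slide). */
struct teredo_fields {
    char     server[INET_ADDRSTRLEN];      /* Teredo server that issued it  */
    int      cone;                         /* flags bit 15: cone NAT        */
    uint16_t mapped_port;                  /* NAT external port, host order */
    char     mapped_addr[INET_ADDRSTRLEN]; /* NAT external IPv4 address     */
};

/* Decode the RFC 4380 layout: prefix(32) | server IPv4(32) | flags(16) |
 * port XOR 0xffff (16) | client IPv4 XOR 0xffffffff (32). Accepts the
 * RFC prefix 2001::/32 and the pre-RFC 3ffe:831f::/32 seen on the slides.
 * Returns 1 and fills *out, or 0 if text is not a Teredo address. */
int parse_teredo(const char *text, struct teredo_fields *out)
{
    unsigned char a[16], v4[4];
    uint32_t server, mapped;
    uint16_t flags, port;
    if (inet_pton(AF_INET6, text, a) != 1)
        return 0;
    if (!(a[0] == 0x20 && a[1] == 0x01 && a[2] == 0x00 && a[3] == 0x00) &&
        !(a[0] == 0x3f && a[1] == 0xfe && a[2] == 0x83 && a[3] == 0x1f))
        return 0;

    memcpy(&server, &a[4], 4);                   /* already network order */
    flags = (uint16_t)((a[8] << 8) | a[9]);
    port  = (uint16_t)(((a[10] << 8) | a[11]) ^ 0xffff);
    for (int i = 0; i < 4; i++)                  /* undo the address XOR */
        v4[i] = a[12 + i] ^ 0xff;
    memcpy(&mapped, v4, 4);

    inet_ntop(AF_INET, &server, out->server, sizeof(out->server));
    inet_ntop(AF_INET, &mapped, out->mapped_addr, sizeof(out->mapped_addr));
    out->cone = (flags & 0x8000) != 0;
    out->mapped_port = port;
    return 1;
}

int main(void)
{
    struct teredo_fields f;   /* peer address from the Address Selection slides */
    if (parse_teredo("3ffe:831f::8000:f227:62c4:fefe", &f))
        printf("server %s, cone %d, mapped %s:%u\n",
               f.server, f.cone, f.mapped_addr, f.mapped_port);
    return 0;
}
```

Decoding the slide's peer address yields the NAT's external endpoint 157.59.1.1 on UDP port 3544, which is why a host firewall or log pipeline that recognises the Teredo prefix can attribute tunnelled IPv6 traffic to its IPv4 origin.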