How Vista Will Handle IPv6
by Mitch Tulloch, 02/07/2006
In my previous article An Inside Look at IPSec in Vista, I discussed how IPSec has been moving steadily from the WAN to the LAN as it finds application for securing internal traffic on corporate networks. I also described new features of IPSec in the upcoming Windows Vista and Longhorn Server platforms and how these enhancements are going to make it easier to use IPSec to secure the internal network. Many of these enhancements are founded upon the Next Generation TCP/IP stack, which is the completely re-architected TCP/IP protocol stack in Vista and Longhorn. This article continues by examining changes to IPv6 in these platforms and how these changes enhance the manageability, usability, and security of Windows-based networks.
IPv6 Before Vista
IPv6 support first became available for Windows platforms in 1998 when Microsoft Research released a trial version of a TCP/IP protocol stack supporting it. In March 2000, Microsoft released a technology preview version of IPv6 for the Windows 2000 platform, and then in October 2001 when Windows XP was released, the platform included a developer preview version of the stack. September 2002 saw the release of Service Pack 1 for Windows XP, including a production-quality version of the stack that was now fully supported by Microsoft, but this version still had limited APIs and no support for file and print sharing. Then in July 2003 the Advanced Networking Pack was released for Windows XP, with an updated IPv6 stack, firewall support, and support for IPv4/v6 transition technologies like Teredo, ISATAP, and 6to4. Windows Server 2003, which was released earlier in March 2003, also included similar support for IPv6 plus limited support for IPSec over IPv6 but with no support for data encryption or Internet Key Exchange (IKE). Finally, when Windows XP Service Pack 2 was released, the IPv6 capabilities in the Advanced Networking Pack were rolled into the platform and Windows Firewall supported both IPv4 and IPv6, compared to the two separate versions of Internet Connection Firewall needed in Windows XP Service Pack 1 and earlier. Plus, if you wanted to configure IPv6 in XP SP2, you had to do it from the command line using the ipv6 command (for configuring IPv6 settings in XP SP1 and earlier), the ipsec6 command (for configuring IPsec security policies and associations), the netsh interface ipv6 command (for configuring IPv6 settings in XP SP1 and Windows Server 2003), and so on. Clearly, IPv6 in pre-Vista platforms is not all that easy to configure.
The key difference between the old and new platforms is that prior to Vista the TCP/IP networking stack of all Windows platforms was implemented as a dual-stack architecture. This meant that the driver for the IPv6 stack (Tcpip6.sys) was a separate networking component from the driver for the IPv4 stack (Tcpip.sys), so if you wanted IPv6 connectivity you had to install IPv6 protocol support from the Network Connections folder, because in Windows XP and Windows Server 2003 only IPv4 is installed by default. It also meant that the IPv4 and IPv6 stacks each had their own separate transport layer, so they implemented TCP and UDP separately. Additionally, each stack had its own separate framing layer to encapsulate IPv4 and IPv6 packets for transmission over different LAN or WAN media. And having two separate stacks created problems for developers writing Windows Sockets applications, because to ensure that applications would support both types of network connectivity they had to be coded to create separate sockets for IPv4 and IPv6.
IPv6 After Vista
In Vista (and Longhorn Server), however, a fundamental change has taken place, for the Next Generation TCP/IP stack is now implemented as a dual-layer architecture, not dual-stack. That means the two network layer components for IPv4 and IPv6 share the same transport layer components for TCP and UDP. It also means that IPv4 and IPv6 share a common framing layer at the bottom of the stack. And it means that IPv4 and IPv6 are both enabled by default--there's no separate protocol to install using the Network Connections folder--though it is possible to disable IPv6 support at the physical layer in Vista if you're in an all-IPv4 networking environment. But the idea is that we're not likely to remain in such pure IPv4 environments for long as more and more large enterprises (and possibly whole countries like China, Japan, and South Korea) migrate their legacy IPv4 networks to IPv6, so leaving IPv6 enabled by default is probably a good idea.
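The practical difference for application code, shown as an added example that is not from the article: with a dual-layer stack a single AF_INET6 listener can serve IPv4 clients as well, instead of the two sockets the dual-stack era required. The example uses POSIX sockets (Winsock exposes the same IPV6_V6ONLY option) and assumes, from memory rather than from the page, that the option must be cleared explicitly; the IPv4 client then appears as an IPv4-mapped address, which any logging or allow-list logic has to recognise.

```c
/* Added example: one dual-family listener plus peer-address normalisation.
 * POSIX sockets; Winsock needs WSAStartup() and SOCKET handles but the same
 * IPV6_V6ONLY option (assumption: it must be cleared, it is not off by default). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a single AF_INET6 listener. With IPV6_V6ONLY cleared it also accepts
 * IPv4 connections, which arrive as IPv4-mapped addresses (::ffff:a.b.c.d). */
int open_dual_listener(uint16_t port) {
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int off = 0;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof off) < 0) { close(fd); return -1; }
    struct sockaddr_in6 sa = { .sin6_family = AF_INET6, .sin6_port = htons(port), .sin6_addr = in6addr_any };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) { close(fd); return -1; }
    return fd;
}

/* Render a peer address for a log line or an allow-list check. An IPv4 client
 * on the dual listener shows up as ::ffff:a.b.c.d; without unmapping it, a rule
 * written for "a.b.c.d" would silently fail to match. Returns true on success. */
bool peer_to_text(const struct sockaddr_in6 *peer, char *out, size_t outlen) {
    if (peer->sin6_family != AF_INET6) return false;
    if (IN6_IS_ADDR_V4MAPPED(&peer->sin6_addr)) {
        struct in_addr v4;
        memcpy(&v4, &peer->sin6_addr.s6_addr[12], sizeof v4);   /* low 32 bits hold the IPv4 address */
        return inet_ntop(AF_INET, &v4, out, outlen) != NULL;
    }
    return inet_ntop(AF_INET6, &peer->sin6_addr, out, outlen) != NULL;
}

/* Helper: build a peer sockaddr from a textual literal (as accept() would fill
 * it in) and render it. Used to exercise peer_to_text() without a live client. */
bool render_peer(const char *literal, char *out, size_t outlen) {
    struct sockaddr_in6 peer;
    memset(&peer, 0, sizeof peer);
    peer.sin6_family = AF_INET6;
    if (inet_pton(AF_INET6, literal, &peer.sin6_addr) != 1) return false;
    return peer_to_text(&peer, out, outlen);
}

int main(void) {
    int fd = open_dual_listener(0);            /* port 0: let the kernel choose */
    if (fd < 0) { perror("listener"); return 1; }
    char text[INET6_ADDRSTRLEN];
    /* Constructed peer address from the 192.0.2.0/24 documentation range. */
    if (render_peer("::ffff:192.0.2.10", text, sizeof text)) printf("peer %s\n", text);
    close(fd);
    return 0;
}
```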
In Vista now you also can configure IPv6 settings using the GUI and not just using netsh from the command line. Another change is that Teredo, an IPv4/v6 transition technology for supporting end-to-end communications through NATs using IPv6 global addresses, is enabled by default on Vista computers that are members of a domain. Still another enhancement in Vista is that IPSec over IPv6 now fully supports both data encryption and IKE, and instead of having to configure IPSec policies and security associations from the command line, now you can use the IPSec snap-in to do this more easily from the GUI. Finally, the new APIs of the Next Generation TCP/IP stack let developers write network-aware applications more easily, though consideration should be given to ensuring that applications are still compatible with downlevel Windows platforms.
Conclusion
All in all, Vista makes great strides in providing easy-to-use IPv6 support for Windows-based networks, and the other enhancements of the Next Generation TCP/IP stack do even more to make Windows networking more secure, reliable, and efficient.
Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.
Corrections
2007-05-30 08:10:06 Mitch Tulloch
Starting in the section titled “IPv6 After Vista”:
1. “…though it is possible to disable IPv6 support at the physical layer in Vista if you're in an all-IPv4 networking environment.” In Windows Vista, IPv6 is disabled through a registry key or the GUI, and the stack itself is shut off. Thus IPv6 is disabled at Layer 3, not “at the physical layer.” Additionally, just about everyone is currently in an all-IPv4 environment, so this statement doesn’t make a whole lot of sense. Careful Security Development Lifecycle reviews have shown us that leaving IPv6 enabled by default does not reduce the stability or security of a Windows Vista machine, so leaving IPv6 enabled makes sense unless there is a regulatory or security control that specifically forbids it (and hopefully those are being updated, and quickly). I know you cover this a bit in the next sentence, but we are trying to make this crystal clear as there has been a lot of misinformation published.
2. “…and possibly whole countries like China, Japan, and South Korea migrate their legacy IPv4 networks to IPv6” This is a myth. China is doing a lot of work on their *private* network (CNGI) and Japan has a good deal of infrastructure, for instance, but overall countries moving towards IPv6 are zero at this point.
3. “Teredo... is enabled by default on Vista computers that are members of a domain.” This is incorrect, and hurts our overall messaging. PLEASE correct this. Teredo is DISABLED by default on domain-joined machines. We are aware of a bug that prevents this from happening in 100% of the cases, and this will be corrected in Vista SP1. The implication that we intentionally enabled it on domain joins, though, is excruciatingly painful. Teredo is designed for the home user, plain and simple. Teredo should not be used in the enterprise. We have been trying to get this message out, but a loud roar of other companies and media reports has been attacking Teredo, making it *sound* like we are positioning this as the next great thing in Enterprise IPv6 deployment. We are not. Please read http://www.microsoft.com/technet/community/columns/cableguy/cg1005.mspx for more details.
4. There is a question at the bottom of the post about what the effects of disabling IPv6 are. Just FYI, the entire Peer-to-Peer framework requires IPv6, as does failover clustering in Windows Server 2008. What this means is that if you disable IPv6, anything written to the P2P Framework will break. The only app we include out of the box that uses the P2P APIs is Windows Meeting Space. Thus, disabling IPv6 breaks Windows Meeting Space, plus any other apps that happen to use P2P APIs, plus Windows Failover Clustering.