Teredo @ Microsoft Present and Future



Similar documents
Using IPsec VPN to provide communication between offices

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

21.4 Network Address Translation (NAT) NAT concept

DirectAccess in Windows 7 and Windows Server 2008 R2. Aydin Aslaner Senior Support Escalation Engineer Microsoft MEA Networking Team

Howto: How to configure static port mapping in the corporate router/firewall for Panda GateDefender Integra VPN networks

How To Establish Site-to-Site VPN Connection. using Preshared Key. Applicable Version: onwards. Overview. Scenario. Site A Configuration

Building scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF

Protocol Security Where?

SYMANTEC ADVANCED THREAT RESEARCH. The Teredo Protocol: Tunneling Past Network Security and Other Security Implications

This section provides a summary of using network location profiles to identify network connection types. Details include:

Firewall Defaults and Some Basic Rules

Workflow Guide. Establish Site-to-Site VPN Connection using RSA Keys. For Customers with Sophos Firewall Document Date: November 2015

Configuring an IPsec VPN to provide ios devices with secure, remote access to the network

With a little bit of IPv6 magic: Windows 7 DirectAccess

IPv6-only hosts in a dual stack environnment

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Carrier Grade NAT. Requirements and Challenges in the Real World. Amir Tabdili Cypress Consulting

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Configuring IPsec VPN between a FortiGate and Microsoft Azure

Next Generation Network Firewall

Cisco Which VPN Solution is Right for You?

The VPNaaS Plugin for Fuel Documentation

LinkProof And VPN Load Balancing

Chapter 4 Firewall Protection and Content Filtering

About Firewall Protection

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Charter Text Network Design and Configuration

Matt Ryanczak Network Operations Manager

NetScaler carriergrade network

Personal Firewall Default Rules and Components

VPN. Date: 4/15/2004 By: Heena Patel

Updates to Understanding IPv6

Configuring IP Addressing and Services

Configuring a GB-OS Site-to-Site VPN to a Non-GTA Firewall

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Network/VPN Overlap How-To with SonicOS 2.0 Enhanced Updated 9/26/03 SonicWALL,Inc.

How To Configure L2TP VPN Connection for MAC OS X client

Technical White Paper

I. What is VPN? II. Types of VPN connection. There are two types of VPN connection:

How To - Implement Clientless Single Sign On Authentication with Active Directory

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Security Engineering Part III Network Security. Security Protocols (II): IPsec

Tunnels and Redirectors

Secure64. Use cases for DNS64/NAT64

Source-Connect Network Configuration Last updated May 2009

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

LOOK BEHIND THE SCENES: WINDOWS SERVER 2012 FIREWALL AT VOLKSWAGEN AG

Digi Connect WAN Application Guide Using the Digi Connect WAN and Digi Connect VPN with a Wireless Router/Access Point

ISG50 Application Note Version 1.0 June, 2011

Cisco QuickVPN Installation Tips for Windows Operating Systems

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX

Introduction to Security and PIX Firewall

DEPLOYMENT GUIDE Version 1.4. Configuring IP Address Sharing in a Large Scale Network: DNS64/NAT64

IPv4 and IPv6 Integration. Formation IPv6 Workshop Location, Date

Table of Contents. Introduction

Overview - Using ADAMS With a Firewall

Creating a VPN with overlapping subnets

Configuration Guide. How to establish IPsec VPN Tunnel between D-Link DSR Router and iphone ios. Overview

Examining Proxies to Mitigate Pervasive Surveillance

Developing P2P Protocols across NAT

Computer Networks. Secure Systems

Chapter 4 Firewall Protection and Content Filtering

Network Agent Quick Start

Network Security. Lecture 3

How To Connect Xbox 360 Game Consoles to the Router by Ethernet cable (RJ45)?

Configuring SonicOS for Microsoft Azure

How To Improve Alancom Vpn On A Pc Or Mac Or Ipad (For A Laptop) With A Network Card (For Ipad) With An Ipad Or Ipa (For An Ipa) With The Ipa 2.

Компјутерски Мрежи NAT & ICMP

Peer-to-Peer SIP Mode with FXS and FXO Gateways

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Chapter 4 Virtual Private Networking

Galileo International. Firewall & Proxy Specifications

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

Network Address Translation (NAT) Good Practice Guideline

Microsoft Exchange Load Balancing. Unique Applied Patent Technology By XRoads Networks

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Lab 6.5.9b Configure a Secure VPN Using IPSec between a PIX and a VPN Client using CLI

Chapter 12 Supporting Network Address Translation (NAT)

IP Security. Ola Flygt Växjö University, Sweden

OpenScape Business V2

How To Configure Virtual Host with Load Balancing and Health Checking

How To Industrial Networking

Table of Contents. Cisco Blocking Peer to Peer File Sharing Programs with the PIX Firewall

Peer-to-Peer Communication Across Network Address Translators

Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0

Darstellung Unterschied ZyNOS Firmware Version 4.02 => 4.03

Transcription:

Teredo @ Microsoft Present and Future Christopher.Palmer@Microsoft.com Program Manager Networking Core Operating System Group IETF 88 1

Overview Teredo is an IPv6 transition technology that provides IPv6 addressability and connectivity for capable hosts which are on an IPv4 network but with no native connection to an IPv6 network. RFC 4380, 5991, and 6081 Microsoft has included Teredo functionality in a default configuration in Windows Vista, 7, and 8/8.1. We are simultaneously: Sunsetting Teredo service for Windows Vista and Windows 7 hosts. Extending Teredo support for Xbox One gaming scenarios. IETF 88 2

Teredo Servers and Relays Network Infrastructure End user device Teredo relay is the gateway for Teredo clients to access the IPv6 Internet. This is unreliable. Teredo clients can communicate directly with one another, this generally works. End user device Teredo servers configure clients (their addresses) and aid in port mapping management (bubbling). Teredo Relay IPv6 Internet IETF 88 Teredo Server 3

Teredo Two Sides of the Coin The Bad Teredo as a technology to reach the IPv6 native Internet lacks operational reliability. Geoff Huston has considerable data on this reality. http://www.potaroo.net/ispcol/20 11-04/teredo.html 40%+ effective failure rate Should not affect users because of RFC 3484/6724. Teredo with relays!= Reliable The Good As a technology for enabling connectivity between IPv4 peers, Teredo is pretty good. With basic matchmaking, able to achieve connectivity between Teredo clients about 90% of the time. Teredo has seen successful usage in controlled environments such as DirectAccess (a Microsoft remote access technology). Teredo without relays = Usable IETF 88 4

The Teredo Service We don t have very specific telemetry on Teredo usage (privacy is important). We do know that Teredo server load had a dramatic increased - correlated to a popular BitTorrent client activating Teredo/IPv6 support. IETF 88 5

9,000,000 Worldwide Teredo Server Traffic (Monthly Average - UDP Datagrams/Second) 8,000,000 7,000,000 6,000,000 5,000,000 4,000,000 3,000,000 2,000,000 1,000,000 - IETF 88 6

The Overall Value of Teredo Teredo s value is best realized when coupled with supporting infrastructure for peer discovery, selection, and security. As in, the infrastructure and API support we have for Xbox One. Having a tunneled IPv6 address, by itself, provides little value and causes pain for developers and end-users (because of random bad app behavior). IETF 88 7

Proposed Sunset Plan We plan to deactivate our Teredo servers for Windows clients in the first half of 2014 (exact date TBD). Aligned to that, we encourage the deactivation of publically operated Teredo relays. We will maintain separate Teredo services for special-purpose scenarios that do not require public Teredo relays like Xbox One. We deactivated the Teredo service earlier this year for a test. (see IETF 87 presentation) Folks in the technical community seemed quite happy. There were some app compat issues that we are following-up on. IETF 88 8

Xbox One and Teredo (and IPv6) IETF 88 9

Xbox One and Teredo Teredo provides an IPv6 abstraction for peers. Combined with IPsec, this can provide straightforward, application-transparent, secure P2P connectivity. Xbox One uses Teredo for this purpose. IETF 88 10

Quickly Going to review Xbox One behavior IETF 88 11

IPv6 Networks: IPsec and Transparent Operation IPsec Transport Mode Traffic (ESP Option) Peers IKEv2 Traffic Home Network [Xbox One] Network Infrastructure Allow users to disable firewall capabilities (transparent operation) Allow unsolicited inbound IPsec and IKE IETF 88 12

Sometimes Teredo is more reliable for P2P than native IPv6 Xbox will consider the following peer pairs: Teredo Client -> Teredo Client IPv6 -> IPv6 IPv4-> IPv4 NO Teredo Client -> Native IETF 88 13

IPv4 Networks: Allow Teredo Support outbound UDP with long port mapping refresh intervals (60 seconds +) Teredo traffic will prefer port 3074 for peer traffic. Port forwarding for 3074 is helpful but not necessary (usually). The more open the NAT behavior, the better. Address-Independent > Address-Dependent > Address-and-Port Dependent > UDP Blocked with older nomenclature Open > Address Restricted > Port Restricted > Symmetric > UDP Blocked Outbound UDP for configuration and port mapping management Inbound UDP, with reasonable refresh intervals on port mappings Peers Home Network [Xbox One] Network Infrastructure IETF 88 14

IPv4 Networks: Be Mindful of Hairpinning With CGN, multiple peers may be behind the same NAT device Hairpinning allows those peers to communicate Hairpinning Teredo traffic Home Network [Xbox One] Network Infrastructure Peers IETF 88 15

Packet Format and Native IPv4 P2P traffic will use the ESP option for IPsec Native IPv4 will be used if available, generally for link-local peers. IETF 88 16

Questions? We will send v6ops/nanog notice about exact Teredo service dates. More detailed documentation aligned to this presentation is available at www.microsoft.com/ipv6. Relevant RFC s RFC 6092 for IPv6 security recommendations RFC 4380, 5991, and 6081 for more information on Teredo RFC 4787 and 6888 have recommendations for NAT behavior IETF 88 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information