Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
server database directory
/OfflineSign — Offline signing zone files, including key generation/deletion
DnsCmd
The /config option of the DNSCMD was used to set the Global Names option of the DNS
server earlier in the chapter. There is no option in the DNS console to set this value.
The Internet is running out of IP addresses. To resolve this problem, a relatively new technology is being deployed to give us more addresses. This technology is IPv6 and is completely integrated into Windows Server 2008 R2.
You might wonder why there is need for more address space when good old IPv4 provides somewhere in the range of four billion addresses. Unfortunately, there are over 6 billion people on the planet and, thus, not enough IP addresses for each and every person. In this age of ever-advancing technologies and Internet-enabled devices, it isn’t uncommon for a single individual to utilize more than one IP address. For example, an individual might have an Internet connection at home, a workstation in the office, an Internet-enabled phone, and a laptop to use in a cafe. This problem will only become more exacerbated as devices such as refrigerators and coffeemakers become part of the wired world.
CHAPTER 10 Domain Name System and IPv6
IPv6, Internet Protocol Version 6, not only brings a number of new features, as reviewed in Chapter 7, “Active Directory Infrastructure,” such as integrated IPSec, QoS, stateless configuration, and so on, but, more important, it will also provide over 340,000,000,000,000,000,000,000,000,000,000,000,000 unique addresses—that’s 3.4 x 10^38!
As mentioned in an earlier chapter, IPv6 provides a number of new features over IPv4:
vastly improved address space, improved network headers, native support for auto address
configuration, and integrated support for IPSec and QoS.
Windows Server 2008 R2’s networking advances are mostly due to the new TCP/IP stack
introduced with IPv6 in Windows Server 2008. Highlighted in the following list are a few
of the features that are included with Windows Server 2008 R2, derived from the new
TCP/IP stack:
. Dual IP layer architecture for IPv6—Windows 2003 required a separate protocol to be installed to enable IPv6 support; whereas in Windows Server 2008 R2, IPv6 is enabled and supported by default. Windows Server 2008 R2 supports the new stack that integrates IPv4 and IPv6, leveraging the fact that IPv4 and IPv6 share common layers (transport and framing).
. Windows Filtering Platform—All layers of the TCP/IP stack can be filtered, which allows the Windows Filtering Platform to provide more secure, stack-integrated filtering.
. Protocol stack off-load—By off-loading TCP and/or other protocols to the Network Driver Interface Specification (NDIS) miniport and/or network interface adapters, performance improvements can occur on traffic-intensive servers.
. Restart-less configuration changes—Leveraging the new TCP/IP stack’s ability to retain configuration settings, server restarts to enable configuration changes are no longer necessary.
In the United States, IPv6 is quietly making its way into the mainstream by starting at the
edge. Broadband providers in California such as Comcast have already implemented IPv6
for their customers. Countries like China with their recent implementations have opted to
move to IPv6 as a default.
NOTE
From an implementation perspective, Microsoft Internet Acceleration Server (ISA) 2006 does not support IPv6. As a matter of fact, installing the IPv6 protocol stack on an ISA 2006 server is a security risk as it exposes the server directly to the Internet. This has made it difficult for many organizations to start deploying IPv6 in a meaningful way. One of the few IPv6-ready applications is the DirectAccess technology introduced in Windows Server 2008 R2. See Chapter 24, “Server-to-Client Remote Access and DirectAccess,” for more details.
Going forward, Microsoft Forefront Threat Management Gateway 2010 (TMG) fully supports IPv6 and allows many organizations to step into the IPv6 world.
IPv6 Introduction
IPv6 Addressing
With the increased address space, there is a change in the addressing. An IPv6 address is 128 bits, normally displayed as eight groups of four hexadecimal digits, each group representing 16 bits. Hexadecimal digits range from 0 through 9 and A through F (see Table 10.2).
TABLE 10.2 Number Conversion
Decimal  Hexadecimal  Binary
0        0            0000
1        1            0001
2        2            0010
3        3            0011
4        4            0100
5        5            0101
6        6            0110
7        7            0111
8        8            1000
9        9            1001
10       A            1010
11       B            1011
12       C            1100
13       D            1101
14       E            1110
15       F            1111
The reason for displaying the digits in hexadecimal is to cut down on the length of the address. For example, an IPv6 address in binary form would be as follows:
0010000000000001 0000110110111000
1111101110010010 0000000000000000
0000000000000000 0000000000000000
1001000111000010 0000000000010010
This makes for a very long address to have to type in. However, displayed in hexadecimal, the same address would be as follows:
FC00:0db8:fb92:0000:0000:0000:91c2:0012
This is much shorter. This can be abbreviated even more as the following:
FC00:db8:fb92::91c2:12
These methods of shortening the IPv6 address, such as the abbreviated form (more on this
later in the chapter), help make the IPv6 addressing more manageable.
Still, this is a huge change from the 32-bit IPv4 addressing, where an address would be
something like 172.16.1.11. Trying to remember 32 hexadecimal digits versus 4 decimal
numbers is a significant change, when DNS itself was created so that users would not have
to remember the 4 decimal numbers.
Comprehending IPv6 Addressing
Comprehending IPv6 addressing can become a steep uphill challenge, as well as hard on the fingers due to all the typing. The addresses are so long that abbreviation mechanisms and conventions are used to ease the burden. However, this makes learning the addressing that much more difficult.
Here are a few rules and tips to assist with the future IPv6 change, as well as some conventions that reduce the typing needed to enter the addresses:
. IPv6 DNS records show as AAAA records (or quad A).
. With IPv6 prefixes, a / slash in IPv6 defines the network with addresses (for example, fc00:db8:1234::/48 is fc00:1234:5678:0000:0000:0000:0000:0000 through FC00:0db8:1234:FFFF:FFFF:FFFF:FFFF:FFFF). Thus, FC00:db8:1234::/48 implies that the first 48 bits are assigned to the network portion of the address—4 bits for each hexadecimal digit, visible or not, totaling 16 bits for each segment and 48 bits for three segments. This leaves 80 bits remaining out of a total of 128 bits in the address. 80 bits translates into five groups of four hexadecimal digits. Because each hexadecimal digit represents 4 bits, four multiplied by four, and then by five (for the five groupings), makes 80. After you get the hang of it, it is similar to dealing with “/24” being three groups of eight represented as 255.255.255.0 in IPv4.
. With IPv6 zero compression, consecutive groups of zeros can be subbed with a double “:” (colon). This means that FC00:db8:bc92:0000:0000:1293:91c2:0012 would be the same as FC00:db8:fb92::1293:91c2:0012.
NOTE
The caveat is that there can be only one double colon used in an IPv6 address to compress consecutive groups of zeros. Otherwise, it would not be possible to determine how many zeros were compressed.
. RFC 2732 dictates that an IPv6 address can be used in a URL syntax. As an example, FBAC:FA9A:B6A54:3910:A81C:C1A8:B6A4:A2BB can be literally used in a URL as long as it is enclosed in brackets [ and ], as seen in this example: http://[FBAC:FA9A:B6A54:3910:A81C:C1A8:B6A4:A2BB].
. Loopback for IPv6 is ::1. This might be the only case where an IPv6 address is shorter than the equivalent IPv4 address.
These conventions make it much easier to enter the addresses, if not quite as easy as
IPv4 addresses.
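The conventions listed above (zero compression with a single “::”, the /48 network portion, the bracketed URL form) are easy to get wrong by hand. The following is an added example, not code from the book, that implements them in Python so you can check an address or a prefix before typing it into a DNS record or a firewall rule. The address values used are the ones from the text above; the standard `ipaddress` module does the parsing, and the compression routine is written out explicitly to show the rule.

```python
import ipaddress


def expand_ipv6(addr: str) -> str:
    """Return the full form: eight groups of four hex digits, no zero compression."""
    return ipaddress.IPv6Address(addr).exploded


def compress_ipv6(addr: str) -> str:
    """Apply the zero-compression convention by hand.

    Leading zeros are dropped from every 16-bit group, and the single longest run
    of two or more all-zero groups is replaced by '::' (the first run wins on a
    tie, as RFC 5952 recommends). Only one '::' is ever produced.
    """
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < len(groups):
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < len(groups) and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def is_valid_ipv6(addr: str) -> bool:
    """A second '::' makes the address ambiguous, so the parser rejects it."""
    try:
        ipaddress.IPv6Address(addr)
        return True
    except ValueError:
        return False


def prefix_range(prefix: str):
    """First address, last address and number of host bits for a prefix such as fc00:db8:1234::/48."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return (net.network_address.exploded, net.broadcast_address.exploded, 128 - net.prefixlen)


def url_host(addr: str) -> str:
    """RFC 2732 literal form for use in a URL: the compressed address in square brackets."""
    return f"[{compress_ipv6(addr)}]"


if __name__ == "__main__":
    full = "FC00:0db8:fb92:0000:0000:0000:91c2:0012"  # address taken from the text above
    print(compress_ipv6(full))                        # fc00:db8:fb92::91c2:12
    print(expand_ipv6("fc00:db8:fb92::91c2:12"))      # fc00:0db8:fb92:0000:0000:0000:91c2:0012
    print(prefix_range("fc00:db8:1234::/48"))         # first, last, 80 host bits
    print(is_valid_ipv6("fc00::1::2"))                # False: two '::' cannot be resolved
    print(url_host("::1"))                            # [::1]
```

`prefix_range` confirms the arithmetic in the list above: a /48 leaves 80 host bits, and the last address of the prefix has the five remaining groups set to ffff. `is_valid_ipv6` is the check to apply to user-supplied addresses in scripts, since the parser enforces the one-double-colon rule for you.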
NOTE
The fc00::/7 prefix is the private reserved IPv6 address range. The private ranges in IPv6 are called the unique local addresses (ULA) and are not globally routable. This is equivalent to the 10.x.x.x, 172.16-31.x.x, and 192.168.x.x IPv4 private addresses.
The unique local address range (fc00::/7) is further divided into 2 /8 address ranges. The first is the fc00::/8 range, which is available for private use. The second is the fd00::/8 range, which is to include a random 40-bit string. The link-local address is assigned the fe80::/10 range, which is from the second range.
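Two practical consequences of the note above are worth seeing in code: how an fd00::/8 prefix with its random 40-bit string is actually built (the layout is the one RFC 4193 specifies: 0xfd, a 40-bit global ID, a 16-bit subnet ID), and how to tell the unique-local, link-local and loopback ranges apart when reviewing addresses in firewall or DNS logs. This is an added example, not code from the book; the `audit` helper and its constructed list of sample addresses are assumptions made for illustration.

```python
import ipaddress
import secrets

LOOPBACK = ipaddress.IPv6Network("::1/128")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
MULTICAST = ipaddress.IPv6Network("ff00::/8")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
ULA = ipaddress.IPv6Network("fc00::/7")         # unique local addresses, both halves
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")   # locally assigned half (random global ID)


def make_ula_prefix(global_id=None):
    """Build a /48 in fd00::/8 as RFC 4193 lays it out: the byte 0xfd, then a
    40-bit pseudo-random global ID, then a 16-bit subnet ID (left at zero here).
    A random ID is drawn from the OS CSPRNG when none is supplied."""
    if global_id is None:
        global_id = secrets.randbits(40)
    if not 0 <= global_id < (1 << 40):
        raise ValueError("global ID must fit in 40 bits")
    value = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(value)}/48")


def classify_scope(addr: str) -> str:
    """Name the scope of an address the way a filtering or log-review rule needs to."""
    a = ipaddress.IPv6Address(addr)
    if a in LOOPBACK:
        return "loopback"
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA:
        return "unique-local (fd00::/8)" if a in ULA_LOCAL else "unique-local (fc00::/8)"
    if a in MULTICAST:
        return "multicast"
    if a in GLOBAL_UNICAST:
        return "global unicast"
    return "other"


def audit(addrs):
    """Group observed addresses by scope; useful when a 'private only' rule needs checking."""
    result = {}
    for x in addrs:
        result.setdefault(classify_scope(x), []).append(x)
    return result


if __name__ == "__main__":
    # Constructed sample of addresses as they might appear in a connection log.
    sample = ["::1", "fe80::1", "fd01:2345:6789::10", "fc00:db8::1", "2001:db8::1", "ff02::1"]
    print(make_ula_prefix(0x0123456789))   # fd01:2345:6789::/48 (fixed ID for a repeatable run)
    print(make_ula_prefix())               # a fresh random prefix each run
    for scope, addrs in audit(sample).items():
        print(f"{scope:26} {addrs}")
```

The deterministic call with `0x0123456789` shows where the 40 bits land (groups two and three, plus the low byte of group one); the call without an argument is the form to use when allocating a real prefix, so that two merging organizations are unlikely to have picked the same range.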
IPv6 Transition Technologies
IPv6 is most likely to be deployed in an IPv4 world today, given the prevalence of IPv4 in the Internet today. This creates an IPv4 gap across which IPv6 devices need to communicate. Figure 10.18 shows the gap between IPv6 devices.
[Figure: IPv6 Device | IPv4 Network (Gap) | IPv6 Device]
FIGURE 10.18 The IPv4 gap between IPv6 devices.
Most organizations will need to use IPv6 transition technologies to bridge the IPv4 gap
from their IPv6-enlightened devices to communicate. Figure 10.19 shows the IPv4/IPv6
protocol stacks in place of the devices shown in the previous figure.
[Figure: each IPv6 Device shown as Application Layer, Transport Layer and Network Layer (IPv6 over IPv4), connected across the IPv4 Network]
FIGURE 10.19 Bridging the IPv4 gap with transition technologies.
Communications between IPv6 devices (either hosts or routers) over IPv4 networks is accomplished with IPv6 over IPv4 tunneling. In tunneling, the IPv6 packets are encapsulated in an IPv4 packet by the source device and routed through the IPv4 network. When the encapsulated packet arrives at the boundary between the IPv4 and IPv6 networks, the IPv4 encapsulation is stripped off and the IPv6 packet continues on its way.
Older operating systems such as Windows 2003 and Windows XP implemented a dual
protocol stack to support IPv6. This essentially duplicates the Transport layer, including
the TCP and UDP protocols. These are the workhorse protocols of the Internet, and the
dual-stack architecture is very inefficient and introduces a lot of overhead. Windows 2008
R2, Windows 2008, Windows 7, and Windows Vista have a modern protocol dual IP layer
architecture that is designed from the ground up to support IPv6. This architecture is
much more efficient and performs much better. Figure 10.20 shows the two architectures.
[Figure: Dual IP Layer Architecture (one Transport Layer over a single Network Layer containing both IPv6 and IPv4) versus Dual Stack Architecture (a separate Transport Layer and Network Layer for each of IPv6 and IPv4)]
FIGURE 10.20 Dual IP layer and dual-stack architectures.
These transition protocols provide tunneling of IPv6 traffic through an IPv4 network by encapsulating the IPv6 packet in an IPv4 packet, as shown in Figure 10.21.
[Figure: IPv6 Packet = IPv6 Packet Header | Extension Header | Payload; IPv4 Packet = IPv4 Packet Header | IPv6 Packet Header | Extension Header | Payload]
FIGURE 10.21 IPv6 packet encapsulation in an IPv4 packet.
The IETF RFC2893, “Transition Mechanisms for IPv6 Hosts and Routers,” defines the IPv4 compatibility mechanisms for tunneling IPv6 over IPv4. The RFC defines two types of tunnels, specifically:
. Configured tunnels—These are tunnels that are manually configured with the static routes through the IPv4 network.
. Automatic tunnels—These tunnels don’t require manual configuration, as they are derived from the IPv4 addresses of the devices. Windows supports the ISATAP, 6to4, and Teredo automatic tunneling protocols.
NOTE
In Windows, static tunneling routes can be added with the netsh interface ipv6
add v6v4tunnel command.
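The point that automatic tunnel addresses are “derived from the IPv4 addresses of the devices” is what makes them recognizable in logs: the IPv4 endpoint is embedded in the IPv6 address itself. The following is an added example, not code from the book, that builds a 6to4 prefix and an ISATAP address from an IPv4 address and, in the other direction, recovers the embedded IPv4 address from a 6to4, Teredo or ISATAP address seen on the wire. The layouts used are the published ones (6to4 in RFC 3056, ISATAP in RFC 5214, Teredo in RFC 4380); the sample addresses are constructed for the demonstration.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """6to4: 2002:WWXX:YYZZ::/48, with WWXXYYZZ the public IPv4 address in hex."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(f"2002:{v4 >> 16:04x}:{v4 & 0xFFFF:04x}::/48")


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """ISATAP: interface ID 0000:5efe:w.x.y.z for a private IPv4 address, or
    0200:5efe:w.x.y.z (universal/local bit set) for a globally unique one."""
    v4 = ipaddress.IPv4Address(ipv4)
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    u_bit = 0 if v4.is_private else 0x0200_0000_0000_0000
    iid = u_bit | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def classify_transition(addr: str):
    """Return (mechanism, embedded IPv4 address) for an automatic tunnel address,
    or (None, None) for a native IPv6 address."""
    a = ipaddress.IPv6Address(addr)
    v = int(a)
    if a in SIXTO4:
        # the IPv4 address occupies bits 16-47 counted from the top
        return ("6to4", str(ipaddress.IPv4Address((v >> 80) & 0xFFFFFFFF)))
    if a in TEREDO:
        # Teredo stores the client's public IPv4 address in the last 32 bits, bitwise inverted
        return ("Teredo", str(ipaddress.IPv4Address(~v & 0xFFFFFFFF)))
    iid = v & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) & 0xFDFFFFFF == 0x00005EFE:  # accept both 0000:5efe and 0200:5efe
        return ("ISATAP", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF)))
    return (None, None)


if __name__ == "__main__":
    print(sixto4_prefix("192.0.2.1"))                        # 2002:c000:201::/48
    print(isatap_address("2001:db8::/64", "192.168.1.10"))   # 2001:db8::5efe:c0a8:10a
    # Constructed log sample: one address per mechanism plus a native one.
    for seen in ["2002:c000:201::1",
                 "2001:0:4136:e378:8000:63bf:3fff:fdd2",
                 "2001:db8::5efe:c0a8:10a",
                 "2001:db8::1"]:
        print(seen, "->", classify_transition(seen))
```

On the IPv4 side of the gap these tunnels are visible too: 6to4 and ISATAP carry the IPv6 packet as IPv4 protocol 41, and Teredo wraps it in UDP to port 3544, which is what a firewall or IDS rule would match if tunneled IPv6 is not expected on a segment.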
Most IPv6 tunnels are automatic tunnels, due to the ease of configuration. ISATAP and