IPv6 – so what’s it all about?

A few weeks back, I was at a Microsoft TechNet UK event, where Steve Lamb discussed Microsoft’s implementation of the Internet Protocol v6 (IPv6), available in Windows 2000 service pack 3 or later, Windows XP service pack 1 or later, or Windows Server 2003. This is a new version of IP (also known as IP next generation – IPng), intended to overcome some of the limitations of the present version (v4), namely:

  • Exhaustion of available addresses – not such a major issue now that network address translation (NAT) is so common, but potentially a future issue as more and more devices are IP-enabled.
  • Large routing tables in backbone routers (the average ISP has 90,000 entries under IPv4).
  • A need for simpler, stateless configuration.
  • A need for better support of real-time data delivery (QoS).

IPv6 provides a 128-bit address space (compared with IPv4’s 32-bit implementation), and instead of being represented using four octets in dotted decimal notation, IPv6 addresses use eight groups of four hexadecimal digits, which incorporate the media access control (MAC) address of the client, for example, 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A.
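To make the "incorporates the MAC address" point concrete, here is an added worked example (my code, not from the post or from Microsoft's IPv6 stack) that derives the modified EUI-64 interface identifier from a MAC address, combines it with a 64-bit prefix, and recovers the MAC from an address. The MAC 00-AA-00-28-9C-5A is an assumption chosen because it yields the lower 64 bits of the post's example address; the prefix 21DA:00D3:0000:2F3B is taken from that address.

```python
import ipaddress
import re

# Values from the post's example address; the MAC is my reverse-engineered
# assumption, picked so that the derivation reproduces that address exactly.
EXAMPLE_PREFIX = "21DA:00D3:0000:2F3B"
EXAMPLE_MAC = "00-AA-00-28-9C-5A"
EXAMPLE_ADDRESS = "21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A"


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00-AA-00-28-9C-5A, 00:AA:00:28:9C:5A or 00AA00289C5A."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the MAC in half, insert FF:FE between the halves,
    then flip the universal/local bit (0x02) of the first byte."""
    m = mac_to_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def address_from_mac(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (four hex groups) with the EUI-64 identifier."""
    prefix_bytes = bytes.fromhex(prefix.replace(":", ""))
    if len(prefix_bytes) != 8:
        raise ValueError("prefix must be exactly four 16-bit groups")
    return ipaddress.IPv6Address(prefix_bytes + eui64_interface_id(mac))


def mac_from_address(addr: str):
    """Recover the MAC if the low 64 bits carry a modified-EUI-64 identifier
    (recognised by the FF:FE marker bytes); return None otherwise."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the universal/local bit flip
    raw = bytes(iid[:3] + iid[5:])
    return "-".join(f"{b:02X}" for b in raw)


def describe(addr: str) -> dict:
    """Show the full and compressed textual forms plus any embedded MAC."""
    a = ipaddress.IPv6Address(addr)
    return {"exploded": a.exploded, "compressed": a.compressed, "mac": mac_from_address(addr)}


if __name__ == "__main__":
    print(address_from_mac(EXAMPLE_PREFIX, EXAMPLE_MAC).exploded)
    print(describe(EXAMPLE_ADDRESS))
```

Because the identifier is built from the MAC, `mac_from_address` can recover it from any address of this form, which is why an autoconfigured address like the post's example identifies the same network card on every network it visits; temporary (privacy) addresses with a random identifier exist precisely to avoid that, and the `FF:FE` marker is the quickest way to spot which kind you are looking at in a log.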

I’m told that there was an IPv5 (presumably with a 64-bit address space?), but it took too long to ratify. The IPv6 addressing scheme gives a vast number of possible combinations (about 340 undecillion – that’s more than 340000000000000000000000000000000000000!) and allows for faster routing due to its simplified header.

Like most protocols in the TCP/IP suite, IP is made up of a number of sub-protocols, and IPv6 is actually formed of five core protocols:

  • Internet protocol (IP).
  • Internet control message protocol (ICMP).
  • Multicast listener discovery (MLD).
  • Neighbor discovery (ND).
  • Top level aggregator (TLA).

(Yes, there really is a three-letter acronym called TLA!)

In terms of application support, Microsoft’s IPv6 implementation is as per the IETF RFCs (i.e. not extended in any way). The tools look similar to the IPv4 versions, apart from the different addresses. DNS and RPC are both supported by the IPv6 stack, as are sockets interface extensions; however IPSec on IPv6 is only partly functional. There is also support for an IPv6 IP Helper API.

So what are the barriers to IPv6 adoption? For a start, businesses will need to see some benefit first, and although IPv6 addresses are available now, the initial worries about a lack of IPv4 addressing space have been alleviated (for the time being) with the use of network address translation (NAT) and private IP address ranges. Organisations implementing IPv6 do not need to drop IPv4 and convert overnight – it is possible to mix and match, and there is a world-wide IPv6 test network backbone; however, many organisations are using NAT as a line of defence in their security model, and so firewall configurations will need to be re-examined if an IPv6 migration is performed. Add to that the fact that IPv4 is well understood by administration staff (IPv6 is not), and a critical mass must build up before most organisations will be ready to make the move, although the US government is mandating that all federal agencies must use IPv6 by 2008 – maybe that will start the ball rolling.

In summary, IPv6 is here today, but many organisations will not be in a rush to migrate. The next generation of Windows (codenamed Longhorn) is expected to include a new networking stack that supports both the IPv6 and IPv4 networking standards, and I would expect IPv6 to gain some momentum around about the time of its expected release (2006-7). Until then, IPv6 will remain something to look at in our labs. Wikipedia has more information about IPv6 for those who wish to learn more.

Best practices for managing automatic IP addressing with DHCP

Dynamic host configuration protocol (DHCP) is often taken for granted – we expect it to work; however there are a few items which need to be considered and this post is intended as a general discussion of DHCP best practice.

Most administrators will be familiar with the overall DHCP concept – basically a database of IP addresses allocated to clients dynamically, allowing centralised IP address management; however, most of the organisations I see still need to use static addresses for some devices (e.g. servers). Whilst there is nothing wrong with this and I would still suggest using fixed IP addresses for networking equipment and the DHCP server itself, reservations can be useful to reserve particular addresses for certain clients, based on their media access control (MAC) address. The main drawback of this approach is that if the NIC in the computer changes, so does the MAC, although reprogramming the MAC address is possible (as is setting up a new reservation).

If there are static addresses in use which fall within an IP address range intended for DHCP, exclusions can be configured (much easier than configuring several scopes to cover the fragmented IP range). Exclusions can be configured for a single address or for a range of IP addresses.

Lease duration is another area to consider (i.e. the amount of time before a client needs to renew its DHCP address). If this is set too long and there are a large number of mobile clients, there is a risk of running out of available IP addresses as these mobile clients join the network, lease an address and then leave again without releasing it; conversely, if it is too short there is a large amount of renewal traffic as each DHCP client attempts to renew its lease at the half-life. For most environments, I find that an 80:20 rule can be applied – i.e. provide 20% more addresses than are expected to be in use at any one time (to cater for mobile clients) and set the lease time to 1 day; for a subnet with largely static PCs, longer leases may be appropriate.

DHCP includes a number of pre-defined options that can be set on a client:

  • Server options apply to all scopes on a server (e.g. 006 DNS servers, 015 DNS Domain Name).
  • Scope options apply to a single scope (e.g. 003 Router).
  • Class options can be applied to a specific type of device.
  • Reservation options apply to specific reservations.

Occasionally it may be necessary to configure custom options – e.g. 060 for a pre-boot execution environment (PXE) client or 252 for web proxy auto-discovery (WPAD).

If there are multiple DHCP servers on a subnet, then the client will be allocated an address by the first one to answer – which is why Windows 2000 and later DHCP servers support DHCP authorisation in Active Directory (preventing the use of rogue DHCP servers); however, this will not affect non-AD DHCP servers (such as the one in Virtual Server, or on an ADSL router). When a client issues a DHCP request, all listening servers respond with an offer and the client will respond to the first answer received. Because DHCP requests are broadcast-based, they typically cannot traverse routers, and so DHCP relaying must be configured to overcome this where clients are remote from the DHCP server.

To configure DHCP for redundancy, it is generally advised to configure two DHCP servers and to split the scope using a 50:50 or 80:20 ratio (50:50 works well where both DHCP servers are on the same site; 80:20 is often appropriate where a remote site is providing redundancy for a local server) so, for example, if I want to allocate addresses on the network 192.168.1.0/24, I might reserve the top 10 or so addresses for static devices and create two scopes on two DHCP servers – one for 192.168.1.1-120 and the other for 192.168.1.121-240. This provides 240 potentially available addresses, but if one server is unavailable then the other can answer. Of course, this scenario only provides for 120 clients (96 taking into account my earlier recommendations for dealing with mobile devices). It is also possible to cluster DHCP servers for redundancy.
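As an added worked example (mine, not the post's, and not Microsoft's DHCP tooling), here is the scope-splitting, exclusion and lease-time arithmetic from the exclusions, lease-duration and redundancy paragraphs above, using Python's standard `ipaddress` module. The 192.168.1.0/24 figures reproduce the post's own plan; the static addresses passed to `exclusion_ranges` are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Tuple

IPv4 = ipaddress.IPv4Address
Range = Tuple[IPv4, IPv4]


def split_scope(network: str, last_dynamic: int, ratio: Tuple[int, int] = (50, 50)) -> dict:
    """Split host numbers 1..last_dynamic of `network` into two DHCP scopes.

    Host numbers above last_dynamic are left for statically addressed devices
    (the post keeps "the top 10 or so").  ratio is (50, 50) or (80, 20); the
    first share goes to server A, the remainder to server B.
    """
    net = ipaddress.ip_network(network)
    if not 1 <= last_dynamic <= net.num_addresses - 2:
        raise ValueError("last_dynamic must be a usable host number in the subnet")
    base = int(net.network_address)
    first_size = last_dynamic * ratio[0] // sum(ratio)
    scope_a: Range = (IPv4(base + 1), IPv4(base + first_size))
    scope_b: Range = (IPv4(base + first_size + 1), IPv4(base + last_dynamic))
    return {
        "server_a": scope_a,
        "server_b": scope_b,
        "total": last_dynamic,
        # worst case: the larger scope's server is down, only the other can answer
        "single_server_capacity": min(first_size, last_dynamic - first_size),
    }


def planned_clients(capacity: int, headroom: float = 0.20) -> int:
    """The post's 80:20 rule: keep 20% of the pool free for roaming clients."""
    return int(capacity * (1 - headroom))


def exclusion_ranges(scope: Range, static: Iterable[str]) -> List[Range]:
    """Coalesce static addresses that fall inside a scope into exclusion ranges,
    one per run of consecutive addresses (a single address is a one-item range)."""
    lo, hi = int(scope[0]), int(scope[1])
    inside = sorted({int(IPv4(s)) for s in static if lo <= int(IPv4(s)) <= hi})
    runs: List[List[int]] = []
    for n in inside:
        if runs and n == runs[-1][1] + 1:
            runs[-1][1] = n
        else:
            runs.append([n, n])
    return [(IPv4(a), IPv4(b)) for a, b in runs]


def renewal_times(lease_seconds: int) -> Tuple[int, int]:
    """T1 (first renewal attempt, the 'half-life') and T2 (rebinding) using
    the RFC 2131 defaults of 50% and 87.5% of the lease."""
    return lease_seconds // 2, lease_seconds * 7 // 8


if __name__ == "__main__":
    plan = split_scope("192.168.1.0/24", last_dynamic=240)
    print(plan)
    print("clients with 20% headroom:", planned_clients(plan["single_server_capacity"]))
    # constructed static devices sitting inside server A's range
    print(exclusion_ranges(plan["server_a"], ["192.168.1.5", "192.168.1.6", "192.168.1.7", "192.168.1.50"]))
    print("T1/T2 for a 1-day lease:", renewal_times(86400))
```

Running it reproduces the post's numbers (two scopes of 120, 96 clients once a fifth of the pool is held back) and shows that a one-day lease makes clients start renewing after twelve hours, which is the traffic you trade against address exhaustion when choosing the lease length.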

Superscopes can be used to group several scopes into one for management purposes, but when I tried to implement these in a live environment, we found that they did not work well and had to revert to individual scopes for each subnet.

Since Windows 2000, the Microsoft DHCP server implementation has included DNS integration. Set on the scope properties, this allows three options for updating A and PTR records in DNS as IP addresses are leased to DHCP clients:

  • Enable DNS dynamic updates, either always, or if requested (by Windows 2000 or later clients).
  • Discard DNS records when the lease is deleted (i.e. clean up afterwards).
  • Dynamically update DNS for legacy clients that do not request updates (e.g. Windows NT 4.0).

In terms of new features, Windows Server 2003 improves on Windows 2000 Server by allowing backup and restoration of the DHCP database from the DHCP console. It also provides for both user- and vendor-specified option classes. Potentially the greatest area of improvement is integration of DHCP commands within the netsh command shell.

Finally, DHCP servers use a JET database and may be busy. At a recent Microsoft TechNet UK event, John Howard recommended that every now and again, the service is stopped and jetpack.exe is used to perform database maintenance, improving performance (as described in Microsoft knowledge base article 145881).

Performance tips for Microsoft Virtual Server 2005

A few days back, I blogged about the performance issues I’d experienced with Microsoft’s virtualisation products. John Howard’s blog reports that Microsoft knowledge base article 903748 was released today, featuring a whole load of performance tips for Virtual Server 2005.

Microsoft acquires FrontBridge

Back in March, I wrote about some new e-mail message continuity services from FrontBridge. Well, according to a press release just received from Microsoft, FrontBridge is about to become Microsoft’s latest acquisition as it steps up its systems management and security capabilities. With the purchase of Giant Company (anti-spyware), Sybari (anti-virus) and now FrontBridge (anti-spam and message continuity), Microsoft’s security arsenal is starting to look good. It will be interesting to see how these purchases shape up and whether they are integrated into Windows, retained on an application service provider (ASP) basis, or developed into one or more new products, perhaps as part of the System Center family, or (in the case of FrontBridge) maybe we will see some of the new technology integrated into Exchange 12?

Find out what the moon is made of using Google maps

Today is the 36th anniversary of the Apollo 11 moon landings (thought by some to be a hoax, and by others to be a fantastic scientific achievement on the part of mankind). To celebrate this, Google has added some NASA imaging to Google Maps and if you zoom in really close, you can really see what the moon is made of! The Google Moon FAQ has more details of Google’s plans for expanding Internet search features beyond the boundaries of planet earth!

A quick Internet security audit (and other Internet tools)

Audit your firewall online, check your privacy and remove spyware. Yesterday, I stumbled across AuditMyPC, which includes a number of tests (and tips) to help improve PC and network security. Most of the information is available elsewhere on the ‘net but it’s nice to find it all in one place. What worried me (and convinced me that the guy who runs this site knows what he is doing) is that the site was able to discover my NATted IP address. Luckily it was only on my PC with the Microsoft Java Virtual Machine (JVM) installed (unfortunately I need the JVM to use my employer’s awful time-sheeting system and, being a consultancy, time-sheeting is pretty important to us!). I know that my public IP address is easily obtained, but the ease with which a bit of Java code discovered information which should only be available from inside my firewall was a bit of a worry, especially on a fully patched Windows Server 2003 (SP1) system!

Whilst on the subject of Internet tools, some of the others that I find useful are Demon’s Internet query tools as well as the tools at network-tools.com (which include a handy feature for converting base 10 addresses to dotted decimal IPv4 addresses), the subnetmask.info network tools and Gibson Research Corporation’s ShieldsUp! port scanner.

Allowing ISA Server 2000 web proxy clients to use non-standard ports for HTTPS

I spent most of today trying to get some ISA Server 2000 web proxy clients to access a web application using HTTPS on a non-standard port (4443). The issue was further complicated by the fact that the application server needed to be accessed using an upstream proxy server. Once the network manager had verified that the upstream proxy could access HTTPS requests on 4443 (and I had tested using my browser and the upstream proxy settings), it took me a while to work out why ISA Server wasn’t forwarding the requests. Instead, my proxy logs were showing some strange results:

sourceip anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2005-07-15 15:13:13 isaservername targetserver - 4443 - 212 2855 SSL-tunnel CONNECT - - 407
sourceip anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2005-07-15 15:13:13 isaservername targetserver - 4443 - 316 537 SSL-tunnel CONNECT - - 407
sourceip domainname\username Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2005-07-15 15:13:13 isaservername targetserver - 4443 - - - SSL-tunnel - targetserver:4443 Inet 12204

Because the logs suggested that the ISA server was forwarding requests to the Internet, I thought that I needed to set up another destination set for the application server and a separate routing rule for access to this server using the non-standard port number. That turned out to be completely wrong (and I’ve since removed both the new destination set and the routing rule). I still don’t know why the 407 errors occur (HTTP client error 407 means proxy authentication required) but the 12204 error led me to the answer, which is contained in Microsoft knowledge base article 283284.

“With secure socket layer (SSL) tunneling, a client can establish a tunnel through ISA Server directly to the web server by using the requested HTTPS object. Whenever a client browser requests an HTTPS object through ISA Server, it uses SSL tunneling. SSL tunneling works by default for outgoing client requests to ports 443 and 563.”

The article also includes the VBScript code to add a port to the ISA Server’s tunnel port range. Depending on the version of ISA Server in use, this information is stored in a different location:

  • For ISA Server 2000 Standard Edition, ISA Server 2000 Enterprise Edition (standalone mode), and ISA Server 2004 Standard Edition: ISA storage is maintained in the registry.
  • For ISA Server 2000 Enterprise Edition (array mode): ISA Storage is maintained in Active Directory.
  • For ISA Server 2004 Enterprise Edition: ISA Storage is maintained in the Active Directory application mode (ADAM) configuration storage server.

Although the code to do this is contained within the Microsoft article, Jim Harrison has made the script available for download from his ISA Server tools repository. Once I had edited the script to change the port number to 4443, I ran it on one of the array members and force refreshed the settings by selecting the array in the ISA Management console and pressing F5. What none of the newsgroup information I found on this topic told me (although to be fair the Microsoft article says that a restart of the Microsoft ISA Server Control service is required) is that it also didn’t take effect until I restarted the web proxy service on my ISA Servers. Another item to note from the Microsoft article is that the script does not produce any output if it succeeds and if it is run again, it will produce an error because the range being set already exists.

Once I had restarted the web proxy service, my clients could access the web application using port 4443 and the ISA Server logs showed a successful connection via the upstream proxy server:

sourceip domainname\username Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2005-07-15 16:56:01 isaservername upstreamproxyname upstreamproxyip upstreamproxyport - 726 2258 SSL-tunnel - targetserver:4443 Upstream 995
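Here is an added example (my code, not Microsoft's or the post's) that parses log lines of the shape shown in both extracts above and flags SSL-tunnel requests whose destination port is outside the configured tunnel port range, which is the condition the post eventually diagnosed. The sample lines are constructed from the extracts with the post's placeholder host names; the field labels after the timestamp are my assumed reading of the column order and are not taken from the post, and the default ports 443 and 563 come from the knowledge base quote.

```python
import re
from typing import Dict, List, Optional

# My assumed labels for the twelve whitespace-separated columns that follow the
# timestamp in the sample lines; not documented by the post.
TRAILING_FIELDS = ["s_computername", "r_host", "r_ip", "r_port", "time_taken",
                   "cs_bytes", "sc_bytes", "cs_protocol", "s_operation",
                   "cs_uri", "s_object_source", "sc_status"]

# The user-agent column contains spaces, so anchor on the date/time instead of
# splitting the whole line on whitespace.
LINE_RE = re.compile(
    r"^(?P<c_ip>\S+)\s+(?P<cs_username>\S+)\s+(?P<c_agent>.*?)\s+"
    r"(?P<date>\d{4}-\d\d-\d\d)\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<rest>.*)$"
)

# ISA Server 2000 SSL tunnel port range before any change (per the KB quote).
DEFAULT_TUNNEL_PORTS = frozenset({443, 563})

# Constructed sample: the post's three distinct lines with its placeholder names.
SAMPLE_LOG = """\
sourceip anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2005-07-15 15:13:13 isaservername targetserver - 4443 - 212 2855 SSL-tunnel CONNECT - - 407
sourceip domainname\\username Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2005-07-15 15:13:13 isaservername targetserver - 4443 - - - SSL-tunnel - targetserver:4443 Inet 12204
sourceip domainname\\username Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2005-07-15 16:56:01 isaservername upstreamproxyname upstreamproxyip upstreamproxyport - 726 2258 SSL-tunnel - targetserver:4443 Upstream 995
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a field dictionary, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest").split()
    if len(rest) != len(TRAILING_FIELDS):
        return None
    rec.update(zip(TRAILING_FIELDS, rest))
    return rec


def target_port(rec: Dict[str, str]) -> Optional[int]:
    """Port the client asked to tunnel to: host:port in cs_uri when present,
    otherwise the r_port column (which is a placeholder name in the upstream case)."""
    uri = rec["cs_uri"]
    if ":" in uri and uri.rsplit(":", 1)[1].isdigit():
        return int(uri.rsplit(":", 1)[1])
    return int(rec["r_port"]) if rec["r_port"].isdigit() else None


def review(log_text: str, tunnel_ports=DEFAULT_TUNNEL_PORTS) -> List[str]:
    """One finding string per log line, noting tunnels outside the allowed
    port range and 407 (proxy authentication required) responses."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            findings.append("unparsed line")
            continue
        status = rec["sc_status"]
        port = target_port(rec)
        if rec["cs_protocol"] == "SSL-tunnel" and port is not None and port not in tunnel_ports:
            note = f"tunnel to port {port} outside configured range {sorted(tunnel_ports)}"
        else:
            note = "ok"
        if status == "407":
            note += "; 407 proxy authentication required"
        target = rec["cs_uri"] if rec["cs_uri"] != "-" else rec["r_host"]
        findings.append(f"{rec['time']} {rec['cs_username']} -> {target}: status {status}, {note}")
    return findings


if __name__ == "__main__":
    print("\n".join(review(SAMPLE_LOG)))
    print("--- after adding 4443 to the tunnel range ---")
    print("\n".join(review(SAMPLE_LOG, DEFAULT_TUNNEL_PORTS | {4443})))
```

Run `review(SAMPLE_LOG)` for the state before the registry change and `review(SAMPLE_LOG, DEFAULT_TUNNEL_PORTS | {4443})` for the state after it: the 15:13 attempts to port 4443 are flagged in the first case, and the 16:56 connection through the upstream proxy passes in the second. Keeping the allowed tunnel ports in one place like this also makes it easy to spot CONNECT requests to ports you never intended to tunnel.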

Virtual PC and Virtual Server performance issues

I used to use Microsoft Virtual PC 2004 on my work PC (e.g. running my work environment inside a VM so that I can easily resurrect it after a rebuild) but I found that performance was abysmal after I resumed from hibernation. Well, it seems it wasn’t just me having issues and Thomas Lee reports that Microsoft knowledge base article 889677 describes a hotfix for the issue. Nowadays I’m using Microsoft Virtual Server 2005 on a Windows Server 2003 SP1 machine and having performance issues when I run more than one VM (each guest is slow to respond to keyboard/mouse actions). In fairness, the host is a notebook PC, and it is running Windows SharePoint Services too, but there are no performance issues on the host – just the guests. It would seem logical to suspect a slow laptop hard disk as the cause, but there are no obvious signs of large amounts of disk activity. John Howard blogged about performance when running Windows Server 2003 SP1 as a guest, but I can’t find anything about poor host performance. I guess I’ll have to wait for Virtual Server 2005 service pack 1.

Preview of the new features expected in Exchange Server 2003 service pack 2

My colleague Neil Chapman sometimes blogs about Exchange Server’s mobility features, including some of what is coming in Exchange Server 2003 service pack 2 (SP2) later this year. Microsoft have also published a preview of the new features we can expect to see including:

  • Mobile e-mail improvements (Neil is best placed to comment on these).
  • Better protection against unsolicited commercial e-mail (commonly known as spam) with an updated intelligent message filter (IMF) and support for sender ID (which has now been approved by the Internet engineering steering group – the approval board of the Internet engineering task force – as an experimental standard, along with the competing sender policy framework technology).
  • Mailbox advancements (most significantly the raising of the 16GB information store limit on Exchange Server 2003 standard edition to 75GB, new features for enforcing cached mode, and a new offline address book format).