
Windows 7 May Finally Get IPv6 Deployed

kdawson posted more than 4 years ago | from the whatever-it-takes dept.

Networking 283

Esther Schindler writes "According to this article at IT Expert Voice, Windows 7 and IPv6: Useful at Last?, we've had so many predictions that this will be 'the year of IPv6' that most of us have stopped listening. But the network protocol may have new life breathed into it because IPv6 is a requirement for DirectAccess. DirectAccess, a feature in Windows 7, makes remote access a lot easier — and it doesn't require a VPN. (Lisa Vaas interviews security experts and network admins to find out what they think of that idea.) The two articles examine the advantages and disadvantages of DirectAccess, with particular attention to the possibility that Microsoft's sponsorship may give IPv6 the deployment push it has lacked."


IPv6 addresses are overly complex (0, Troll)

sopssa (1498795) | more than 4 years ago | (#30528784)

While it will be useful, I don't think widespread usage of IPv6 will start before we run out of IPv4 addresses.

I'd rather type in 49.1.4.22 than 2001:db8:85a3::8a2e:370:7334

Re:IPv6 addresses are overly complex (5, Insightful)

kennedy (18142) | more than 4 years ago | (#30528812)

Uhh... 3 letters for you. D.N.S.

Re:IPv6 addresses are overly complex (1, Interesting)

sopssa (1498795) | more than 4 years ago | (#30528974)

There are lots of places that don't really use DNS, though, for example game servers or other servers run by individuals. In some games you even have to manually type in the address if you want to connect to your friend's server. Maybe we'll see a major increase in those FreeDNS type of services.

But there is at least one pain in the ass: if you need to transfer the address on paper or otherwise manually (setting up or fixing networking, etc.)

Re:IPv6 addresses are overly complex (5, Funny)

sunderland56 (621843) | more than 4 years ago | (#30529060)

Yeah, typing in IP addresses is a pain in those situations. Maybe in the future Microsoft will add a "cut" and "paste" feature to Windows 7, like they have in OSX - that should make life easier.

Re:IPv6 addresses are overly complex (4, Funny)

OnlineAlias (828288) | more than 4 years ago | (#30529334)

It is a very tough feature to code however, just ask the guys who failed to add it to the iphone for several years...

Re:IPv6 addresses are overly complex (3, Insightful)

Nimey (114278) | more than 4 years ago | (#30529162)

Dynamic DNS, then. I use that for remoting into my computer and router from other places.

Re:IPv6 addresses are overly complex (0)

Anonymous Coward | more than 4 years ago | (#30529422)

Most ISPs already assign "easy" IDs at the moment, as you will probably have seen in a router / modem / filesharing program / certain games.
Some just generate several sub-domains from the octets of the IP, some use an internal ID generated from god knows what.
The only problem with this is: how do you compress a long base62 string to something smaller?
In IPv4, creating a smaller, easily remembered ID was pretty trivial since IP octets (by default) use 0-255, but now the octets use all the characters traditionally used for these IDs.
Now you either let people choose their own IDs (stevescomputer.homedns.ISPSITE.TLD), or somehow use non-traditional characters, potentially breaking support for countless applications. (Seriously, some things don't even accept hex-encoded IPs...)

It would make sense for ISPs to try to cash in on this actually, a DNS address directed at your IP. Shocks me that they haven't (AFAIK) tried it.
Yeah, not good from our point of view, but as a business choice, it would make sense.

Entering IPs is so last decade. DynDNS or the countless others, oh yes yes yes.
I wish things would change over, no human should ever need to memorize IPv6 addresses. (minimized versions of IPs don't count much)

Re:IPv6 addresses are overly complex (2, Interesting)

Ephemeriis (315124) | more than 4 years ago | (#30529504)

There are lots of places that don't really use DNS, though, for example game servers or other servers run by individuals. In some games you even have to manually type in the address if you want to connect to your friend's server. Maybe we'll see a major increase in those FreeDNS type of services.

Pretty much every machine has a DNS name these days. They aren't usually authoritative... But for a LAN game it'll do.

For non-LAN games you've frequently got some kind of server listing service or match-making service out there that can help you find your buddy's server. Or you could always use DynDNS/No-IP/whatever to get yourself a DNS name.

But there is at least one pain in the ass: if you need to transfer the address on paper or otherwise manually (setting up or fixing networking, etc.)

Again, many (most?) devices have a DNS name of some sort.

If not... Yes, it can be a pain to write down an address. And the extra address space in IPv6 is going to make that more painful... Although there are shortcuts built into IPv6 that let you shorten the address...

But, seriously, is that a reason not to adopt IPv6? There's too many digits, it's too hard to write out by hand?

Re:IPv6 addresses are overly complex (2, Informative)

Monkeedude1212 (1560403) | more than 4 years ago | (#30529574)

In some games you even have to manually type in the address if you want to connect to your friends server.

Either you're playing some older games, which came out when TCP/IP was just starting to boom and didn't have any DNS functionality built in - or your friends aren't hosting their server on the web, and thus DNS wouldn't resolve it - or your friends aren't port forwarding properly for that game's specific host-finding service to pick it up.

In any case - if you are willing to go through the trouble of communicating an IPv4 address to join a game, making it an IPv6 address will either be the smallest, most minuscule inconvenience that you'll forget after it's deployed
OR
You'll learn to set up servers and DNS in such a way that they will work without you needing to memorize and jot down IP addresses.

Either way, it's moving forward.

Re:IPv6 addresses are overly complex (1)

vlm (69642) | more than 4 years ago | (#30529194)

Uhh... 3 letters for you. D.N.S.

I've been involved long enough to remember people saying DNS A6 records were the wave of the future, and look where they are today.

(Yes I know, use AAAA now, I'm just pointing out the turmoil)

Re:IPv6 addresses are overly complex (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30528818)

It pains me to think it, but how long before we see "IPv6 shortening services"?

Re:IPv6 addresses are overly complex (1)

sakdoctor (1087155) | more than 4 years ago | (#30529330)

http://ipv6.youtube.com/watch?v=oHg5SJYRHA0 [youtube.com]

I'll just leave this here. Although the URL isn't currently valid, it will be once ipv6 rolls out.

Re:IPv6 addresses are overly complex (1)

PizzaAnalogyGuy (1684610) | more than 4 years ago | (#30529502)

Hello!

I'm coming from year 4931 and using my time machine, I have traveled here to tell you that this url actually worked. We rolled out ipv6 four years ago.

Now where do I get those delicious Hawaiian pan pizzas... With ham, pineapples, bacon and salami.. With some BBQ sauce, mm..

Eat your delicious pizzas now, because when China soon takes over the world they will make pizza illegal.

See you in future!

Re:IPv6 addresses are overly complex (0)

Anonymous Coward | more than 4 years ago | (#30529570)

Wow, time-delayed Rickrolling... I am impressed at your initiative.

Re:IPv6 addresses are overly complex (1)

Adm.Wiggin (759767) | more than 4 years ago | (#30529606)

Actually, I'm surprised that Google's current IPv6 roll-out (by attaching AAAA records to their domains for qualifying name servers) doesn't include youtube.com yet.

Re:IPv6 addresses are overly complex (4, Funny)

johnw (3725) | more than 4 years ago | (#30528842)

Why type either? You should look at getting DNS up and running on your systems. It's a bit cutting edge, but well worth it.

Re:IPv6 addresses are overly complex (0)

Anonymous Coward | more than 4 years ago | (#30529360)

Why type either? You should look at getting DNS up and running on your systems. It's a bit cutting edge, but well worth it.

You still type? How quaint.

--
Posted by OnStar(tm) Internet voice gateway

Re:IPv6 addresses are overly complex (0)

Anonymous Coward | more than 4 years ago | (#30528850)

You've heard of DNS right?

Re:IPv6 addresses are overly complex (1)

mr crypto (229724) | more than 4 years ago | (#30528866)

Hmmm... Looks like the tiny URL problem all over again. We need tiny IP! :)

Re:IPv6 addresses are overly complex (2, Insightful)

Virak (897071) | more than 4 years ago | (#30528906)

Do you seriously believe "the addresses are really long" is going to be the main thing blocking IPv6 adoption? Or even something the average person will care about in the slightest?

Re:IPv6 addresses are overly complex (1)

negRo_slim (636783) | more than 4 years ago | (#30529270)

Do you seriously believe "the addresses are really long" is going to be the main thing blocking IPv6 adoption? Or even something the average person will care about in the slightest?

I agree; to the 'average' person IP4 addresses are already too long.

Re:IPv6 addresses are overly complex (0)

Anonymous Coward | more than 4 years ago | (#30528946)

Your average joe won't be typing in ip addresses

Re:IPv6 addresses are overly complex (1)

elzurawka (671029) | more than 4 years ago | (#30528992)

Your average Joe probably doesn't even know what IPv4 is, let alone the reasons for going to 6

Re:IPv6 addresses are overly complex (1)

Cro Magnon (467622) | more than 4 years ago | (#30528962)

I might be in the minority here, but I'd rather type "www.whatever.com" than either of the other choices.

Re:IPv6 addresses are overly complex (2, Interesting)

Mr. DOS (1276020) | more than 4 years ago | (#30529198)

Offtopic, but I'd much rather you typed in whatever.com [no-www.org] .

--- Mr. DOS

Re:IPv6 addresses are overly complex (5, Informative)

Chris Mattern (191822) | more than 4 years ago | (#30529266)

Off-offtopic, but I'd much rather you typed in example.com. Don't refer to what might be a real URL as an example when you've got a name reserved by RFC for that purpose.

Re:IPv6 addresses are overly complex (1)

Mister Whirly (964219) | more than 4 years ago | (#30529652)

I hate lazy people, and I'd much rather you typed "http://www.whatever.com". I mean, otherwise how is your web browser supposed to know to use hypertext transfer protocol??

Re:IPv6 addresses are overly complex (1)

Urban Garlic (447282) | more than 4 years ago | (#30529892)

I actually do that http thing. It's not that I'm especially diligent, or think the browser won't guess correctly; it's somewhere between a persistent habit and a neurosis. On the other hand, I am diligent about getting the https:// ones right.

Re:IPv6 addresses are overly complex (0)

Anonymous Coward | more than 4 years ago | (#30529746)

Why would you feel the need to dictate that example.com resolve to my web server?

That is pretty presumptuous of you to even assume I have a web server, or that I only registered a domain to do one thing, namely serving web pages.

My personal network has a number of machines at home, plus a number of machines spread around in colo centers, which all combined probably run a good 30 services.

The www hosts point to web servers within the sub-domain they belong in. Yes there is more than one.

The '' A record (ie no sub-domain) is a round robin address that returns the IP addresses of specific servers running a specific service, none of which are a web server.

I guess to the post-1995 internet users, where nothing else exists except the web, this is acceptable (though email is magically shoehorned in there somehow, but it is still "email on the web" to those types.)

But a lot of us here are the back end technical types in charge of keeping things actually working, so could not make use of your suggestion at all.

Re:IPv6 addresses are overly complex (1)

ogl_codemonkey (706920) | more than 4 years ago | (#30529936)

Yeah, I'd be right there with you *if* it wasn't an error to make the root record for a DNS zone a CNAME (which would apparently break mail services, among other things - I'm not a DNS *or* E-mail expert, ymmv)

So if your hosting infrastructure is managed separately from your customer's DNS records, they can either only point HTTP requests at your entry point (load balancer du jour) or they have to statically configure it as an A (or A6) record - and then it becomes *your* problem when you retire an old uplink and their website doesn't work anymore.

Also, a redirect is at *least* one extra round-trip; so if your brain-dead clients (see: 'Webmins') put the 'www' in their phpbb or Gallery configuration - adding extra round trip to every resource in a request - they start complaining about hosting performance...

Re:IPv6 addresses are overly complex (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30529108)

Even worse is the fact that a lot of routers still can't handle it.
This has caused a lot of problems for users of Ubuntu Karmic Koala, which enabled IPv6 by default.
After upgrading to Kubuntu 9.10 I was getting huge delays and failed connections (but not all the time) on everything from Konqueror to apt-get.
It turns out the problem was a bug in my DSL modem, causing it to choke when trying to connect to a host that has IPv6 enabled.
I was able to work around it, but a lot of people are still having trouble.
Let's see how Microsoft deals with all the older installed hardware.

Re:IPv6 addresses are overly complex (0)

Anonymous Coward | more than 4 years ago | (#30529508)

I imagine they will deal with it fine seeing as how it was on by default and the preferred interface in Vista too so they have several years experience with it.

Re:IPv6 addresses are overly complex (1, Insightful)

selven (1556643) | more than 4 years ago | (#30529112)

We won't run out. It's like peak oil - we won't just have one random guy scrape and hit rock bottom and suddenly the world panics. It'll become gradually harder and harder to find and prices will slowly go up, reducing consumption. Essentially, we'll never use 100% of our oil until it is completely superseded by newer technologies. Same with IPv4 addresses. They'll become more and more valuable, universities with 16.7 million each will be forced to give them up, and we'll have more and more bureaucracy surrounding the IP address system. IPv6 will come in slowly.

Re:IPv6 addresses are overly complex (1)

Greg Hullender (621024) | more than 4 years ago | (#30529182)

While it will be useful, I don't think widespread usage of IPv6 will start before we run out of IPv4 addresses.

I'd rather type in 49.1.4.22 than 2001:db8:85a3::8a2e:370:7334

I don't think that'll happen until we run out of words and names!

--Greg

Re:IPv6 addresses are overly complex (0)

Anonymous Coward | more than 4 years ago | (#30529238)

I'm far more annoyed with the security roadblocks put up by the V.7 RDP client.

Re:IPv6 addresses are overly complex (0)

Anonymous Coward | more than 4 years ago | (#30529778)

My hosts file is going to be messy, too.
But I think it's going to come into its own now.

However, I can see all sorts of problems when I have to ask a client which IP6 block he has for his LAN. Every one will be different. You won't be able to simply use 192.168 or 10.x or 172.x for in-house? Sounds like endless opportunities for excellence.

Re:IPv6 addresses are overly complex (1)

Rockoon (1252108) | more than 4 years ago | (#30529800)

IPv6 won't become widespread until the millions upon millions of existing routers that do not support it die of old age.

Re:IPv6 addresses are overly complex (2, Funny)

fearlezz (594718) | more than 4 years ago | (#30529888)

Anyone can type a DNS name. An ipv4 address is a bit cooler. But just imagine your coworker's respect when they see you telnet to 2001:db8:85a3::8a2e:370:7334

Not localhost (1)

SuperKendall (25149) | more than 4 years ago | (#30530016)

0:0:0:0:0:0:0:1

or ::1 shorthand.
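The "0:0:0:0:0:0:0:1" versus "::1" point above generalises: every IPv6 address has many valid spellings, so an allowlist, log search or ACL that compares addresses as raw strings will miss matches unless both sides are canonicalised first. The following is an added example (my own code, not from any poster) that expands and then re-compresses an address according to the RFC 5952 rules (lowercase, no leading zeros, "::" only for the longest run of two or more zero groups, leftmost on a tie) and cross-checks the result against Python's ipaddress module; plain hex-group syntax is assumed, so embedded IPv4 notation and zone ids are rejected.

```python
"""Canonical text form of IPv6 addresses (RFC 5952), written from scratch.

Added example, not code from the thread.  Demonstrates why
'0:0:0:0:0:0:0:1' and '::1' name the same host, and why anything that
matches IPv6 addresses as strings must canonicalise before comparing.
Only plain hex-group syntax is accepted; embedded IPv4 notation
(::ffff:192.0.2.1) and zone ids (fe80::1%eth0) raise ValueError.
"""
import ipaddress
import re

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")


def expand_ipv6(text: str) -> list:
    """Parse text into eight 16-bit integers, expanding a single '::'."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)} in {text!r}")
    for g in groups:
        if not HEX_GROUP.match(g):
            raise ValueError(f"bad hex group {g!r} in {text!r}")
    return [int(g, 16) for g in groups]


def compress_ipv6(groups: list) -> str:
    """Render eight groups in RFC 5952 form.

    '::' replaces the longest run of zero groups, but only if that run is
    at least two groups long; on a tie the leftmost run wins.
    """
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:          # strictly longer: keeps leftmost on tie
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexes = [f"{g:x}" for g in groups]    # lowercase, no leading zeros
    if best_len < 2:
        return ":".join(hexes)
    left = ":".join(hexes[:best_start])
    right = ":".join(hexes[best_start + best_len:])
    return f"{left}::{right}"


def canonical(text: str) -> str:
    """Canonical RFC 5952 spelling of any accepted textual form."""
    return compress_ipv6(expand_ipv6(text))


def same_address(a: str, b: str) -> bool:
    """True when two spellings name the same address."""
    return canonical(a) == canonical(b)


def matches_stdlib(text: str) -> bool:
    """Cross-check: our canonical form equals ipaddress's compressed form."""
    return canonical(text) == ipaddress.IPv6Address(text).compressed


if __name__ == "__main__":
    # Constructed sample spellings, including the documentation prefix
    # address quoted in the thread.
    for spelling in ("0:0:0:0:0:0:0:1", "::1",
                     "2001:0DB8:85A3:0000:0000:8A2E:0370:7334",
                     "2001:db8:0:0:1:0:0:1", "2001:db8::1:0:0:0"):
        print(f"{spelling:42} -> {canonical(spelling)}")
```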

Why? (0, Troll)

pdangel (812046) | more than 4 years ago | (#30528820)

Who the hell needs 13 gazillion addresses on their LAN? On the internet sure, ok....who the fuck is going to connect a Windows box to the internet without NAT/Firewall?

Whatever, just another service I have to stop/remove on a PC.

Re:Why? (5, Informative)

Anonymous Coward | more than 4 years ago | (#30528900)

You don't need NAT to run a firewall that has the same security functionality as NAT

Re:Why? (3, Insightful)

FooAtWFU (699187) | more than 4 years ago | (#30529018)

Mod parent up. If you can map between the "inside" and the "outside" of your organization you can drop packets coming from the outside just as readily.

Re:Why? (0)

Anonymous Coward | more than 4 years ago | (#30529138)

May I suggest you do a little more research on the currently impending doom.

http://www.lammle.com/blog/

Re:Why? (4, Informative)

0racle (667029) | more than 4 years ago | (#30529200)

IP6 (and DirectAccess) in no way require you to remove a firewall between you and the rest of the universe. NAT however, can go away.

Re:Why? (0)

Anonymous Coward | more than 4 years ago | (#30529346)

NAT will NOT go away. NAT IS useful, at least to easily identify the hosts in your private network.
IPv6 has something similar, but combine that with the fact that you can have multiple IPs on one interface (without alias) and with the large number of addresses, and you get why NAT is no longer a problem.

Re:Why? (2, Insightful)

MathiasRav (1210872) | more than 4 years ago | (#30529252)

Who the hell needs 13 gazillion addresses on their LAN? On the internet sure, ok....who the fuck is going to connect a Windows box to the internet without NAT/Firewall?

Network address translation came into use because you had limited supply of IP addresses, pigeonhole problem basically. With IPv6 that's not needed, because surely 3.4×10^38 addresses should be enough for anyone. You'll just need a firewall to reject requests from outside your own assigned block.

Re:Why? (2, Interesting)

mark-t (151149) | more than 4 years ago | (#30529758)

The funny thing is, however, that NAT isn't entirely obsoleted by ipv6... because it is almost inevitable that ipv6 space will be almost as poorly managed as ipv4 space was in the beginning, we will probably still run out of ipv6 space sooner than we otherwise would. Of course, due to the sheer size of ipv6 space, I suspect that's not likely to happen in most of our lifetimes.

Notwithstanding, however, thanks to this quaint little notion of "extension headers" in ipv6, it is even entirely possible to route _THROUGH_ a NAT... directing packets to specific machines inside of the NAT as long as the NAT is configured to act like a router and to process the appropriate extension headers... an upshot of this is that it would effectively increase the total number of usable IPs, because the effective IP address length would be extended by however many bits of address you put into the extension header. This process could even be chained through multiple levels of NATs _theoretically_ indefinitely, but in practice would always be limited by the sizes of the routing tables involved, and whatever the minimum MTU for an IP packet is at the time (which is theoretically as small as 68 bytes today, but nobody uses them anywhere close to that small). Individual IPv6 packets have a maximum size of 64K each, so there's a hard limit in how big it can get regardless of how much the MTU goes up.

Re:Why? (2, Interesting)

Monkeedude1212 (1560403) | more than 4 years ago | (#30529410)

On the internet sure, ok....who the fuck going to connect a Windows box to the internet without NAT/Firewall?

If you've never had a problem with NAT, you don't have enough uses for the internet. I used to be a firm believer that NAT was a seamless solution to the problem of not having enough IPs.

Once you try implementing it in the professional world, where you have to worry about not just NAT but NAPT, because you've got Webservers, Print Servers, Email Servers, Backup Servers, File Servers, Application Servers - and then you've got to implement some service such as Remote Desktop from a WebApp (that has to get past the Proxy, no less), so that those who want to work from home can Remote into their PC without a VPN - let's just say that even a small handful of extra IPs would help, and if we COULD get each PC its own individual IP, it'd be much appreciated.

It's not that it's impossible to do what you want, it's just that as things grow, things get more convoluted, and doing such tasks takes far more troubleshooting.

Re:Why? (2, Interesting)

pdangel (812046) | more than 4 years ago | (#30529512)

Yes, NAT is a pain..and in some cases breaks business apps. Hairpin turns are the bane of my existence. But you are saying place things either outside a firewall because it's easier, or place your support staff on the Internet without VPN?

I agree that ISPs have a need for IPv6. But why would a Windows 7 user need it? Default out of the box? Or did I misread that MS has that service on by default?

Re:Why? (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#30529636)

Meh, we need a solution to let regular business dev reps remote in from home (not the support staff) without a VPN. It'd be nice if it was hosted in a web app so that we don't have to install anything on client machines. (Something like Remote Web Workplace).

Windows 7 has DirectAccess or whatever they're calling it, which supposedly allows for this to happen, and it needs IPv6 to run I guess.

Re:Why? (1)

dave562 (969951) | more than 4 years ago | (#30529842)

Have you looked at the Sonicwall SSL/VPN appliance? I'm sure that there are probably other vendors and even open source solutions that provide similar functionality. With the Sonicwall device all you need is a web browser and you can have a secure remote desktop connection into anything on the private network. I think you can also publish individual applications (a la Citrix, etc) but I never had to get that fancy with it.

Re:Why? (1)

Ephemeriis (315124) | more than 4 years ago | (#30529556)

Who the hell needs 13 Gazillion addresses on their LAN? On the internet sure, ok....who the fuck going to connect a Windows box to the internet without NAT/Firewall?

While I don't think I'd recommend connecting any machine - Windows or otherwise - to the Internet without a firewall... I don't see why you think you need NAT.

NAT is Network Address Translation. It has absolutely nothing to do with security. It's a way to overload a single public IP address and funnel multiple private IP addresses through it.

Yes, NAT gives you a default, basic firewall just because you have to explicitly define incoming translations. But there's absolutely no reason you need NAT in order to do a firewall.

I've got dozens of servers sitting behind firewalls with absolutely no NAT going on at all.

Wah happen to ipv5? (0)

Anonymous Coward | more than 4 years ago | (#30528834)

I gotz to noze !!

Re:Wah happen to ipv5? (1)

isama (1537121) | more than 4 years ago | (#30528952)

The even versions are stable, the odd ones are testing, so I'd like to ask the question: what happened to ipv2?

Another Genuine Advantage ? (3, Insightful)

mbone (558574) | more than 4 years ago | (#30528916)

I have to say that this is what struck my eye :

In addition, DirectAccess can be integrated with Network Access Protection (NAP). NAP, which was introduced in its current version in Windows Server 2008, automatically checks that a remote PC has up-to-date software and the proper policy-set security settings.

OK, it checks for software status, which I guess is cool, but what makes me suspect that there is a "Refuse to operate unless the licenses appear OK" aspect to this ?

By the way, this sets up an IPSEC VPN, so I am not sure why the OP says it doesn't require a VPN.

Re:Another Genuine Advantage ? (0)

Anonymous Coward | more than 4 years ago | (#30529254)

The main advantage of NAP is to ensure that connected computers are up to date and running the approved corporate software. You're not bringing your home laptop without antivirus and proper certificate on my network.... etc

Re:Another Genuine Advantage ? (0, Flamebait)

LOLLinux (1682094) | more than 4 years ago | (#30529348)

OK, it checks for software status, which I guess is cool, but what makes me suspect that there is a "Refuse to operate unless the licenses appear OK" aspect to this ?

You're an idiot? All this is saying is that it has to pass a bunch of policy settings to connect. What exactly is supposed to be sinister about that?

Re:Another Genuine Advantage ? (2, Informative)

nielsm (1616577) | more than 4 years ago | (#30529446)

This is a server-checks-client-security thing, not a Microsoft-checks-customer-setup thing. Refusing to work with known-broken software.

Re:Another Genuine Advantage ? (1)

VoltageX (845249) | more than 4 years ago | (#30529640)

No, NAP is more like making sure you've deployed the patches from last Tuesday. And from reading about it ages ago, I thought it was fairly configurable

Re:Another Genuine Advantage ? (1)

mystik (38627) | more than 4 years ago | (#30529664)

I read about this feature a few weeks ago.

MS is touting "this is not a VPN" (even in their marketing for this feature) -- but the parent is right, it's just an IPsec VPN that's initialized early in the boot up process.

I guess it's handy; most VPN clients I've seen are clunky things that have to run after login.

Slashdotted, but regarding VPNs (1)

jimicus (737525) | more than 4 years ago | (#30528930)

.... right now they're a necessary evil. There's no reason why you couldn't eliminate VPNs altogether if you ran every service over SSL and verified the client certificate before granting access. Though of course that's of limited benefit unless you can configure every application that needs to be accessed remotely to do this, regardless of server or client OS (...or you don't need to care because you only run applications which can be configured like this).

Knowing Microsoft, this is only useful if all your clients are Windows 7 and all your servers are Windows Server 2008. Can any early adopters confirm whether or not this is the case?

Re:Slashdotted, but regarding VPNs (1)

vlm (69642) | more than 4 years ago | (#30529048)

There's no reason why you couldn't eliminate VPNs altogether if you ran every service over SSL and verified the client certificate before granting access.

And add two factor authentication (pretty much required for a SERIOUS vpn)

Re:Slashdotted, but regarding VPNs (0)

Anonymous Coward | more than 4 years ago | (#30529158)

Meh, ROT13 works for me, and if I want something REALLY secure I just ROT13 it twice.

Re:Slashdotted, but regarding VPNs (1)

jimicus (737525) | more than 4 years ago | (#30529326)

Client and server verifying each other's certificates gives you the first factor (something you both have).

Stick a password in front of your applications and there's your second.

Re:Slashdotted, but regarding VPNs (1)

Sancho (17056) | more than 4 years ago | (#30529154)

The key is that with VPN, you can set up those client certs and two factor auth for a single server on your LAN--the VPN server--and all the rest can be used with lower security. Compare to configuring every host on your network in this way. Furthermore, a firewall helps guard against error. Did you accidentally set up a server incorrectly? Well the firewall still prevents everyone from accessing it unless they're using VPN.

VPN/Firewall is still a good portion of the layered security approach, and it would be even if every device on the network supported SSL/client certs.

Re:Slashdotted, but regarding VPNs (1)

houstonbofh (602064) | more than 4 years ago | (#30529412)

With your solution, you have to expose every device to the internet at large, and then filter. With VPN, you do not even know what is behind it. So they are not the same.

Lisa Vaas? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30528938)

What are all these wimmins doing writing about IT stuff? Get back in the kitchen where you belong!

Exactly why we didn't deploy DirectAccess (3, Informative)

Bubba (11258) | more than 4 years ago | (#30529114)

We looked at deploying DirectAccess, but after months of talks and discussions with Microsoft, they finally came out and told us that it wouldn't work unless we rolled out IPV6 (and pushed other MS services (CA, DC) externally). We passed. We decided to stick with SSL VPN for most and Cisco AnyConnect client for our Win7 64 bit rollouts. Maybe next time, Microsoft?

Doesn't require a VPN (1)

CranberryKing (776846) | more than 4 years ago | (#30529150)

Yeah.. I'll just toss out my vpns and start using the MS solution which greatly simplifies remote access security.. I can see lots of people will be running to this.. Yeah..

How Ironic (1)

fat_mike (71855) | more than 4 years ago | (#30529192)

"According to this article at IT Expert Voice, Windows 7 and IPv6: Useful at Last?, we've had so many predictions that this will be 'the year of IPv6' that most of us have stopped listening."

Kind of like Linux on the desktop!

Re:How Ironic (1)

MathiasRav (1210872) | more than 4 years ago | (#30529282)

Nah, more coincidental really, when you think about it

IPV6 is fatally broke (1, Informative)

Anonymous Coward | more than 4 years ago | (#30529218)

I'm not a big fan of djb but he hit this nail right on the head.

http://cr.yp.to/djbdns/ipv6mess.html

Re:IPV6 is fatally broke (0)

Just Some Guy (3352) | more than 4 years ago | (#30529342)

I'm not a big fan of djb but he hit this nail right on the head.

Yes, you are. No one but DJB fanboys would claim that IPv6 is fatally broken and can't work, despite the fact that many of us are using it in production today.

They've invented SSH/SSL! (2, Insightful)

Chris Mattern (191822) | more than 4 years ago | (#30529310)

Except that it doesn't work with the networking you have.

IPv4 Forever!!!! (2, Interesting)

waterlogged (210759) | more than 4 years ago | (#30529340)

BGP filters are hard enough in v4; can you imagine doing this crap?

ipv6 prefix-list ipv6-ebgp-strict permit 2a00::/12 ge 19 le 32
ipv6 prefix-list ipv6-ebgp-strict permit 2801:0000::/24 le 48
ipv6 prefix-list ipv6-ebgp-strict permit 2c00::/12 ge 19 le 32
ipv6 prefix-list ipv6-ebgp-strict deny 0::/0 le 128

Forget it.
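Whether the four lines above are hard to write or not, the part that bites in production is the ge/le arithmetic: an entry that is a few bits off silently lets announcements through or drops legitimate ones, and the only safe way to know is to test the list against sample prefixes before it touches a router. The following is an added example (my own code, not from the post or from any router vendor) that parses exactly those four lines and evaluates candidate prefixes against them. The semantics assumed are the usual Cisco IOS ones as I understand them: entries are tried in order, first match wins, no match means deny; an entry matches when the candidate lies inside the entry's network and its length satisfies ge <= len <= le, with ge defaulting to the entry's own length and le to 128 when absent, and an exact length match when both are absent.

```python
"""Evaluate Cisco-style 'ipv6 prefix-list' entries against sample prefixes.

Added example, not from the thread.  The list text below is the one
quoted in the post; the candidate prefixes in main() are constructed.
Assumed semantics (IOS as I understand it, stated here, not verified
against a device): first match wins, implicit deny at the end,
ge defaults to the entry prefix length, le defaults to 128.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The prefix-list exactly as quoted in the post.
PREFIX_LIST_TEXT = """
ipv6 prefix-list ipv6-ebgp-strict permit 2a00::/12 ge 19 le 32
ipv6 prefix-list ipv6-ebgp-strict permit 2801:0000::/24 le 48
ipv6 prefix-list ipv6-ebgp-strict permit 2c00::/12 ge 19 le 32
ipv6 prefix-list ipv6-ebgp-strict deny 0::/0 le 128
"""


@dataclass
class Entry:
    name: str
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv6Network   # the entry's own prefix
    ge: int                          # minimum candidate length accepted
    le: int                          # maximum candidate length accepted


def parse_prefix_list(text: str) -> List[Entry]:
    """Parse 'ipv6 prefix-list NAME permit|deny PREFIX [ge N] [le N]' lines."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["ipv6", "prefix-list"]:
            raise ValueError(f"not a prefix-list line: {line!r}")
        name, action, prefix = tok[2], tok[3], tok[4]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r} in {line!r}")
        # strict=True rejects an entry whose host bits are set (a typo such
        # as 2a00:1::/12), which a router would otherwise quietly mask away.
        network = ipaddress.IPv6Network(prefix, strict=True)
        ge: Optional[int] = None
        le: Optional[int] = None
        rest = tok[5:]
        while rest:
            if len(rest) < 2:
                raise ValueError(f"dangling keyword in {line!r}")
            key, val = rest[0], int(rest[1])
            if key == "ge":
                ge = val
            elif key == "le":
                le = val
            else:
                raise ValueError(f"unknown keyword {key!r} in {line!r}")
            rest = rest[2:]
        plen = network.prefixlen
        if ge is None and le is None:
            ge = le = plen               # no ge/le: exact length only
        elif ge is None:
            ge = plen                    # 'le' alone: from entry length up to le
        elif le is None:
            le = 128                     # 'ge' alone: from ge up to /128
        if not plen <= ge <= le <= 128:
            raise ValueError(f"inconsistent lengths in {line!r}")
        entries.append(Entry(name, action, network, ge, le))
    return entries


def evaluate(entries: List[Entry], prefix: str) -> str:
    """Return 'permit' or 'deny' for a candidate prefix (first match wins)."""
    cand = ipaddress.IPv6Network(prefix, strict=False)
    for e in entries:
        if cand.subnet_of(e.network) and e.ge <= cand.prefixlen <= e.le:
            return e.action
    return "deny"                        # implicit deny at the end of the list


if __name__ == "__main__":
    entries = parse_prefix_list(PREFIX_LIST_TEXT)
    # Constructed candidates: a routable /32, a too-short /16, a too-long /48,
    # a LACNIC-style /40, a /19 at the ge boundary, and documentation space.
    for p in ("2a00:1450::/32", "2a00::/16", "2a00:1450:4001::/48",
              "2801:10::/40", "2c00:abcd::/19", "2001:db8::/32"):
        print(f"{p:24} -> {evaluate(entries, p)}")
```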

Second link drowned. (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30529358)

"Here's the $64,000 question"..."did it make your security senses break out in a cold sweat?"..."IT administrators are champing at the bit"

And that was just by paragraph four. I gave up -- this person can't write. I'm certainly not going to trust that this "Expert Voice" can assemble facts correctly.

Misleading Summary (1)

EvilRyry (1025309) | more than 4 years ago | (#30529370)

IPv6 is only required for the VPN side. The Internet connection on both sides may still be IPv4 however. Read TFA for more details. I have a feeling Time Warner will be in no rush to upgrade my neighborhood to IPv6 no matter how many companies start using DirectAccess.

Article is so full of inaccuracies... (4, Informative)

A beautiful mind (821714) | more than 4 years ago | (#30529380)

...that I barely know where to begin.

IPv6 has been "the next generation of TCP/IP protocols" for so long that you can be forgiven for thinking that it will never be useful.

IPv6 is very useful the same way electricity in a socket is useful. The two things both provide basic infrastructure for running more sexy, feature-laden things that consumers actually want.

Both the Internet and the vast majority of American and European business users elected to stay with the legacy IPv4 network.

Users didn't opt for opting out of IPv6. Large telcos didn't spend enough money soon enough to get the upgrade rolling in a tragedy of the commons kind of situation.

To get around the much-predicted Internet IPv4 address famine, people turned to network address translation (NAT) and Dynamic Host Configuration Protocol (DHCP). With this combination, thousands of corporate PCs can have their own internal IPv4 addresses while using up only a single IP address, as far as the Internet is concerned.

Apart from leaving CIDR out of the picture, the second sentence is simply not true. The upper limit of usability is around 30-50 computers / public ip these days, if those computers are using the internet. NAT breaks so many things...

By the time Windows XP and Windows 2003 rolled out, IPv6 was built into the operating systems.

This sentence might give you the impression that you can run IPv6 with Windows XP. That's not the case; it misses DNS resolution through IPv6 and DHCPv6, so while it supports some things, the IPv6 support is far from complete.

Windows 7, when used with Server 2008 R2, may finally give enterprise network administrators a reason to deploy IPv6.

No, when the technical people at large telcos are given the money and mandate to deploy IPv6, that's when it'll happen. When the head honchos who held back the upgrade for financial reasons and the lack of government regulation, in a classic example of the tragedy of the commons, realise that IPv4 blocks will be gone by fall 2011 from the IANA pool and a year later from the regional registries [potaroo.net], they'll panic and start throwing money, excuses and horrible stopgap solutions at the problem, which could have been avoided, to head for this bloody showdown we're going to see in the next couple of years as everyone will a. try to grab as many addresses as possible to keep telco projects in the pipeline from sinking, b. frantically scramble to upgrade.

Article is so full of Y2K. (0)

Anonymous Coward | more than 4 years ago | (#30529450)

"No, when the technical people at large telcos are given the money and mandate to deploy IPv6, that's when it'll happen. When the head honchos who held back the upgrade for financial reasons and the lack of government regulation, in a classic example of the tragedy of the commons, realise that IPv4 blocks will be gone by fall 2011 from the IANA pool and a year later from the regional registries, they'll panic and start throwing money, excuses and horrible stopgap solutions at the problem, which could have been avoided, to head for this bloody showdown we're going to see in the next couple of years as everyone will a. try to grab as many addresses as possible to keep telco projects in the pipeline from sinking, b. frantically scramble to upgrade."

Another Y2K?

Re:Article is so full of Y2K. (1)

A beautiful mind (821714) | more than 4 years ago | (#30529530)

IPv6 is actually the anti-Y2K. This is a problem mainly ignored by mainstream media that has the potential to affect the global economy, while Y2K was a relatively minor issue compared to this, which got overhyped by the media.

Re:Article is so full of inaccuracies... (1)

lymond01 (314120) | more than 4 years ago | (#30529516)

IPv6 is very useful the same way electricity in a socket is useful. The two things both provide basic infrastructure for running more sexy, feature-laden things that consumers actually want.

Yep, like electric whip cream.

Wait, what?

Re:Article is so full of inaccuracies... (1)

key134 (673907) | more than 4 years ago | (#30529638)

Apart from leaving CIDR out of the picture, the second sentence is simply not true. The upper limit of usability is around 30-50 computers / public ip these days, if those computers are using the internet. NAT breaks so many things...

I'm not really sure where you get the idea that you can only use 30-50 computers on a single public IP. I can guarantee if you use enterprise-grade firewalls to do the NAT'ing you have no problem going into the thousands of clients.

Re:Article is so full of inaccuracies... (1)

A beautiful mind (821714) | more than 4 years ago | (#30529730)

No matter what enterprise level thing you use, you're still going to bump into the limit. With NAT, you're trading ports for ip addresses. The number of ports is finite and nowadays there are things like http keepalive, ajax calls, skype, IMAP, and other programs, so you're ending up with hundreds of open connections per computer. When the NAT translating box runs out of ports, it's game over.

Re:Article is so full of inaccuracies... (0)

Anonymous Coward | more than 4 years ago | (#30529682)

The upper limit of usability is around 30-50 computers / public ip these days, if those computers are using the internet.

That's simply not true, either. I've got around 2300 users behind a single NAT. Yes, some things get complicated but our setup is absolutely usable.

no VPN (0)

Anonymous Coward | more than 4 years ago | (#30529386)

It doesn't require a VPN because IPv6 has IPsec built in.

Tec Laziness? (0)

Anonymous Coward | more than 4 years ago | (#30529470)

I was under the impression that it was the cost of new hardware that was holding back the adoption of IPv6... turns out it was just the laziness of tecs... who would have guessed.

So..... (1)

mortal-geek (1697010) | more than 4 years ago | (#30529476)

....are we cool with Microsoft now, hmm?

Or DirectAccess may just sink it for good... (3, Interesting)

BobMcD (601576) | more than 4 years ago | (#30529482)

From a security point of view, I'm probably going to blackhole all IPv6 into a honeypot now. Think about what this technology does. It allows unsolicited connectivity into your network without audit. And I quote:

Admin Tom Perrine, chiming in on the LOPSA forum when asked to contribute thoughts for this article, had four major DirectAccess concerns: As an Enterprise customer, he needs to be able to at least:

* set specific policies (no split tunneling)
* force specific VPN technology including encryption algorithms (IPSEC, AES, etc.)
* ensure proper key and credential management, including two-factor or challenge/response
* audit activities while user is connected to the VPN.

The article goes on to discuss the first one. Nothing whatsoever on the other three. Not to mention that if the machine fails to get the updated GPO it fails OPEN. Everything here I see says it 'just works' and there is almost no talk of admin control. I'm having trouble coming up with a good enough string of expletives to cover my emotions. Wow. Just wow.

What exactly is the security mechanism, then? Username/Password? I see comparisons in TFA being drawn to web portals. Well I don't know about your shop, but around here we have planned for the web portal to be compromised at some point, and have limited the data available. We have NOT made that assumption for the heart of our network, and I'm unsure how long I'd keep my job if I made that case.

As stated in TFA it sounds much easier to just shut the protocol off until there's a pressing and urgent business need to enable it again.

Re:Or DirectAccess may just sink it for good... (1)

Spad (470073) | more than 4 years ago | (#30529722)

DirectAccess is actually much more VPNy than Microsoft like to claim, it's just more transparent to the user. Authentication can be simply an AD username/password if you want or two-factor authentication like any other VPN and it's not like users can just connect into your network without any control on your part (unless you're an incompetent admin, ditto on the auditing). I'm not sure about the split tunnelling aspect; I would be very surprised if you *can't* disable it when authenticated, but I haven't dug into it in enough detail to say for sure.

Microsoft have somewhat shot themselves in the foot by making all the "it's not a VPN" claims; it *is* a VPN really, just without the need for a dedicated concentrator and additional software on the clients.

Re:Or DirectAccess may just sink it for good... (1)

Spad (470073) | more than 4 years ago | (#30529828)

To answer my own questions:

Although split-tunnel routing is the default configuration for DirectAccess, IT professionals can disable the feature to send all traffic through the enterprise network.

DirectAccess uses IPsec to provide authentication and encryption for communications across the Internet. You can use any IPsec encryption method, including DES, which uses a 56-bit key, and 3DES, which uses three 56-bit keys...IPsec is also utilized to provide encryption for communications across the Internet with encryption algorithms such as AES

Re:Or DirectAccess may just sink it for good... (1)

Daltorak (122403) | more than 4 years ago | (#30529854)

From a security point of view, I'm probably going to blackhole all IPv6 into a honeypot now. Think about what this technology does. It allows unsolicited connectivity into your network without audit

Oh come on. You're a professional (right?), you should know better than to say this kind of crap. You know what your problem is? You think NAT is a security mechanism -- it's not. Just because we have spent the last ten-plus years having the Firewall also perform network address translation doesn't mean the two roles have anything to do with each other -- they don't. NAT is a workaround for the problem of limited IP address spaces; it says so right in the freakin' abstract of the original NAT RFC (1631), which was published in 1994! Don't assign it responsibilities it wasn't designed to have!

IPv6 can (and should) be firewalled just as IPv4 can (and should). It's always a good idea to have a device between your Internet connection(s) and your in-house systems that makes decisions about whether or not packets going to & from certain IP addresses+ports should be allowed through. But, seriously, who cares if the source or destination address is IPv4 or IPv6?

Re:Or DirectAccess may just sink it for good... (0)

girlintraining (1395911) | more than 4 years ago | (#30529964)

Oh come on. You're a professional (right?), you should know better than to say this kind of crap. You know what your problem is?

His "problem" is nothing more than the fact that a new operating system was just released to the public with a flotilla of new technologies which few people thoroughly understand. He is understandably unwilling to implement or allow a technology to run on his network that is not well-understood by himself or any of his staff. As to assigning "responsibilities it wasn't designed to" -- that's the working definition of most IT jobs. The right tool for the job is the tool you have that gets the job done.

Next time, use more exclamation points. It makes you sound more... professional.

Re:Or DirectAccess may just sink it for good... (1)

BobMcD (601576) | more than 4 years ago | (#30530032)

You know what your problem is? You think NAT is a security mechanism -- it's not.

In fact that's not my problem. My problem, from your point of view, is that I'm not an elitist. That would be the best definition of your pejorative of my point of view.

I'm not specifically advocating NAT as a security mechanism. The actual use for NAT (working around limited space) doesn't actually present itself to the argument. Imagine instead a firewall that did one-to-one address mapping if it makes you feel better. It doesn't really matter. In the end the current setup means I use network addresses that DO NOT ROUTE to the outside world. If you want into my network, I have to map it. If I didn't map it, you're not getting in, all things held equal.

Maybe you can get that on IPv6 and maybe you can't. I don't really know. I haven't researched it because there's not really any great need to do so. The inherent design behind IPv6 is that there are enough addresses so that everything can be set to route to everything else. Not only is this not necessary in any way, it is also the opposite of what is desired.

So tell me again, without being so strict with your terms, why forfeiting the level of control I presently have is a good thing. I understand that this control was delivered due to a gap in the design purpose, but again I don't really care about the 'why'. Convince me to allow that traffic to route inbound without being mapped. Please.
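Two arguments in this thread can be put into a runnable model: the port-exhaustion claim upthread ("with NAT, you're trading ports for ip addresses", answered by the admin with 2300 users behind one NAT) and the exchange just above about whether unsolicited inbound traffic needs NAT to be kept out. The example below is added here and is not code from the thread, from Microsoft or from any firewall product. It models, with constructed hosts and addresses (TEST-NET and documentation ranges), a port-translating NAT in two flavours and a plain stateful filter on globally routable addresses; it assumes mappings are never expired, which real translators do and which is part of why large user counts work in practice.

```python
# Added example (not from the thread): (a) a toy port-translating NAT, showing
# the hard per-public-address limit and how spreading flows over many
# destinations stretches it; (b) a stateful default-deny filter on routable
# addresses, showing "unsolicited inbound is dropped" needs no translation.
# Hosts, addresses and counts are constructed; no mapping expiry (assumption).
from typing import Dict, Set, Tuple

Flow = Tuple[str, int, str, int]      # (src_addr, src_port, dst_addr, dst_port)
PORT_LO, PORT_HI = 1024, 65535        # public ports the translator hands out (assumption)
PORT_POOL = PORT_HI - PORT_LO + 1     # 64512 per public address


class PortExhausted(Exception):
    """No public port is free for a new outbound flow."""


class NAPT:
    """Port-translating NAT in front of one public address.

    endpoint_independent=True: a private (addr, port) gets one public port for
    every destination, so at most PORT_POOL private sockets can be live at once.
    False: the public port only has to be unique per destination (addr, port),
    so the same number is reusable for flows to different servers.
    """

    def __init__(self, public_addr: str, endpoint_independent: bool = True) -> None:
        self.public_addr = public_addr
        self.eim = endpoint_independent
        self.mapping: Dict[tuple, int] = {}   # private key -> public port
        self.used: Dict[tuple, int] = {}      # scope -> ports handed out so far

    def outbound(self, flow: Flow) -> int:
        """Record a new inside-to-outside flow and return its public port."""
        src, sport, dst, dport = flow
        key = (src, sport) if self.eim else (src, sport, dst, dport)
        if key in self.mapping:
            return self.mapping[key]
        scope = () if self.eim else (dst, dport)
        n = self.used.get(scope, 0)
        if n >= PORT_POOL:
            raise PortExhausted(f"{self.public_addr}: no free port towards {dst}:{dport}")
        self.used[scope] = n + 1
        self.mapping[key] = PORT_LO + n       # sequential allocator, never released
        return PORT_LO + n


def simulate(hosts: int, conns_per_host: int, destinations: int,
             endpoint_independent: bool) -> Tuple[int, bool]:
    """Open hosts*conns_per_host flows, round-robin over `destinations` servers.
    Returns (flows that got a mapping, whether the translator ran out of ports)."""
    nat = NAPT("203.0.113.1", endpoint_independent)   # TEST-NET-3, constructed
    opened = 0
    for h in range(hosts):
        for c in range(conns_per_host):
            src = f"10.0.{h // 256}.{h % 256}"
            dst = f"198.51.100.{1 + opened % destinations}"   # TEST-NET-2, constructed
            try:
                nat.outbound((src, PORT_LO + c, dst, 443))
            except PortExhausted:
                return opened, True
            opened += 1
    return opened, False


class StatefulFilter:
    """Default-deny inbound for hosts with globally routable addresses: a packet
    from outside is accepted only if it reverses a flow an inside host opened."""

    def __init__(self) -> None:
        self.flows: Set[Flow] = set()

    def outbound(self, flow: Flow) -> None:
        self.flows.add(flow)          # nothing is rewritten, only remembered

    def inbound_allowed(self, pkt: Flow) -> bool:
        src, sport, dst, dport = pkt
        return (dst, dport, src, sport) in self.flows


def ipv6_demo() -> Tuple[bool, bool]:
    """(reply to our own flow allowed?, unsolicited new connection allowed?)"""
    fw = StatefulFilter()
    inside, server = "2001:db8::10", "2001:db8:ffff::1"   # documentation prefix, constructed
    fw.outbound((inside, 50000, server, 443))
    return (fw.inbound_allowed((server, 443, inside, 50000)),
            fw.inbound_allowed(("2001:db8:bad::1", 12345, inside, 22)))


if __name__ == "__main__":
    for eim in (True, False):
        n, dead = simulate(300, 250, 10, eim)
        print(f"endpoint-independent={eim}: {n} flows mapped, exhausted={dead}")
    print("reply allowed, unsolicited allowed:", ipv6_demo())
```

With 300 hosts opening 250 connections each, the endpoint-independent translator stops at 64512 mappings regardless of where the flows go, while the per-destination variant mapped all 75000 because the same port number serves different servers; point the per-destination variant at a single server and it hits the same 64512 wall. Neither number depends on how many users there are, only on live mappings, which is why idle-mapping expiry matters so much for the large deployments people report. The filter half shows the property the later posts argue about: the inside host keeps a routable address and nobody rewrites anything, yet the unsolicited packet to port 22 is refused because no inside host opened that flow.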

Re:Or DirectAccess may just sink it for good... (0)

Anonymous Coward | more than 4 years ago | (#30529974)

Do you actually know what you are talking about or are you just going WTF WTF WTF WTF???? OMG?!

http://www.microsoft.com/windows/enterprise/products/windows-7/features.aspx#directaccess

And for people that actually block microsoft.com,

Enhance mobility and manageability with DirectAccess

* Working outside the office is easier than ever. DirectAccess in Windows 7 and Windows Server 2008 R2 enhances the productivity of mobile workers by connecting them seamlessly and more securely to their corporate network any time they have Internet access—without the need to VPN. When your IT department enables DirectAccess, the corporate network’s file shares, intranet websites, and line-of-business applications remain accessible wherever you have an Internet connection.

* Manage remote machines more effectively. Flexibility gives IT the opportunity to service remote machines on a regular basis and ensure that mobile users stay up to date with company policies. With DirectAccess, IT administrators can manage mobile computers by updating Group Policy settings and distributing software updates any time the mobile computer has Internet connectivity, even if the user is not logged on.

* Enhance security and access control. To keep data safer as it travels public networks, DirectAccess uses IPv6-over-IPsec to encrypt communications transmitted across the Internet. DirectAccess is designed to reduce unnecessary traffic on the corporate network by sending only traffic destined for the corporate network through the DirectAccess server (running Windows Server 2008 R2), or the administrator can choose to send all traffic through the corporate network. In addition to authenticating the computer, DirectAccess can also authenticate the user and supports multifactor authentication, such as a smart card. IT administrators can configure which intranet resources specific users can access using DirectAccess.

So what is DirectAccess? How about a better VPN that's been integrated into native windows network topology (think Active Record, Domain controller, and related fluff)

But then, why are you freaking out about IPv6? MS could have done similar stuff with IPv4, but chose not to because IPv4 solutions are kludges that must work over NAT and worse. IPv6 only makes this service simpler on the programming side as *some* of the features required to make DirectAccess work are part of the protocol.

http://en.wikipedia.org/wiki/DirectAccess

Anyway, congratulations on being the dumbass of the week.

Hehe, I didn't even know I had native ipv6 (1)

_GNU_ (81313) | more than 4 years ago | (#30529592)

until I installed windows 7 and it got an ipv6 address automatically without a hitch.. (only used straight XP boxes and a FreeBSD with static ipv4 ip before)

Apparently my isp has been doing native ipv6 for almost a year now and it works like a charm.. for ipv6 enabled sites and services that is. ;)

(Bahnhof in Sweden)

Will ISP give more than one IPv6 IP? or will they (1)

Joe The Dragon (967727) | more than 4 years ago | (#30529702)

Will ISP give more than one IPv6 IP? or will they make you pay? comcast may want $5 per pc.

also how many DSL and cable modems even can do IPv6? how many rented ones? routers? cable phone and HSI modems (that are forced rented?)

Re:Will ISP give more then one IPv6 IP? or will th (1)

orospakr (715849) | more than 4 years ago | (#30529954)

The modems are layer 2 and below devices. They don't know or care.

Routers are the real problem as far as customer premise equipment goes; however, the relevant functionality is typically in software on most consumer routers. Ostensibly this means that manufacturers can release a firmware upgrade.

I find that the turnover on those router boxes is rather high, so I suspect that newer routers will ship with it and the problem will slowly go away.

Either that... (3, Insightful)

roc97007 (608802) | more than 4 years ago | (#30529848)

...or DirectAccess will be a dead feature because it requires a protocol that few want to support.

Might as well rename Slashdot -- (1)

dwiget001 (1073738) | more than 4 years ago | (#30529932)

-- three Microsoft related stories out of four.

I hereby dub Slashdot "Microdot!"

Oh, wait....
