Why does DirectAccess use IPv6

  • Question

  • in reference to the original question here:

    http://social.technet.microsoft.com/Forums/en/windowsserver2008r2networking/thread/2b4c36b2-e265-449b-9264-f2f83447f837

    this topic is now locked and not allowing any other posts, but I need to make a new thread on the subject

    there is an assertion in this thread that IPv6 is being leveraged for its globally routed potential

    however, this is complete nonsense

    this information clearly states that DA with IPv6 on the remote end is a totally unsupported configuration

    http://blogs.technet.com/b/tomshinder/archive/2011/03/23/uag-directaccess-and-the-ipv6-internet.aspx

    So basically there is no discernible benefit to running DA with a workstation that is lucky enough to have an IPv6 address, then the question remains - why does it use IPv6 transition technology at all.

    Microsoft: here is some information for you:

    1. corporates are not planning to implement IPv6 any time soon for the reasons below

    - lack of understanding / expertise / knowledge

    - hardware replacement /investment

    - security concerns / potential business disruption

    - no RoI / no compelling business reason of any kind

     

    I'm an infrastructure and network engineer with 12+ years' experience, I've evaluated DA and DA and DA with UAG. I really wanted to be convinced. But my considered opinion is that the technologies employed to deliver DA are made unnecessarily complex by the ISATAP overlay. I can see no reason why this could not work just as well with IPv4 IPsec and UDP or TCP encapsulation technologies.

    Troubleshooting is a nightmare and compared to the VPN RAS technologies that exist today (despite their pain points) the DA proposition is a massive step backwards

    DA is a potentially great idea spoiled by a damned ugly implementation

    conclusion: there is a reason why people don't choose MS for networking products outside of the networking stack that ships in the OS

    You don't know what you're doing.

     

    Go back and redesign this.

     

    It could be great, but unfortunately it's sh*t

    Wednesday, June 29, 2011 8:44 PM

Answers

  • http://blogs.technet.com/b/edgeaccessblog/archive/2009/10/13/deep-dive-into-uag-directaccess-ipv6-and-directaccess.aspx

    DirectAccess and IPv6

     

    DirectAccess uses IPv6 for remote access. The reason behind it is that DirectAccess tries to look two steps ahead when thinking about remote access. Given the fact that public IPv4 addresses are running out, let’s consider the following scenario (outlined in the figure below). We have a client that is in one private network (in our case it contains S2 and Client), and it needs to have seamless remote access to another private network (in our case, the other network contains S1). Because both networks are using the same private IPv4 address space, IPv4 traffic is not routable between them, so we have an irresolvable conflict (In a classic IPv4 VPN scenario, the client can manually choose to connect to a VPN to access S1, but that is not seamless access).

     

    (figure not reproduced: two private networks with the same IPv4 address space, Client and S2 in one, S1 in the other)

     

    In DirectAccess, since the client is IPv6 based, it can access both S1 and S2. That is possible because from an IPv6 point of view all machines have unique IPv6 addresses. When the private network containing S1 is behind a UAG DirectAccess server (which acts as a NAT64) the client would access S1 using S1's globally unique IPv6 address (intercepted by the NAT64). Local resources such as S2 would be accessible using IPv4 (or IPv6 if the network is IPv6 compatible). Here as you can see the client seamlessly accesses the network containing S1.

     

    I’m not saying that the world will move instantaneously to IPv6, but when you plan remote connectivity for your organization you might start thinking about integrating IPv6 enabling technologies such as DirectAccess.

     

    This is why today I want to focus on how DirectAccess relates to IPv6 addresses in your organizational network.

    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------

    http://technet.microsoft.com/en-us/library/dd637818(WS.10).aspx

    Using IPv6

    DirectAccess requires the use of IPv6 so that DirectAccess clients have globally routable addresses. For organizations that are already using a native IPv6 infrastructure, DirectAccess seamlessly extends the existing infrastructure to DirectAccess client computers, and those client computers can still access Internet resources using IPv4.

    For organizations that have not yet begun deploying IPv6, DirectAccess provides a straightforward way to begin IPv6 deployment without requiring an infrastructure upgrade. You can use the 6to4 and Teredo IPv6 transition technologies for connectivity across the IPv4 Internet and either NAT64 or ISATAP for connectivity across your IPv4-only intranet.

    A NAT64 device translates IPv6 and IPv4 traffic so that DirectAccess client computers can access resources on your intranet that do not yet support IPv6. DirectAccess with UAG includes a built-in NAT64.

    You can also use the ISATAP IPv6 transition technology so that DirectAccess clients can access IPv6-capable resources across your IPv4-only intranet.

    -----------------------------------------------------------------------------------------------------------------------------------------------------------------------

    http://technet.microsoft.com/en-us/library/ee809084.aspx

    Using IPv6 with Forefront UAG DirectAccess

    Internet Protocol version 6 (IPv6) is the new version of the network layer of the TCP/IP protocol stack, and is designed to replace IPv4 which is widely used on intranets and the Internet. IPv6 provides an address space large enough to allow for end-to-end addressing of nodes on the IPv6 Internet, and can be used on the IPv4 Internet with IPv6 transition technologies.

    Forefront UAG DirectAccess requires the use of IPv6 so that DirectAccess clients have globally routable addresses. For organizations that are already using a native IPv6 infrastructure, Forefront UAG DirectAccess seamlessly extends the existing infrastructure to DirectAccess client computers, and these client computers can still access Internet resources using IPv4. For organizations that have not yet begun deploying IPv6, Forefront UAG DirectAccess uses IPv6 transition technologies to provide a way to begin IPv6 deployment without requiring an infrastructure upgrade. You can use these transition technologies so that DirectAccess clients can access IPv6-capable resources across your IPv4-only intranet, thus simplifying and reducing deployment costs. For more information, see Using transition technologies.

     

     

    http://en.wikipedia.org/wiki/DirectAccess

     


    Sumesh P - Microsoft Online Community Support
    Thursday, July 7, 2011 10:28 AM
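As an added illustration (not part of the thread and not Microsoft's code or documentation) of the address forms the answer above refers to, the following Python builds 6to4, ISATAP and NAT64 (RFC 6052, /96 form) addresses from IPv4 addresses with the standard `ipaddress` module, then replays the overlapping-private-network scenario: S1 and S2 are indistinguishable in the client's IPv4 routing view, but once S1 is addressed through the site's NAT64 prefix the client has an unambiguous route into the DirectAccess tunnel. The site names, the 10.0.0.0/24 ranges and the 2001:db8::/32 prefixes are constructed for the example and stand in for a real deployment's unique prefixes.

```python
import ipaddress

# Constructed scenario from the answer: two sites that both use the same RFC 1918
# range. Site A holds the client and S2, site B (behind the DA/NAT64 server) holds S1.
SITE_A_NET = ipaddress.IPv4Network("10.0.0.0/24")
SITE_B_NET = ipaddress.IPv4Network("10.0.0.0/24")
S1_V4 = "10.0.0.5"   # server on site B, reached through the DirectAccess server
S2_V4 = "10.0.0.5"   # server on the client's own LAN; identical IPv4 on purpose

# Assumed prefixes (documentation range, not real deployments):
ORG_B_ISATAP_PREFIX = "2001:db8:b:1::/64"     # /64 advertised by site B's ISATAP router
ORG_B_NAT64_PREFIX = "2001:db8:b:ffff::/96"   # /96 the NAT64 owns for IPv4-only hosts


def addr_6to4(ipv4: str) -> ipaddress.IPv6Address:
    """6to4 (RFC 3056): 2002:WWXX:YYZZ::/48, the public IPv4 address in bits 16..47."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80))


def addr_isatap(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """ISATAP (RFC 5214): <prefix>:0:5efe:w.x.y.z, interface ID = 0000:5EFE + IPv4."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | (0x5EFE << 32) | v4)


def addr_nat64(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """NAT64 (RFC 6052, /96 form): the IPv4 address sits in the low 32 bits."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this helper only handles /96 NAT64 prefixes")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | v4)


def nat64_extract(prefix: str, ipv6: str) -> ipaddress.IPv4Address:
    """What the NAT64 does on the intranet side: recover the IPv4 destination."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError("not an address synthesised from this NAT64 prefix")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def ipv4_next_hop(dst: str) -> str:
    """The client's IPv4 routing view: anything in its own LAN range is on-link."""
    return "on-link" if ipaddress.IPv4Address(dst) in SITE_A_NET else "default-gateway"


def ipv6_next_hop(dst: str) -> str:
    """The client's IPv6 view: site-B prefixes are routed into the DirectAccess tunnel."""
    addr = ipaddress.IPv6Address(dst)
    for prefix in (ORG_B_ISATAP_PREFIX, ORG_B_NAT64_PREFIX):
        if addr in ipaddress.IPv6Network(prefix):
            return "directaccess-tunnel"
    return "native"


def classify_paths() -> dict:
    """Where the client would send packets for S1 and S2 over IPv4 versus IPv6."""
    s1_v6 = str(addr_nat64(ORG_B_NAT64_PREFIX, S1_V4))
    return {
        "S1 over IPv4": ipv4_next_hop(S1_V4),           # collides with S2: same address
        "S2 over IPv4": ipv4_next_hop(S2_V4),
        "S1 over IPv6": (s1_v6, ipv6_next_hop(s1_v6)),  # unique, goes into the tunnel
    }


if __name__ == "__main__":
    print("6to4   :", addr_6to4("198.51.100.7"))
    print("ISATAP :", addr_isatap(ORG_B_ISATAP_PREFIX, S1_V4))
    print("NAT64  :", addr_nat64(ORG_B_NAT64_PREFIX, S1_V4))
    for label, path in classify_paths().items():
        print(f"{label}: {path}")
```

The `classify_paths` result is the whole argument in the answer in miniature: both IPv4 lookups return "on-link", so the client cannot tell S1 from S2, while the NAT64-synthesised address for S1 falls under a prefix that only the tunnel serves.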

All replies

  • Hi JLFranklin,

    It's true that DA requires complicated implementation and troubleshooting, but in return users will enjoy DA's seamless connections to intranet resources.

    why does DA use IPv6 transition technology at all?

    As far as I know, there are two key reasons for DA to use IPv6 listed below:
    1. Use IPv6 tunnel instead of IPv4 NAT
    If users want to connect to intranet applications without a dial-up VPN, we need to use IPv4 NAT technology. But NAT technology will break application connections in some scenarios like the one mentioned in this article. An IPv6 tunnel provides a point-to-point connection, unlike NAT, which needs to translate addresses.

    2. Use IPv6 split tunnel instead of IPv4 split tunnel
    When users connect to intranet applications via a VPN connection, users will complain that they lose their web research or printer access without split tunnelling. But if split tunnelling is opened to VPN users, it's not secure for intranet network resources and enterprise security policy does not permit it. On the other hand, an IPv6 tunnel could provide users with split tunnelling with end-to-end security encryption by IPSec.

    If there are more inquiries on this issue, please feel free to let us know.


    Regards,
    Rick Tan
    Thursday, June 30, 2011 9:53 AM
    Moderator
    Rick provided the reasons why DA needs IPv6. IPv6 provides features that bypass IPv4's limitations, such as AD communications that can't be translated across a NAT (as the link Rick gave you indicates). Basically NAT can't open/read the packets due to security with RPC, LDAP and Kerberos communications. IPv6 overcomes this. This goes over AD's NAT restrictions, too:

    Description of support boundaries for Active Directory over NAT (AD NAT limitations)
    http://support.microsoft.com/kb/978772

     

    Of course moving to IPv6 to support DA requires an investment and changes to be made. Any new technology needs that. If a company is not prepared to make the changes or investments due to budget including personnel that can implement it, the current solutions available such as VPNs (whether using a Microsoft VPN solution, 3rd party legacy or SSLVPN solution), work fine.

    I have some customers that want to implement DA, but the cost of upgrading to Windows 2008 R2 with Windows 7 to fully support the feature is prohibitive at this time. After reviewing their current SSLVPN solution, which seems to be working fine and does the trick, they've decided to keep with it.

     

    Ace

     


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, June 30, 2011 3:01 PM
    thanks for the responses chaps. But I don't see the difference between IPv4 and IPv6 to provide either of the two characteristics you mentioned.

    - split tunneling is completely achievable with IPv4 stack and has been for more than 10 years

    - Also, IPv6 tunnelling doesn't do anything that IPv4 tunnelling doesn't in regards to enabling NAT traversal

    Yes NAT can break applications, if we send app data directly through a NAT device that can't handle the payload for whatever reason. The packet can be mangled. But that's why we 'tunnel' or encapsulate this traffic instead... then it is protected from being broken by NAT because we add new headers that get rewritten without touching the original.

    A tunnel protocol like ESP, or GRE, can be wrapped in TCP (HTTPS for example) and can then move through any number of NAT devices. It doesn't affect the application data payload in any way. The original packet (data and headers) arrives at its destination intact, unmodified and unbroken. This is the nature of encapsulation. Whether we use IPv4 or IPv6... it makes no difference. With the original frame encapsulated, NAT won't break it. We could happily subject this packet to as much NAT punishment as we like with no worries that the original is intact.

    With DA we have an IPsec ESP encapsulated packet with IPv6 headers. Now we have to move that through a largely IPv4 based infrastructure so we have to encapsulate it again in IPv4. What's the point!

     

    It's unnecessary.

     

    Sure, an IPv6 tunnel enables us to transport application traffic through NAT without breaking. But the same is true of an IPv4 tunnel. IPv6 is not special in this regard.

     

    I could understand it if the point was to leverage the increased address space of the public internet, but actually IPv6 to IPv6 on the public side is not supported as I indicated.

     

    IPv6 is not coming to most LANs any time soon.

     

    Thursday, June 30, 2011 6:32 PM
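As an added example, not from the thread, the encapsulation argument in the post above can be checked byte for byte: an IPv6 packet (its payload standing in for ESP) is wrapped in an IPv4 header with protocol 41, the IPv6-in-IPv4 form that 6to4 and ISATAP use, a modelled NAT rewrites the outer source address and recomputes the outer checksum, and the far end unwraps the packet and compares the inner bytes with what was sent. All addresses are constructed and the NAT is modelled as a bare source-address rewrite. One caveat a practitioner should keep in mind: protocol 41 carries no port numbers, so a port-multiplexing NAT generally cannot keep more than one such tunnel apart behind it, which is why Teredo wraps the same kind of inner packet in UDP instead.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41   # IANA protocol number used by 6to4 and ISATAP
NEXT_HEADER_ESP = 50      # what the inner packet would carry in a DirectAccess tunnel


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words.
    Over a header whose checksum field is already filled in, the result is 0."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Minimal 40-byte IPv6 header (version 6, hop limit 64) followed by the payload."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def encapsulate(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Tunnel entry point: wrap the inner packet in an IPv4 header, protocol 41."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0x1234, 0x4000, 64,
                      PROTO_IPV6_IN_IPV4, 0,
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + inner


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """Model of one NAT hop: validate the outer header, replace its source address,
    recompute the checksum. Everything after byte 20 (the inner packet) is untouched."""
    hdr, rest = pkt[:20], pkt[20:]
    if ipv4_checksum(hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    hdr = hdr[:10] + b"\x00\x00" + ipaddress.IPv4Address(new_src).packed + hdr[16:]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + rest


def decapsulate(pkt: bytes):
    """Tunnel exit point: check the outer header and hand back (src, dst, inner packet)."""
    hdr = pkt[:20]
    if ipv4_checksum(hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    fields = struct.unpack("!BBHHHBBH4s4s", hdr)
    total_len, proto = fields[2], fields[6]
    if proto != PROTO_IPV6_IN_IPV4:
        raise ValueError("not an IPv6-in-IPv4 packet")
    return (str(ipaddress.IPv4Address(fields[8])),
            str(ipaddress.IPv4Address(fields[9])),
            pkt[20:total_len])


def demo() -> dict:
    """Constructed end-to-end run: client behind a NAT sends a tunnelled IPv6 packet
    to the DirectAccess server's public address; compare inner bytes on arrival."""
    inner = build_ipv6("2001:db8:c::1", "2001:db8:b:ffff::a00:5",
                       NEXT_HEADER_ESP, b"constructed ESP bytes")
    on_lan = encapsulate("192.168.1.10", "203.0.113.1", inner)   # client -> DA server
    after_nat = nat_rewrite_source(on_lan, "198.51.100.20")      # NAT's public address
    src, dst, received = decapsulate(after_nat)
    return {"outer_src": src, "outer_dst": dst, "inner_intact": received == inner}


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `inner_intact: True` with the outer source rewritten to the NAT's public address: the translator touched only the outer header, exactly the property the post relies on, and it would hold whether the inner packet were IPv4 or IPv6.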
  • I believe the main difference is IPv6 has built in NAT traversal where IPv4 needs additional devices/overhead for NAT.

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, June 30, 2011 6:41 PM
    whether you are referring to NAT in general or "NAT-T" specifically (the method for an application to identify the presence of a NAT device in the communication path) ....

    .....neither of these are built in to IPv6, beyond their use in the transition technologies (like Teredo) that run over IPv4. IPv6 has no native use for NAT

    NAT-T in Teredo has the same expense as NAT-T anywhere. But if we're talking about overhead, what about the overhead of Teredo itself

     

    But this is all academic

    I really like the idea of DirectAccess, but I don't like the implementation. I would still like to understand - I mean really understand - what compelled MS to build this around IPv6. I can see no reason.

     

    maybe it was a project or exercise to get some network developers to write code that used Teredo and ISATAP


    Thursday, June 30, 2011 9:13 PM
  •   Probably because, unlike you, they are looking to the future, not the past/present.

     


    Bill
    Thursday, June 30, 2011 11:19 PM
  • As far as what compelled Microsoft, or any other company for introducing new features using new technology, I'll have to side with Bill with moving towards new technology, like many other companies.

     


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Friday, July 1, 2011 3:44 AM
  •   Probably because, unlike you, they are looking to the future, not the past/present.

     


    Bill


    that's quite funny :)

     

    glib responses aside, I quite like the idea of IPv6. I'm actively deploying it in labs while learning and researching it, because obviously it's the future.

     

    .....but IPv6 has been 'coming' since about 2002. Every year we're told that this is the year it will happen, and every year it doesn't.

     

    The greatest need for IPv6 is on the public internet, because of its massive address space. DA's implementation is a vain attempt to impose it on corporate LANs where arguably it's needed the least.

     

    There are a great many problems and inherent insecurities that still need to be overcome before IPv6 makes it into the enterprise. The standard is still evolving, and network engineers in the IETF are still arguing about the basics.

     

    For example, read this and maybe you'll learn something:

    http://samsclass.info/ipv6/proj/flood-router6a.htm

     

    So to correctly inform you, I am very much looking forward to IPv6 - when it's ready - which, I'm sad to say, in its current form it is not. And there are a good few years before this problem is solved

     

     

    Friday, July 1, 2011 8:11 PM
    DA is a potentially great new feature - I agree. That's my basic complaint here

    the feature is spoiled by its reliance on IPv6 transition technologies when IPv6 barely exists in the real world.

     

    I would have thought it would make more sense to build a solution around IPv4 - the current standard - and add IPv6 when IPv6 is actually starting to achieve some kind of adoption.

     

    but I think my point is made in that nobody has really given a compelling option as to why it needs IPv6

    ... it doesn't.

    Friday, July 1, 2011 8:19 PM
  • Sumesh,

    That was a great explanation. :-)

    Cheers!

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, July 7, 2011 12:49 PM