Thursday, March 19, 2009

While digging through some search results on forcing IPSec features on IPv6 connections, I found out a few things about the arm-flailing method(s) of IPv6 compatibility offered by Microsoft. XP never had a default stack so the Advanced Networking Services pack had to be downloaded and installed. There were a lot of issues with it. The main ones were: no GUI for IPv6 configurations (MS's way of saying "go learn 'netsh'"), the firewall it claimed to have apparently was poo for IPv6, and my favorite, it apparently caused a nice memory leak when loaded. Every client I have ever installed it on started losing memory fairly rapidly (10-20 MB a day minimum) without fail. Oh, did I mention my favorite? Every client I ever loaded the Advanced Networking Services on seemed to randomly create new global IPv6 IP addresses. After a few days, ipconfig would list 5 or 6 (or more) global IPv6 addresses for the interface IPv6 was bound to. I have no idea where the hell these came from. And hard-coding an address was of no help. It seemed a reboot or uninstalling/reinstalling IPv6 was the only thing that would clear them out. Enough of my XP bitching.

2003 was a bit better in behavior. Still no GUI although there was a third-party GUI on some .jp site I saw way back which I never got to work. We still had the onerous netsh command with which to mess with IPv6 configuration. The IPv6 address 'generation' was much more stable, too. From testing, I know (despite reading otherwise somewhere) that Windows 2003 DNS had some support because a test XP system I had in an AD environment registered its link local address to DNS on one of the DCs - an IPv4-only DC at that. The main issue I had with server 2k3 is it had the old stacks and not the interesting stack tweaks MS put in Vista and Server 2k8. Not a huge issue because I am not sure the stack tweaks were made for anything but IPv4.

Server 2k8 does have a GUI for IPv6 and some interesting command-line tools as well. One I saw today (it was available in 2k3, too) which goes back to the IPSec issue is the ipsec6.exe tool. My server didn't have it anywhere on the system, though. Why? Well, despite the server defaulting to enabling IPv6, the ipsec6.exe executable apparently is sitting on the installation DVD. Never mind that I might need it since, well, IPv6 is installed. Thanks, MS. According to an IPv6 FAQ from MS (it currently shows it was last updated in 2008), a few items I would be interested in don't appear to be available features:

Q. Does the IPv6 protocol for Windows support Internet Protocol security (IPsec)?

A. IPsec for the IPv6 protocol for Windows Vista and Windows Server 2008 has full support for IPsec.

IPsec for the IPv6 protocol for Windows Server 2003 and Windows XP is supported, with the following limitations:
• The Authentication Header (AH) and Encapsulating Security Payload (ESP) are supported for both transport and tunnel modes. However, ESP for the IPv6 protocol for Windows does not support data encryption.
• IPsec in the IPv6 protocol for Windows does not support the use of Internet Key Exchange (IKE) to negotiate security associations (SAs). IPsec policies, SAs, and the keys to calculate the Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1) keyed hash for AH or ESP must be manually configured.
The first tells me there are no host-to-host encryption options in Windows IPv6. That would have been nice to test. Maybe the article is out-of-date but I will have to look into that further. The second just means MS is still making the IPv6 process overly manual. Again, possibly out-of-date...and I don't know if anyone offers IKE support for such SAs anyway.

Oh, and I found another 'proof that you have IPv6 working' site. Everyone seems to use kame.net but this one has a funnier animation: OCN (after all, the Japanese are pretty well known for animation).
