By Martha Payne, 2014-01-25 08:34

APPENDIX G

IPv6 and IIS 6.0

Internet Information Services (IIS) 6.0 provides Internet services to clients connecting over the next generation of Internet Protocol (IP) known as IP version 6 (IPv6). When you use IPv6 with IIS on a server running the Microsoft Windows Server 2003 operating system, your sites can respond to both IPv6 requests and Internet Protocol version 4 (IPv4) requests. Although current demand for IPv6 is limited, the adoption of new Internet-connected devices, such as phones and handheld computers, is expected to quickly exhaust the remaining IPv4 address space and speed the transition to IPv6.

In This Appendix

Summary of Protocol Changes from IPv4 to IPv6
Comparing IPv4 and IPv6 Addresses
How IIS 6.0 Supports IPv6
Securing IPv6 Networks
Installing or Removing IPv6
Additional Resources

Related Information

• For more information about IIS 6.0 architecture, including HTTP.sys, see “IIS 6.0 Architecture” in this book.

Summary of Protocol Changes from IPv4 to IPv6

In response to concern about the finite number of IPv4 addresses, the Internet Engineering Task Force (IETF) developed a suite of protocols and standards known as Internet Protocol version 6 (IPv6). IPv6 was designed to replace IPv4, which is more than 20 years old. Because IPv6 is expected to become increasingly important as the Internet continues to grow, IPv6 functionality is included in the Microsoft Windows XP and the Microsoft Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and Windows Server 2003, Web Edition operating systems.

The Internet Protocol (IP) is the network-layer protocol used by TCP/IP for addressing and routing packets of data between hosts. The current version of the IP, IPv4, has remained primarily unchanged since RFC 791 was published in 1981. IPv4 is robust, easily implemented, and interoperable, and it scales well. However, continued dramatic growth of the Internet is pushing the limits of IPv4 design. Concerns with IPv4 include the scarcity of public IPv4 addresses for use on the Internet, the size and complexity of its backbone routing tables, and the need for simpler, more automatic configuration.

IPv6, previously named IP Next Generation (IPng), was developed primarily to allow for larger (128-bit) IP addresses. Additional enhancements include the following:

• A more efficient routing infrastructure that allows backbone routers to maintain much smaller routing tables.

• A new header format that reduces header overhead and provides more efficient processing at intermediate routers.

• A simplified host configuration that uses both stateful and stateless address configuration.

• Built-in security provided by Internet Protocol security (IPSec), which every IPv6 implementation is required to support. (In IPv4, IPSec is optional.) Built-in does not mean enabled: traffic is protected only once IPSec policies have been configured on the hosts involved.

• Better support for Quality of Service (QoS), which is the set of methods or processes that a service-based organization uses to maintain a specific level of quality.

• A way to efficiently manage the interaction of neighboring nodes by using multicast and unicast messaging.

• Extension headers for adding new features to IPv6.

Table G.1 lists pertinent IPv6 RFCs and serves as a useful reference to the source documents.

Table G.1 Summary of Useful Source Documents for Migrating from IPv4 to IPv6

| Version | Date | RFC | RFC Title |
| IPv4 | September 1981 | RFC 791 | “Internet Protocol” (Protocol specification) |
| IPv6¹ | January 1995 | RFC 1752 | “The Recommendation for the IP Next Generation Protocol” (Standards track for IPv6 General RFCs) |
| | December 1995 | RFC 1883 | “Internet Protocol, Version 6 (IPv6) Specification” (Proposed standard made obsolete by RFC 2460) |
| | December 1995 | RFC 1886 | “DNS Extensions to support IP version 6” (IPv6 applications RFCs) |
| | July 1998 | RFC 2373 | “IP Version 6 Addressing Architecture” (Standards track for IPv6 addressing RFCs) |
| | | RFC 3513² | “Internet Protocol Version 6 (IPv6) Addressing Architecture” (Standards track for IPv6 addressing RFCs) |
| | December 1998 | RFC 2460 | “Internet Protocol, Version 6 (IPv6) Specification” (Standards track for the Network Layer RFCs and Internet drafts) |

¹ IPv5 was an experimental non-IP real-time stream protocol called ST, which was never widely used.
² RFC 3513 supersedes RFC 2373; however, Windows Server 2003 does not implement its changes with regard to site-local addresses.

In RFC 2460, “Internet Protocol, Version 6 (IPv6) Specification,” IPv6 is described as a connectionless, unreliable datagram protocol that is used primarily for addressing packets and routing them between hosts. Connectionless means that a session is not established before data exchange begins. Unreliable means that delivery is not guaranteed. IPv6, like IPv4, always makes a best-effort attempt to deliver a packet, but an IPv6 packet might be lost, delivered out of sequence, duplicated, or delayed. IPv6 itself does not attempt to recover from these types of errors; the acknowledgment of packet delivery and the recovery of lost packets is done by a higher-layer protocol, such as TCP. TCP performs reliably over both IPv4 and IPv6.

For more information about the design changes needed by IPv4 to accommodate the increasing demands of network traffic, see “Introduction to IPv6” in Help and Support Center for Windows Server 2003. For more information about IPv6, see “IPv6 features” in Help and Support Center for Windows Server 2003.

For more information about RFCs, see the Request For Comments (RFC) link on the Web Resources page at www.microsoft.com/windows/reskits/webresources.

Comparing IPv4 and IPv6 Addresses

The size of an IPv6 address is 128 bits, four times the size of an IPv4 address. In theory, the 32-bit address space that IPv4 uses provides 4,294,967,296 possible addresses; however, previous and current allocation practices limit the number of public IPv4 addresses to a few hundred million. By contrast, the 128-bit address space that IPv6 uses provides 3.4 × 10³⁸ possible addresses.

The size of the IPv6 address allows for subdividing the address into a hierarchical routing structure that reflects the current topology of the Internet. This structure provides great flexibility for hierarchical addressing and routing, which the IPv4-based Internet lacks.

Comparing Address Formats

IPv4 addresses are represented in a dotted-decimal format, in which the 32-bit address is divided into four 8-bit sections. Each set of 8 bits is converted into its decimal equivalent and is separated from adjacent 8-bit decimal equivalents by periods. The following is an example of an IPv4 address:

131.107.16.200

In IPv6, the 128-bit address is divided into eight 16-bit blocks, each of which is converted to a 4-digit hexadecimal number that is separated from adjacent blocks by colons. The resulting representation is called colon-hexadecimal format.

The following is an IPv6 address in binary form:

0010000111011010000000001101001100000000000000000010111100111011
0000001010101010000000001111111111111110001010001001110001011010

First, the 128-bit address is divided into eight 16-bit blocks, as follows:

0010000111011010 0000000011010011 0000000000000000 0010111100111011
0000001010101010 0000000011111111 1111111000101000 1001110001011010

Then, each of the eight 16-bit blocks is converted to hexadecimal and delimited with colons. The result is the following:

21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A

An IPv6 address can be further simplified by removing the leading zeros within each 16-bit block. However, each block must have at least a single digit. With leading zero suppression, the address used in this example becomes the following:

21DA:D3:0:2F3B:2AA:FF:FE28:9C5A

Compressing Zeros in IPv6 Addresses to the Double-Colon Format

IPv6 addressing conventions also allow you to simplify an address that contains long sequences of zeros. If an address contains consecutive groups of 16-bit blocks that are set to 0 in the colon-hexadecimal format, you can compress the consecutive blocks to :: (known as double-colon) to simplify the address. To avoid ambiguity, use zero compression only once within any one address. Otherwise, you cannot determine the number of 0 bits represented by each instance of a double-colon (::).

Table G.2 provides two examples of IP addresses and shows how zero compression changes each address.

Table G.2 Effect of Zero Compression on Sample IP Addresses

| Address Before Zero Compression | Address After Zero Compression |
| FE80:0:0:0:2AA:FF:FE9A:4CA2 | FE80::2AA:FF:FE9A:4CA2 |
| FF02:0:0:0:0:0:0:2 | FF02::2 |

To determine how many 0 bits are represented by the double-colon in a compressed address, count the number of blocks in the address, subtract this number from 8, and then multiply the result by 16. For example, the address FF02::2 contains two blocks (the FF02 block and the 2 block). Therefore, the number of bits expressed by the double-colon is 96 (96 = (8 - 2) × 16).

Understanding Prefixes

IPv4 implementations commonly use a dotted-decimal representation of the network prefix length, which is called the subnet mask. IPv6 does not use subnet masks; it supports only prefix length notation.

The prefix is the part of an IP address where the bits have fixed values or are the bits of a route or subnet identifier. Prefixes for IPv6 routes and subnet identifiers are expressed in the same way as classless inter-domain routing (CIDR) notation is expressed for IPv4, that is, address/prefix length. The prefix length specifies the number of left-most bits that make up the subnet prefix. For example, an IPv6 prefix can be represented as follows:

3FFE:2900:D005:F28B::/64

In this example, the first 64 bits of the global unicast address are the prefix, and the remaining 64 bits (128 - 64 = 64) are the interface ID.

For more information about the architecture of IPv6 addresses, see RFC 2373, “IP Version 6 Addressing Architecture.”
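The three conversions the preceding sections walk through by hand (16-bit blocks to colon-hexadecimal text with leading-zero suppression and a single double-colon, counting the zero bits a double-colon stands for, and testing whether an address lies inside a prefix such as 3FFE:2900:D005:F28B::/64) are written out below in C. This is an added example for this page, not code from the IIS 6.0 Resource Kit or from Windows; the function names are chosen for the example, and the sample addresses are the ones the appendix itself uses. Prefix matching is included because, as the appendix notes later, the IIS 6.0 IP Address Restrictions feature does not accept IPv6 addresses or prefixes, so any IPv6 allow or deny decision has to be made in your own code (an ISAPI filter, for instance), and a comparison on the raw blocks like this one is the primitive it needs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Render eight 16-bit blocks in colon-hexadecimal form: leading zeros dropped
 * from every block and the longest run of two or more all-zero blocks replaced
 * by "::" (only once, so the text stays unambiguous). Upper-case hex matches
 * the appendix; RFC 5952 prefers lower case. Returns the length written, or
 * -1 if out cannot hold the text plus its terminating NUL. */
int ipv6_format(const uint16_t blocks[8], char *out, size_t outlen)
{
    int best_start = -1, best_len = 0;
    for (int i = 0; i < 8; ) {
        if (blocks[i] != 0) { i++; continue; }
        int j = i;
        while (j < 8 && blocks[j] == 0) j++;
        if (j - i >= 2 && j - i > best_len) { best_start = i; best_len = j - i; }
        i = j;
    }
    char tmp[40];                    /* "FFFF:" x 8 including the NUL */
    size_t pos = 0;
    for (int i = 0; i < 8; i++) {
        if (i == best_start) {
            pos += (size_t)snprintf(tmp + pos, sizeof tmp - pos, "::");
            i += best_len - 1;       /* skip the rest of the zero run */
            continue;
        }
        if (pos > 0 && tmp[pos - 1] != ':')
            pos += (size_t)snprintf(tmp + pos, sizeof tmp - pos, ":");
        pos += (size_t)snprintf(tmp + pos, sizeof tmp - pos, "%X", (unsigned)blocks[i]);
    }
    if (pos + 1 > outlen) return -1;
    memcpy(out, tmp, pos + 1);
    return (int)pos;
}

/* Zero bits that a compressed address's "::" stands for: (8 - blocks present) * 16.
 * An embedded dotted-decimal tail such as ::FFFF:131.107.0.1 counts as two
 * blocks, and a "%zone" suffix is ignored. Returns 0 when there is no "::"
 * and -1 when there is more than one (an invalid address). */
int ipv6_double_colon_bits(const char *text)
{
    const char *dc = strstr(text, "::");
    if (dc == NULL) return 0;
    if (strstr(dc + 2, "::") != NULL) return -1;
    int blocks = 0;
    const char *p = text;
    while (*p && *p != '%') {
        if (*p == ':') { p++; continue; }
        int dotted = 0;
        while (*p && *p != ':' && *p != '%') { if (*p == '.') dotted = 1; p++; }
        blocks += dotted ? 2 : 1;
    }
    return (8 - blocks) * 16;
}

/* True when addr lies inside prefix/prefix_len, compared on the raw blocks so
 * no text parsing (and none of its ambiguities) is involved. */
int ipv6_in_prefix(const uint16_t addr[8], const uint16_t prefix[8], int prefix_len)
{
    if (prefix_len < 0 || prefix_len > 128) return 0;
    for (int i = 0; i < 8 && prefix_len > 0; i++, prefix_len -= 16) {
        uint16_t mask = prefix_len >= 16 ? 0xFFFF
                                         : (uint16_t)(0xFFFFu << (16 - prefix_len));
        if ((addr[i] & mask) != (prefix[i] & mask)) return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed samples: the addresses the appendix itself works through. */
    const uint16_t sample[8] = {0x21DA, 0x00D3, 0, 0x2F3B, 0x02AA, 0x00FF, 0xFE28, 0x9C5A};
    const uint16_t prefix[8] = {0x3FFE, 0x2900, 0xD005, 0xF28B, 0, 0, 0, 0};
    const uint16_t host[8]   = {0x3FFE, 0x2900, 0xD005, 0xF28B, 0x02AA, 0x00FF, 0xFE28, 0x9C5A};
    char text[40];
    ipv6_format(sample, text, sizeof text);
    printf("%s\n", text);                       /* 21DA:D3:0:2F3B:2AA:FF:FE28:9C5A */
    ipv6_format(prefix, text, sizeof text);
    printf("%s/64\n", text);                    /* 3FFE:2900:D005:F28B::/64 */
    printf("FF02::2 hides %d zero bits\n", ipv6_double_colon_bits("FF02::2"));
    printf("host inside prefix: %s\n", ipv6_in_prefix(host, prefix, 64) ? "yes" : "no");
    return 0;
}
```

The formatter never compresses a lone zero block, which is why the appendix's worked address keeps its single 0; a run of one is left alone and only the longest run of two or more becomes the double-colon.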

Comparing Address Types

If you install IPv6 on a computer that is not connected to a network in which an IPv6 router is present, the computer automatically configures a link-local IPv6 address, which is a type of address that allows you to communicate with computers on your subnet. If you connect your computer to a subnet in which an IPv6 router is present, the router assigns your computer an IPv6 global or site-local address. The site-local address allows your computer to communicate within your intranet. The global address allows your computer to communicate with computers on the IPv6 Internet.

The left-most bits of an IPv6 address are called the format prefix (FP), which indicates the specific type of IPv6 address. IPv6 accommodates many address types, including the following:

• Unicast addresses. Provide point-to-point, directed communication between two hosts on a network.

• Multicast addresses. Provide a method for sending a single IP packet to multiple hosts in a group. A multicast address is used for one-to-many communication.

• Anycast addresses. Provide a method of delivering a packet to the nearest member of a group. Currently, anycast addresses are used only as destination addresses and are assigned only to routers. An anycast address is used for one-to-one-of-many communication.

Table G.3 compares some basic elements of IPv4 and IPv6 addressing.

Table G.3 Comparison of IPv4 and IPv6 Addressing Elements

| Address Space Element | IPv4 Address | IPv6 Address |
| Unspecified address | 0.0.0.0 | 0:0:0:0:0:0:0:0 or :: |
| Loopback address | 127.0.0.1 | 0:0:0:0:0:0:0:1 or ::1 |
| Address types | Public IPv4 addresses | Global addresses (aggregatable global unicast addresses) |
| | Private IPv4 addresses, such as 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 | Site-local addresses, which always begin with FEC0::/10 |
| | Automatic Private IP Addressing (APIPA), which uses the 169.254.0.0/16 prefix | Link-local addresses, which always begin with FE80::/64 |
| Text representation | Dotted-decimal format | Colon-hexadecimal format with suppression of leading zeros and zero compression. IPv4-compatible addresses are expressed in dotted-decimal notation. |
| Network bits representation | Subnet mask in dotted-decimal format or prefix-length notation | Prefix-length notation only |
| DNS name resolution | IPv4 host address (A) resource record¹ | IPv6 host address (AAAA) resource record² |

¹ An A resource record, which is stored on your DNS servers, enables mapping from a host name to an IPv4 32-bit address.
² AAAA (quad-A) resource records enable mapping from a host name to an IPv6 128-bit address.

Unicast Addresses

Unicast addresses identify a single interface within the scope of a particular type of unicast address. The scope of an address is the region of the IPv6 network over which the address is unique. With the appropriate unicast routing topology, packets addressed to a unicast address are delivered only to a single interface.

The following are types of unicast IPv6 addresses:

• Aggregatable global unicast addresses. Identified by the format prefix (FP) of 001, these addresses are equivalent to public IPv4 addresses.

• Local-use unicast addresses. Provide two types of addresses:

  • Link-local addresses. Identified by the FP of 1111 1110 10, these addresses are used by nodes when they are communicating with neighboring nodes on the same link.

  • Site-local addresses. Identified by the FP of 1111 1110 11, these addresses are equivalent to the IPv4 private address space. Use these addresses between nodes that communicate with other nodes in the same site.

• Unspecified address. Used only to indicate the absence of an address; this type of address cannot be assigned to a node. The IPv6 unspecified address, 0:0:0:0:0:0:0:0 or ::, is equivalent to the IPv4 unspecified address of 0.0.0.0.

• Loopback address. Used to identify a loopback interface, which enables a node to send packets to itself. The IPv6 loopback address, 0:0:0:0:0:0:0:1 or ::1, is equivalent to the IPv4 loopback address of 127.0.0.1.

• Transition, or compatibility, addresses. Provided to help you migrate from IPv4 to IPv6; these addresses allow both types of hosts to coexist on your network.

Types of Transition IPv6 Addresses

To help you transition from IPv4 to IPv6 and to facilitate the coexistence of both types of hosts, IPv6 defines the following transition IPv6 addresses.

IPv4-compatible addresses

IPv4-compatible addresses are used by IPv6/IPv4 nodes that communicate with IPv6 over an IPv4 infrastructure. IPv6/IPv4 nodes are nodes that run both the IPv4 and IPv6 protocols. The format for an IPv4-compatible address is 0:0:0:0:0:0:w.x.y.z or ::w.x.y.z (where w.x.y.z is the dotted-decimal representation of a public IPv4 address). The IPv6 protocol for Windows XP and Windows Server 2003 provides support for IPv4-compatible addresses, but support is not enabled by default.

IPv4-mapped addresses

IPv4-mapped addresses are used to represent an IPv4-only node to an IPv6 node. The IPv4-mapped address is never used as a source or destination address for an IPv6 packet. It is used only for internal representation. The format for an IPv4-mapped address is 0:0:0:0:0:FFFF:w.x.y.z or ::FFFF:w.x.y.z. The IPv6 protocol for Windows XP and Windows Server 2003 does not support IPv4-mapped addresses.

6to4 addresses

6to4 addresses are used for communicating between two nodes that are running both IPv4 and IPv6 over the Internet. The 6to4 address is formed by combining the prefix 2002::/16 with the 32 bits of the public IPv4 address of the node or the site of the node, thus forming a 48-bit prefix. For example, for the IPv4 address of 131.107.0.1, the 6to4 address prefix is 2002:836B:1::/48 (where 836B:1 is the colon-hexadecimal notation for 131.107.0.1). Support for 6to4 addresses is provided by the IPv6 Helper service (known as the 6to4 service) that is included with the IPv6 protocol for Windows XP and Windows Server 2003.

Global Addresses

Global addresses, which are identified by an FP of 001, and which are also called aggregatable global unicast addresses, are equivalent to public IPv4 addresses. Global addresses are globally routable and reachable on the IPv6 Internet.

As the name implies, you can aggregate, or summarize, global addresses to produce an efficient routing infrastructure. Unlike the current IPv4-based Internet, which has a mixture of both flat and hierarchical routing, the IPv6-based Internet is designed to support efficient hierarchical addressing and routing. The scope of a global address, which is the region of the IPv6 internetwork over which the address is unique, is the entire IPv6 Internet.

Figure G.1 illustrates the structure of an IPv6 global address.

Figure G.1 Structure of an IPv6 Global Address

[Figure not reproduced in this extraction: the 128-bit address laid out, left to right, as FP (3 bits, 001), TLA ID (13 bits), Res (8 bits), NLA ID (24 bits), SLA ID (16 bits), and Interface ID (64 bits). The fields are described below.]

TLA ID field. Indicates the Top Level Aggregation Identifier (TLA ID) for the address. The size of this field is 13 bits. The TLA ID identifies the highest level in the routing hierarchy. TLA IDs are administered by the Internet Assigned Numbers Authority (IANA) and allocated to local Internet registries that, in turn, allocate individual TLA IDs to large, global Internet service providers (ISPs). A 13-bit field allows up to 8,192 different TLA IDs. Routers in the highest level of the IPv6 Internet routing hierarchy (called default-free routers) do not have a default route, only routes with 16-bit prefixes corresponding to the allocated TLA IDs and additional entries for routes based on the TLA ID assigned to the routing region where the router is located.

Res field. Reserves space for future expansion of either the TLA ID or the NLA ID field. The size of this field is 8 bits.

NLA ID field. Indicates the Next Level Aggregation Identifier (NLA ID) for the address. The NLA ID identifies a specific customer site. The size of this field is 24 bits. The NLA ID allows an ISP to create multiple levels of addressing hierarchy to organize addressing and routing and to identify sites. The structure of the ISP's network is not visible to default-free routers.

SLA ID field. Indicates the Site Level Aggregation Identifier (SLA ID) for the address. The SLA ID is used by an individual organization to identify subnets within its site. The size of this field is 16 bits. An organization can use this field to create 65,536 subnets or multiple levels of addressing hierarchy. Being assigned an SLA ID is equivalent to being allocated an IPv4 Class A network ID (assuming that the last octet is used for identifying nodes on subnets). The structure of the customer's network is not visible to the ISP.

Interface ID field. Identifies the interface of a node on a specific subnet. The size of this field is 64 bits.

For more information about IPv6 addressing, see RFC 2373, “IP Version 6 Addressing Architecture.” For more information about IETF, including a repository of RFCs, see the Internet Engineering Task Force (IETF) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
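The field split described above, implemented as a decoder in C. This is an added example, not code from the page or from Windows; the structure and function names are chosen for the example, and the sample address is the appendix's 3FFE:2900:D005:F28B::/64 prefix combined with the interface ID from its earlier worked address. The only real work is reading bit fields that do not line up with the 16-bit blocks (the TLA ID spans bits 3 to 15, the NLA ID spans the low byte of one block and all of the next), which is the part that is easy to get wrong when done with ad hoc shifts. One caveat: this TLA/NLA/SLA layout was retired by RFC 3587 in 2003, and what survives in current practice is the 64-bit interface ID boundary, so treat the upper fields as documentation of the scheme the appendix describes rather than something to enforce.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of an aggregatable global unicast address as Figure G.1 lays them
 * out, most significant first: FP(3) TLA ID(13) Res(8) NLA ID(24) SLA ID(16)
 * Interface ID(64) = 128 bits. */
struct global_addr_fields {
    unsigned fp;        /* format prefix, 001 for global unicast */
    unsigned tla_id;    /* 13 bits, top of the routing hierarchy */
    unsigned res;       /* 8 reserved bits */
    uint32_t nla_id;    /* 24 bits, the ISP's customer-site identifier */
    unsigned sla_id;    /* 16 bits, the organization's subnet number */
    uint64_t iface_id;  /* 64 bits */
};

/* Read 'width' bits starting at bit 'off' (0 = first bit on the wire) from the
 * eight 16-bit blocks, crossing block boundaries as needed. */
static uint64_t field(const uint16_t b[8], int off, int width)
{
    uint64_t v = 0;
    for (int i = off; i < off + width; i++)
        v = (v << 1) | ((b[i / 16] >> (15 - (i % 16))) & 1u);
    return v;
}

/* Decode the fields. Returns 1 on success, 0 (leaving f untouched) when the
 * format prefix is not 001, i.e. the address is not a global unicast address. */
int decode_global(const uint16_t b[8], struct global_addr_fields *f)
{
    if (field(b, 0, 3) != 1) return 0;
    f->fp       = 1;
    f->tla_id   = (unsigned)field(b, 3, 13);
    f->res      = (unsigned)field(b, 16, 8);
    f->nla_id   = (uint32_t)field(b, 24, 24);
    f->sla_id   = (unsigned)field(b, 48, 16);
    f->iface_id = field(b, 64, 64);
    return 1;
}

int main(void)
{
    /* Constructed sample: the appendix's 3FFE:2900:D005:F28B::/64 prefix with
     * the interface ID 2AA:FF:FE28:9C5A from its earlier worked address. */
    const uint16_t host[8] = {0x3FFE, 0x2900, 0xD005, 0xF28B, 0x02AA, 0x00FF, 0xFE28, 0x9C5A};
    const uint16_t link_local[8] = {0xFE80, 0, 0, 0, 0x02AA, 0x00FF, 0xFE28, 0x9C5A};
    struct global_addr_fields f;
    if (decode_global(host, &f))
        printf("TLA %#x Res %#x NLA %#x SLA %#x IfID %#llx\n",
               f.tla_id, f.res, f.nla_id, f.sla_id, (unsigned long long)f.iface_id);
    printf("link-local decodes as global: %d\n", decode_global(link_local, &f));
    return 0;
}
```

For the sample address the TLA ID comes out as 0x1FFE, which is simply 3FFE with the three format-prefix bits stripped, and the 16 bits that a default-free router would route on are exactly FP plus TLA ID, as the TLA ID description above says.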

How IIS 6.0 Supports IPv6

Except for the differences in functionality outlined in this section, IIS 6.0 provides the same Web services to clients that connect by using IPv6 as it does for clients that connect by using IPv4.


Differences in IIS Functionality Between IPv4 and IPv6

IIS 6.0 provides the same core functionality for users of IPv6 as it does for users of IPv4. However, only a subset of IIS 6.0 functionality is available for users of IPv6. The following are the most significant differences:

• The IIS Manager user interface does not support IPv6 addresses. IIS Manager does not display IPv6 addresses as it does IPv4 addresses; that is, the IIS user interface does not provide a way to work with or manipulate IPv6 addresses. However, manipulating literal hexadecimal IPv6 addresses is usually not recommended, so lack of this functionality is unlikely to prevent you from installing and using IPv6.

• The IP Address Restrictions feature is not supported. The IP Address Restrictions feature in IIS 6.0 does not support IPv6 addresses or IPv6 prefixes. If you rely on IP Address Restrictions to limit who can reach a site, confirm how that site behaves for IPv6 clients before you install IPv6: the restrictions cannot express an IPv6 address or prefix, and once IPv6 is installed every site on the computer responds to IPv6 clients.

• Bandwidth throttling is not supported for responses sent over IPv6 addresses. If you change the MaxBandwidth and MaxGlobalBandwidth metabase properties, you do not affect IPv6 network traffic. However, connection limits and connection time-outs, which are related IIS 6.0 features, are supported.

• The ServerBindings and SecureBindings metabase properties do not support IPv6 addresses. Both properties specify strings that IIS 6.0 uses to determine which network endpoints are used by the server instance. The string format for the ServerBindings property is IPAddress:Port:HostName. Both the IPAddress and HostName parameters of the string are optional; however, the IPAddress component of the string is limited to storing an IPv4 address. Any unspecified parameters default to an all-inclusive wildcard.

  Because of the limitations in IPv6 functionality for these metabase properties, IIS 6.0 functionality for IPv6 is affected as follows:

  • Site routing is limited to host headers only. You cannot configure sites to route on an IPv6 address or on a combination of an IPv6 address and host header. This limitation also affects sites that are configured to route based on an IPv4 address. When you install IPv6, sites that are already specifically configured for IPv4 site-based routing do not respond to requests that come in over IPv6.

  • The number of Secure Sockets Layer (SSL) sites is limited to one. Due to the IP routing restriction for IPv6, IIS deployments designed for IPv6 addresses are limited to one SSL site per computer.

• File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Network News Transfer Protocol (NNTP) services are not supported. IPv6 is supported only for the WWW service. The FTP, SMTP, and NNTP services do not have IPv6 support in IIS 6.0.

• If you install IPv6 on a computer that is running IIS 6.0, all sites on the computer respond to IPv6 clients. You cannot configure individual sites or virtual directories to respond to IPv6 traffic while others on the same server respond to IPv4 traffic.

• Logging tools must support IPv6 address formats in order to function correctly. IIS writes IPv6 addresses to the log file when IPv6 is enabled and client computers connect to the server by using IPv6 addresses. Log parsing tools that are to be used with log files for IPv6 sites must support IPv6 address formats.

• The EnableReverseDnsLookup property is not supported. For IPv4, a value of true for the EnableReverseDnsLookup metabase property allows reverse DNS lookup to determine the DNS name of the client computer. For IPv6, however, this functionality is not enabled.

Note
Setting the EnableReverseDnsLookup metabase property to true does not cause the REMOTE_HOST server variable to return the DNS name of the client, as it does for IPv4. REMOTE_HOST always contains the IPv6 address, regardless of the EnableReverseDnsLookup property setting.

Using the IPv6-Aware ISAPI Server Variables

When you install IPv6 on a server running IIS 6.0, Internet Server API (ISAPI) server variables provide support for IPv6. The ISAPI framework provides the appropriate local-host and remote-host server variables for IPv6 network addresses: LOCAL_ADDR and REMOTE_ADDR. When clients connect over IPv6, these variables store the IPv6 address.

It is important to note that IPv6 addresses can be longer than IPv4 addresses, so you need to take steps to prevent buffer overruns when you install IPv6.

Important
Buffer overruns are one of the most common causes of security breaches. Preventing buffer overruns helps protect your server from being attacked.

To prevent buffer overruns, you must allocate more space to hold the string representation of IPv6 addresses. For example, the longest possible IPv4 string looks something like “123.123.123.123” (16 characters, including the trailing zero required to express the string in some programming languages), whereas the longest IPv6 string looks like “1111:2222:3333:4444:5555:6666:123.123.123.123%1234567890”, which is 57 characters long, including the trailing zero. Therefore, when you allocate buffers, use 16 characters for IPv4 addresses and 57 characters for IPv6 addresses.

Note
The "%1234567890" portion of the string indicates the zone ID, which is an integer that specifies the scope, or zone, of the destination. The zone ID is needed when you are specifying a link-local destination address or a site-local destination address (if you are using multiple sites). For link-local addresses, the zone ID is typically equal to the interface index of the desired sending interface. For site-local addresses, the zone ID is equal to the site number.
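The buffer-sizing rule above, applied in C. This is an added example and not IIS or ISAPI code: GetServerVariable is not called, the two sample strings are constructed here (the IPv6 one is the longest form the appendix gives), and the function names are chosen for the example. It shows a bounded copy that refuses an IPv6 value when handed the 16-byte buffer an IPv4-era extension would have used, and it splits off the zone ID that follows the percent sign, which you want to drop before comparing the address against a configured list or handing it to a parser that does not accept the suffix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer sizes as the appendix counts them: the longest text form plus NUL. */
#define IPV4_STR_MAX 16  /* "123.123.123.123" */
#define IPV6_STR_MAX 57  /* "1111:2222:3333:4444:5555:6666:123.123.123.123%1234567890" */

/* Constructed sample values standing in for what IIS hands back in
 * REMOTE_ADDR; they are not captured from a real server. */
static const char SAMPLE_V4[] = "131.107.16.200";
static const char SAMPLE_V6[] = "1111:2222:3333:4444:5555:6666:123.123.123.123%1234567890";

/* Bounded copy of a server-variable value. Returns false and leaves dst an
 * empty string when value plus NUL does not fit, instead of writing past the
 * end as strcpy() into a 16-byte IPv4-sized buffer does with an IPv6 client. */
bool copy_addr_string(const char *value, char *dst, size_t dstlen)
{
    if (dstlen == 0) return false;
    size_t need = strlen(value) + 1;
    if (need > dstlen) { dst[0] = '\0'; return false; }
    memcpy(dst, value, need);
    return true;
}

/* Split "address%zone" into the address text and the numeric zone ID.
 * *zone becomes 0 when no "%" suffix is present (a global-scope address).
 * Returns false if the address part does not fit in addr_out. */
bool split_zone_id(const char *value, char *addr_out, size_t outlen, unsigned long *zone)
{
    const char *pct = strchr(value, '%');
    size_t addr_len = pct ? (size_t)(pct - value) : strlen(value);
    *zone = 0;
    if (addr_len + 1 > outlen) { if (outlen) addr_out[0] = '\0'; return false; }
    memcpy(addr_out, value, addr_len);
    addr_out[addr_len] = '\0';
    if (pct) *zone = strtoul(pct + 1, NULL, 10);
    return true;
}

int main(void)
{
    char small[IPV4_STR_MAX], big[IPV6_STR_MAX], addr[IPV6_STR_MAX];
    unsigned long zone;
    printf("IPv4 into 16-byte buffer: %s\n",
           copy_addr_string(SAMPLE_V4, small, sizeof small) ? "ok" : "refused");
    printf("IPv6 into 16-byte buffer: %s\n",
           copy_addr_string(SAMPLE_V6, small, sizeof small) ? "ok" : "refused");
    printf("IPv6 into 57-byte buffer: %s\n",
           copy_addr_string(SAMPLE_V6, big, sizeof big) ? "ok" : "refused");
    if (split_zone_id(big, addr, sizeof addr, &zone))
        printf("address %s, zone %lu\n", addr, zone);
    return 0;
}
```

Two practical notes. Prefer the platform's own constant over a hard-coded 57: POSIX defines INET6_ADDRSTRLEN as 46 (no room for a zone ID) and the Windows SDK defines it as 65. And whatever size you pick, check the result of GetServerVariable itself: when the buffer is too small the call fails with ERROR_INSUFFICIENT_BUFFER and reports the size it needed, so the correct response is to fail the request or retry with a larger buffer, never to assume the copy succeeded.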

Both ISAPI server variables (LOCAL_ADDR and REMOTE_ADDR) use the typical IP address format for the applicable IP version (IPv4 or IPv6). For example, for an IPv6 request, both server variables use an IPv6 IP address in the colon-hexadecimal format; for an IPv4 request, both server variables use an IPv4 IP address in the dotted-decimal format. Note that the IPv6 address
