Overview of Networking in Overview of Networking in Windows VistaWindows Vista

Simon Martyn

Infrastructure Specialist

The IQ Business Group Technology Services Division

Session Objectives

• Key Takeaways:– Windows Vista and Windows Server “Longhorn”

represents the most significant update to Windows networking since the 1990s

– These innovations focus on improving security, reliability and scalability

– This will result in a better Windows experience

Session Agenda

• Introduction to the “Next Generation TCP/IP Stack”

• Drill-down: Performance and Scalability

• Drill-down: IPv6 and Collaboration

• Drill-down: Network Isolation

• Tips for getting ready for Windows Vista and Windows Server “Longhorn”

• Additional Resources

The Next Generation of TCP/IP

Motivations and Focus– Provide more efficient, scalable, high-speed, secure and

manageable networking

– Integrate new capabilities and functionality to meet customer needs

– Giving IT more control over connectivity

– Reduce cost of ownership and operations

– Improve reliability and servicing

The Next Generation of TCP/IP

Benefits to Windows administrators and users– Greater reliability for a more resilient, easy to use and

manage networking experience

– Better scalability to meet growing connectivity demands and maximize server resources in a cost-effective manner

– Fewer connectivity headaches which leads to fewer helpdesk calls

Complete Redesign of TCP/IP

Win

dow

s

Filte

ring

P

latfo

rm A

PI

IPv4

802.3

WSK

WSK Clients TDI Clients

NDIS

WLAN Loop-back

IPv4 Tunnel

IPv6 Tunnel

IPv6

RAWUDPTCP

Next Generation TCP/IP Stack (tcpip.sys)

AFD

TDX

TDI

Winsock User Mode

Kernel Mode

• Dual-IP layer architecture for native IPv4 and IPv6 support• Seamless security through expanded IPsec integration• Improved performance via hardware acceleration• Network auto-tuning and optimization algorithms• Greater extensibility and reliability through rich APIs

A Short List of New FeaturesTechnologies Security Experienc

e Scalabilit

y

IPsec XWindows Filtering Platform (WFP) X XSecure Sockets API XIPv6 XTCP Chimney XTCP-A (I/OAT) XReceive Side Scaling XReceive Window Auto-Tuning X XCompound-TCP (CTCP) – Congestion Control X XWireless Reliability XBlack-Hole Router Detection (BHRD) XDead Gateway Detection XNetwork Diagnostics / Extended TCP Statistics XPolicy-based Quality of Service (eQoS) X X

Drill-down: Performance

The Challenge– Transfer large amount of data over the WAN quickly

Common Scenarios– Limited by Windows TCP/IP system-wide settings:

• TCP Receive Window Size on high-latency links• Packet loss results in congestion control “slow down”

– Network bandwidth is not used efficiently • For example: >5mbps on 100ms latent network

The Solution

– Automatically tune each network connection based on its specific conditions (e.g. latency, available bandwidth,

congestion, connection type)

Drill-down: Performance

Optimized performance without lossIntelligent, automated tuning of TCP receive window sizeBetter packet loss resiliency (e.g. wireless connectivity)Advanced congestion control for better throughput

Automatically adjusts for maximum efficiencyFaster network transfers, especially across WAN linksOptimized use of available network bandwidthReduced packet loss resulting in fewer retransmits

The Receive Window Limitation

North North AmericAmeric

aa

IntercontinentIntercontinentalal

FiberFiber

SatelliteSatellite

Receive Window Auto-Tuning

Application performance with Windows Vista between Redmond and Sydney

Advanced Congestion Control

TCP data transfer using Compound-TCP (green) and vanilla TCP (red) between Bay Area, CA and Tukwila, WA data centers

Microsoft.com and Auto-Tuning

• Replicating data between Tukwila andBay Area

• Default configurations• On Windows ServerTM 2003 SP1

– 100Mbps NICs, 10Mbps throughput• On Windows Vista Beta 1

– 100Mbps NICs, 80Mbps throughput– 1000Mbps NICs, 400Mbps throughput

40X40X

Drill-down: Scalability and QoS

The Challenge– Run more applications on fewer servers and ensure

mission critical applications receive the right network priority

Common Scenarios– High CPU utilization due to TCP/IP processing – Multi-processor servers not efficiently used– Limited ability to classify and manage network apps

The Solution– Enable highly scalable networking through hardware

offloading and host-based, policy-driven quality of service

Drill-down: Scalability and QoS

Centralized management of host bandwidth useNew Group Policy provides QoS markings at the hostLeverage standard DSCP settings and/or Throttle ratesRich policy targeting and support for IPsec encapsulation

Adopt hardware acceleration and offloadingReceive-side scaling optimizes multi-processor systemsArchitected to support latest TCP offload hardwareOffload hardware less expensive than new high-end PCs

Cost-effectively scale networking up and outSpecialized hardware frees CPU(s) for applicationsEase consolidation with support for multiple GbpsMore efficient use of large server resources

Finance users (Windows Vista)

-Desktop Finance-Bulk-traffic

Servers hosting ERP application (Windows Server “Longhorn”)

-Bulk-traffic Policy

-Server-Finance-Bulk-traffic

Other Desktops (Windows Vista)

Policy-based QoS Example

Policy Name: DSCPvalue:

Throttlerate:

Deployed to PCs (Organization Units):

Description:

(None) 0 None (None) Best-effort treatment

Bulk-traffic 1 None Domain-wide Applies a low-priority DSCP value

Desktop Finance Mission Critical

12 None Finance Users (user OU) Applies high-priority DSCP for Finance client traffic

Server Finance Mission Critical

20 None Servers (machine OU) Applies high-priority DSCP for Finance server traffic

Problem – Congestion over WAN• Customer-facing Finance users • Mission critical LOB application

Drill-down: IPv6

The Challenges– Support a rapidly increasing number of networking devices while

enabling new ad hoc and collaborative work styles

Common Scenarios– Public, globally routable IP addresses are scarce or costly to manage– Alternative solutions like Network Address Translation (NAT) often

prevent peer to peer computing (ex. remote administration)– Corporations and ISVs operating proxies or “in the cloud” relays to

restore end-to-end connectivity

The Solution– Next generation Internet support enables scalable IP addressing,

restores end-to-end connectivity thereby reducing costs while enabling new capabilities

Drill-down: IPv6

Enabling “seamless networking” benefits everyoneService providers: Improve management & lower costsEnd users: Apps just work on any network, anytimeEnterprises: Employees more productive w/ less cost

Full support for next generation networkingOn by default facilitates faster deployment (IPv4/IPv6)Complete management and diagnostic toolsReady for IPv6-only networking (AD, DNS, DHCP, etc.)

Enable new applications and experiencesFlexibility of direct connectivity or peer-to-peer networkingIncrease productivity while improving network hygieneNew applications in Windows (Windows Meeting Space)

Transitioning to IPv6

• Deployment happening over next 5+ years– Consumer:

• Automatic deployment using Teredo/6to4– Enterprise:

• Application driven deployment• Transition solutions (ISATAP)• Full deployments

– Service providers:• Full scale services available now

• Windows platform support available

Infrastructure Phase options

Deployment option Solution(s) *Cost Availability

Automatic transition Teredo, 6to4 $Windows XP, Vista Beta

Microsoft-hosted Teredo service

Managed transition ISATAP $ Windows Server 2003 ISATAP

Dual native IPv4, IPv6

Network update or upgrade

$$$ All production routers

IPv6-onlyNetwork upgrade plus Access to legacy IPv4 via Proxy

$$$$

Windows 2003 Server Port-proxy

*Relative cost; not based on study

Drill-down: Network Isolation using IPsec

The Challenges– Giving IT more control over network connectivity to

prevent worms & Viruses, to protect Intellectual Property and to have additional layer of defense

The Solution– Server & Domain Isolation & Network Access Protection

using IPsec provide rich capability to isolate traffic based on health state, user, active directory security groups

Server and Domain Isolation

Dynamically segment your Windows® environment into more secure and isolated logical networksbased on policy

LabsUnmanaged guests

Server IsolationServer Isolation Protect specific high-valued servers and dataProtect specific high-valued servers and data

Domain IsolationDomain IsolationProtect managed computers from unmanaged or Protect managed computers from unmanaged or rogue computers and usersrogue computers and users

NAPNAP Gets clients to healthy state, protects networkGets clients to healthy state, protects network

Policy-based Dynamic Segmentation

UntrusteUntrustedd

Unmanaged/Rogue Computer

Domain Domain IsolationIsolation

Active Directory Domain Controller

X

Server Server IsolationIsolation

Servers with Sensitive Data

Finance Computer

Managed Computer

X

Managed Computer

Trusted Resource Server

Corporate Network

Define the logical isolation boundariesDistribute policies and credentials

Managed computers can communicateBlock inbound connections from untrusted

Enable tiered-access to sensitive resources

Benefits of Server and Domain Isolation

Extend the value of existing investmentsNo additional hardware or software requiredMore value from Active Directory and Group PolicyComplements existing network security solutions

Safeguard sensitive data and intellectual propertyAuthenticated, end-to-end network communicationsScalable, tiered access to trusted networked resources Protect the confidentiality and integrity of data

Reduce the risk of network security threatsAn additional layer of defense-in-depthReduced attack surface areaIncreased manageability and integration with NAP

What’s new in VistaMajor Investments Status

Administration of Policy & managing exceptions is difficult

Scenario Optimized UI in Vista

Windows Firewall & IPsec UI fully integrated

Updated IKE to allow seamless fallback to no IPsec

Interoperability Updated IKE makes request IPsec policy work

UI & Scripting easier to exempt by IP address or certificate

Reduce the time for Microsoft Clustering & NLB failover

Longhorn server will failover at the same time as TCP/IP timeout

Extend IPsec capability to protect Client to Domain Controller

Able to protect domain join and all client to DC traffic

Extended flexibility of solution to include additional segmentation options (user & health)

Customers can now author policy that includes user groups and health credentials for NAP and support 2 credentials as part of policy

IPsec Driver & Offload GB offload cards available

New Crypto support (AES), IPv4 & IPv6 support

X XB

SecureNet

Clients, Servers,Home LANs,Trustworthy Labs(240,000)

Untrustworthy

Internet ServersBusiness PartnersExtranet(1,800)

External ExclusionsExternal Exclusions

PermittedInfrastructure

Microsoft Corporate Network

Boundary Machines (5,000)

UU11 UU22 UU33

LabsLabs75,00075,000

Pocket PCPocket PCXBoxXBox18,00018,000

MACMAC2,0002,000

DTaps(no connectivity to CorpNet)

ACL ControlledInfrastructure (500)Infrastructure (500)

DHC

P

DNS

WINS

DC

IAS

Microsoft IT Implementation

Session Summary

• Windows Vista and Windows Server “Longhorn” represents the most significant update to Windows networking since the 1990s

• Windows Vista and Windows Server “Longhorn” offers more secure, reliable and scalable networking than ever before, resulting in a better overall experience

• Windows Vista and Windows Server “Longhorn” introduces and supports new and advanced networking scenarios (e.g. IPv6)

• For maximize benefit, start planning and evaluating the “Next Generation TCP/IP” stack today

Additional Resources• “The Cable Guy” articles

http://www.microsoft.com/technet/community/columns/cableguy/cgarch.mspx

• Windows Platform Networking whitepapershttp://www.microsoft.com/networking

• Windows Vista Networking TechNet Site:http://www.microsoft.com/technet/windowsvista/network/default.mspx

• IPv6 guidance and whitepapershttp://www.microsoft.com/ipv6

• Security: Server and Domain Isolationhttp://www.microsoft.com/sdisolation

• Network Access Protection Informationhttp://www.microsoft.com/nap

Thank you to our Partners for their support of TechDays

2007