Overview of Networking in Windows Vista
Simon Martyn
Infrastructure Specialist
The IQ Business Group Technology Services Division
Session Objectives
• Key Takeaways:
– Windows Vista and Windows Server “Longhorn” represent the most significant update to Windows networking since the 1990s
– These innovations focus on improving security, reliability and scalability
– This will result in a better Windows experience
Session Agenda
• Introduction to the “Next Generation TCP/IP Stack”
• Drill-down: Performance and Scalability
• Drill-down: IPv6 and Collaboration
• Drill-down: Network Isolation
• Tips for getting ready for Windows Vista and Windows Server “Longhorn”
• Additional Resources
The Next Generation of TCP/IP
Motivations and Focus
– Provide more efficient, scalable, high-speed, secure and manageable networking
– Integrate new capabilities and functionality to meet customer needs
– Give IT more control over connectivity
– Reduce cost of ownership and operations
– Improve reliability and servicing
The Next Generation of TCP/IP
Benefits to Windows administrators and users
– Greater reliability for a more resilient, easy to use and manage networking experience
– Better scalability to meet growing connectivity demands and maximize server resources in a cost-effective manner
– Fewer connectivity headaches, which leads to fewer helpdesk calls
Complete Redesign of TCP/IP
[Architecture diagram: Next Generation TCP/IP Stack (tcpip.sys). User mode: Winsock. Kernel mode: AFD, WSK and WSK clients, TDX/TDI and TDI clients; TCP, UDP and RAW over a dual IP layer (IPv4 and IPv6, with IPv4 tunnel, IPv6 tunnel and loop-back interfaces); Windows Filtering Platform API; NDIS over 802.3 and WLAN.]
• Dual-IP layer architecture for native IPv4 and IPv6 support
• Seamless security through expanded IPsec integration
• Improved performance via hardware acceleration
• Network auto-tuning and optimization algorithms
• Greater extensibility and reliability through rich APIs
A Short List of New Features
Technologies (each marked on the slide under one or more of Security, Experience, Scalability):
– IPsec
– Windows Filtering Platform (WFP)
– Secure Sockets API
– IPv6
– TCP Chimney
– TCP-A (I/OAT)
– Receive Side Scaling
– Receive Window Auto-Tuning
– Compound-TCP (CTCP) – Congestion Control
– Wireless Reliability
– Black-Hole Router Detection (BHRD)
– Dead Gateway Detection
– Network Diagnostics / Extended TCP Statistics
– Policy-based Quality of Service (eQoS)
Drill-down: Performance
The Challenge
– Transfer large amounts of data over the WAN quickly
Common Scenarios
– Limited by Windows TCP/IP system-wide settings:
• TCP Receive Window Size on high-latency links
• Packet loss results in congestion control “slow down”
– Network bandwidth is not used efficiently
• For example: >5 Mbps on a 100 ms latency network
The Solution
– Automatically tune each network connection based on its specific conditions (e.g. latency, available bandwidth, congestion, connection type)
Drill-down: Performance
Optimized performance without loss
– Intelligent, automated tuning of TCP receive window size
– Better packet loss resiliency (e.g. wireless connectivity)
– Advanced congestion control for better throughput
Automatically adjusts for maximum efficiency
– Faster network transfers, especially across WAN links
– Optimized use of available network bandwidth
– Reduced packet loss resulting in fewer retransmits
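The receive-window ceiling behind the figures above, as an added worked example (not part of the TechDays deck): throughput of one TCP connection is bounded by window / RTT, and auto-tuning has to grow the advertised window towards the link's bandwidth-delay product. The RTT and link-rate figures in LINKS are constructed samples; only the 64 KB window at 100 ms case is the one quoted on the slide.

```python
"""Why a fixed receive window throttles WAN transfers, and what auto-tuning must reach.

Added illustration, not from the TechDays deck. A sender can have at most one
receive window of unacknowledged data in flight per round trip, so a single
connection's throughput is capped at window / RTT. Receive Window Auto-Tuning
grows the advertised window towards the link's bandwidth-delay product (BDP).
"""
import math

DEFAULT_WINDOW_BYTES = 64 * 1024   # largest window without RFC 1323 window scaling
MAX_SCALED_WINDOW_BYTES = 1 << 30  # window scale factor 14: the RFC 1323 ceiling

# Constructed sample links, named after the categories on the slide's chart.
LINKS = [
    ("North America fiber", 40, 100),   # (name, RTT in ms, link rate in Mbps)
    ("Intercontinental fiber", 150, 100),
    ("Satellite", 600, 10),
]


def max_throughput_mbps(window_bytes: int, rtt_ms: float) -> float:
    """Throughput ceiling imposed by a fixed receive window: window / RTT."""
    return window_bytes * 8 / (rtt_ms / 1000) / 1_000_000


def required_window_bytes(link_mbps: float, rtt_ms: float) -> int:
    """Bandwidth-delay product: window needed to keep the link busy, capped at the scaling limit."""
    bdp = math.ceil(link_mbps * 1_000_000 * rtt_ms / 8000)   # bits/s * s / 8 bits per byte
    return min(bdp, MAX_SCALED_WINDOW_BYTES)


def link_report(links, window_bytes=DEFAULT_WINDOW_BYTES):
    """Per link: (name, achievable Mbps with the fixed window, BDP in bytes, window_limited)."""
    rows = []
    for name, rtt_ms, link_mbps in links:
        ceiling = max_throughput_mbps(window_bytes, rtt_ms)
        rows.append((name, round(min(ceiling, link_mbps), 2),
                     required_window_bytes(link_mbps, rtt_ms), ceiling < link_mbps))
    return rows


if __name__ == "__main__":
    # The slide's case: a 64 KB window on a 100 ms path tops out near 5 Mbps.
    print(f"64 KB window at 100 ms RTT: {max_throughput_mbps(DEFAULT_WINDOW_BYTES, 100):.2f} Mbps")
    for name, mbps, bdp, limited in link_report(LINKS):
        print(f"{name:24} {mbps:8.2f} Mbps  needs {bdp:>10,} B window  window_limited={limited}")
```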
The Receive Window Limitation
[Chart: receive window limitation by link type: North America, Intercontinental, Fiber, Satellite]
Receive Window Auto-Tuning
Application performance with Windows Vista between Redmond and Sydney
Advanced Congestion Control
TCP data transfer using Compound-TCP (green) and vanilla TCP (red) between Bay Area, CA and Tukwila, WA data centers
Microsoft.com and Auto-Tuning
• Replicating data between Tukwila and Bay Area
• Default configurations
• On Windows Server 2003 SP1
– 100Mbps NICs, 10Mbps throughput
• On Windows Vista Beta 1
– 100Mbps NICs, 80Mbps throughput
– 1000Mbps NICs, 400Mbps throughput
40X
Drill-down: Scalability and QoS
The Challenge
– Run more applications on fewer servers and ensure mission critical applications receive the right network priority
Common Scenarios
– High CPU utilization due to TCP/IP processing
– Multi-processor servers not efficiently used
– Limited ability to classify and manage network apps
The Solution
– Enable highly scalable networking through hardware offloading and host-based, policy-driven quality of service
Drill-down: Scalability and QoS
Centralized management of host bandwidth use
– New Group Policy provides QoS markings at the host
– Leverage standard DSCP settings and/or throttle rates
– Rich policy targeting and support for IPsec encapsulation
Adopt hardware acceleration and offloading
– Receive-side scaling optimizes multi-processor systems
– Architected to support latest TCP offload hardware
– Offload hardware less expensive than new high-end PCs
Cost-effectively scale networking up and out
– Specialized hardware frees CPU(s) for applications
– Ease consolidation with support for multiple Gbps
– More efficient use of large server resources
Policy-based QoS Example
Problem – Congestion over WAN
• Customer-facing Finance users
• Mission critical LOB application
[Diagram: Finance users (Windows Vista) with the Desktop Finance and Bulk-traffic policies; Servers hosting ERP application (Windows Server “Longhorn”) with the Server Finance and Bulk-traffic policies; Other Desktops (Windows Vista) with the Bulk-traffic policy]
Policy Name | DSCP value | Throttle rate | Deployed to PCs (Organizational Units) | Description
(None) | 0 | None | (None) | Best-effort treatment
Bulk-traffic | 1 | None | Domain-wide | Applies a low-priority DSCP value
Desktop Finance Mission Critical | 12 | None | Finance Users (user OU) | Applies high-priority DSCP for Finance client traffic
Server Finance Mission Critical | 20 | None | Servers (machine OU) | Applies high-priority DSCP for Finance server traffic
Drill-down: IPv6
The Challenges
– Support a rapidly increasing number of networking devices while enabling new ad hoc and collaborative work styles
Common Scenarios
– Public, globally routable IP addresses are scarce or costly to manage
– Alternative solutions like Network Address Translation (NAT) often prevent peer-to-peer computing (e.g. remote administration)
– Corporations and ISVs operating proxies or “in the cloud” relays to restore end-to-end connectivity
The Solution
– Next generation Internet support enables scalable IP addressing and restores end-to-end connectivity, thereby reducing costs while enabling new capabilities
Drill-down: IPv6
Enabling “seamless networking” benefits everyone
– Service providers: Improve management & lower costs
– End users: Apps just work on any network, anytime
– Enterprises: Employees more productive w/ less cost
Full support for next generation networking
– On by default facilitates faster deployment (IPv4/IPv6)
– Complete management and diagnostic tools
– Ready for IPv6-only networking (AD, DNS, DHCP, etc.)
Enable new applications and experiences
– Flexibility of direct connectivity or peer-to-peer networking
– Increase productivity while improving network hygiene
– New applications in Windows (Windows Meeting Space)
Transitioning to IPv6
• Deployment happening over next 5+ years
– Consumer:
• Automatic deployment using Teredo/6to4
– Enterprise:
• Application driven deployment
• Transition solutions (ISATAP)
• Full deployments
– Service providers:
• Full scale services available now
• Windows platform support available
Infrastructure Phase options
Deployment option | Solution(s) | *Cost | Availability
Automatic transition | Teredo, 6to4 | $ | Windows XP, Vista Beta; Microsoft-hosted Teredo service
Managed transition | ISATAP | $ | Windows Server 2003 ISATAP
Dual native IPv4, IPv6 | Network update or upgrade | $$$ | All production routers
IPv6-only | Network upgrade plus access to legacy IPv4 via proxy | $$$$ | Windows 2003 Server Port-proxy
*Relative cost; not based on study
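The three transition mechanisms in the table each embed IPv4 endpoints in the IPv6 address, which is what lets an administrator recognise tunnelled hosts in logs and recover the IPv4 behind them. The following is an added example, not code from the deck or from Microsoft: address derivation and decoding per RFC 3056 (6to4), RFC 5214 (ISATAP) and RFC 4380 (Teredo), with all sample addresses and ports constructed.

```python
"""6to4, ISATAP and Teredo address formats (added example, not from the TechDays deck)."""
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")   # RFC 3056 prefix
TEREDO = ipaddress.IPv6Network("2001::/32")   # RFC 4380 prefix


def sixto4_prefix(site_ipv4: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the site's public IPv4 address in hex."""
    v4 = int(ipaddress.IPv4Address(site_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def isatap_address(prefix: str, host_ipv4: str) -> ipaddress.IPv6Address:
    """<prefix>::0:5efe:w.x.y.z; the 'u' bit (::200:5efe:...) is set for a globally unique IPv4."""
    v4 = ipaddress.IPv4Address(host_ipv4)
    iid = ((0x0200 if v4.is_global else 0) << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(ipaddress.IPv6Network(prefix).network_address) | iid)


def decode_teredo(addr: str) -> dict:
    """Recover the Teredo server, NAT-type flag and the client's NAT-mapped UDP port and IPv4."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in TEREDO:
        raise ValueError("not a Teredo address")
    raw = int(v6)
    return {
        "server": str(ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)),
        "cone_nat": bool((raw >> 63) & 1),               # top bit of the 16-bit flags field
        "client_port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,  # port is stored bit-inverted
        "client_ipv4": str(ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)),  # as is the IPv4
    }


def transition_kind(addr: str) -> str:
    """Label an address by the mechanism its format reveals: 6to4, Teredo, ISATAP or native."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 in SIXTO4:
        return "6to4"
    if v6 in TEREDO:
        return "Teredo"
    if ((int(v6) >> 32) & 0xFDFFFFFF) == 0x00005EFE:  # interface ID begins 0:5efe or 200:5efe
        return "ISATAP"
    return "native"


if __name__ == "__main__":
    print(sixto4_prefix("192.0.2.1"))                          # 2002:c000:201::/48
    print(isatap_address("2001:db8:1:2::/64", "10.0.0.1"))     # 2001:db8:1:2:0:5efe:a00:1
    print(decode_teredo("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
```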
Drill-down: Network Isolation using IPsec
The Challenges
– Giving IT more control over network connectivity to prevent worms & viruses, to protect intellectual property and to have an additional layer of defense
The Solution
– Server & Domain Isolation & Network Access Protection using IPsec provide rich capability to isolate traffic based on health state, user and Active Directory security groups
Server and Domain Isolation
Dynamically segment your Windows® environment into more secure and isolated logical networks based on policy
[Diagram: Labs; Unmanaged guests]
Server Isolation: Protect specific high-valued servers and data
Domain Isolation: Protect managed computers from unmanaged or rogue computers and users
NAP: Gets clients to healthy state, protects network
Policy-based Dynamic Segmentation
[Diagram: Corporate Network with Domain Isolation and Server Isolation boundaries. Inside: Active Directory Domain Controller, Trusted Resource Server, Managed Computers and a Finance Computer; Servers with Sensitive Data sit inside the Server Isolation boundary. An Untrusted, Unmanaged/Rogue Computer sits outside; X marks denote blocked connections.]
Define the logical isolation boundaries
Distribute policies and credentials
Managed computers can communicate
Block inbound connections from untrusted
Enable tiered access to sensitive resources
Benefits of Server and Domain Isolation
Extend the value of existing investments
– No additional hardware or software required
– More value from Active Directory and Group Policy
– Complements existing network security solutions
Safeguard sensitive data and intellectual property
– Authenticated, end-to-end network communications
– Scalable, tiered access to trusted networked resources
– Protect the confidentiality and integrity of data
Reduce the risk of network security threats
– An additional layer of defense-in-depth
– Reduced attack surface area
– Increased manageability and integration with NAP
What’s new in Vista
Major Investments | Status
Administration of Policy & managing exceptions is difficult | Scenario Optimized UI in Vista; Windows Firewall & IPsec UI fully integrated; Updated IKE to allow seamless fallback to no IPsec
Interoperability | Updated IKE makes request IPsec policy work; UI & Scripting easier to exempt by IP address or certificate
Reduce the time for Microsoft Clustering & NLB failover | Longhorn server will failover at the same time as TCP/IP timeout
Extend IPsec capability to protect Client to Domain Controller | Able to protect domain join and all client to DC traffic
Extended flexibility of solution to include additional segmentation options (user & health) | Customers can now author policy that includes user groups and health credentials for NAP and support 2 credentials as part of policy
IPsec Driver & Offload | GB offload cards available; New Crypto support (AES), IPv4 & IPv6 support
Microsoft IT Implementation
[Diagram: Microsoft Corporate Network. SecureNet: Clients, Servers, Home LANs, Trustworthy Labs (240,000). Boundary Machines (5,000). ACL Controlled Infrastructure (500): DHCP, DNS, WINS, DC, IAS. Permitted Infrastructure. Untrustworthy: Internet Servers, Business Partners, Extranet (1,800); External Exclusions. Labs (75,000); Pocket PC, XBox (18,000); MAC (2,000); DTaps (no connectivity to CorpNet).]
Session Summary
• Windows Vista and Windows Server “Longhorn” represent the most significant update to Windows networking since the 1990s
• Windows Vista and Windows Server “Longhorn” offer more secure, reliable and scalable networking than ever before, resulting in a better overall experience
• Windows Vista and Windows Server “Longhorn” introduce and support new and advanced networking scenarios (e.g. IPv6)
• For maximum benefit, start planning and evaluating the “Next Generation TCP/IP” stack today
Additional Resources
• “The Cable Guy” articles: http://www.microsoft.com/technet/community/columns/cableguy/cgarch.mspx
• Windows Platform Networking whitepapers: http://www.microsoft.com/networking
• Windows Vista Networking TechNet Site: http://www.microsoft.com/technet/windowsvista/network/default.mspx
• IPv6 guidance and whitepapers: http://www.microsoft.com/ipv6
• Security: Server and Domain Isolation: http://www.microsoft.com/sdisolation
• Network Access Protection Information: http://www.microsoft.com/nap
Thank you to our Partners for their support of TechDays 2007