Windows Server 2008 R2 Overview Part 2 Technical.

Date post: 28-Mar-2015
Upload: giselle-saltmarsh
Transcript
Page 1: Windows Server 2008 R2 Overview Part 2 Technical.

Windows Server 2008 R2 Overview Part 2 Technical

Page 2: Windows Server 2008 R2 Overview Part 2 Technical.

2

Doug Spindler’s Background

24 years in IT as a Technology Consultant
MCT, MCITP, MCTS

President of Pacific IT Professionals
A professional association for IT Professionals
Join today at www.pacitpros.org

Technology Instructor
Author
Speaker
Lecturer
IT Pro Hero

Page 3: Windows Server 2008 R2 Overview Part 2 Technical.

3

Why IT Pros will want to deploy Win 7 and Server 2008R2 NOW!

No, I do not work for Microsoft.

This is NOT a marketing presentation.

Page 4: Windows Server 2008 R2 Overview Part 2 Technical.

4

Customer top security concerns

Security

Network Performance

Reliability

Ease of use for users

Page 5: Windows Server 2008 R2 Overview Part 2 Technical.

5

IT Pro “got to” haves

Bitlocker – whole drive encryption
User Access Control (UAC)
Secure Socket Tunneling Protocol
Terminal Services RemoteApp
Application virtualization - SoftGrid
Granular password policy
Re-startable AD without a reboot

Page 6: Windows Server 2008 R2 Overview Part 2 Technical.

6

Enhancements to Network Security Network Level

Network Access Protection
Server Isolation
Domain Isolation
GPO managed

Quality of Service - QoS
Host based firewall
Firewall and IPSEC integration

Page 7: Windows Server 2008 R2 Overview Part 2 Technical.

7

NAP
Protects network & gets clients up to date

[Diagram labels: Labs, Unmanaged guests]

Page 8: Windows Server 2008 R2 Overview Part 2 Technical.

8

Server Isolation
Isolates high-valued servers and data from the rest of the network.

[Diagram labels: Labs, Unmanaged guests]

Page 9: Windows Server 2008 R2 Overview Part 2 Technical.

9

Domain Isolation
Isolates high-valued servers and clients from the rest of the network.

[Diagram labels: Labs, Unmanaged guests]

Page 10: Windows Server 2008 R2 Overview Part 2 Technical.

10

‘Policy-based’ QoS Enables Management of Hosts’ Bandwidth

[Figure: BEFORE: BE queue. AFTER: High, BE and Low queues.]

Page 11: Windows Server 2008 R2 Overview Part 2 Technical.

11

Enhancements to Network Security Operating system

New network stack – New code
Impervious to existing attacks
New attack code is required

Windows Firewall with Advanced Security – Protects hosts

Page 12: Windows Server 2008 R2 Overview Part 2 Technical.

12

Conclusion

New code in the network stack =

Your Network is more secure

Page 13: Windows Server 2008 R2 Overview Part 2 Technical.

13

Windows history

Network stack used in XP and Server 2003 (and prior) was written for Windows 95

Pentium I – 100MHz
10 Mb/sec network
Modems

Only minor enhancements and fixes since
Stack is inefficient – Lots of latency

Code (by today’s standards) is inefficient

Page 14: Windows Server 2008 R2 Overview Part 2 Technical.

14

Network Performance Enhancements

TCP Chimney
TCP-A (I/OAT)
Receive Window Auto-Tuning
SMB2 Protocol
Receive side scaling (RSS)
Compound TCP – cTCP Congestion Control
Policy-based Quality of Service (QoS)
Black-Hole Router detection (BHRD)
Dead Gateway Detection

Page 15: Windows Server 2008 R2 Overview Part 2 Technical.

15

Network Performance Enhancements

TCP Chimney

TCP-A (I/OAT) Intel

Ideal for iSCSI implementations

Page 16: Windows Server 2008 R2 Overview Part 2 Technical.

16

Network Performance Enhancements
Receive Window Auto-Tuning

Dynamic allocated packet receive buffer
More in flight data – up to 16MB
If too much data, use QoS.

Max 16MB window @ 100ms ~ 1.34Gbps

Page 17: Windows Server 2008 R2 Overview Part 2 Technical.

17

Win 7 Performance – Auto Tuning

Testing between Windows 2K3 server to Win 7 client
Average latency is 180 ms round trip

Applications tested - TTCP, FTP, Xcopy
TTCP - 3259 KB/sec (26.07 Mbps*) 869% increase
FTP - 633 KB/sec (5.06 Mbps) 85% increase
Xcopy - 604 KB/sec (4.83 Mbps) 109% increase

Page 18: Windows Server 2008 R2 Overview Part 2 Technical.

18

Network Performance Enhancements
Receive Window Auto-Tuning

Server Client

The application layer passes a block of data down to the Transport Layer (TCP). The transport layer then sends the data to the client.

Transport layer breaks the data up into blocks equal to the maximum segment size (MSS) for the link. For Ethernet this is 1460 bytes.

Data

Page 19: Windows Server 2008 R2 Overview Part 2 Technical.

19

Network Performance Enhancements
Receive Window Auto-Tuning

Let’s assume the advertised Window Size of the Client is 8760 bytes and the MSS is 1460 bytes.

Outstanding Packets = Window Size / MSS
Outstanding Packets = 8760 / 1460
Outstanding Packets = 6

The sender (Server in this case) can only have 6 outstanding packets on the network at one time. It must stop sending until it receives an acknowledgement for some or all of the packets before sending more.

Page 20: Windows Server 2008 R2 Overview Part 2 Technical.

20

Server Client

Once the transport layer has sent the 6th packet, it must stop until it receives an acknowledgement for one or more of the transmitted packets.

Data

1 2 3 4 5 6

Network Performance Enhancements
Receive Window Auto-Tuning

Page 21: Windows Server 2008 R2 Overview Part 2 Technical.

21

Server Client

The client receives packets 1 and 2. Once it receives packet number 2 it sends an Acknowledgement back to the server indicating that it successfully received the packets.

Data

3 4 5 6

Acknowledge 1 and 2

Network Performance Enhancements
Receive Window Auto-Tuning

Page 22: Windows Server 2008 R2 Overview Part 2 Technical.

22

Cost of the delays in XP and Server 2003?

The only way to get Gig out of Gig is to maintain a gig sending rate, which is a 1.21 microsecond gap between packets.
Any delays in sending decrease throughput (“dead air”).

Page 23: Windows Server 2008 R2 Overview Part 2 Technical.

23

The cost of a delay

195 microseconds: 195/1.21 = 160 packets.
180 microseconds: 180/1.21 = 150 packets.

160,000 packets = 242,880,000 Bytes or 240 MB

Page 24: Windows Server 2008 R2 Overview Part 2 Technical.

24

What is the right Window Size?
Receive Window Auto-Tuning

TCP Window Size = Bandwidth * Roundtrip Delay

In previous versions of Windows the buffer size was fixed

Page 25: Windows Server 2008 R2 Overview Part 2 Technical.

25

Server Client

Data

3 4 5 6 7 8

Win 7 and Server 2008R2 Advantage – More data, less “dead air”

9 10 11 12

Network Performance Enhancements
Receive Window Auto-Tuning

Page 26: Windows Server 2008 R2 Overview Part 2 Technical.

26

Network Performance Enhancements
Receive Window Auto-Tuning

[Chart legend: Green – Win 7, Orange – XP]

Win 7-Server 2008R2 advantage, more initial in-flight data

Page 27: Windows Server 2008 R2 Overview Part 2 Technical.

27

Network Performance Enhancements
Receive Window Auto-Tuning

[Chart legend: Green – Win 7, Orange – XP]

XP & Server 2003
Less in-flight data, resulting in less throughput.

Win 7 & Server 2008R2 advantage,
More efficient use of the network.

Page 28: Windows Server 2008 R2 Overview Part 2 Technical.

28

Network Performance Enhancements
SMB2 Protocol

Combined control messages
More efficient use of the network

SMB 2 only available
Server 2008R2 – Server 2008R2
Server 2008R2 – Win 7
Win 7 – Win 7

No error correction in SMB

Page 29: Windows Server 2008 R2 Overview Part 2 Technical.

29

Network Performance Enhancements

Receive side scaling (RSS)

Allows packet receive-processing to scale with the number of available computer processors.

Page 30: Windows Server 2008 R2 Overview Part 2 Technical.

30

Network Performance Enhancements

Compound TCP – cTCP Congestion Control

[Chart: CTCP and NewReno under congestion]

Faster recovery
Less time to transfer data

In this example 80 minutes

Page 31: Windows Server 2008 R2 Overview Part 2 Technical.

31

What do all of these things give you?

TCP Chimney
TCP-A (I/OAT)
Receive side scaling (RSS)
Receive Window Auto-Tuning
Compound TCP – cTCP Congestion Control
Policy-based Quality of Service (QoS)
Black-Hole Router detection (BHRD)
Dead Gateway Detection

The Win 7 – Server 2008R2 advantage

Faster transfer of data

Page 32: Windows Server 2008 R2 Overview Part 2 Technical.

32

Page 33: Windows Server 2008 R2 Overview Part 2 Technical.

33

Blast some data through

Page 34: Windows Server 2008 R2 Overview Part 2 Technical.

34

Page 35: Windows Server 2008 R2 Overview Part 2 Technical.

35

Myth

A Microsoft 2000, XP, Server 2000, 2003 host on a gigabit network will transfer data at gigabit speed.

Page 36: Windows Server 2008 R2 Overview Part 2 Technical.

36

Conclusion

New network stack = Dramatic improvements in network performance

Win 7 – Server 2008R2 advantage

Faster data transfers with less CPU utilization.

Page 37: Windows Server 2008 R2 Overview Part 2 Technical.

37

Page 38: Windows Server 2008 R2 Overview Part 2 Technical.

38

History of Internet Protocols

Network Control Protocol (NCP)
First protocol used on the Internet

IPv4
Second generation protocol
NCP and IPv4 were run concurrently
Flag day January 1, 1983

IPv6
Interplanetary Protocol

Page 39: Windows Server 2008 R2 Overview Part 2 Technical.

39

IPv6 Myths

IPv6 is experimental

No one is using IPv6 in production

My network won’t run IPv6

Microsoft is making a big mistake with IPv6

IPv6 is less secure than IPv4

IPv6 causes Win 7 to run slower

Page 40: Windows Server 2008 R2 Overview Part 2 Technical.

40

FACTS

We are running out of IPv4 addresses
IPv6 is the preferred protocol in Win 7 and Server 2008R2 and cannot be removed
You have been assigned an IPv6 address (publicly assigned)

It can be used today

Linux and Apple already support IPv6
Microsoft’s implementation of IPv6 is feature rich (compared to Apple and Linux)

Page 41: Windows Server 2008 R2 Overview Part 2 Technical.

41

Available IPv4 address by year

Grey – available IP address

Orange – Allocated IPv4

Page 42: Windows Server 2008 R2 Overview Part 2 Technical.

42

IPv6 is 2^128 addresses

340,282,366,920,938,000,000,000,000,000,000,000,000 addresses

Are you ready to

Page 43: Windows Server 2008 R2 Overview Part 2 Technical.

43

IPv6 is 2^128 addresses

340,282,366,920,938,000,000,000,000,000,000,000,000 addresses

IP on everything

Page 44: Windows Server 2008 R2 Overview Part 2 Technical.

44

How big is 2^128 or 340,282,366,920,938,000,000,000,000,000,000,000,000?

If the IPv4 address space is the size of one atomic nucleus, the IPv6 address space would require a month of light-speed travel to reach.

Thanks to Sean Siler at Microsoft for this clever way to explain just how large the address space is.

Page 45: Windows Server 2008 R2 Overview Part 2 Technical.

45

Think Global…
Microsoft was brilliant for implementing IPv6

Thanks to Microsoft for doing this
IPv6 in Win 7 and Server 2008R2

IPv6 addressing and routing is easier
No need for NAT
Most applications just work
Microsoft has made a commitment to IPv6

New MS software will support IPv6

Page 46: Windows Server 2008 R2 Overview Part 2 Technical.

46

New network stack design in Server 2008R2 and Win 7

[Diagram labels: User Mode: Winsock. Kernel Mode: AFD, TDI, TDX, TDI Clients, WSK, WSK Clients. Win 7 and Server 2008R2 tcpip.sys: TCP, UDP, RAW, IPv4, IPv6, Inspection API. NDIS. 802.3, WLAN, 1394, Loop-back, IPv4 Tunnel, IPv6 Tunnel.]

Page 47: Windows Server 2008 R2 Overview Part 2 Technical.

47

IPv6 can not be removed from tcpip.sys

[Diagram labels: Win 7 and Server 2008R2 tcpip.sys: TCP, UDP, RAW, IPv4, IPv6. 802.3, WLAN, 1394, Loop-back, IPv4 Tunnel, IPv6 Tunnel.]

Page 48: Windows Server 2008 R2 Overview Part 2 Technical.

48

Win 7 and Server 2008R2

Page 49: Windows Server 2008 R2 Overview Part 2 Technical.

49

Market forces pushing IPv6 adoption

Mobile Internet Services - Internet Multimedia Services (IMS)

Next gen cell phones
IPTV
Cable companies

End to end security requirements
Auto configuration for home and mobile devices
Foreign countries
2008 Olympics

Page 50: Windows Server 2008 R2 Overview Part 2 Technical.

50

IPv4 had no security, IPSec and L2TP were “bolt-ons”

[Diagram: two OSI layer stacks (Physical, Data Link, Network, Transport, Session, Presentation, App); the second repeats the Network and Transport layers, labelled IPSec VPN and L2TP VPN]

Page 51: Windows Server 2008 R2 Overview Part 2 Technical.

51

In IPv6 IPSEC is “built” in

[Diagram: one OSI layer stack: Physical, Data Link, Network, Transport, Session, Presentation, App]

Page 52: Windows Server 2008 R2 Overview Part 2 Technical.

52

Why IPv6?

Security
IPv4 security was an add-in
IPv6 has IPSEC integrated

Any IPv6 communication can automatically do authentication, message integrity and encryption or any combination of those

Easier – saves time

Page 53: Windows Server 2008 R2 Overview Part 2 Technical.

53

Saves time No network

In IPv6 the following settings are optional:
Subnet masks (no need for a subnet calculator)
Default Gateways
DNS Servers
DHCP Servers
Private IP address
Routing table

IPv6 is easier to configure – saves time

Page 54: Windows Server 2008 R2 Overview Part 2 Technical.

54

Unicast IPv6 Addresses
Hosts will have multiple addresses

Global addresses (Public IPv4)
Link-local addresses (192.168.1.1)
Unique local addresses (10.10.1.1)
Special addresses
Compatibility addresses

Page 55: Windows Server 2008 R2 Overview Part 2 Technical.

55

Win 7 and Server 2008R2 New Protocols

Native IPv6 – Preferred
6to4
ISATAP – Intrasite automatic tunneling address protocol
Teredo

Page 56: Windows Server 2008 R2 Overview Part 2 Technical.

56

Win 7 - ipconfig /all

Teredo

ISATAP

Native IPv6

Page 57: Windows Server 2008 R2 Overview Part 2 Technical.

57

Windows Win 7 and Server 2008R2 Native IPv6 Global address

Native IPv6:
Native IPv6 addresses start with the prefix 2000::/3 (Subject to change)

A native IPv6 address looks like:
2001:0470:1F00:FFFF:0000:0000:0000:0FF3 /127
| prefix | host | subnet |

Page 58: Windows Server 2008 R2 Overview Part 2 Technical.

58

Windows Win 7 and Server 2008R2 6to4

It is a standard: IETF RFC 3056

6to4 is a tunneling technology

Allows communication across the IPv4 Internet by tunneling IPv6 inside IPv4 packets to get to the IPv6 Internet through gateways

Page 59: Windows Server 2008 R2 Overview Part 2 Technical.

59

Windows Win 7 and Server 2008R2 6to4

IPv4 address: 207.213.246.1 is represented as cfd5:f601 (convert decimal to hex)
Its 6to4 address is:
2002:cfd5:f601:0000:0000:0000:cfd5:f601
|pref|IPv4| :: | IPv4|
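The mapping above as an added example, not part of the original slides: Python's standard ipaddress module builds the slide's 6to4 address and recovers the IPv4 address embedded in 6to4, Teredo and ISATAP addresses, which helps when attributing tunneled IPv6 sources in logs. The function names and the Teredo and ISATAP sample addresses are assumptions for illustration; their formats come from RFC 4380 and RFC 5214, not from the slides.

```python
import ipaddress

def to_6to4(ipv4: str) -> ipaddress.IPv6Address:
    """Build the 6to4 address in the slide's layout: 2002:<IPv4>::<IPv4>."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80) | v4)

def classify(addr: str):
    """Return (kind, embedded IPv4 address or None) for one IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    if ip.sixtofour is not None:                 # 2002::/16, IPv4 in bits 16..47
        return "6to4", str(ip.sixtofour)
    if ip.teredo is not None:                    # 2001:0000::/32 (RFC 4380)
        _server, client = ip.teredo              # client IPv4 is stored bit-inverted
        return "teredo", str(client)
    iid = int(ip) & 0xFFFFFFFFFFFFFFFF           # low 64 bits: interface identifier
    if (iid >> 32) in (0x00005EFE, 0x02005EFE):  # ISATAP marker, then the IPv4 address
        return "isatap", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    if ip in ipaddress.ip_network("2000::/3"):   # the slides' native global prefix
        return "native-global", None
    return "other", None

# Addresses from the slides plus sample Teredo and ISATAP addresses (assumptions).
SAMPLES = [
    "2002:cfd5:f601:0000:0000:0000:cfd5:f601",   # slide: 6to4 for 207.213.246.1
    "2001:0470:1F00:FFFF:0000:0000:0000:0FF3",   # slide: native IPv6
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",      # sample Teredo address
    "fe80::5efe:192.0.2.45",                     # sample ISATAP address
]

def report(addresses):
    """Classify a list of addresses, e.g. source addresses pulled from a log."""
    return [(a, *classify(a)) for a in addresses]

if __name__ == "__main__":
    for addr, kind, v4 in report(SAMPLES):
        print(f"{kind:14} {v4 or '-':16} {addr}")
```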

Page 60: Windows Server 2008 R2 Overview Part 2 Technical.

60

Windows Win 7 and Server 2008R2 ISATAP

It is a standard: IETF RFC 4214

Intrasite Automatic Tunnel Addressing Protocol

ISATAP is a tunneling technology

Allows communication across an IPv4 intranet by tunneling IPv6 inside IPv4 packets

Page 61: Windows Server 2008 R2 Overview Part 2 Technical.

61

Windows Win 7 and Server 2008R2 ISATAP and 6to4 packet encapsulation

Encapsulation for ISATAP and 6to4 packets

IPv6 Packet (Min MTU 1280): IPv6 Header | Extension Headers | Upper Layer Protocol Data Unit

IPv4 Packet (Max Ethernet MTU 1500): IPv4 Header | IPv6 Header | Extension Headers | Upper Layer Protocol Data Unit

IPv4 header Protocol field is set to 41 for ISATAP and 6to4 tunnels

Page 62: Windows Server 2008 R2 Overview Part 2 Technical.

62

Windows Win 7 and Server 2008R2 Teredo

Teredo provides IPv4 NAT traversal capabilities by tunneling IPv6 inside of IPv4 using UDP

Teredo provides IPv6 connectivity when behind an Internet IPv4 NAT device

Is designed to be a universal method for NAT traversal for most types of NAT use

Page 63: Windows Server 2008 R2 Overview Part 2 Technical.

63

Something to think about….

With Teredo, can border firewalls offer the protection needed for today’s networks?

Or do they offer a false sense of security?

What about IPv6 botnets?

Page 64: Windows Server 2008 R2 Overview Part 2 Technical.

64

Windows Win 7 and Server 2008R2 Preferred order of communication

Native IPv6 – Preferred
6to4
ISATAP – Intrasite automatic tunneling address protocol
Teredo
IPv4 …. last resort

Page 65: Windows Server 2008 R2 Overview Part 2 Technical.

65

Does all this work?
Yes! I've been running it for 4 years

Native IPv6, 6to4, ISATAP, Teredo, IPv4

Global IPv6 address

Page 66: Windows Server 2008 R2 Overview Part 2 Technical.

66

Watching for IPv6 traffic on your network
Use a packet analyzer – NetMon or Wireshark
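What such a check looks like in code, as an added example that is not part of the original slides: it labels raw IPv4 packets that carry IPv6 either as protocol 41 (ISATAP and 6to4, per the encapsulation slide) or inside UDP (Teredo). The function names and sample packets are constructed for illustration, and UDP port 3544 is the Teredo server port from RFC 4380, which the slides do not state.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # slide: ISATAP and 6to4 set the IPv4 Protocol field to 41
PROTO_UDP = 17
TEREDO_PORT = 3544       # Teredo server port per RFC 4380; not stated on the slides

def looks_like_ipv6(data: bytes) -> bool:
    """True if data is one whole IPv6 packet: version 6 and a consistent length."""
    if len(data) < 40 or data[0] >> 4 != 6:
        return False
    return struct.unpack("!H", data[4:6])[0] + 40 == len(data)

def classify_ipv4_packet(pkt: bytes) -> str:
    """Return 'proto41', 'teredo', 'plain' or 'malformed' for a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "malformed"
    ihl = (pkt[0] & 0x0F) * 4  # header length in bytes; IPv4 options make it > 20
    if ihl < 20 or len(pkt) < ihl:
        return "malformed"
    proto, payload = pkt[9], pkt[ihl:]
    if proto == PROTO_IPV6_IN_IPV4:
        return "proto41" if looks_like_ipv6(payload) else "malformed"
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        # Port match finds server traffic; payload check finds peers on other ports.
        if TEREDO_PORT in (sport, dport) or looks_like_ipv6(payload[8:]):
            return "teredo"
    return "plain"

# Constructed sample packets (documentation addresses, zero checksums), not captures.
def ipv6_packet(payload: bytes = b"ping") -> bytes:
    addrs = b"".join(ipaddress.ip_address(a).packed for a in ("2001:db8::1", "2001:db8::2"))
    return struct.pack("!IHBB", 6 << 28, len(payload), 59, 64) + addrs + payload

def ipv4_packet(proto: int, payload: bytes, options: bytes = b"") -> bytes:
    ihl_words = 5 + len(options) // 4
    total = ihl_words * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0, 0, 64,
                      proto, 0, ipaddress.ip_address("192.0.2.10").packed,
                      ipaddress.ip_address("198.51.100.20").packed)
    return hdr + options + payload

def udp_datagram(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SAMPLES = {
    "proto 41 tunnel": ipv4_packet(41, ipv6_packet()),
    "proto 41 behind IPv4 options": ipv4_packet(41, ipv6_packet(), b"\x01" * 4),
    "UDP to port 3544": ipv4_packet(17, udp_datagram(51000, 3544, b"\x00\x01")),
    "IPv6 in UDP, other ports": ipv4_packet(17, udp_datagram(51000, 52000, ipv6_packet())),
    "DNS query": ipv4_packet(17, udp_datagram(51000, 53, b"\x12\x34\x01\x00")),
    "truncated": ipv4_packet(41, ipv6_packet())[:12],
}

def scan(samples: dict) -> dict:
    """Classify every sample; anything not 'plain' bypasses IPv4-only inspection."""
    return {name: classify_ipv4_packet(pkt) for name, pkt in samples.items()}
```

The payload heuristic can mislabel an unrelated UDP datagram that happens to start with a valid-looking IPv6 header, so treat a "teredo" result on a non-3544 port as a lead to confirm in the analyzer.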

Page 67: Windows Server 2008 R2 Overview Part 2 Technical.

67

Router Vendors Support for IPv6

Native IPv6:
IPv6 native routing protocols
Cisco, Juniper

Most are providing software upgrades to support native IPv6 deployments on existing hardware

Cisco IOS 12.3+ mainline code has IPv6 support

Page 68: Windows Server 2008 R2 Overview Part 2 Technical.

68

If I can do it, so can Microsoft
IPv6 Infrastructure In Redmond

ISATAP available in all buildings world-wide
Native v6 connectivity in all development buildings world-wide

Page 69: Windows Server 2008 R2 Overview Part 2 Technical.

69

Impact on IT Professionals
IPv6 only hardware/software is on the way

Smart cell phones
PDAs
Web cameras
Law enforcement
Cars
MP3 players
Next generation operating systems

Win 7 – Server 2008R2 advantage

More secure, faster data transfers with less CPU processing and ready for the future, IPv6.

$ OPPORTUNITIES $

Page 70: Windows Server 2008 R2 Overview Part 2 Technical.

70

Impact on Customer Networks

Test firewalls: are they IPv6 aware?
Many allow IPv6 traffic to pass unchecked

Is this the end of border firewalls?
Teredo was designed to pass through NAT

Page 71: Windows Server 2008 R2 Overview Part 2 Technical.

71

Page 72: Windows Server 2008 R2 Overview Part 2 Technical.

72

© 2008R2 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Win 7 and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

