IPv6 Features in Windows XP SP2 (PART 2)

IPv6 Features in Windows XP SP2 (PART 2)

(2004.9.21)

Masami Nosaka
Strategic Technology Planning Group, Windows Development
Microsoft Product Development Ltd.



With SP2, application programs can be registered in the list of Windows firewall application exception list. It enables firewall to dynamically open port when the port gets listen() with TCP or bind() with UDP.
There are three ways to register applications to exceptions list.

1. Use API provided by SP2. You need to download Platform SDK (Software Development Kit) at Microsoft Web site in order to develop applications using these APIs.
   
2. Use GUI or netsh. [Windows Firewall] dialog box is used for GUI registration. netsh is a group of commands that offers various network settings with command line interface. Using netsh enables detailed network configuration with scripts.
   
3. When an application is launched and the port is listened, the OS shows a dialog box asking the user if he/she wants to register the application in the exception list. This prompts users to register it in the list.

Method 3 in the above allows easy registration of application to exception list (or refusal to do so). It also offers existing applications to register themselves in the exception list without changing source code. This method is very effective and convenient for the user.

Let's do a simple experiment. Microsoft MSDN Online Web site offers IPv6 server application sample code using WinSock.

Compile this source code and make an execution file "v6test.exe", and launch it.

Launch it with parameter "-f PF_INET6" at command line interface, and the server application starts listening on IPv6 TCP port 5001. But this port is blocked by the firewall, so a dialog box pops up asking if you would like to continue blocking the port (Figure 2).


Figure 2 Firewall asks if you want to allow it when the program attempts communication.

If you choose "Clear blocking", v6test.exe gets registered in the exception list. The process automatically pushes holes to the ports used by the sample program in the firewall.


Figure 3 Once program is registered, no warning is displayed at later application launches.

Let me tell you one trivia. Put your cursor on "Name (N)" in the dialog box shown in Figure 2, and you will see the absolute path of applications in the balloon help, as in Figure 4. If you want to make sure, you can check the path this way.


Figure 4 You can be more assured in setting by confirming absolute path to the program.

Exception registration list can be confirmed with GUI, or use netsh:

netsh firewall show allowedprogram

or

netsh firewall show state

Figure 5 lets you confirm that TCP port 5001 is opened for IPv6.


Figure 5 Firewall state confirmation with netsh.

You can go the old way and specify ports. Configuration through GUI is so easy that you can grasp it just by taking a look. Let me show you an example of configuration with netsh.

List 1 punches hole to TCP port 3333 in the firewall.

List 1 C:\> netsh firewall set portopening protocol = tcp port = 3333 name = sample OK C:\> netsh firewall show portopening STANDARD port setting: Port Protocol Mode Name ------------------------------------------------------------------- 3333 TCP Enable sample

Please be careful that the configured port 3333 is opened to both IPv4 and IPv6 networks. Unfortunately, no method is available to configure IPv4 and IPv6 ports independently. As for application development, the new Platform SDK offers interface to Windows Firewall. In fact, with ICF in SP1 or earlier, you could punch holes in IPv6 Firewall using APIs to Internet Connection Sharing (ICS). Advanced Networking Pack offered APIs to open holes to IPv6 Firewall, but that was only for IPv6. The new API set integrates the IPv6 APIs and offers more detailed configuration. Almost all you can do with netsh can be done with the APIs. For example, INetFwAuthorizedApplication interface is offered for registering applications to exception list. Teredo Support Teredo is the technology for IPv6 tunneling among hosts through one or more IPv4 NAT devices. IPv6 packets are exchanged with IPv4 UDP packet capsuling. Detailed information about Teredo itself can be found in Advanced Network Pack for Windows explained Part 1 Teredo enables more transparent IPv6 connection in IPv6style. Let me stress here that installing SP2 and enabling IPv6 prepares general users to use Teredo. We are hoping that some new interesting IPv6 applications emerge, utilizing such environment. Teredo cannot do without Teredo servers. Microsoft offers teredo.ipv6.microsoft.com as a Teredo server, but it can be changed to other Teredo servers. Currently, Microsoft provides Teredo server evaluation software. Although it's not new in SP2, Windows XP offers other tunneling technologies such as 6to4 and ISATAP. Peer-to-peer Network Component This is a tool integrated in Advanced Networking Pack, as Teredo did. IPv6 is used as transport protocol. Peer-to-peer Network Component is a platform for P2P application developers, and offers the following features: PNRP(Peer Name Resolution Protocol) Graphing Windows Peer-to-Peer network Grouping Windows Peer-to-Peer network ID management of Windows Peer-to-Peer network 3°(threedegrees) offers an example of using these technologies. This is a P2P software offering functions that expand Windows Messenger or NSN Messenger. Currently, beta software is available at http://www.threedegrees.com/. Peer-to-peer Network Component is not installed by default. Install it with Netwrok Service category in [Add or Delete Windows Components] control panel. Afterward Windows XP Service Pack 2 with Advanced Security Technologies does not offer any entirely new features nor dramatic changes with IPv6. But it is given practical improvement, making previously offered features easier to use. IPv4-like firewall will be required when IPv6 networking gets used more extensively. In this sense, SP2 is an important milestone in IPv6 support by Windows platform. Reference IPv6 Guide for Windows Sockets Applications http://msdn.microsoft.com/library/default.asp?url=/ library/en-us/winsock/winsock/ipv6_guide_for_windows_ sockets_applications_2.asp IPv6 Features in the Advanced Networking Pack for Windows XP (The Cable Guy - April 2003) http://www.microsoft.com/technet/community/ columns/cableguy/cg0403.mspx