Windows Server 2008 R2 Overview Part 2 Technical
2
Doug Spindler’s Background
24 years in IT as a Technology Consultant
MCT, MCITP, MCTS
President of Pacific IT Professionals
A professional association for IT Professionals. Join today at www.pacitpros.org
Technology Instructor, Author, Speaker, Lecturer, IT Pro Hero
3
Why IT Pros will want to deploy Win 7 and Server 2008R2 NOW!
No, I do not work for Microsoft.
This is NOT a marketing presentation.
4
Customer top security concerns
Security
Network Performance
Reliability
Ease of use for users
5
IT Pro “got to” haves
Bitlocker – whole drive encryption
User Account Control (UAC)
Secure Socket Tunneling Protocol
Terminal Services RemoteApp
Application virtualization – SoftGrid
Granular password policy
Re-startable AD without a reboot
6
Enhancements to Network Security – Network Level
Network Access Protection
Server Isolation
Domain Isolation
GPO managed
Quality of Service – QoS
Host based firewall
Firewall and IPSEC integration
7
[Diagram: Labs and Unmanaged guests outside the protected network]
NAP – Protects network & gets clients up to date
8
[Diagram: Labs and Unmanaged guests outside the isolated servers]
Server Isolation – Isolates high-valued servers and data from the rest of the network.
9
[Diagram: Labs and Unmanaged guests outside the isolated domain]
Domain Isolation – Isolates high-valued servers and clients from the rest of the network.
10
‘Policy-based’ QoS enables management of hosts’ bandwidth
[Diagram: BEFORE – a single best-effort (BE) queue; AFTER – separate High, BE and Low queues]
11
Enhancements to Network Security – Operating system
New network stack – new code
Impervious to existing attacks; new attack code is required
Windows Firewall with Advanced Security – Protects hosts
12
Conclusion
New code in the network stack =
Your Network is more secure
13
Windows history
Network stack used in XP and Server 2003 (and prior) was written for Windows 95
Pentium I – 100MHz
10 Mb/sec network
Modems
Only minor enhancements and fixes since
Stack is inefficient – lots of latency
Code (by today’s standards) is inefficient
14
Network Performance Enhancements
TCP Chimney
TCP-A (I/OAT)
Receive Window Auto-Tuning
SMB2 Protocol
Receive side scaling (RSS)
Compound TCP – cTCP Congestion Control
Policy-based Quality of Service (QoS)
Black-Hole Router detection (BHRD)
Dead Gateway Detection
15
Network Performance Enhancements
TCP Chimney
TCP-A (I/OAT) – Intel
Ideal for iSCSI implementations
16
Network Performance Enhancements – Receive Window Auto-Tuning
Dynamically allocated packet receive buffer
More in-flight data – up to 16MB
If too much data, use QoS.
Max 16MB window @ 100ms ~ 1.34Gbps
17
Win 7 Performance – Auto Tuning
Testing between a Windows 2K3 server and a Win 7 client
Average latency is 180 ms round trip
Applications tested – TTCP, FTP, Xcopy
TTCP – 3259 KB/sec (26.07 Mbps*), 869% increase
FTP – 633 KB/sec (5.06 Mbps), 85% increase
Xcopy – 604 KB/sec (4.83 Mbps), 109% increase
18
Network Performance Enhancements – Receive Window Auto-Tuning
[Diagram: Server passes Data down its stack and across to the Client]
The application layer passes a block of data down to the Transport Layer (TCP). The transport layer then sends the data to the client.
The transport layer breaks the data up into blocks equal to the maximum segment size (MSS) for the link. For Ethernet this is 1460 bytes.
19
Network Performance Enhancements – Receive Window Auto-Tuning
Let’s assume the advertised Window Size of the Client is 8760 bytes and the MSS is 1460 bytes.
Outstanding Packets = Window Size / MSS
Outstanding Packets = 8760 / 1460
Outstanding Packets = 6
The sender (the Server in this case) can only have 6 outstanding packets on the network at one time. It must stop sending until it receives an acknowledgement for some or all of the packets before sending more.
20
Network Performance Enhancements – Receive Window Auto-Tuning
[Diagram: Server → Client, packets 1–6 in flight]
Once the transport layer has sent the 6th packet, it must stop until it receives an acknowledgement for one or more of the transmitted packets.
21
Network Performance Enhancements – Receive Window Auto-Tuning
[Diagram: Server → Client, packets 3–6 in flight; Client sends “Acknowledge 1 and 2”]
The client receives packets 1 and 2. Once it receives packet number 2 it sends an Acknowledgement back to the server indicating that it successfully received the packets.
22
Cost of the delays in XP and Server 2003?
The only way to get Gig out of Gig is to maintain a gig sending rate, which is a 1.21 microsecond gap between packets. Any delay in sending decreases throughput – “dead air”.
23
The cost of a delay
195 microseconds: 195/1.21 = 160 packets.
180 microseconds: 180/1.21 = 150 packets.
160,000 packets = 242,880,000 Bytes or 240 MB
24
What is the right Window Size? – Receive Window Auto-Tuning
TCP Window Size = Bandwidth * Roundtrip Delay
In previous versions of Windows the buffer size was fixed
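A worked version of the window arithmetic on these slides, added here as an example and not part of the deck: it reproduces the 8760/1460 = 6 segment count and the 16 MB at 100 ms ceiling, then uses a simplified stop-and-wait model (one window per round trip, ignoring slow start and loss) to show how much longer a fixed window takes on the 180 ms path measured earlier. The 100 MB transfer size and the 1 Gbps link are constructed values.

```python
# Added example: receive-window arithmetic from the Auto-Tuning slides.
# Not code from the presentation; inputs are slide figures or constructed.
import math

def outstanding_segments(window_bytes: int, mss_bytes: int) -> int:
    """Segments the sender may have in flight before it must wait for an ACK."""
    return window_bytes // mss_bytes

def max_throughput_bps(window_bytes: int, rtt_s: float) -> float:
    """Ceiling when the receive window is the limiter: one window per round trip."""
    return window_bytes * 8 / rtt_s

def required_window_bytes(bandwidth_bps: float, rtt_s: float) -> int:
    """Bandwidth-delay product: TCP Window Size = Bandwidth * Roundtrip Delay."""
    return int(bandwidth_bps * rtt_s / 8)

def transfer_seconds(total_bytes: int, window_bytes: int, rtt_s: float,
                     link_bps: float) -> float:
    """Simplified model: each window is clocked onto the wire, then the sender
    idles ("dead air") until ACKs return one RTT later. Ignores slow start and
    loss, so treat it as an idealised estimate rather than a measurement."""
    serialization = window_bytes * 8 / link_bps   # time to put one window on the wire
    per_window = max(rtt_s, serialization)        # bounded by RTT or by the link
    return math.ceil(total_bytes / window_bytes) * per_window

if __name__ == "__main__":
    # Slide figures: 8760-byte window, 1460-byte MSS -> 6 segments outstanding.
    print("segments in flight:", outstanding_segments(8760, 1460))
    # 16 MB auto-tuned window at 100 ms RTT -> about 1.34 Gbps.
    print("16MB @ 100ms:", round(max_throughput_bps(16 * 2**20, 0.100) / 1e9, 2), "Gbps")
    # Window a 1 Gbps link needs at 100 ms RTT (constructed case).
    print("window for 1 Gbps @ 100ms:", required_window_bytes(1e9, 0.100), "bytes")
    # 100 MB over gigabit at the slides' 180 ms RTT: fixed vs auto-tuned window.
    fixed = transfer_seconds(100 * 2**20, 8760, 0.180, 1e9)
    tuned = transfer_seconds(100 * 2**20, 16 * 2**20, 0.180, 1e9)
    print("fixed 8760-byte window: %.1f s, 16 MB window: %.2f s" % (fixed, tuned))
```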
25
Network Performance Enhancements – Receive Window Auto-Tuning
[Diagram: Server → Client, packets 3–12 in flight]
Win 7 and Server 2008R2 Advantage – More data, less “dead air”
26
Network Performance Enhancements – Receive Window Auto-Tuning
[Chart: green – Win 7, orange – XP]
Win 7 / Server 2008R2 advantage: more initial in-flight data
27
Network Performance Enhancements – Receive Window Auto-Tuning
[Chart: green – Win 7, orange – XP]
XP & Server 2003: less in-flight data, resulting in less throughput.
Win 7 & Server 2008R2 advantage: more efficient use of the network.
28
Network Performance Enhancements – SMB2 Protocol
Combined control messages
More efficient use of the network
SMB 2 only available between:
Server 2008R2 – Server 2008R2
Server 2008R2 – Win 7
Win 7 – Win 7
No error correction in SMB
29
Network Performance Enhancements
Receive side scaling (RSS)
Allows packet receive-processing to scale with the number of available computer processors.
30
Network Performance Enhancements
Compound TCP – cTCP Congestion Control
[Chart: bytes transferred over time, CTCP vs NewReno, with a congestion event marked]
Faster recovery
Less time to transfer data
In this example 80 minutes
31
What do all of these things give you?
TCP Chimney
TCP-A (I/OAT)
Receive side scaling (RSS)
Receive Window Auto-Tuning
Compound TCP – cTCP Congestion Control
Policy-based Quality of Service (QoS)
Black-Hole Router detection (BHRD)
Dead Gateway Detection
The Win 7 – Server 2008R2 advantage: faster transfer of data
32
33
Blast some data through
34
35
Myth: A Microsoft 2000, XP, Server 2000 or 2003 host on a gigabit network will transfer data at gigabit speed.
36
Conclusion
New network stack = Dramatic improvements in network performance
Win 7 – Server 2008R2 advantage: faster data transfers with less CPU utilization.
37
38
History of Internet Protocols
Network Control Protocol (NCP)
First protocol used on the Internet
IPv4
Second generation protocol
NCP and IPv4 were run concurrently
Flag day: January 1, 1983
IPv6
Interplanetary Protocol
39
IPv6 Myths
IPv6 is experimental
No one is using IPv6 in production
My network won’t run IPv6
Microsoft is making a big mistake with IPv6
IPv6 is less secure than IPv4
IPv6 causes Win 7 to run slower
40
FACTS
We are running out of IPv4 addresses
IPv6 is the preferred protocol in Win 7 and Server 2008R2 and cannot be removed
You have been assigned an IPv6 address (publicly assigned)
It can be used today
Linux and Apple already support IPv6
Microsoft’s implementation of IPv6 is feature rich (compared to Apple and Linux)
41
Available IPv4 addresses by year
[Chart: grey – available IP addresses; orange – allocated IPv4]
42
IPv6 is 2^128 addresses
340,282,366,920,938,000,000,000,000,000,000,000,000 addresses
Are you ready to
43
IPv6 is 2^128 addresses
340,282,366,920,938,000,000,000,000,000,000,000,000 addresses
IP on everything
44
How big is 2^128, or 340,282,366,920,938,000,000,000,000,000,000,000,000?
If the IPv4 address space were the size of one atomic nucleus, the IPv6 address space would require a month of light-speed travel to reach.
Thanks to Sean Siler at Microsoft for this clever way to explain just how large the address space is.
45
Think Global… Microsoft was brilliant for implementing IPv6
Thanks to Microsoft for doing this: IPv6 in Win 7 and Server 2008R2
IPv6 addressing and routing is easier
No need for NAT
Most applications just work
Microsoft has made a commitment to IPv6
New MS software will support IPv6
46
New network stack design in Server 2008R2 and Win 7
[Diagram: User mode – Winsock, WSK clients, TDI clients; Kernel mode – AFD, WSK, TDX/TDI, Win 7 and Server 2008R2 tcpip.sys with RAW/UDP/TCP over both IPv4 and IPv6 and a common Inspection API; NDIS below with 802.3, WLAN, 1394, Loop-back, IPv4 Tunnel and IPv6 Tunnel]
47
IPv6 cannot be removed from tcpip.sys
[Diagram: Win 7 and Server 2008R2 tcpip.sys – RAW/UDP/TCP over IPv4 and IPv6; 802.3, WLAN, 1394, Loop-back, IPv4 Tunnel, IPv6 Tunnel]
48
Win 7 and Server 2008R2
49
Market forces pushing IPv6 adoption
Mobile Internet Services – Internet Multimedia Services (IMS)
Next gen cell phones
IPTV
Cable companies
End to end security requirements
Auto configuration for home and mobile devices
Foreign countries
2008 Olympics
50
IPv4 had no security; IPSec and L2TP were “bolt-ons”
[Diagram: a plain OSI stack (Physical, Data Link, Network, Transport, Session, Presentation, App) beside a VPN stack with a second Network and Transport layer inserted for the tunnel; labelled IPSec VPN and L2TP VPN]
51
In IPv6 IPSEC is “built” in
[Diagram: single OSI stack – Physical, Data Link, Network, Transport, Session, Presentation, App]
52
Why IPv6?
Security: IPv4 security was an add-in; IPv6 has IPSEC integrated
Any IPv6 communication can automatically do authentication, message integrity and encryption, or any combination of those
Easier – saves time
53
Saves time No network
In IPv6 the following settings are optional:
Subnet masks (no need for a subnet calculator)
Default Gateways
DNS Servers
DHCP Servers
Private IP address
Routing table
IPv6 is easier to configure – saves time
54
Unicast IPv6 Addresses – Hosts will have multiple addresses
Global addresses (Public IPv4)
Link-local addresses (192.168.1.1)
Unique local addresses (10.10.1.1)
Special addresses
Compatibility addresses
55
Win 7 and Server 2008R2 New Protocols
Native IPv6 – Preferred
6to4
ISATAP – Intrasite automatic tunneling address protocol
Teredo
56
Win 7 – ipconfig /all
[Screenshot: Teredo, ISATAP and Native IPv6 addresses]
57
Win 7 and Server 2008R2 Native IPv6 Global address
Native IPv6: native IPv6 addresses start with the prefix 2000::/3 (subject to change)
A native IPv6 address looks like: 2001:0470:1F00:FFFF:0000:0000:0000:0FF3 /127
| prefix | host | subnet |
58
Win 7 and Server 2008R2 6to4
It is a standard: IETF RFC 3056
6to4 is a tunneling technology
Allows communication across the IPv4 Internet by tunneling IPv6 inside IPv4 packets to get to the IPv6 Internet through gateways
59
Win 7 and Server 2008R2 6to4
IPv4 address 207.213.246.1 is represented as cfd5:f601 (convert decimal to hex)
Its 6to4 address is: 2002:cfd5:f601:0000:0000:0000:cfd5:f601
| pref | IPv4 | :: | IPv4 |
60
Win 7 and Server 2008R2 ISATAP
It is a standard: IETF RFC 4214
Intrasite Automatic Tunnel Addressing Protocol
ISATAP is a tunneling technology
Allows communication across an IPv4 intranet by tunneling IPv6 inside IPv4 packets
61
Win 7 and Server 2008R2 ISATAP and 6to4 packet encapsulation
[Diagram: IPv6 packet = IPv6 Header | Extension Headers | Upper Layer Protocol Data Unit (IPv6 packet min MTU 1280); encapsulated = IPv4 Header | IPv6 Header | Extension Headers | Upper Layer Protocol Data Unit (IPv4 packet max Ethernet MTU 1500)]
Encapsulation for ISATAP and 6to4 packets
IPv4 header Protocol field is set to 41 for ISATAP and 6to4 tunnels
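Added example (not from the presentation) of what a border device has to look at to notice this encapsulation: it parses the outer IPv4 header, flags protocol 41 carrying an IPv6 header, and flags UDP to the Teredo server port. The packets are constructed in-line; the Teredo port 3544 comes from RFC 4380 rather than the slides, and the Teredo check assumes a bare packet with no authentication or origin indication headers.

```python
# Added example (not from the presentation): spot the encapsulation shown on
# this slide in raw IPv4 packets. Packets below are constructed; no checksums.
import struct
import ipaddress

IPV6_IN_IPV4 = 41   # slide: IPv4 Protocol field used by ISATAP and 6to4 tunnels
TEREDO_PORT = 3544  # Teredo server UDP port, RFC 4380 (not stated on the slides)

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (IHL 5, TTL 64, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ipv6_header(src: str, dst: str) -> bytes:
    """40-byte IPv6 header with no payload (next header 59 = none)."""
    return struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

def tunnel_kind(packet: bytes):
    """'6in4', 'Teredo' or None. An IPv4-only filter sees just the outer header,
    so this is the minimum it must look at to notice IPv6 crossing it."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto, payload = packet[9], packet[ihl:]
    if proto == IPV6_IN_IPV4 and payload and payload[0] >> 4 == 6:
        return "6in4"
    if proto == 17 and len(payload) > 8:               # UDP: sport, dport, len, csum
        sport, dport = struct.unpack("!HH", payload[:4])
        # Assumes a bare Teredo packet: no authentication/origin indication headers.
        if TEREDO_PORT in (sport, dport) and payload[8] >> 4 == 6:
            return "Teredo"
    return None

def scan(packets):
    """(kind, outer src, outer dst) for each packet carrying IPv6 inside IPv4."""
    return [(tunnel_kind(p), str(ipaddress.IPv4Address(p[12:16])),
             str(ipaddress.IPv4Address(p[16:20]))) for p in packets if tunnel_kind(p)]

# Constructed samples: 6to4 to a relay, Teredo to a server, and plain TCP for contrast.
INNER = ipv6_header("2002:c000:020a::c000:020a", "2001:db8::1")
SIX_IN_FOUR = ipv4_header("192.0.2.10", "192.88.99.1", IPV6_IN_IPV4, len(INNER)) + INNER
TEREDO = (ipv4_header("192.0.2.10", "198.51.100.5", 17, 8 + len(INNER))
          + struct.pack("!HHHH", 40000, TEREDO_PORT, 8 + len(INNER), 0) + INNER)
PLAIN_TCP = ipv4_header("192.0.2.10", "198.51.100.80", 6, 20) + bytes(20)

if __name__ == "__main__":
    for kind, src, dst in scan([SIX_IN_FOUR, TEREDO, PLAIN_TCP]):
        print(f"{kind}: {src} -> {dst}")
```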
62
Win 7 and Server 2008R2 Teredo
Teredo provides IPv4 NAT traversal capabilities by tunneling IPv6 inside of IPv4 using UDP
Teredo provides IPv6 connectivity when behind an Internet IPv4 NAT device
It is designed to be a universal method for NAT traversal for most types of NAT use
63
Something to think about…
With Teredo, can border firewalls offer the protection needed for today’s networks?
Or do they offer a false sense of security?
What about IPv6 botnets?
64
Win 7 and Server 2008R2 Preferred order of communication
Native IPv6 – Preferred
6to4
ISATAP – Intrasite automatic tunneling address protocol
Teredo
IPv4 …. last resort
65
Does all this work?Yes! I've been running it for 4 years
Native IPv6, 6to4, ISATAP, Teredo, IPv4
Global IPv6 address
66
Watching for IPv6 traffic on your network – use a packet analyzer: NetMon or Wireshark
67
Router Vendors’ Support for IPv6
Native IPv6: IPv6 native routing protocols – Cisco, Juniper
Most are providing software upgrades to support native IPv6 deployments on existing hardware
Cisco IOS 12.3+ mainline code has IPv6 support
68
If I can do it, so can Microsoft – IPv6 Infrastructure in Redmond
ISATAP available in all buildings world-wide
Native v6 connectivity in all development buildings world-wide
69
Impact on IT Professionals
IPv6-only hardware/software is on the way
Smart cell phones
PDAs
Web cameras
Law enforcement
Cars
MP3 players
Next generation operating systems
Win 7 – Server 2008R2 advantage: more secure, faster data transfers with less CPU processing, and ready for the future, IPv6.
$ OPPORTUNITIES $
70
Impact on Customer Networks
Test firewalls: are they IPv6 aware? Many allow IPv6 traffic to pass unchecked
Is this the end of border firewalls? Teredo was designed to pass through NAT
71
72
© 2008R2 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Win 7 and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.