Xbox One: P2P IPv6, Teredo, and IPsec

Teredo @ Microsoft
Present and Future
[email protected]
Program Manager
Networking Core – Operating System Group
IETF 88
1
Overview
• Teredo is an IPv6 transition technology that provides IPv6 addressability and connectivity for capable hosts that are on an IPv4 network but have no native connection to an IPv6 network.
• RFC 4380, 5991, and 6081
• Microsoft has included Teredo functionality in a default configuration in Windows Vista, 7, and 8/8.1.
• We are simultaneously:
• Sunsetting Teredo service for Windows Vista and Windows 7 hosts.
• Extending Teredo support for Xbox One gaming scenarios.
Teredo – Servers and Relays
[Diagram: end user devices behind network infrastructure, a Teredo server, a Teredo relay, and the IPv6 Internet]
• Teredo relay is the gateway for Teredo clients to access the IPv6 Internet. This is unreliable.
• Teredo clients can communicate directly with one another; this generally works.
• Teredo servers configure clients (their addresses) and aid in port mapping management (bubbling).
Teredo – Two Sides of the Coin
The Bad
• Teredo as a technology to reach the IPv6 native Internet lacks operational reliability.
• Geoff Huston has considerable data on this reality.
• http://www.potaroo.net/ispcol/2011-04/teredo.html
• 40%+ effective failure rate
• Should not affect users because of RFC 3484/6724.
Teredo with relays != Reliable
The Good
• As a technology for enabling connectivity between IPv4 peers, Teredo is pretty good.
• With basic matchmaking, able to achieve connectivity between Teredo clients about 90% of the time.
• Teredo has seen successful usage in “controlled” environments such as DirectAccess (a Microsoft remote access technology).
Teredo without relays = Usable
The Teredo Service
• We don’t have very specific telemetry on Teredo usage (privacy is important).
• We do know that Teredo server load had a dramatic increase correlated with a popular BitTorrent client activating Teredo/IPv6 support.
Worldwide Teredo Server Traffic (Monthly Average - UDP Datagrams/Second)
[Chart: y-axis from 0 to 9,000,000 UDP datagrams/second; the plotted series is not recoverable from the text]
The Overall Value of Teredo
• Teredo’s value is best realized when coupled with supporting infrastructure for peer discovery, selection, and security.
• As in, the infrastructure and API support we have for Xbox One.
• Having a tunneled IPv6 address, by itself, provides little value and causes pain for developers and end-users (because of random bad app behavior).
Proposed Sunset Plan
• We plan to deactivate our Teredo servers for Windows clients in the first half of 2014 (exact date TBD).
• Aligned to that, we encourage the deactivation of publicly operated Teredo relays.
• We will maintain separate Teredo services for special-purpose scenarios that do not require public Teredo relays – like Xbox One.
• We deactivated the Teredo service earlier this year for a test (see IETF 87 presentation).
• Folks in the technical community seemed quite happy.
• There were some app compat issues that we are following up on.
Xbox One and Teredo (and IPv6)
Xbox One and Teredo
• Teredo provides an IPv6 abstraction for peers.
• Combined with IPsec, this can provide straightforward, application-transparent, secure P2P connectivity.
• Xbox One uses Teredo for this purpose.
Quickly…
Going to review Xbox One behavior
IPv6 Networks: IPsec and Transparent Operation
[Diagram: Xbox One on the home network, network infrastructure, and peers; IPsec transport mode traffic (ESP option) and IKEv2 traffic flow between Xbox One and peers]
Allow users to disable firewall capabilities (transparent operation)
Allow unsolicited inbound IPsec and IKE
Sometimes Teredo is more reliable for P2P than native IPv6
Xbox will consider the following peer pairs:
Teredo Client -> Teredo Client
IPv6 -> IPv6
IPv4 -> IPv4
NO Teredo Client -> Native
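As an added example (not code from the presentation or from Xbox One), the following Python decodes the RFC 4380 Teredo address layout and applies the peer-pair rule above: a peer is paired only with a peer of the same kind, so a Teredo client is never paired with a native IPv6 peer. The sample address and the helper names are constructed for illustration.

```python
import ipaddress

# RFC 4380 Teredo service prefix: any address under 2001::/32 is a Teredo address.
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")


def parse_teredo(addr: str) -> dict:
    """Decode the RFC 4380 Teredo address layout (helper added for this example).

    bits  0- 31  2001:0000 prefix
    bits 32- 63  IPv4 address of the Teredo server that configured the client
    bits 64- 79  flags (bit 64 is the RFC 4380 cone flag; RFC 5991 reworks the field)
    bits 80- 95  client's NAT-mapped UDP port, XORed with 0xFFFF
    bits 96-127  client's NAT-mapped IPv4 address, XORed with 0xFFFFFFFF
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    raw = ip.packed
    flags = int.from_bytes(raw[8:10], "big")
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "cone": bool(flags & 0x8000),
        "mapped_port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
        "mapped_ip": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))),
    }


def peer_kind(addr: str) -> str:
    """Classify a peer address the way the slide's pairing rule does."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4"
    return "teredo" if ip in TEREDO_PREFIX else "native-ipv6"


def pair_allowed(a: str, b: str) -> bool:
    # Slide rule: Teredo<->Teredo, IPv6<->IPv6, IPv4<->IPv4; never Teredo<->native IPv6.
    return peer_kind(a) == peer_kind(b)


if __name__ == "__main__":
    # Constructed sample: server 65.54.227.120, cone flag set, client mapped to 192.0.2.45:40000
    sample = "2001:0:4136:e378:8000:63bf:3fff:fdd2"
    print(parse_teredo(sample))
    print(pair_allowed(sample, "2001:0:4136:e378:8000:ffff:cb00:715e"))  # Teredo<->Teredo
    print(pair_allowed(sample, "2001:db8::1"))                            # Teredo<->native
```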
IPv4 Networks: Allow Teredo
Support outbound UDP with long port mapping refresh intervals (60 seconds +).
Teredo traffic will prefer port 3074 for peer traffic. Port forwarding for 3074 is helpful but not necessary (usually).
The more “open” the NAT behavior, the better.
Address-Independent > Address-Dependent > Address-and-Port Dependent > UDP Blocked
With older nomenclature:
Open > Address Restricted > Port Restricted > Symmetric > UDP Blocked
[Diagram: Xbox One on the home network, network infrastructure, and peers]
Outbound UDP for configuration and port mapping management
Inbound UDP, with reasonable refresh intervals on port mappings
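As an added example (not from the presentation), this Python classifier infers the RFC 4787 mapping behavior named on the slide from probe results and checks the two requirements the slide states: UDP is not blocked, and the mapping survives a refresh interval of 60 seconds or more. The reflector addresses, observed mappings and binding timeout are constructed sample values, not measurements.

```python
from collections import defaultdict

# Ranking from the slide, best first (lower index is better).
RANKING = ["Address-Independent", "Address-Dependent", "Address-and-Port-Dependent", "UDP Blocked"]


def classify_mapping(observations):
    """Infer RFC 4787 mapping behavior from probe replies.

    observations: [(dst_ip, dst_port, ext_ip, ext_port), ...] for packets sent
    from ONE internal socket to several reflectors, each reporting the source
    (ext_ip, ext_port) it saw.  To separate Address-Dependent from
    Address-and-Port-Dependent, the probes must hit one dst_ip on two ports.
    """
    if not observations:
        return "UDP Blocked"  # no reflector ever answered
    if len({(e_ip, e_port) for _, _, e_ip, e_port in observations}) == 1:
        return "Address-Independent"  # one external mapping reused for every destination
    per_dst_ip = defaultdict(set)
    for d_ip, _, e_ip, e_port in observations:
        per_dst_ip[d_ip].add((e_ip, e_port))
    if all(len(mappings) == 1 for mappings in per_dst_ip.values()):
        return "Address-Dependent"  # mapping changes only when the destination address changes
    return "Address-and-Port-Dependent"  # mapping changes per destination address and port


def rank(behavior):
    return RANKING.index(behavior)


def teredo_ready(observations, udp_binding_timeout_s):
    """Slide requirements: UDP not blocked and a binding that outlives a 60 s refresh."""
    behavior = classify_mapping(observations)
    return behavior != "UDP Blocked" and udp_binding_timeout_s >= 60, behavior


if __name__ == "__main__":
    # Constructed probe results: reflectors 198.51.100.10:3478/3479 and 203.0.113.20:3478
    eim = [("198.51.100.10", 3478, "192.0.2.1", 40000),
           ("198.51.100.10", 3479, "192.0.2.1", 40000),
           ("203.0.113.20", 3478, "192.0.2.1", 40000)]
    adm = [("198.51.100.10", 3478, "192.0.2.1", 40000),
           ("198.51.100.10", 3479, "192.0.2.1", 40000),
           ("203.0.113.20", 3478, "192.0.2.1", 40001)]
    apdm = [("198.51.100.10", 3478, "192.0.2.1", 40000),
            ("198.51.100.10", 3479, "192.0.2.1", 40001),
            ("203.0.113.20", 3478, "192.0.2.1", 40002)]
    for name, obs in (("eim", eim), ("adm", adm), ("apdm", apdm)):
        print(name, classify_mapping(obs), teredo_ready(obs, 90))
```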
IPv4 Networks: Be Mindful of Hairpinning
With CGN, multiple peers may be behind the same NAT device.
Hairpinning allows those peers to communicate.
[Diagram: hairpinning Teredo traffic between Xbox One on the home network and peers behind the same network infrastructure]
Packet Format and Native IPv4
• P2P traffic will use the ESP option for IPsec
• Native IPv4 will be used if available, generally for link-local peers.
• More detailed documentation aligned to this presentation is available at www.microsoft.com/IPv6.
Questions?
We will send a v6ops/NANOG notice about exact Teredo service dates.
• Relevant RFCs
• RFC 6092 for IPv6 security recommendations
• RFC 4380, 5991, and 6081 for more information on Teredo
• RFC 4787 and 6888 have recommendations for NAT behavior