One nice new feature in Windows 7 is DirectAccess, a system whereby system administrators can help maintain the remote workforce's computers while they are on the go. There have always been challenges around supporting remote workers who may never be able to come to a local office, attach to the corporate network, get their updates, and have their computers fully supported. DirectAccess uses a VPN to allow remote workers to securely gain access to corporate resources while on the road and allows their computers to be maintained by the IT department's domain group policies. The cool thing about DirectAccess is that it uses IPv6 over IPsec.

One of the most controversial IPv6 features in Windows Vista, Windows Server 2008, and Windows 7 is that they use random interface identifiers when creating their IPv6 addresses. Typically, an IPv6-capable computer performs autoconfiguration with the Neighbor Discovery Protocol (NDP) to determine its network prefix and interface identifier and form the computer's 128-bit IPv6 address. The IETF's RFC 2373 "IP Version 6 Addressing Architecture" describes in Appendix A how a computer should go about creating its EUI-64-based interface identifier from its MAC address. The IETF's RFC 2464 "Transmission of IPv6 Packets over Ethernet Networks" describes in Section 4 how stateless address autoconfiguration should take place using a computer's MAC address. Because of the privacy concerns about using hardware MAC addresses as interface identifiers, the IETF created RFC 4941 "Privacy Extensions for Stateless Address Autoconfiguration in IPv6". This RFC defines how an interface identifier can be created so that the privacy of the user is preserved.

Unfortunately, Windows 7 doesn't use the EUI-64 technique by default when forming its interface identifier. Microsoft has blurred the lines between these two address autoconfiguration concepts with its temporary addresses and now its randomly generated interface identifiers. Thankfully, however, Microsoft has given us the ability to disable or enable this feature as needed with the following commands.

netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set global randomizeidentifiers=enabled
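To make the difference between the two identifier styles concrete, here is an added example (my own illustration, not code from the original post or from Microsoft) that carries out the RFC 2373 Appendix A / RFC 2464 Section 4 derivation: it builds the modified EUI-64 interface identifier from a MAC address, forms a SLAAC address from a /64 prefix, and, going the other way, tells whether an observed address carries the EUI-64 marker and therefore reveals the host's MAC address. The MAC addresses and prefixes used are constructed sample values. The reverse check is the practical one for an administrator: run it over the addresses seen on a segment to learn which hosts still expose their hardware address and which are using randomized or temporary identifiers.

```python
import ipaddress
from typing import Optional


def mac_to_modified_eui64(mac: str) -> bytes:
    """RFC 2373 Appendix A: expand a 48-bit MAC into a modified EUI-64.

    The 16-bit marker 0xFFFE is inserted between the 24-bit OUI and the
    24-bit NIC-specific part, and the universal/local bit (0x02 in the
    first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """RFC 2464 Section 4 style stateless autoconfiguration.

    The advertised /64 prefix occupies the high 64 bits and the modified
    EUI-64 interface identifier fills the low 64 bits.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Inverse of the derivation: recover the MAC if the identifier is EUI-64.

    Returns None when the 0xFFFE marker is absent, which is what a
    randomized (Windows 7 default) or RFC 4941 temporary identifier looks
    like; such an address does not disclose the hardware address.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit_addresses(addrs: list) -> dict:
    """Map each observed address to the MAC it exposes, or None if it hides it."""
    return {a: mac_from_eui64_address(a) for a in addrs}


if __name__ == "__main__":
    # Constructed sample values: one EUI-64 host, one randomized-identifier host.
    sample_mac = "00:1a:2b:3c:4d:5e"
    print("link-local from MAC :", slaac_address("fe80::/64", sample_mac))
    print("global from MAC     :", slaac_address("2001:db8:1:2::/64", sample_mac))
    observed = ["fe80::21a:2bff:fe3c:4d5e", "fe80::5c3a:9d12:7b44:ee01"]
    for addr, mac in audit_addresses(observed).items():
        verdict = f"exposes MAC {mac}" if mac else "randomized/temporary identifier"
        print(f"{addr:30} {verdict}")
```

The two sample addresses in the audit show the point of the randomizeidentifiers setting: the first was formed with EUI-64 and gives away the adapter's OUI and serial portion to anyone who sees the packet, while the second carries no 0xFFFE marker and cannot be traced back to a hardware address.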

There are a few things missing from Windows 7 that I was hopeful would be in this operating system by default. I was hoping to see Mobile IPv6 (MIPv6) support in Windows 7, because MIPv6 is not yet fully supported in Vista or Server 2008.

Microsoft claims that Windows 7 does have Correspondent Node (CN) capability and can therefore communicate with other devices that are MIPv6 capable. However, Microsoft's implementation does not have Return Routability (Route Optimization). That means that a Windows 7 computer will communicate with a Mobile Node (MN) through its Home Address (HoA), via the Home Agent (HA). I sure wish there was more robust MIPv6 support, but I can see Microsoft's view also. It is sometimes difficult to create a business case to justify the development time needed to create a reliable MIPv6 implementation. However, we all know that mobility is the way of the future. That is certainly true for Windows Mobile and for any laptop system that helps support our nomadic lifestyles.

Windows 7 currently also doesn't have any support for SEcure Neighbor Discovery (SEND) (IETF RFC 3971). Cisco has been working on incorporating SEND functionality into their routers, but Microsoft operating systems do not support SEND. SEND is a method for securing the weaknesses in the Neighbor Discovery Protocol. The weaknesses in NDP can be likened to the weaknesses of ARP on an IPv4 subnet. SEND provides a protocol and an addressing technique that help verify which computers and routers are legitimate on a LAN segment. I hope that more vendors embrace SEND and turn it into an industry-standard mechanism for providing NAC-like functionality at the access layer.