Document: Windows Internals covering Windows Server 2008 and Windows Vista - P20 pdf


■ Authority. For secure clients (which have their name records signed by a certifying authority), the authority is identified by an SHA-1 hash of an associated public key, while for unsecured clients, it is zero. If a client is secure, PNRP validates the name record before publishing it.
■ Classifier. The classifier uses a simple string to identify a service provided by a peer, which allows multiple services to be provided by the same device.

To create a PNRP ID, PNRP hashes the P2P ID and combines it with a unique 128-bit ID called the service location, as shown in Figure 12-21. The service location identifies different instances of the same P2P ID in the same cloud. (PNRP uses two clouds: a global cloud, which corresponds to all IPv6 addresses on the Internet, and the link-local cloud, which corresponds to IPv6 addresses within a single subnet.)

PNRP Resolution and Publication

PNRP name resolution occurs in two phases:

■ Endpoint determination. In this phase, the requesting peer determines the IPv6 address associated with the peer responsible for publishing the PNRP ID of the desired service.
■ PNRP ID resolution. In this phase, once the requesting peer has located and confirmed the availability of the peer associated with the IPv6 address, it sends a PNRP request message for the PNRP ID of the service being requested. The peer providing the service replies to confirm the PNRP ID and can supply a comment and up to 4 KB of additional data, such as context information related to the service.

During the first phase, PNRP iterates over nodes while locating the publishing node, such that the node performing name resolution will be responsible for contacting nodes that are successively closer to the desired PNRP ID. Each iteration works as follows: Once a peer receives a request message, it performs a lookup in its cache for the requested PNRP ID.
If a match is found, the request message is sent directly; otherwise, it is sent to the next closest PNRP ID (by seeing how much of the ID matches). When a node receives a request message for which it cannot find a PNRP ID, it checks the distance of any other IDs in the cache to the target ID. If it finds a node that is closer, the requested node sends a reply to the requesting node, where the reply contains the IPv6 address of the peer that most closely matches the target PNRP ID. The requesting node can then use the IPv6 address to send another query to that address’s node. If no node is closer, the requesting node is notified, and that node sends the request to the next closest node.

Assuming PNRP IDs of 200, 350, 450, 500, and 800, Figure 12-22 depicts a possible endpoint determination phase for an example in which peer A is trying to find the endpoint for PNRP 800 (peer E).

To publish its PNRP ID(s), a peer first sends PNRP publication messages to its closest neighbors (entries in its cache that have IDs that are in the lowest levels) to seed their caches. It then randomly chooses nodes in the cloud that are not neighbors and sends them PNRP name resolution requests for its own PNRP ID. Through the mechanism described earlier, the endpoint determination phase will result in the seeding of the PNRP ID across the caches of the random nodes that were chosen in the cloud.

12.5 Location and Topology

Today’s networked computers often move between networks that require different configuration settings, for example, a corporate LAN and a home-based wireless network. Additionally, today’s networks are complex, often spanning multiple devices across different topologies.
Windows includes the Network Location Awareness (NLA) service to enable the dynamic configuration of network applications and settings based on location, and Link-Layer Topology Discovery (LLTD) to enable the intelligent discovery and mapping of networked devices.

Network Location Awareness (NLA)

The NLA service provider is implemented as a Winsock Namespace Provider (NSP) and provides the necessary framework for allowing computers and devices that move across different networks to select the most appropriate configuration settings. For example, an application taking advantage of NLA can detect when the user moves from a high-speed LAN to a high-latency wireless network and fine-tune its bandwidth use appropriately. NLA can also detect when a home computer on a LAN may also have a secondary VPN connection to the office and select the proper configuration options.

Instead of having developers rely on manual network interface information to figure out the type of network, and the IP addresses or DNS names associated with them, NLA provides a standardized query API for enumerating all the local network attachment information and correlating it with network interface information. The NLA API also includes notifications that enable applications to respond to changes when they occur.

NLA provides applications two pieces of location information:

■ Logical network identity. This identity is based on the logical network’s DNS domain name. If one does not exist, NLA uses custom static information stored in the registry together with the network’s subnet address as the identity.
■ Logical network interfaces. For each network that a device is attached to, NLA creates an adapter name that identifies interfaces such as NICs or RAS connections in a unique fashion.
Applications use adapter names with the IP Helper API (%SystemRoot%\System32\Iphlpapi.dll) to query interface information and characteristics.

Each logical network is implemented as a service class with an associated GUID and properties. NLA creates instances of that service class when it returns information about a logical network. Service classes are schemas that describe a namespace; they define the name, identifier, and namespace-specific information that is common to all instances. These classes are then used in combination with the WSALookupService* API when performing name resolution.

Link-Layer Topology Discovery (LLTD)

The LLTD protocol operates over both wired and wireless networks and enables applications to discover the topology of a network. For example, the Network Map functionality in Windows uses LLTD to draw the local network topology for the connected devices that support the LLTD protocol. Additionally, LLTD supports Quality of Service (QoS) extensions, which allow applications to diagnose network problems such as low signal strength on a wireless network and bandwidth constraints on home networks. Because it operates on the OSI Data-link layer (2), LLTD works only on a single subnet, and therefore can’t cross routers, but its capabilities make it suitable for most home and small-office networks.

The LLTD Mapper I/O and the LLTD Responder components implement LLTD. The former is responsible for the discovery process and for generating network maps. Because it uses a protocol different from IP, the LLTD Mapper uses NDIS APIs to directly send commands to the network via the network adapter. The LLTD Responder listens for and responds to discovery commands with information about the computer. As mentioned earlier, only devices that have a responder are shown in the network map.
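
As an added illustration (not from the book), the following Python sketch walks through the PNRP endpoint determination phase described before section 12.5, using the PNRP IDs 200, 350, 450, 500 and 800 from the text. The peer caches, the IPv6 addresses, and the use of numeric distance as the closeness measure are assumptions made for the example.

```python
"""Iterative PNRP endpoint determination, modelled on the description above."""

# Constructed cloud: PNRP ID -> (peer name, IPv6 address, cached PNRP IDs).
# The IDs are the ones used in the text; caches and addresses are made up.
CLOUD = {
    200: ("A", "2001:db8::a", [350, 450]),
    350: ("B", "2001:db8::b", [200, 500]),
    450: ("C", "2001:db8::c", [200, 350]),  # knows nothing closer to 800
    500: ("D", "2001:db8::d", [450, 800]),
    800: ("E", "2001:db8::e", [500]),
}


def distance(a, b):
    # Assumption: numeric distance stands in for "how much of the ID matches".
    return abs(a - b)


def handle_request(node_id, target_id):
    """Answer given by the peer that owns node_id to a request for target_id.

    Returns ("match", id, addr) if this peer publishes the target,
    ("closer", id, addr) if its cache holds an ID closer to the target
    than the peer itself, and ("no_closer", None, None) otherwise.
    """
    _name, addr, cache = CLOUD[node_id]
    if node_id == target_id:
        return ("match", node_id, addr)
    known = [i for i in cache if i in CLOUD]  # ignore stale cache entries
    if known:
        best = min(known, key=lambda i: distance(i, target_id))
        if distance(best, target_id) < distance(node_id, target_id):
            return ("closer", best, CLOUD[best][1])
    return ("no_closer", None, None)


def resolve(start_id, target_id, max_hops=16):
    """Requester-driven iteration.

    The requester always contacts the closest peer it knows and has not yet
    tried. A "closer" reply adds a new candidate; a "no_closer" reply makes
    it fall back to its next closest candidate. max_hops bounds the work a
    lookup can cause. Returns (address or None, names of peers contacted).
    """
    candidates = set(CLOUD[start_id][2])
    tried = {start_id}
    path = []
    while candidates - tried and len(path) < max_hops:
        nxt = min(candidates - tried, key=lambda i: distance(i, target_id))
        tried.add(nxt)
        path.append(CLOUD[nxt][0])
        verdict, ref_id, addr = handle_request(nxt, target_id)
        if verdict == "match":
            return addr, path
        if verdict == "closer":
            candidates.add(ref_id)
    return None, path


if __name__ == "__main__":
    print(resolve(200, 800))  # peer A looks for PNRP ID 800 (peer E)
    print(resolve(200, 999))  # an ID nobody has published
```

In this constructed cloud peer C reports that it knows nothing closer, so peer A falls back to peer B, which is the "next closest node" case from the text.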

12.6 Protocol Drivers

Networking API drivers must take API requests and translate them into low-level network protocol requests for transmission across the network. The API drivers rely on transport protocol drivers in kernel mode to do the actual translation. Separating APIs from underlying protocols gives the networking architecture the flexibility of letting each API use a number of different protocols. The Internet’s explosive growth and reliance on the TCP/IP protocol has made TCP/IP the preeminent protocol in Windows. The Defense Advanced Research Projects Agency (DARPA) developed TCP/IP in 1969 specifically as the foundation for the Internet; therefore, TCP/IP has WAN-friendly characteristics such as routability and good WAN performance. TCP/IP is the preferred Windows protocol and is installed by default, although it can be removed.

However, the 4-byte network addresses used by the IPv4 protocol on the legacy TCP/IP stack limit the number of public IP addresses to roughly 4 billion, which is a limit that will be pressed as more and more devices, such as cell phones and PDAs, acquire an Internet presence. For that reason, the IPv6 protocol, which has 16-byte addresses, is gaining adoption. Windows includes a combined TCP/IP stack, called the Next Generation TCP/IP Stack, which supports both IP and IPv6. When operating on IPv6 networks, the stack also supports coexistence with IPv4 networks through the use of tunneling.

The Next Generation TCP/IP Stack offers several advanced features to improve network performance, some of which are outlined in the following list:

■ Receive Window Auto Tuning. The TCP protocol defines a receive window size, which determines how much data a receiver can accept before the server requests an acknowledgment. A higher size favors low-latency networks with high throughput, while lower values work better on networks such as Wi-Fi.
The Windows TCP/IP stack is capable of analyzing the conditions of a network and choosing the optimal receive window size, adjusting it as needed if the network conditions change.
■ Compound TCP (CTCP). While automatically changing the receive window size allows more data to be received, CTCP aggressively increases the amount of data that can be sent by a machine, while monitoring bandwidth, latency, and packet loss. Using CTCP on a high-bandwidth, low-latency network can significantly improve transfer speeds. CTCP is disabled by default.
■ Explicit Congestion Notification (ECN). Whenever a TCP packet is lost, the TCP protocol assumes that the data was dropped because of router congestion and enforces congestion control, dramatically lowering the sender’s transmission rate. ECN allows routers to explicitly mark packets as being forwarded during congestion, which is read by the Windows TCP/IP stack as a sign that transmission rates should be lowered. Lowering rates in this manner results in better performance than relying on congestion control. ECN is disabled by default.
■ High-loss throughput improvements, including the NewReno Fast Recovery Algorithm, Enhanced Selective Acknowledgment (SACK), Forward RTO-Recovery (F-RTO), and Limited Transmit. These algorithms reduce the overall retransmission of acknowledgments or TCP segments during high-loss scenarios while still maintaining the integrity of the TCP stream. This allows for greater bandwidth in these environments and preserves TCP’s reliable transport semantics.

The Next Generation TCP/IP Stack (\%SystemRoot%\Drivers\Tcpip.sys), shown in Figure 12-23, implements TCP, UDP, IP, ARP, ICMP, and IGMP.
To support legacy protocols such as NetBIOS, which make use of the deprecated TDI interface, the network stack also includes a component called TDX, which creates device objects that represent particular protocols so that clients can obtain a file object representing a protocol and issue network I/O to the protocol using TDI IRPs. The TDX component creates several device objects that represent various TDI client–accessible protocols: \Device\Tcp6, \Device\Tcp, \Device\Udp6, \Device\Udp, \Device\Rawip, and \Device\Tdx.

EXPERIMENT: Looking at TCP/IP’s Device Objects

Using the kernel debugger to look at a live system, you can examine TCP/IP’s device objects. After performing the !drvobj command to see the addresses of each of the driver’s device objects, execute !devobj to view the name and other details about the device object.

    kd> !drvobj tdx
    Driver object (861d9478) is for:
     \Driver\tdx
    Driver Extension List: (id , addr)
    Device Object list:
    861db310 861db440 861d8440 861d03e8
    861cd440 861d2318 861d9350
    lkd> !devobj 861cd440
    Device object (861cd440) is for:
     Tcp6 \Driver\tdx DriverObject 861d9478
    Current Irp 00000000 RefCount 7 Type 00000012 Flags 00000050
    Dacl 8b1bc54c DevExt 861cd4f8 DevObjExt 861cd500
    ExtensionFlags (0x00000800)
     Unknown flags 0x00000800
    Device queue is not busy.
    lkd> !devobj 861db440
    Device object (861db440) is for:
     RawIp \Driver\tdx DriverObject 861d9478
    Current Irp 00000000 RefCount 0 Type 00000012 Flags 00000050
    Dacl 8b1bc54c DevExt 861db4f8 DevObjExt 861db500
    ExtensionFlags (0x00000800)
     Unknown flags 0x00000800
    Device queue is not busy.
    lkd> !devobj 861d8440
    Device object (861d8440) is for:
     Udp6 \Driver\tdx DriverObject 861d9478
    Current Irp 00000000 RefCount 0 Type 00000012 Flags 00000050
    Dacl 8b1bc54c DevExt 861d84f8 DevObjExt 861d8500
    ExtensionFlags (0x00000800)
     Unknown flags 0x00000800
    Device queue is not busy.
    lkd> !devobj 861d03e8
    Device object (861d03e8) is for:
     Udp \Driver\tdx DriverObject 861d9478
    Current Irp 00000000 RefCount 6 Type 00000012 Flags 00000050
    Dacl 8b1bc54c DevExt 861d04a0 DevObjExt 861d04a8
    ExtensionFlags (0x00000800)
     Unknown flags 0x00000800
    Device queue is not busy.
    lkd> !devobj 861cd440
    Device object (861cd440) is for:
     Tcp6 \Driver\tdx DriverObject 861d9478
    Current Irp 00000000 RefCount 7 Type 00000012 Flags 00000050
    Dacl 8b1bc54c DevExt 861cd4f8 DevObjExt 861cd500
    ExtensionFlags (0x00000800)
     Unknown flags 0x00000800
    Device queue is not busy.
    lkd> !devobj 861d2318
    Device object (861d2318) is for:
     Tcp \Driver\tdx DriverObject 861d9478
    Current Irp 00000000 RefCount 167 Type 00000012 Flags 00000050
    Dacl 8b1bc54c DevExt 861d23d0 DevObjExt 861d23d8
    ExtensionFlags (0x00000800)
     Unknown flags 0x00000800
    Device queue is not busy.
    lkd> !devobj 861d9350
    Device object (861d9350) is for:
     Tdx \Driver\tdx DriverObject 861d9478
    Current Irp 00000000 RefCount 0 Type 00000021 Flags 00000050
    Dacl 8b0649a8 DevExt 00000000 DevObjExt 861d9408
    ExtensionFlags (0x00000800)
     Unknown flags 0x00000800
    Device queue is not busy.

Windows Filtering Platform (WFP)

Windows includes a rich and extensible platform for monitoring, intercepting, and processing network traffic at all levels in the network stack. Other Windows networking services extend basic networking features of the TCP/IP protocol driver by relying on the WFP. These include network address translation (NAT), IP filtering, IP inspection, and Internet Protocol Security (IPSec). Figure 12-24 shows how the different components of the WFP are integrated with the TCP/IP stack.
These include:

■ Filter engine. The filter engine is implemented in both user mode and kernel mode and performs all the filtering operations on the network. Each filter engine component consists of filtering layers, one for each component of the network stack. The user-mode engine, responsible for RPC and IPSec keying policy, among other things, contains approximately 10 filters, while the kernel-mode engine, which performs the network and transport layer filtering of the TCP/IP stack, contains around 50.
■ Shims. Shims are the kernel-mode components that reside between the network stack and the filter engine. They are responsible for making the decision to allow or block network traffic based on their filtering behavior, which is defined by the filter engine. A shim operates in three steps: it parses the incoming data to match incoming values with entries in the filter engine, calls the filter engine to return an action based on the incoming values, and then interprets the action (drop the packet, for example).
■ Base filtering engine (BFE). The BFE is a user-mode service (%SystemRoot%\System32\Bfe.dll) that manages all WFP operations. It is responsible for adding and removing filters from the WFP stack, managing the filter configuration, and enforcing security on the filter database.
■ Callout drivers. Callout drivers are kernel-mode components that add custom filtering functionality outside the basic support provided by the WFP. Callout drivers associate callout functions with one or more kernel-mode filtering layers, and the WFP enables callout functions to perform deep packet inspection and modification. Network address translation (described next) and IPSec are implemented as callout drivers, for example.

Network Address Translation

Network address translation (NAT) is a routing service that allows multiple private IP addresses to map to a single public IP address.
Without NAT, each computer of a LAN must be assigned a public IP address to communicate across the Internet. NAT allows one computer of the LAN to be assigned an IP address and the other computers to use private IP addresses and be connected to the Internet through that computer. NAT translates between private IP addresses and the public IP address as necessary, routing packets between LAN computers and the Internet.

NAT components on Windows consist of a NAT device driver, \%SystemRoot%\System32\Drivers\Ipnat.sys, that interfaces with the WFP stack as a callout driver, as well as editors that can perform additional packet processing beyond address and port translation. NAT can be installed as a routing protocol component with the Routing And Remote Access MMC snap-in or by configuring Internet Connection Sharing (ICS), although NAT is much more configurable when installed using the Routing And Remote Access MMC snap-in.

IP Filtering

Windows includes a very basic IP filtering capability with which a user can choose to allow only certain ports or IP protocols into or out of the network. While this capability can serve to protect a computer from unauthorized network accesses, its drawback is that it is static and does not automatically create new filters for traffic initiated by applications running on the computer.

Windows also includes host firewall capability, called Windows Firewall, that goes beyond the basic filtering just described. Windows Firewall uses WFP to provide a stateful firewall, which is one that keeps track of traffic flow so that it distinguishes between TCP/IP traffic that originates on the local LAN and unsolicited traffic that originates on the Internet. When Windows Firewall is enabled on an interface, one of three profiles can be applied—public, private, and domain.
By default, when the public profile is chosen (or until a profile is selected), all unsolicited incoming and outgoing traffic received and sent by the computer is discarded, other than traffic from network services and other system applications. A user or application can define exceptions so that services running on the computer, such as file and printer sharing or a Web site, can be accessed from other computers.

The Windows Firewall service, which executes in a Svchost process, uses the BFE to pass exception rules defined in the configuration user interface to the IPNat driver. The WFP filter engine executes the callback functions of each registered callout driver as it processes both inbound and outbound IP packets. A callback function can provide NAT functionality by modifying source and destination addresses in a packet, or as a firewall by returning a status code to TCP/IP that requests that TCP/IP drop the packet and cease processing for it. In kernel mode, Windows Firewall uses a driver (%SystemRoot%\System32\Drivers\Mpsdrv.sys) that provides support for PPTP and FTP filtering, since those protocols provide their own

Internet Protocol Security

Internet Protocol Security (IPSec), which is integrated with the Windows TCP/IP stack, helps protect unicast (IPSec itself supports multicast, but the Windows implementation does not) IP data against attacks such as eavesdropping, sniffer attacks, data modification, IP address spoofing, and man-in-the-middle attacks (as long as the identity of the remote machine can be verified, such as a VPN). You can use IPSec to provide defense-in-depth against network-based attacks from untrusted computers; certain attacks that can result in the denial-of-service of applications, services, or the network; data corruption, data theft, and user-credential theft; and the administrative control over servers, other computers, and the network. IPSec helps defend against network-based attacks through cryptography-based security services, security protocols, and dynamic key management.

IPSec provides the following properties for unicast IP packets sent between trusted hosts:

■ Data origin authentication, which verifies the origin of an IP packet and ensures that unauthenticated parties cannot access data.
■ Data integrity, which protects an IP packet from being modified in transit without being detected.
■ Data confidentiality, which encrypts the payload of IP packets before transmission. Data confidentiality ensures that only the IPSec peer with which a computer is communicating can read and interpret the contents of the packets. This property is optional.
■ Anti-replay (or replay protection), which ensures that each IP packet is unique and can’t be reused. This property prevents an attacker from intercepting IP packets and inserting modified packets into a data stream between a source computer and a destination computer. When [...]

... which is available with Windows Server with the Routing and Remote Access service, allows remote access clients to connect to remote access servers and access network resources such as files, printers, and network services as if the client were physically connected to the remote access server’s network. Windows provides two...

... the BCD

... allows an application to specify minimum bandwidth and maximum latencies, which can be satisfied only if every networking software and hardware component between a sender and a receiver supports QoS standards such as IEEE 802.1P, an industry standard that specifies the format of QoS packets and how OSI layer 2 devices (switches and network adapters) respond to them. Windows supports QoS through a policy-based...

... registry and then passes IP address filters to the IPSec driver and authentication and security settings to IKE. These policies are honored for compatibility with older versions of Windows, which implement IPSec management through Active Directory.

■ IKE and AuthIP. IKE is a protocol that supports the authentication and key...

... with Windows Vista SP1 and Windows Server 2008 is NDIS 6.1. The NDIS library (\%SystemRoot%\System32\Drivers\Ndis.sys) implements the NDIS boundary that exists between network transports, such as the TCP/IP driver, and NDIS drivers. The NDIS library is a helper library that NDIS driver clients use to format commands they send to NDIS drivers. NDIS drivers interface with the library to receive requests and...

... the !miniports and !miniport commands, which let you list the loaded miniports using a kernel debugger and, given the address of a miniport block (a data structure Windows uses to track miniports), see detailed information about the miniport driver. The following example shows the !miniports and !miniport commands being used...

... admission control checks to be bypassed if similar usage patterns occurred in the past and the calculation result was already cached.

■ Monitoring and probing, which keep track of available bandwidth and notify applications during low-bandwidth or high-latency situations.
■ Traffic tagging and shaping, which uses the 802.11p and DSCP technologies mentioned earlier to tag packets with the appropriate priority...

... messages mirror the NDIS interface and include messages for initializing and resetting a device, transmitting and receiving packets, setting and querying device parameters, and indicating media link status. The Remote NDIS architecture, in Figure 12-29, relies on a Microsoft-supplied NDIS miniport driver, \%SystemRoot%\System32\Drivers\Rndismp.sys, that translates NDIS commands and forwards them to a bus transport...

... This way, each host handles its portion of incoming client requests and every client request always gets handled by one and only one host. The cluster host that determines it should handle a client request allows the request to propagate up to the TCP/IP protocol driver and eventually a server application; the other cluster hosts don’t. If a cluster host...

... the protocol on Windows. Similarly, new APIs can interface to existing Windows protocol drivers. Finally, the range of networking APIs implemented on Windows affords network application developers a range of possible implementations, each with different programming models and protocol support.

13 Startup and Shutdown

In this ...
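
An added example, not from the book: a simplified Python model of the three shim steps described in the Windows Filtering Platform section (parse the packet, ask the filter engine for an action, interpret the action), combined with the stateful behaviour and exceptions described for Windows Firewall. It does not use the WFP API; the class and function names, the addresses, the TCP port 80 exception, and the choice to always permit outbound traffic are assumptions made for illustration.

```python
import socket
import struct
from collections import namedtuple

# Values a shim extracts so that the filter engine can match on them.
Fields = namedtuple("Fields", "direction proto src sport dst dport")

TCP, UDP = 6, 17


def build_packet(proto, src, sport, dst, dport):
    """Constructed sample input: 20-byte IPv4 header plus 8 transport bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HH", sport, dport) + b"\x00" * 4


def shim_parse(direction, raw):
    """Step 1: parse the packet; return None if it is malformed."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(raw) < ihl:
        return None
    proto = raw[9]
    sport = dport = 0                   # protocols without ports keep 0
    if proto in (TCP, UDP):
        if len(raw) < ihl + 4:
            return None                 # truncated transport header
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return Fields(direction, proto, socket.inet_ntoa(raw[12:16]), sport,
                  socket.inet_ntoa(raw[16:20]), dport)


class FilterEngine:
    """Holds the filter state: inbound exceptions plus flows opened locally."""

    def __init__(self, exceptions):
        self.exceptions = set(exceptions)   # {(proto, local port)}
        self.flows = set()                  # flows started by this host

    def classify(self, f):
        """Step 2: return "permit" or "block" for the parsed values."""
        if f.direction == "out":
            # Simplification: outbound is always permitted and remembered.
            self.flows.add((f.proto, f.src, f.sport, f.dst, f.dport))
            return "permit"
        if (f.proto, f.dst, f.dport, f.src, f.sport) in self.flows:
            return "permit"                 # reply to a flow the host started
        if (f.proto, f.dport) in self.exceptions:
            return "permit"                 # user-defined exception
        return "block"                      # unsolicited inbound traffic


def shim_process(engine, direction, raw):
    """Step 3: interpret the engine's action as forward or drop."""
    fields = shim_parse(direction, raw)
    if fields is None:
        return "drop"
    return "forward" if engine.classify(fields) == "permit" else "drop"


def demo():
    """Run six constructed packets through the shim and return the verdicts."""
    host, peer, stranger = "192.0.2.10", "198.51.100.7", "203.0.113.9"
    engine = FilterEngine(exceptions={(TCP, 80)})   # a local Web site
    return [
        shim_process(engine, "out", build_packet(TCP, host, 50000, peer, 443)),
        shim_process(engine, "in", build_packet(TCP, peer, 443, host, 50000)),
        shim_process(engine, "in", build_packet(TCP, stranger, 443, host, 50000)),
        shim_process(engine, "in", build_packet(TCP, stranger, 40000, host, 80)),
        shim_process(engine, "in", build_packet(TCP, stranger, 40000, host, 3389)),
        shim_process(engine, "in", b"\x45\x00"),    # truncated packet
    ]


if __name__ == "__main__":
    print(demo())
```

The third packet shows why the flow table matters: it targets the same local port as the permitted reply but comes from an address the host never contacted, so it is dropped.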

Date posted: 15/12/2013, 11:15
