MCTS 70-649 Configuring IP Addressing and Services

Configuring IP Addressing and Services

Configure IPv4 and IPv6 addressing

Useful command: netsh -c interface dump > c:\networkinterfaceconfig.txt

IPv4

Working out slash notation to and from decimal (if anyone has a quicker way please feel free to comment)

Lookup table:

Bits Decimal
1 128
2 192
3 224
4 240
5 248
6 252
7 254

From slash notation to dotted decimal

/14
14 / 8 = 1 remainder 6: one full octet of 8 bits is 255 and the remaining 6 bits are 252, so a /14 is 255.252.0.0

From decimal to slash notation

255.192.0.0: 255 is 8 bits and 192 is 2 bits, 8 + 2 = 10, so 255.192.0.0 is a /10

Working out the number of hosts in a particular subnet

/23 would have 2^(32-23) - 2 hosts, i.e. 32 - 23 = 9 and 2^9 - 2 = 510

Working out if two hosts are on the same subnet

10.10.0.0/21 would have the following subnets. Subnet boundaries fall at 8, 16, 24 and 32 bits; subtract the prefix length from the next boundary at or above it, e.g. a /17 uses 24, not 16.

2^(24 - 21) = 8, so 10.10.0.0 subnets increment in 8s in the third octet, e.g.
10.10.0.0
10.10.8.0
10.10.16.0

Knowing the above should help with designing IP allocations etc.
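The subnetting arithmetic above, worked through in Python as an added example (not part of the original notes): the hand method from the lookup table is implemented directly and then cross-checked against the standard library's ipaddress module.

```python
import ipaddress

# Lookup table from the notes: number of leading 1 bits in an octet -> decimal value.
BITS_TO_DECIMAL = {0: 0, 1: 128, 2: 192, 3: 224, 4: 240, 5: 248, 6: 252, 7: 254, 8: 255}
DECIMAL_TO_BITS = {v: k for k, v in BITS_TO_DECIMAL.items()}

def prefix_to_mask(prefix):
    """/14 -> '255.252.0.0': 14 / 8 = 1 full octet (255) remainder 6 bits (252)."""
    full, remainder = divmod(prefix, 8)
    octets = [255] * full
    if full < 4:
        octets.append(BITS_TO_DECIMAL[remainder])
    octets += [0] * (4 - len(octets))
    return ".".join(str(o) for o in octets)

def mask_to_prefix(mask):
    """'255.192.0.0' -> 10: add up the bits of each octet (8 + 2)."""
    return sum(DECIMAL_TO_BITS[int(o)] for o in mask.split("."))

def usable_hosts(prefix):
    """/23 -> 2^(32 - 23) - 2 = 510 (network and broadcast addresses excluded)."""
    return 2 ** (32 - prefix) - 2

def subnet_increment(prefix):
    """Step between subnets in the interesting octet: /21 -> 2^(24 - 21) = 8."""
    boundary = ((prefix + 7) // 8) * 8   # next octet boundary at or above the prefix (/17 -> 24)
    return 2 ** (boundary - prefix)

def subnet_list(network, prefix, count):
    """First `count` subnet addresses: 10.10.0.0/21 -> 10.10.0.0, 10.10.8.0, 10.10.16.0, ..."""
    octet_index = (prefix - 1) // 8      # which octet the increment applies to (/21 -> third)
    step = subnet_increment(prefix) * 256 ** (3 - octet_index)
    base = int(ipaddress.IPv4Address(network))
    return [str(ipaddress.IPv4Address(base + i * step)) for i in range(count)]

def same_subnet(addr_a, addr_b, prefix):
    """True when both addresses share the same network bits under the mask derived above."""
    mask = int(ipaddress.IPv4Address(prefix_to_mask(prefix)))
    return int(ipaddress.IPv4Address(addr_a)) & mask == int(ipaddress.IPv4Address(addr_b)) & mask

def matches_stdlib(prefix):
    """Cross-check the hand method against the netmask Python computes for the same prefix."""
    return prefix_to_mask(prefix) == str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)

if __name__ == "__main__":
    print(prefix_to_mask(14), mask_to_prefix("255.192.0.0"), usable_hosts(23))
    print(subnet_list("10.10.0.0", 21, 3), same_subnet("10.10.9.1", "10.10.16.1", 21))
```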

Assign IPv4 address

GUI: Network and sharing center > manage network connections > right click appropriate interface > select Internet Protocol Version 4.

Which interface?

NETSH: netsh interface ipv4 show interfaces


Assigning a static IP address or DHCP

NETSH: netsh interface ipv4 set address name="Local Area Connection" source=static addr=1.2.3.4 mask=255.0.0.0 gateway=1.2.3.254 gwmetric=20
NETSH: netsh interface ipv4 set address name="Local Area Connection" dhcp

Assigning a DNS server(s)

Primary DNS server

Primary = register under DNS suffix only

Both = register under DNS suffix and connection specific suffix

None = disables DNS registration

NETSH: netsh interface ipv4 set dnsserver name="Local Area Connection" static 1.2.3.253 primary|both|none

Secondary DNS server

NETSH: netsh interface ipv4 add dnsserver name="Local Area Connection" static 1.2.3.252 index=2

Checking the IP addresses assigned

NETSH: netsh interface ipv4 show addresses

IPv6

IPv6 is preferred over IPv4 in Windows Server 2008, with the exception of IPv6 Teredo addresses, which have the lowest preference.

Global: Equivalent to a publicly routable IPv4 address. The format prefix (first 3 bits) is always 001 (0x2), the top-level aggregator (the next 13 bits) can be 0 0000 0000 0000 to 1 1111 1111 1111 or 0x000 to 0x3FFF.

Link-local: Equivalent to APIPA (169.254.0.0/16); these are automatically assigned to the network card interface. The format prefix (first 10 bits) is always FE8. Link-local addresses have duplicate address detection built into the auto-configuration process: the initial state is tentative until the auto-configuration process can be sure the address is unique, and once it is confirmed the state changes to preferred. The other states are deprecated and invalid; deprecated means the auto-configured address has exceeded its lifetime.

Site-local: Equivalent to 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16; these addresses can be assigned manually or via DHCP within a local area network. The format prefix (first 10 bits) is always FEC.

Assign an IPv6 address

GUI: Network and sharing center > manage network connections > right click appropriate interface > select Internet Protocol Version 6.

Which interface?

NETSH: netsh interface ipv6 show interfaces

Assigning a static IP address

NETSH: netsh interface ipv6 set address "Local Area Connection" fec0:0:0:fffe::2

Assigning a DNS server(s)

Primary DNS server

NETSH: netsh interface ipv6 add dnsserver "Local Area Connection" fec0:0:0:fffe::1

Secondary DNS server

NETSH: netsh interface ipv6 add dnsserver "Local Area Connection" fec0:0:0:fffe::2 index=2

Checking the IP addresses assigned

NETSH: netsh interface ipv6 show addresses

The standard command line tools such as ping, ipconfig, pathping, tracert, netstat and route all have full IPv6 functionality.

There are IPv6 specific commands within the netsh command shell; netsh interface ipv6 e.g. netsh interface ipv6 show neighbors.

IPv4 to IPv6

ISATAP

ISATAP is a tunnelling protocol that allows IPv6 networks to communicate over IPv4 networks. ISATAP addresses start with either a unicast link-local (fe8), site-local (fec), global (2000 – 3fff) or 6to4 global prefix; the next 32 bits are always the ISATAP identifier 0:5efe, and the final 32 bits hold the dotted decimal IPv4 address, which is sometimes represented as hexadecimal. ISATAP is disabled by default, but every adapter with an IPv4 address will have an ISATAP IPv6 address.

6to4

6to4 allows you to tunnel IPv6 over an IPv4 network using 6to4 routers, e.g. an IPv6-only client could connect to the IPv6 portion of the internet using a 6to4 router over the IPv4 internet. 6to4 is disabled by default and has a prefix of 2002::/16.

Teredo

Teredo servers allow Teredo clients access to the IPv6 internet; the Teredo clients will be using IPv4 addresses which are not publicly routable, such as 192.168.1.1, and fec0::1/64 (you need a site-local IPv6 address for Teredo to work). The Teredo address has a prefix of 2001::/32; the next 32 bits are the public address of the Teredo server (teredo.ipv6.microsoft.com); the next 16 bits are the Teredo flags, i.e. the NAT flag: full, restricted or port restricted. The next 16 bits store an obscured version of the external UDP port that corresponds to that Teredo client interface; the port is obscured with XOR 0xffff. The final 32 bits store an obscured version of the external IPv4 address; the address is obscured with XOR 0xffffffff.

To enable Teredo, assign an IPv6 site-local address, e.g.

netsh interface ipv6 set address "Local Area Connection" fec0::1
netsh interface teredo set state client

browse to http://test-ipv6.com/
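As an added example (not from the original notes), the following Python decodes the ISATAP, 6to4 and Teredo address formats described above, using the prefixes from the IPv6 section and the XOR obscuring the notes give for Teredo. The sample addresses, including the Teredo server address, are constructed for illustration; a decoder like this is useful for spotting tunnelled IPv6 addresses in logs.

```python
import ipaddress

def hextets(addr):
    """Split an IPv6 address into its eight 16-bit groups as integers."""
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def embedded_ipv4(h, start):
    """Dotted-decimal IPv4 address stored in groups h[start] and h[start + 1]."""
    return str(ipaddress.IPv4Address((h[start] << 16) | h[start + 1]))

def scope(h):
    """Address type by prefix: 2002::/16, 2001:0::/32, fe80::/10, fec0::/10, 2000::/3."""
    if h[0] == 0x2002:
        return "6to4"
    if h[0] == 0x2001 and h[1] == 0x0000:
        return "teredo"
    if h[0] >> 6 == 0x3FA:        # top 10 bits 1111111010 -> fe8
        return "link-local"
    if h[0] >> 6 == 0x3FB:        # top 10 bits 1111111011 -> fec
        return "site-local"
    if h[0] >> 13 == 0b001:       # top 3 bits 001 -> 2000 to 3fff
        return "global"
    return "other"

def decode(addr):
    """Classify an address and extract the IPv4 information embedded in it."""
    h = hextets(addr)
    info = {"scope": scope(h)}
    # ISATAP interface ID: 0:5efe (200:5efe when the u bit is set) followed by the IPv4 address.
    if h[4] in (0x0000, 0x0200) and h[5] == 0x5EFE:
        info["isatap_ipv4"] = embedded_ipv4(h, 6)
    if info["scope"] == "6to4":
        info["ipv4"] = embedded_ipv4(h, 1)              # 2002:wwxx:yyzz::/48 -> ww.xx.yy.zz
    elif info["scope"] == "teredo":
        info["server"] = embedded_ipv4(h, 2)            # public IPv4 of the Teredo server
        info["flags"] = h[4]                            # NAT flags; top bit set = cone NAT
        info["cone"] = bool(h[4] & 0x8000)
        info["port"] = h[5] ^ 0xFFFF                    # external UDP port, obscured with XOR 0xffff
        client = ((h[6] << 16) | h[7]) ^ 0xFFFFFFFF     # external IPv4, obscured with XOR 0xffffffff
        info["client"] = str(ipaddress.IPv4Address(client))
    return info

if __name__ == "__main__":
    # Constructed samples: Teredo via server 65.54.227.120, ISATAP on a link-local prefix, 6to4 site.
    for sample in ("2001:0:4136:e378:8000:63bf:34ff:8efa", "fe80::5efe:192.168.1.10", "2002:c000:204::1"):
        print(sample, decode(sample))
```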

Configure dynamic host configuration protocol (DHCP)

Installing DHCP

GUI installation: servermanagercmd -install dhcp or server manager > roles > dhcp

CLI: start /w ocsetup DHCPServerCore

If you have installed the service via the command line you need to configure the service to start automatically, e.g. sc config dhcpserver start= auto

To start the service net start dhcpserver

The fundamentals of DHCP in Windows Server 2003 still apply, e.g. you still have centralised and decentralised models, DHCP relay agents are needed to bridge broadcast domains, leases still expire and renew, and the 80:20 rule still applies for balancing the distribution of IP ranges. Scopes and options apply too, and so does the inheritance, i.e.

Server options > scope options > reservation options, though explicit option definitions override inherited option definitions.

Multicast: MADCAP is used to assign multicast addresses, but it does not support DHCP options.

Superscopes allow you to group scopes together on the same DHCP server; these scopes provide address leases to clients on different subnets.

DHCPv6:

A router on the subnet address range being leased by DHCP must be advertising the route e.g.

NETSH: netsh interface ipv6 set route fec0:0:0:fffe::/64 "{interface ID}" Publish=Yes

Stateless: no host address configuration; addresses are autoconfigured from the IPv6 prefixes in router advertisements. DNS servers and search domains can still be deployed via DHCPv6 in this mode.

Stateful: leases host addresses and DHCP options.

Each client will need to be configured as follows:

NETSH: netsh interface ipv6 set interface # managed=enable other=enable

PXE boot address leases do not need to be authorised unless DHCP authorisation is enabled within WDS; this generally applies when WDS and DHCP are on different servers. PXE uses UDP port 67.

IP reservations are available; to obtain a client's MAC address for the reservation use getmac /s 0.0.0.0 | clip

Add authorised DHCP server to Active Directory

NETSH: netsh dhcp add server [server name]

create ipv4 scope

NETSH: netsh dhcp server v4 add scope 192.168.100.0 255.255.255.0 "IPv4 Scope"

or create ipv6 scope and address range

NETSH: netsh dhcp server v6 add scope fec0:0:0:fffe:: "Ipv6 Scope"

create ipv4 address range

NETSH: netsh dhcp server scope 192.168.100.0 add iprange 192.168.100.1 192.168.100.99

create ipv4 reservation

NETSH: netsh dhcp server scope 192.168.100.0 add reservedip 192.168.100.100 0021704FE6E3

create ipv6 reservation

NETSH: netsh dhcp server v6 scope fec0:0:0:fffe:: add reservedip fec0:0:0:fffe::a 0021704FE6E3 123

Manually renewing an IP address

IPv4

ipconfig /renew

IPv6

ipconfig /renew6

Configure routing

NOTE: Windows Server 2008 Core editions do not allow the installation of RRAS.

RRAS

(RRAS is now part of the Network Policy and Access Services role)

Routing and Remote Access Service has several new features in Server 2008, they are:

  • (SSTP) Secure Socket Tunnelling Protocol; this allows you to create VPN connections through firewalls that would normally block PPTP and L2TP VPNs. This functionality is more remote access than routing.
  • Quarantine network for VPN clients; (NAP) Network Access Protection places unhealthy clients into a quarantine subnet where they can get access to Anti Virus software, Windows Updates, Virus definitions etc to become healthy.
  • IPv6 support; dial-up, PPPoE, RADIUS and L2TP over IPv6.
  • RRAS now supports 128-bit RC4; IPSEC phase 1 supports AES (256), (192), (128), 3DES, SHA1 and DH groups (19) and (20); IPSEC phase 2 supports AES (256), (192), (128), 3DES and SHA1.
  • 40-bit RC4, 56-bit RC4 and DES are disabled by default but can be enabled via the registry if needed.

RC4 = Rivest Cipher 4

AES = Advanced Encryption Standard

3DES = Triple Data Encryption Standard

SHA1 = Secure Hash Algorithm

DH = Diffie-Hellman

The following RRAS functionality has been removed from Windows Server 2008:

  • BAP – Bandwidth Allocation Protocol; broadband connectivity is now commonplace and BAP was developed for bonding dial-up connections.
  • x.25 – this protocol has been replaced with modern protocols such as MPLS.
  • SLIP – less secure than PPP; SLIP connections are automatically upgraded to PPP in Windows Server 2008.
  • ATM – IP and Ethernet is more commonplace.
  • IP over IEEE1394 – firewire; Microsoft could not identify any dependencies for this so it was removed.
  • Novell and MAC services now use TCP/IP
  • (OSPF) Open Shortest Path First – this is considered an enterprise protocol where routers number in the tens if not hundreds; in that scenario you would have dedicated router hardware rather than Windows Server running RRAS.
  • Basic firewall – replaced by the newer Windows Firewall with Advanced Security, which has more features.
  • Static IP filtering API – replaced with the Windows Filtering Platform API.
  • SPAP, MS-CHAP and EAP-CHAP – no longer considered secure enough for PPP connections.

Routing options

Static routing

For dual-homed computers where no routing protocol is being employed.

Example routes:

netsh interface ipv4 add route 192.168.254.0/29 "Local Area Connection" 192.168.254.1 persistent
netsh interface ipv6 add route fec0:1::/64 "Local Area Connection" fec0:1::1 persistent

(RIP) Routing Information Protocol

Best used when there are five or more routers with frequent changes.

RIP has versions 1 and 2; RIPv1 uses IP broadcasts and RIPv2 uses multicast or broadcast announcements. RIPv2 also has authentication and subnetting features.

RIP works by updating its neighbour routers, which in turn update their neighbours; RIP has a maximum hop count of 15.

The Windows Server 2008 version of RIP has the following features:

  • RIP versions can differ per interface
  • faster recovery from network changes
  • mechanisms to avoid routing loops
  • announcement filters
  • route aging
  • password authentication
  • can disable subnet summarisation

Routing diagnostic tools

tracert – used to determine the route taken to the destination

pathping does the same but also collects statistics along the way, such as packet loss

How does tracert work? – tracert works by incrementing the TTL until it receives an ICMP echo reply from the destination host.

Installing RRAS

Server Manager > Roles > Network Policy and Access Services > Routing and Remote Access > Custom configuration > LAN routing.

The following NETSH contexts can be used for configuring routing via the command line:

netsh routing ip
netsh routing ipv6

Configure IPsec

IPSEC services

Data authentication ensures that the packets you receive originate from a trusted party and are not spoofed. Anti-replay ensures you do not receive duplicate packets.

Encryption ensures the data in the packet is unreadable if captured in transit.

IPSEC can be configured via IPSEC policies or connection security rules; IPSEC policies attempt to negotiate authentication and encryption by default whereas connection security rules only negotiate authentication by default. However both can be configured to provide authentication or encryption or both.

IPSEC is generally configured via group policy objects, connection security rules within the Windows Advanced Firewall or the IP Security policies MMC.

Connection security rules do not filter by traffic type such as TCP port; they apply to all IP traffic originating from or destined for certain IP addresses, subnets, etc., whereas IP Security policies do filter on ports.

The Windows Firewall with Advanced Security (WFAS) allows you to manage firewall rules and configure connection security rules; you can use netsh advfirewall too.

For connection security rules

netsh advfirewall consec

NOTE: an upgraded computer will maintain the firewall state of the previous version.

IPSEC policies

IPSEC policies can be configured via the IP Security policy management mmc console.

IPSEC policies can have multiple rules. The IPSEC policy rule…

Rules

…determines when and how IP traffic is protected. Each rule is associated with one filter list and one filter action. The filter list…

Filter list

…contains one or more IP filters that define IP traffic affected by the policy e.g. the source and or destination address, protocol and source and or destination port. The filter action…

Filter action

…determines whether the traffic matching the filter list is blocked, permitted or encrypted and or authenticated.

Examples using netsh

Create a filter list:

netsh ipsec static add filter filterlist="Any IP TCP Port 80" srcaddr=any dstaddr=any protocol=tcp srcport=0 dstport=80 mirrored=yes description="All Http traffic"

Create a filter action:

netsh ipsec static add filteraction name="Negotiate Security always" description="Negotiate security, if client does not support IPSEC deny access" soft=no action=negotiate qmsec="AH[SHA1]:100000k/3600s ESP[3DES,SHA1]:256000k/480s"

or

netsh ipsec static add filteraction name="Negotiate Security always" description="Negotiate security, if client does not support IPSEC deny access" soft=no action=negotiate qmsec="AH[SHA1]+ESP[3DES,SHA1]:100000k/3600s"

Create a policy:

netsh ipsec static add policy name="Secure traffic between client and web servers" mmsec="3DES-SHA1-3" mmlifetime=480 assign=no

Create a policy rule (the policy name must match the policy created above):

netsh ipsec static add rule name="secure traffic between clients and web servers" policy="Secure traffic between client and web servers" filterlist="Any IP TCP Port 80" filteraction="Negotiate Security always" conntype=all kerberos=yes

Security associations

The source and destination computers negotiate how the data will be authenticated and/or encrypted. Authentication Headers (AH) are secured using SHA1 or DES; AH provides data origin authentication, data integrity and anti-replay protection. Encapsulating Security Payload (ESP) is secured using SHA1/MD5 and 3DES/DES; ESP provides data encryption, data integrity and anti-replay protection.

Tunnel mode

Transport mode provides end-to-end security, whereas tunnel mode protects the entire packet between two endpoints and is used when intermediary routers do not support L2TP/IPSEC.

Authentication methods

Kerberos

Only supported if the two IPSEC endpoints can be authenticated by AD DS; Kerberos realms outside of AD DS are supported too. If Kerberos is not available then the next best thing is certificates…

Certificates

…can authenticate IPSEC endpoints; the certificates must be from a public or private CA and each host must trust the certificate issuer. The certificate mapping option can only be used with domain joined computers.

Preshared Key

This is a secret known by both IPSEC endpoints. The authentication method is weaker than certificates or kerberos but data is still encrypted.
