Vista: The Review
Vincent HERMANN & Jérome BOSCH, 24 July 2006 (16,982 reads)
Network Management on Vista
The network stack model in use until now dates from the early 1990s, and it had begun to show its limits when it came to extending and adapting it. NetIO (Next Generation Network Protocol Stack), Vista's new network layer, has been completely redesigned and rewritten.
It brings major improvements in reliability, performance and security. Vista ships the sixth version of NDIS (Network Device Interface Specification), the layer that links network drivers to the lower layers. NDIS 6 introduces a new Lightweight Filter (LWF) driver model that is far more robust and capable than its predecessors: filter drivers can be added to and removed from the network stack without breaking existing connections.
Receive-Side Scaling (RSS) lets network traffic be spread across several processors, which is of particular interest for servers. With the arrival of 10 Gbit/s (and faster) network adapters, packet processing across the different network layers can drive processor utilisation up dramatically. Several technologies are used to reduce the processor's load:
- TCP Chimney offloads TCP and IP (versions 4 and 6) processing to the network adapter.
- RDMA Chimney allows a data buffer to be transferred from one computer to another without involving the CPU.
- IPSec Chimney offloads the processing of the IPSec protocol, which is used to secure IP, from the CPU.
These technologies require recent network adapters; NVIDIA has announced that its NForce4 chipsets will be Chimney-compliant.
Vista also includes a brand new implementation of the TCP/IP stack, the "TCP/IP Next Generation" stack. Unlike Windows XP and Windows Server 2003, which manage two separate stacks for IP versions 4 and 6, Vista has a single dual stack in which IPv4 and IPv6 coexist. IPv6 is now enabled by default, which means that every first connection attempt will use it. For years we have been told about the many advantages of this version:
- IP addresses are 128 bits long, which allows a virtually unlimited number of computers to connect to the Internet; companies will no longer have to use NAT routers.
- Routing between the nodes of the network is much better than with version 4: packets are forwarded more quickly from one router to the next.
- By default, the IPv6 implementation requires the IPSec protocol, which allows IP connections to be encrypted and authenticated. On XP and Server 2003 the IPSec implementation for IPv6 was incomplete; this is no longer the case with Vista.
Because users do not yet have an IPv6 Internet connection, it must be possible to reach an IPv6 network over an IPv4 connection. Teredo, already available in the Advanced Networking Pack for Windows XP Service Pack 1, is now integrated and enabled by default. Teredo encapsulates IPv6 packets in IPv4 UDP messages, which are sent to a Teredo server that handles the NAT traversal and provides the connection to the IPv6 network. Microsoft offers a Teredo server by default on Windows clients (teredo.ipv6.microsoft.com), but servers run by other companies can be used instead. On Vista, Teredo will handle symmetric NATs and domain members.
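As an added example (written for this review, not Microsoft's code), the following Python decodes and builds addresses in the Teredo layout defined in RFC 4380, which is what the UDP encapsulation described above produces; the sample address is the worked example from that RFC, not a real Vista host, and the field names are my own.

```python
"""Decode and build Teredo addresses laid out as in RFC 4380.

A Teredo address embeds the Teredo server's IPv4 address, a flags field,
and the client's NAT-mapped UDP port and public IPv4 address (the last
two XORed with all-ones bits). A defender who sees one in a log can thus
tell which Teredo server a host uses and what its public IPv4 endpoint is.
"""
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")
CONE_FLAG = 0x8000  # RFC 4380 "cone NAT" bit, the top bit of the flags field


def decode_teredo(addr: str) -> dict:
    """Return the fields embedded in a Teredo address; ValueError if not Teredo."""
    ip6 = ipaddress.IPv6Address(addr)
    if ip6 not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not inside the Teredo prefix 2001:0::/32")
    # After the 4-byte prefix: server IPv4 (4), flags (2), ~port (2), ~client IPv4 (4)
    server, flags, xport, xclient = struct.unpack("!4sHH4s", ip6.packed[4:16])
    client = bytes(b ^ 0xFF for b in xclient)  # undo the obfuscation
    return {
        "server": str(ipaddress.IPv4Address(server)),
        "flags": flags,
        "cone": bool(flags & CONE_FLAG),
        "mapped_port": xport ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(client)),
    }


def encode_teredo(server: str, client: str, port: int, cone: bool = True) -> str:
    """Build the Teredo address a client with these parameters would be given."""
    flags = CONE_FLAG if cone else 0
    xclient = bytes(b ^ 0xFF for b in ipaddress.IPv4Address(client).packed)
    packed = (TEREDO_PREFIX.network_address.packed[:4]
              + ipaddress.IPv4Address(server).packed
              + struct.pack("!HH", flags, port ^ 0xFFFF)
              + xclient)
    return str(ipaddress.IPv6Address(packed))


if __name__ == "__main__":
    # Constructed sample: the worked address from RFC 4380, section 4
    # (server 65.54.227.120, client 192.0.2.45 behind a cone NAT, port 40000)
    print(decode_teredo("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
```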
Several TCP parameters that used to be static are now tuned automatically. For example, the TCP window size is determined dynamically according to network activity and continuously readjusted. Note that this option is already available on Linux.
Compound TCP (CTCP) is designed for high-bandwidth servers that send large amounts of data. In internal tests, Microsoft found that the time needed to send large files over a 1 Gbit/s link with a 50 ms RTT (round-trip time) was halved with this protocol.
With multiple user sessions and multiple networks, it is preferable to know where traffic is being routed, which is why Vista supports compartmentalised routing. A compartment is a set of network interfaces associated with a logon session, with its own IP routing table; compartments are isolated from one another. It thus becomes possible, for example, to keep Internet access and the intranet separate while connected to a VPN.
XP included a generic QoS (Quality of Service) to manage network traffic and make the best use of bandwidth. Vista also includes a QoS designed for businesses: configuration policies make it possible to throttle bandwidth or to prioritise a particular type of network use. The threshold can be set per application or per IP address, and per TCP/UDP port. For example, qWave (Quality Windows Audio-Video Experience) uses advanced techniques to manage bandwidth automatically for VoIP, streaming and so on.
The Vista firewall also receives substantial improvements that nobody will complain about. It now manages both inbound and outbound connections: by default it blocks inbound connections and allows outbound ones (with some exceptions). These exceptions can be configured according to several criteria:
- Source and destination IP addresses
- Source and destination TCP/UDP ports
- Network interfaces
- ICMP and ICMPv6
- Active Directory accounts
Exceptions can also be configured per service, and the firewall is used by the Windows Service Hardening mentioned earlier. The firewall is built on the Windows Filtering Platform (WFP), which was discussed in the first part of this review. Among other things, WFP makes it possible to replace the firewall or to run several firewalls side by side without any risk of conflict, and it gives very fine-grained access to the TCP/IP stack.
The firewall uses the IPSec protocol, which authenticates and encrypts user connections to prevent data interception. Because IPSec operates at the IP layer, it remains transparent to applications; the Vista firewall thus also becomes an authenticator. Administrators can manage the IPSec security policies as they wish, and there is now a single common security policy for the firewall and IPSec. On Windows XP and Server 2003 the policies were separate and could lead to duplicated or contradictory settings.
Also on Windows XP and Server 2003, the Wi-Fi infrastructure had been built to emulate an Ethernet connection, which greatly limited its evolution. Vista features a native Wi-Fi infrastructure that should allow much greater flexibility by supporting the advanced features of the IEEE 802.11 standard. Because Vista now controls a large part of the Wi-Fi functionality, driver development should become easier for manufacturers. It should also handle the WPA2 security protocol. The native architecture will provide an API so that third parties can extend the existing functionality; these extensible components could also offer a custom configuration interface integrated into Windows.
Users often spend hours trying to configure a network or track down a fault. The Network Diagnostics Framework (NDF) is a Vista component that could solve a great many of these problems. This network module can detect any kind of event or failure; NDF gathers as much information as possible and analyses it to find the likely causes. The user then answers a series of multiple-choice questions to help resolve the problem, and in some cases the system can fix it automatically.
On Windows XP, a "dirty trick" was used to intercept a protocol's network packets; firewalls, for example, used this method. As discussed in the first part of this review, the Windows Filtering Platform (WFP) offers a complete API for filtering network packets, and it will be the only available method on Vista because the network stack has been entirely rewritten.
Windows Connect Now is a set of components intended to connect network devices to Windows. It uses the PnP-X protocol, which discovers network devices in the same way that Plug & Play detects physical devices. To find these devices it can use UPnP (Universal Plug & Play), but also Devices Profile for Web Services (DPWS), a type of Web service that exposes the use of a device. Web services rely on Web standards such as SOAP and are already widely used on the Internet. For security, PnP-X encrypts the data exchanged between Vista and the device over the network.
Windows Connect Now should play an important role in the "ultra-connected" Vista system, and many new Wi-Fi devices are expected: at CES 2006, for example, some Wi-Fi displays were shown. Vista is said to be able to connect to a great many of the usual high-tech devices.
An API for RSS and Atom feeds will also be integrated to let applications offer live content. Windows Communication Foundation (WCF), formerly known as Indigo, is a very high-level framework that will let developers create network applications very quickly.
WCF is built on a unified model that gives access to many earlier Windows technologies as well as to numerous open protocols. It includes a Web service model that should make developing distributed applications easier, and it was designed to simplify interoperability with other operating systems. Its design is extensible and must be able to accommodate new types of protocols as they appear; it can also be used across several different network topologies, such as P2P.
In everyday life we handle all sorts of identities: when registering on a website, or when buying a film or a book online, for example. InfoCard is an identity management system for WCF on Vista. You can create digital certificates that are automatically signed; they contain a public identity part and a private part holding information such as a credit card number. InfoCard can work in two modes:
- The first lets you sign in to a standard website. The site asks for your email address in order to register you; InfoCard automatically opens a card selector showing all the cards that have the required attributes. The user picks a compatible one, and InfoCard sends only the requested piece of information rather than all of it. The site receives the information, validates the registration and allows the connection.
- The second works with a third-party identity provider. Say you buy a DVD online: InfoCard asks for the information the store requires, the identity selector appears on screen and the user selects a compatible credit card. The information is then sent to a banking site that checks it and attests its validity to the store, so the store never has access to the sensitive information itself.
InfoCard can also be used by a third party, such as VeriSign, to authenticate a site. As for security, the card selector is displayed on an isolated area of the desktop, since a standard attack technique is to capture what is shown on screen in order to steal information. To counter such attacks, the information on the hard disk is encrypted, and communications are authenticated and encrypted using the WS-* and SAML protocols (W3C standards). InfoCard can also use several certificate systems such as X.509 or Kerberos.
Microsoft had to learn from the failure of Passport, a proprietary, centralised identity system that never caught on. InfoCard relies entirely on Web standards and requires no centralisation. On identityblog.com you will find a paper explaining how to implement this technology on non-Microsoft systems; for example, we know that PHP should integrate InfoCard.
Contents
- 1 - Introduction
- 2 - Microsoft Operating System History (1/2)
- 3 - Microsoft Operating System History (2/2)
- 4 - The Genesis of Vista
- 5 - Vista's Core
- 6 - Windows Driver Foundation, Drivers' Management under Vista
- 7 - The .Net Environment, one of Vista's Foundations
- 8 - Graphics Resources Management under Vista
- 9 - Network Management on Vista
- 10 - Security, First Part
- 11 - Security, Part Two
- 12 - Associated Technologies: WinFS
- 13 - Associated Technologies: PowerShell
- 14 - Sound Management on Vista
- 15 - Reliability and Performance, First Part
- 16 - Reliability and Performance, Part Two
- 17 - Interface and Functions, Part One
- 18 - Interface and Functions, Part Two
- 19 - Internet Explorer 7.0
- 20 - Conclusion