Wednesday, April 29, 2009

How do Enable or Disable APIPA in the TCP/IP stack for Windows Server 2008 ?


Key: Tcpip\Parameters

Value Type: REG_DWORD—Boolean

Valid Range: 0, 1 (false, true)

Default: 1 (true)

Description: This value enables or disables IPv4 autoconfiguration using APIPA.


Note: This value is generally setup globally and not locally

How do I change the default APIPA range from 169.254.xx.xx or the one stored by DHCP to a custom IP Address range in the TCP/IP stack for Windows Server 2008?


Key: Tcpip\Parameters\Interfaces\interfaceGUID

Value Type: REG_SZ—String

Valid Range: Change to a valid IPv4 address

Default: None

Description: This value stores the APIPA autoconfiguration IPv4 address chosen by the DHCP client.


Note: “This value should not be altered unless there is a specific requirement”

Wednesday, April 22, 2009

How to enable Multicast Forwarding in the TCP/IP stack for Windows Server 2008


Key: Tcpip\Parameters

Value Type: REG_DWORD—Boolean

Valid Range: 0, 1 (false, true)
Default: 0 (false)
Description: The routing service uses this value to control whether or not IP multicasts are forwarded. This value is created by the Routing and Remote Access service.

Monday, April 20, 2009

How to Disable IP Source Routing in Windows Server 2008 ?


Key:  Tcpip\Parameters, Tcpip6\Parameters

Value Type: REG_DWORD—Boolean

Valid Range: 0, 1, 2

0 - forward all packets
1 - do not forward source routed packets
2 - drop all incoming source routed packets

Default: 1 for IPv4 and 0 for IPv6

Description: IP source routing is a mechanism that allows the sender to determine the IP route that a packet should take through the network. The Ping and Tracert tools have command-line options to specify source routing

Changes in TCP/IP stack for Windows Server 2008 “netsh interface set interface” commands

Many of the TCP/IP registry values supported in Windows XP and Windows Server 2003 are not supported by TCP/IP in Windows Vista and Windows Server 2008. You can configure additional TCP/IP settings with command-line parameters for the following Netsh commands at a Windows command prompt with administrator-level permissions:

  • netsh interface ipv4 set interface
  • netsh interface ipv4 set global
  • netsh interface ipv6 set interface
  • netsh interface ipv6 set global

Thursday, April 16, 2009

Why IPv6 in TCP/IP stack now for Windows Server 2008 ?

  • Large address space

- The 128-bit address space for IPv6 provides ample room to provide every device on the present and foreseeable future Internet with a globally reachable address.

  • Efficient routing

- With a streamlined IPv6 header and addressing that supports hierarchical routing infrastructures, IPv6 routers on the Internet can forward IPv6 traffic faster than their IPv4 counterparts.

  • Ease of configuration

- IPv6 hosts can configure themselves by either interacting with a Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server or by interacting with their local router and using stateless address autoconfiguration.

  • Enhanced security

- The IPv6 standards solve some of the security issues of IPv4 by providing better protection against address and port scanning attacks and by requiring that all IPv6 implementations support Internet Protocol security (IPSec) for cryptographic protection of IPv6 traffic.



Dual IP layer architecture for IPv6 in the TCP/IP stack for Windows Server 2008

The implementation of IPv6 in Windows XP and Windows Server 2003 is a dual stack architecture. For IPv6 support, you have to install a separate protocol through the Network Connections folder. The separate IPv6 protocol stack had its own Transport layer that included Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) and its own Framing layer. Changes to protocols in either the Transport or Framing layers had to be done to two Windows drivers; Tcpip.sys for the IPv4 protocol stack and Tcpip6.sys for the IPv6 protocol stack.

The Next Generation TCP/IP stack supports the dual IP layer architecture in which the IPv4 and IPv6 implementations share common Transport and Framing layers. The Next Generation TCP/IP stack has both IPv4 and IPv6 enabled by default. There is no need to install a separate component to obtain IPv6 support.

PUG Windows 7 Day - IT Pro Track - Hope to see you ALL there

Register now free

Seminar Location:
Capgemini India
A-1, Technology Park
MIDC Talwade
Pune -412114

Friday, April 10, 2009

Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) and Challenge-Handshake Authentication Protocol (CHAP)

The Challenge Handshake Authentication Protocol (CHAP) authenticates a user or network host to an authenticating entity.

RFC 1994: PPP Challenge Handshake Authentication Protocol (CHAP) defines the protocol.

CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake. This happens at the time of establishing the initial link, and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user's password).

After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer.
The peer responds with a value calculated using a one-way hash function, such as an MD5 checksum hash.
The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection.
At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.
CHAP provides protection against playback attack by the peer through the use of an incrementally changing identifier and of a variable challenge-value. CHAP requires that both the client and server know the plaintext of the secret, although it is never sent over the network.

Microsoft has implemented a variant of the Challenge-handshake authentication protocol, called MS-CHAP, which does not require either peer to know the plaintext.

MS-CHAP is the Microsoft version of the Challenge-handshake authentication protocol, CHAP. The protocol exists in two versions, MS-CHAPv1 (defined in RFC 2433) and MS-CHAPv2 (defined in RFC 2759). MS-CHAPv2 was introduced with Windows 2000 and was added to Windows 98 in the "Windows 98 Dial-Up Networking Security Upgrade Release" and Windows 95 in the "Dial Up Networking 1.3 Performance & Security Update for MS Windows 95" upgrade. Windows Vista drops support for MS-CHAPv1.

Compared with CHAP, MS-CHAP:

is enabled by negotiating CHAP Algorithm 0x80 (0x81 for MS-CHAPv2) in LCP option 3, Authentication Protocol
provides an authenticator-controlled password change mechanism
provides an authenticator-controlled authentication retry mechanism
defines failure codes returned in the Failure packet message field
MS-CHAPv2 provides mutual authentication between peers by piggybacking a peer challenge on the Response packet and an authenticator response on the Success packet.

Memories - MCT Summit 2009, Hyderabad


Days Well Spent !!

Thursday, April 9, 2009

Shiva Password Authentication Protocol (SPAP) now included in the TCP/IP stack for Windows Server 2008

Shiva Password Authentication Protocol (SPAP) now included in Windows Server 2008 which works in co-ordination with RADIUS and encrypts the password so that it transferred securely within the Network

Shiva Password Authentication Protocol (SPAP) is a simple encrypted password authentication protocol supported by Shiva remote access servers. With SPAP, the remote access client sends an encrypted password to the remote access server. SPAP uses a two-way encryption algorithm. The remote access server decrypts the password and uses the plaintext form to authenticate the remote access client.

Shiva Password Authentication Protocol (SPAP) is a reversible encryption mechanism employed by Shiva. A computer running Windows XP Professional, when connecting to a Shiva LAN Rover, uses SPAP, as does a Shiva client that connects to a server running Routing and Remote Access. This form of authentication is more secure than plaintext but less secure than Challenge Handshake Authentication Protocol (CHAP) or Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).

To enable SPAP-based authentication, you must do the following:

  1. Enable SPAP as an authentication protocol on the RADIUS client. SPAP is disabled by default.
  2. Enable SPAP on the appropriate network policy. SPAP is disabled by default.
  3. Enable SPAP on the access client


Wednesday, April 8, 2009

Enabling ECN (Explicit Congestion Notification) which is now included in the TCP/IP stack for Windows Server 2008

What is ECN?
Explicit Congestion Notification (ECN) is an extension to the Internet Protocol and is defined in RFC 3168 (2001). ECN allows end-to-end notification of network congestion without dropping packets.The Addition of Explicit Congestion Notification (ECN) to IP, states that with the addition of active queue management (for example, WRED) to the Internet infrastructure, routers are no longer limited to packet loss as an indication of congestion.

ECN and Windows Operating Systems
ECN has now been added to the TCP/IP stack in the following Windows Operating Systems:
  1. Windows Vista
  2. Windows 7
  3. Windows Server 2008

How do we enable ECN is Windows Operating System?

  1. Open a command prompt as an adminstrator
  2. Type "netsh int tcp show global"this will show your current TCP/IP state
  3. To enable ECN, in command prompt type:"netsh int tcp set global ecncapability=enabled"
  4. To enable CTCP (Compound TCP)in command prompt type:"netsh int tcp set global congestionprovider=ctcp"
  5. To verify changes Type "netsh int tcp show global"