Common Solutions Group: StoneSoup.org

TCPIP Issues:

NT 5.0 Security - IPSec (handout)

Issues: Is there an API for IPSec for NT 5.0?

NT 5.0 QOS (Tim Moore)

MS saw only 2 things to look at: RSVP & differentiated services

TCPIP Enhancements

MS enhancements fall into 3 areas:

  1. ease of use & manageability
  2. protocol enhancements
  3. performance

Ease of use: Changed the Control Panel Network interface. Network configuration is now organized around the notion of "connections", and a tool called "Connection Manager" was created to which you can add services. Also created an API that allows you to query the network stack and to perform all the functions of ipconfig.

MS is also adding a firewall API to aid in the creation & implementation of NT-based firewalls. MS claims you can write a "tcpwrapper" using the firewall API. MS added support to set permissions on a port range (like Unix, where you have to be root to get to ports below 1024). MS also added an exclusive-control mechanism for a port, for multi-user machines.

A new feature is "Autonet", which allows you to just plug NT 5.0 into the network, and if it cannot find a DHCP service, it will configure itself onto a MS Class B network. This allows you to create a home network of NT & Win98 machines easily. It has other implications in an existing network!
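One of those implications is that a host whose DHCP request fails silently ends up on the Autonet range and drops off the managed network. The check below is an added example, not from the notes or from Microsoft: it scans a constructed hostname/address inventory and reports the hosts that fell back to Autonet. The notes only say "a MS Class B network"; the 169.254.0.0/16 prefix used here is the link-local range from RFC 3927 and is an assumption on the part of this example.

```python
import ipaddress
import re

# Autonet fallback range per RFC 3927 (assumption; the notes name no prefix).
AUTONET_NET = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample inventory: one "hostname address" pair per line, the kind
# of listing an admin might collect from ipconfig output across machines.
SAMPLE_INVENTORY = """\
lab-nt01 10.20.30.41
lab-nt02 169.254.17.200
lab-nt03 10.20.30.43
lab-98a  169.254.3.9
lab-nt04 not-an-address
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")


def parse_inventory(text):
    """Yield (hostname, IPv4Address) pairs; lines that do not parse are skipped."""
    for raw in text.splitlines():
        match = LINE_RE.match(raw)
        if not match:
            continue
        host, addr = match.groups()
        try:
            yield host, ipaddress.IPv4Address(addr)
        except ValueError:
            # Non-address text in the address column: ignore rather than crash.
            continue


def find_autonet_hosts(text):
    """Return the hostnames whose address lies in the Autonet range."""
    return [host for host, addr in parse_inventory(text) if addr in AUTONET_NET]


if __name__ == "__main__":
    for host in find_autonet_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Autonet address, DHCP probably unreachable")
```

A host on the Autonet range cannot reach the rest of the site network, so an entry in this list usually means a DHCP outage, a disconnected segment, or a machine that was plugged in somewhere it was not expected.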

Protocol enhancements:

Performance:

Much of the current hardware is not fast enough to support gigabit ethernet (ISA bus limitations). MS added native ATM support in NT 5.0, either LANE or TCPIP over ATM. MS also added support to offload functions to the network card (like checksums, IPSec stuff).

IPv6 is available on research.microsoft.com but will not be available with NT 5.0. You can download it and install it into NT 4.0. (This is probably true for NT 5.0 also.)

Louis Kahn - Unix Services for NT


What's in SFU v.1 (Services for Unix), currently shipping for NT 4.0 (you must have SP4 applied!)

NFS client & server

Telnet client & server

Password Sync

Shell Environment

License Issues (here's the bad news!)

Where is SFU going?

What's missing?

NT Security - Microsoft

Active Directory becomes the repository for user account information; it replaces the Domain Controller as the backstore for user information. AD (Active Directory) uses core MS Exchange directory components as the basis for the AD LDAP directory service. The Microsoft KDC also relies upon the Active Directory. NT 5.0 security supports RFC1510 (Kerberos) for authentication.

So what were the target objectives?

Part of the delay in shipping NT 5.0 is the interoperability work; MS needs to have MIT compatibility finished. While MS is not implementing any K4 support (doesn't seem to warrant development investment), it is willing to help others, perhaps by helping a customer to enable a k4to5 daemon (any volunteers?).

Question

Do you have to implement the MS-KDC if you already have a Unix KDC? Do you have to run the Active Directory? Some implementation facts to consider:

  1. the AD (Active Directory) is required to support the Domain Controller
  2. NT uses SSPI (like GSS-API); MS stuffs the authorization data into the auth_data portion of the session ticket (which includes an authorization signature), and the authorization data signature is ultimately verified against the data in the AD.

Answer:

As long as you don't need to use NT access control lists, you don't need to use the AD. If you do need to use NT access control lists, you had better be using AD.
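The reason the answer hinges on the signature in the auth_data is that NT access control lists are evaluated against group membership carried in the ticket, so the service must be able to tell KDC-issued authorization data from data a client altered. The toy model below is an added example, not Microsoft's format or code: a pretend KDC packages principal and group claims and keys a checksum with the service key (shared by KDC and service, never held by the client), and the service recomputes that checksum before trusting the groups. Keys, principals and group names are constructed; real Kerberos carries this inside the encrypted ticket with the KDC's own additional checksum, which this model omits.

```python
import hashlib
import hmac
import json

# Constructed toy key shared between the KDC and the service (not a real key).
SERVICE_KEY = b"constructed-service-key"


def _encode(auth_data):
    """Canonical byte encoding so KDC and service sign the same bytes."""
    return json.dumps(auth_data, sort_keys=True).encode()


def issue_ticket(principal, groups, service_key=SERVICE_KEY):
    """Toy KDC: attach authorization data and a keyed checksum over it."""
    auth_data = {"principal": principal, "groups": sorted(groups)}
    signature = hmac.new(service_key, _encode(auth_data), hashlib.sha256).hexdigest()
    return {"auth_data": auth_data, "signature": signature}


def verify_auth_data(ticket, service_key=SERVICE_KEY):
    """Toy service: return the authorization data, or None if the checksum fails."""
    expected = hmac.new(service_key, _encode(ticket["auth_data"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["signature"]):
        return None
    return ticket["auth_data"]


def acl_allows(ticket, required_group, service_key=SERVICE_KEY):
    """ACL check: grant only when the verified authorization data lists the group."""
    auth_data = verify_auth_data(ticket, service_key)
    return auth_data is not None and required_group in auth_data["groups"]


def tampered_copy(ticket, extra_group):
    """Model a client editing its own ticket to claim an extra group (constructed)."""
    forged = json.loads(json.dumps(ticket))
    forged["auth_data"]["groups"].append(extra_group)
    return forged


if __name__ == "__main__":
    ticket = issue_ticket("alice@EXAMPLE", ["users"])
    print("alice in users:", acl_allows(ticket, "users"))
    print("alice in admins:", acl_allows(ticket, "admins"))
    print("forged admins accepted:", acl_allows(tampered_copy(ticket, "admins"), "admins"))
```

The forged ticket fails because the checksum no longer matches the edited claims, which is the property that lets a service trust group membership it did not look up itself. Without that service-side verification against KDC-issued data, ACLs built on ticket contents would be unenforceable, which is the sense in which NT ACLs require the AD.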

June 9, 1998 - Building 27, Microsoft campus - Redmond

CMU - Project Orpheus Overview (Walter Wong)

CMU uses NT 4.0 in the public sites, no Win95. Created a K4 GINA along with kerberized versions of telnet, ftp, and web access. Created a utility similar to the Unix "package" tool, called NT package, to help with software distribution and maintenance.

CMU is exploring issues related to NT and Unix Kerberos.

CMU is exploring issues related to AFS & NT.

Could we learn more about DNS and NT 5.0?

Stanford - Directory Services (Bob Morgan)

Bob talked about LDAP activities in IETF (see RFC2251-RFC2256).

Extensions currently being proposed:

The ZAW group is working with other product teams to make MS Apps better "behaved", with fewer "system" components, as most of the ZAW capabilities depend upon ZAW-aware applications.

PKI - Microsoft

No presentation - just here for questions about core PKI & cryptography.

How does PKI & Kerberos interact?

  • Kerberos useful when well known trust model exists
  • PKI useful when no known trust model exists (?)
  • ISS allows mapping from public key to NT Domain (kerberos 5)

Lots of discussion concerning interoperability and chains of trust. Conclusion - it's hard!

Terminal Server - Microsoft

NT was originally designed for this (NT 3.1), but (legend says) MS product managers cut it from the initial implementation. So, Microsoft licensed NT source code to Citrix & Prologue. As companies began deploying these products (and making $$$), bugs occurred which caused support problems - apps won't run on Citrix (Citrix problem or NT problem?).

MS bought the core Citrix code, but not the ICA protocols. Citrix wasn't interested in selling the ICA protocol & MS was more interested in using RTP (this is not what you think it is!) to take advantage of existing kernels. Terminal Server will be part of NT 5.0, an install option with NT Server (Terminal Services).

Pricing: MS view is that this is another way to run Windows on a machine, so each desktop will require a Windows license of some kind. This is essentially the same model as Citrix, charging based on clients deployed.

Scaling: 15-25 users per processor, so maybe 60-100 users per NT Server, depending on the level of activity by the user. The applications seem to have the most impact on the scaling properties (not surprising!). MS is still learning how to tune and configure for performance & scaling. MS will shortly produce a white paper on their findings. MS thinks they do as well as (or better than) Citrix ICA in terms of performance.

Terminal Server will use AD in NT 5.0 to do load balancing. More performance enhancements for RTP (it is really the T.128 protocol with some modifications, not the IETF-described RTP) will show up in NTS (NT Server) 5.0. The MS deal with Citrix is that MS will only do Windows clients until November 1999. Thus, MS will not publish the RTP protocol until after Nov '99 in order to avoid responsibility for the creation of non-Windows clients.

MS RTP always encrypts (40 bit) from client to the server. Options will exist for bi-directional encryption and for 128-bit encryption. MS uses an internal MS encryption algorithm, which (he thinks) is published.

The MS RTP client requires a 70K executable and uses 1.5 MB of memory for caching. It should run on a 4 MB machine. Having a "good" graphics card on the client helps a lot, since the claim is that most of the client load is in screen painting.

Note: Citrix clients work with both Winframe (Citrix) and the MS Terminal Server.

Active Directory - Microsoft

AD is a marketing term for the set of directories shipped with NT 5.0. AD is LDAP compliant; ADSI is a set of interfaces that allow programs to take advantage of AD services (the "ODBC" for directories). So, now for questions:

The AD is composed of a database (Jet Database Engine - the same used for Exchange) and "heads" which sit on top of the Database - LDAP, MAPI, XAPI (XDS), DS.

  • Support exists to allow permissions on a per-attribute basis. This allows restricted access to attributes, e.g. HR can see your salary level but no one else is allowed to view this data.
  • LDIF is supported.
  • An SQL-like interface is provided for queries & read-only operations

Scaling: have tested up to 0.5 million objects, around 27 GBytes. Directories of this size cause problems with most administration tools (flat views). MS has implemented "filter" and "find" (LDAP cursor functions).

What won't be in NT 5.0?

Is it possible to replace the Jet Database Engine with something else?

NO!

Maybe in the future MS will use SQL Server as the database engine for AD.

Note: MS is working with PeopleSoft, SAP, etc. trying to convince them that the AD is a good place to put things.

What is the Global Catalog?

A view of all the objects & domains in the organization, not all the attributes. The Global Catalog Server can build its own replication schedule. It is a read-only database. It is a place to do quick lookups of users & groups. This might be used to support a white pages service or other read-only services that are only interested in limited-scope queries.

NT Futures - Microsoft (Felipe Cabrera)

NT 5.0 will contain 55 million lines of code. (55 thousand KLOCS!)

Advances in Storage Management in NT 5.0.

1. New management of storage device

2. New features in the NTFS file system

  1. File based services