IPv6 Support in EFT

EFT supports IPv6 connections. You can continue to use IPv4 addresses, use only IPv6 addresses, or use both IPv4 and IPv6. All IP address fields accept IPv4 addresses, IPv6 addresses, and host names transparently; you are not required to understand what an IPv4 or IPv6 address is to use it. Outbound connections are handled transparently based on the IP address or host entered into any host fields. EFT determines whether the connection requires IPv4 or IPv6 without requiring you to specify.

IPv6 is not supported in EFT HA environments.

The following areas of EFT support IPv6 addresses:

  • Configuring EFT - The Server's listening IP address and the IP address used for remote administration each support IPv6 addresses.

  • Defining Connections (Sites) - The Site's listening IP address supports IPv6 addresses.

  • IP ban/access rules - The IP address ban/access rules support IPv6 addresses. (Refer to Controlling IP Access for Remote administration and Controlling Access to the Site by IP Address for information about banning IP addresses.)

  • Event Rules - The Copy/Move Action and the Download Action support IPv6 addresses. When you create an Event Rule using one of these actions, you can specify an IPv4 or IPv6 address or let EFT choose the best available address to use.

  • Various COM API objects have been modified to allow the use of IPv6 addresses, and new methods were added to support multiple listening IP addresses.

  • DMZ Gateway was updated to allow both IPv4 and IPv6 addresses.

  • The Auditing and Reporting module schema has been modified to allow IPv6 addresses.

  • The AS2 module supports both IPv4 and IPv6 addresses.

  • IPv6 addresses use colons, but a colon is not a valid character in UNC path names. To address this, Microsoft created the "ipv6-literal.net" domain. An IPv6 literal address is an IPv6 address with the colon (':') characters replaced by dash ('-') characters, followed by the ".ipv6-literal.net" string.

  • For example, for the following IPv6 address:

    2001:4898:9:3:c069:aa97:fe76:2449

    would be translated as follows:

    \\2001-4898-9-3-c069-aa97-fe76-2449.ipv6-literal.net\share

     For more information about the ipv6-literal.net domain, refer to the MSDN article at http://msdn.microsoft.com/en-us/library/aa385353.aspx.

  • CIDR notation is supported for both IPv4 and IPv6 literals. For example: 2001:cdba:9abc:5678::/64 for blocking an IPv6 LAN or 192.168.29.0/24 for an IPv4 network.
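
The ipv6-literal.net translation described above, as an added Python example (not EFT code). It also handles a zone index, which Microsoft's convention writes with 's' in place of '%'; that detail and the function names are not from this page.

```python
import ipaddress

SUFFIX = ".ipv6-literal.net"

def to_unc_host(addr: str) -> str:
    """IPv6 address (optionally with %zone) -> ipv6-literal.net host name."""
    ip_part, _, zone = addr.strip().strip("[]").partition("%")
    ip = ipaddress.IPv6Address(ip_part)       # ValueError for non-IPv6 input
    if zone and not zone.isalnum():
        raise ValueError(f"unexpected zone id: {zone!r}")
    label = ip.compressed.replace(":", "-")   # ':' is not valid in a UNC name
    if zone:
        label += "s" + zone                   # zone index: '%' becomes 's'
    return label + SUFFIX

def from_unc_host(host: str) -> str:
    """ipv6-literal.net host name -> compressed IPv6 address string.

    Useful when a UNC host seen in a log has to be compared with
    IP access rules, which are written with ordinary IPv6 literals.
    """
    host = host.lower()
    if not host.endswith(SUFFIX):
        raise ValueError("not an ipv6-literal.net name")
    # 's' is not a hex digit, so it can only be the zone separator.
    label, _, zone = host[: -len(SUFFIX)].partition("s")
    ip = ipaddress.IPv6Address(label.replace("-", ":"))
    return ip.compressed + ("%" + zone if zone else "")

def unc_path(addr: str, share: str) -> str:
    """Build \\\\host\\share for an IPv6 address and a share name."""
    return "\\\\" + to_unc_host(addr) + "\\" + share

if __name__ == "__main__":
    print(unc_path("2001:4898:9:3:c069:aa97:fe76:2449", "share"))
    print(from_unc_host("fe80--1s4.ipv6-literal.net"))
```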

IPv6 FAQ

Q. What is IPv6?

A. IPv6 is a proposed replacement to IPv4. One of the benefits of IPv6 is a larger address space, with 128 bits versus IPv4’s 32 bits. Search online to learn more about IPv6, the benefits it provides, and challenges it presents.

Q. When will IPv6 replace IPv4?

A. This is the subject of much debate. Many have claimed for years that we are in imminent danger of running out of IPv4 addresses; however, NATing (including ISP carrier grade NATing) and other workarounds have surfaced that will delay the inevitable exhaustion of IPv4 addresses for at least a few more years.

Q. If the need for IPv6 is not imminent, then why was it incorporated into EFT?

A. Large enterprises are leading the way in converting to IPv6 (at least internally) and EFT is often a critical piece of the edge architecture for many of these companies. Also, our government customers are actively transitioning to IPv6 based on internal mandates and have requested support for IPv6.

Q. Is IPv6 support limited to EFT, or does it include the DMZ Gateway as well?

A. EFT and the DMZ Gateway comprehensively support IPv6. DMZ Gateway requires Windows Server 2008 for IPv6. (In Windows 2003, IPv6 is not supported for DMZ Gateway.)

Q. Will EFT operate with a mix of IPv4 and IPv6 addresses?

A. EFT supports the three scenarios (abstract network topologies) described in RFC 4057, in addition to the current IPv4-only scenario. The scenarios include 1) dual-stack, which is the wide-scale deployment of hosts that support both IPv4 and IPv6 running simultaneously; 2) sparse dual stack, in which only some applications in the infrastructure support IPv6 (mainly during the transition to full dual stack or IPv6 only); and 3) IPv6 only, in which all nodes in the infrastructure operate exclusively on IPv6.

Q. How is dual stack possible given that EFT currently supports only “all incoming” or a single listener IP address?

A. You can choose a single listener IP address, all incoming IPv4 addresses, all incoming IPv6 addresses, all incoming IPv4 and IPv6 addresses, or multiple specific IPv4 and/or IPv6 addresses for the Site and/or administration listeners.

Q. If EFT and DMZ Gateway are working in a pure IPv6 environment, how will they correspond with the outside world, parts of which are still using IPv4?

A. DMZ Gateway's server support for IPv6 was ingeniously implemented so that it can act as a 4to6 or 6to4 translator. For example, DMZ Gateway can listen on IPv4 IPs for incoming connections, but then route those to IPv6 listeners in EFT. Likewise, it can broker IPv6-initiated connections from EFT to external hosts located on IPv4 networks.

Q. Is EFT backward compatible with prior versions of the DMZ Gateway?

A. Yes. For IPv6 support, you will need to upgrade to DMZ Gateway v3.2 or later.

Q. Is IPv6 support available by default when newly installed?

A. Yes, IPv6 support is available by default. However, on dual stack systems, IPv6 listener IPs are not selected by default. To comply with Department of Defense requirement 5.3.5.4, 1.2 (all nodes and interfaces that are IPv6 capable must be carefully configured and verified prior to enabling/using IPv6), it is up to the administrator to configure which IPv6 addresses to use as the listener, rather than the default "All incoming IPv4" selection (if IPv6 support is required).

Q. How does EFT support IPv6 for FTP connections, given the need for separate control and data channels?

A. EFT (as both server and client) fully complies with RFC 2428 for client-initiated negotiation of extended port (EPRT) and extended passive (EPSV) data connection modes. Furthermore, EFT complies with draft-ietf-ftpext2-ftp64-00, an ingenious solution to a scenario in which a pure IPv6 client connects to an IPv4 server over a 6to4 translator, but receives an error in response to the EPSV command (unsupported by the IPv4 server). In that case, EFT reverts to sending the PASV command to obtain the port number, but then uses the host’s IPv6 address as the data connection address, ignoring the IPv4 address returned in response to the PASV command.
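
The EPSV-then-PASV fallback described in this answer, as an added Python sketch of the client-side decision (not EFT code). The reply strings, addresses and function names are constructed for illustration; `send` stands in for the control connection.

```python
import re

EPSV_RE = re.compile(r"\((.)\1\1(\d{1,5})\1\)")   # (<d><d><d>port<d>)
PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def _check_port(port):
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return port

def parse_epsv(reply):
    """Port from a 229 reply; RFC 2428 carries no address in it."""
    m = EPSV_RE.search(reply)
    if not reply.startswith("229") or not m:
        raise ValueError(f"not a valid EPSV reply: {reply!r}")
    return _check_port(int(m.group(2)))

def parse_pasv(reply):
    """(ipv4, port) from a 227 reply of the form (h1,h2,h3,h4,p1,p2)."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError(f"not a valid PASV reply: {reply!r}")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"field above 255 in PASV reply: {reply!r}")
    return ".".join(map(str, nums[:4])), _check_port(nums[4] * 256 + nums[5])

def open_passive(control_peer, send):
    """Return (host, port) for the data connection.

    control_peer is the IPv6 address the control connection is using.
    """
    reply = send("EPSV")
    if reply.startswith("229"):
        return control_peer, parse_epsv(reply)
    # EPSV refused: take only the port from PASV and discard its IPv4
    # address, so the data connection goes to the control-channel host.
    _ignored_ipv4, port = parse_pasv(send("PASV"))
    return control_peer, port

# Constructed replies from two kinds of server.
RFC2428_SERVER = {"EPSV": "229 Entering Extended Passive Mode (|||6446|)"}.get
LEGACY_V4_SERVER = {
    "EPSV": "500 'EPSV': command not understood",
    "PASV": "227 Entering Passive Mode (192,0,2,10,25,46)",
}.get

if __name__ == "__main__":
    print(open_passive("2001:db8::10", RFC2428_SERVER))
    print(open_passive("2001:db8::10", LEGACY_V4_SERVER))
```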

Q. Can EFT audit or log IPv6 addresses?

A. Yes. EFT can both audit and report IPv6 addresses, including the file transfer status viewer and anywhere else IP addresses are displayed or saved in the program. Note that IPv6 addresses are displayed in the administration interface, status viewer, and reports using shorthand form to conserve space (according to section 3 of RFC 1924). The exception to this rule is in the DMZ Gateway, which uses the preferred form (also documented in section 3 of RFC 1924).

Q. Can EFT connect to my SMTP server, LDAP, or AD for the authentication provider or the ARM SQL Server if they are on an IPv6 network?

A. As long as the remote system or component is addressable via IPv6, you can specify an IPv6 address and EFT will connect to the IPv6 host.

Q. How does IPv6 affect upgrades or backup-and-restore functions?

A. The current Site/administrator listeners will be respected and warnings will occur if their IP addresses are no longer present. Existing COM scripts will not be affected. When restoring from a backed up configuration, the specified listener IP addresses are conserved; however, you will be given the option to specify new listeners, including IPv6 addresses (if present), or a mix of IPv4 and IPv6 addresses.

Q. Does EFT’s ban list work with IPv6 IP addresses?

A. DoS and Flood protection work regardless of protocol, along with all controls related to managing IP ban lists. What’s more, EFT now supports Classless Inter-Domain Routing (CIDR) for IP masking for banned IPv4 and IPv6 addresses, meaning you can now specify masks such as 255.255.29.0/24 or 2001:cdba:9abc:5678::/64 instead of wildcard masking, although wildcards are still supported for IPv4 address masking for legacy users.
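
How a mixed IPv4/IPv6 CIDR rule list is evaluated, as an added Python example (not EFT code) using the two networks from the feature list above. It goes one step beyond the page by folding IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) back to IPv4 before matching; whether EFT does this is not stated here, so treat it as an assumption to verify on a dual-stack listener.

```python
import ipaddress

def load_rules(cidrs):
    """Parse CIDR strings; strict=True rejects rules with host bits set,
    which usually means the mask or the address was mistyped."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def normalise(addr):
    """Parse an address and unwrap IPv4-mapped IPv6 to plain IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def matching_rule(addr, rules):
    """Return the first network containing addr, or None."""
    ip = normalise(addr)
    for net in rules:
        # A rule only applies to addresses of its own family.
        if ip.version == net.version and ip in net:
            return net
    return None

# The example networks from this page.
RULES = load_rules(["2001:cdba:9abc:5678::/64", "192.168.29.0/24"])

# Constructed peer addresses, as they might appear in a connection log.
SAMPLE_PEERS = [
    "192.168.29.77",
    "::ffff:192.168.29.77",        # same IPv4 host seen on an IPv6 socket
    "2001:cdba:9abc:5678:1::9",
    "2001:cdba:9abc:5679::1",      # neighbouring /64, not covered
]

def banned_peers(peers, rules):
    """Map each peer that matches a rule to the rule that matched."""
    hits = {}
    for peer in peers:
        rule = matching_rule(peer, rules)
        if rule is not None:
            hits[peer] = str(rule)
    return hits

if __name__ == "__main__":
    for peer, rule in banned_peers(SAMPLE_PEERS, RULES).items():
        print(f"{peer} matches {rule}")
```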

Q. How does EFT know whether the host address supplied for a remote connection is IPv4 or IPv6?

A. In accordance with RFC 3484, EFT will use address look-up to determine the family and correct connection type without asking the administrator for more information. Address look-up will result in a list of addresses ordered by most preferred. EFT will then attempt to connect to each address in order until a successful connection occurs or that list is exhausted, and will log the result in the EFT debug log. Keep in mind that you can enter an IPv4, IPv6, or host address anywhere an address can be entered. The only exceptions are fields that cannot take host addresses, such as the Site listener IP.

Q. When specifying multiple IP addresses, which source IP address is used for binding when making an outbound connection as part of an Event Rule sequence?

A. EFT can automatically choose the IP address (it selects from the top of adaptor order using whatever internal mechanisms Windows uses) or the administrator can specify the source IP address.

Q. What if I’m not using or don’t care about IPv6? Will I notice any change?

A. We have made IPv6 support as unobtrusive as possible. Pure IPv4 customers will not be affected and will not see any UI or other changes. A difference will only be noticed once/if IPv6 adaptors are physically enabled on the system.

Q. What about COM support for IPv6?

A. New methods have been created to fully support IPv6, while legacy methods have been retained for backward compatibility. (Refer to the COM API reference for details.)