The Cable Guy - September 2005

Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008

By The Cable Guy

Microsoft® Windows Vista and Windows Server 2008 include a new implementation of the TCP/IP protocol suite known as the Next Generation TCP/IP stack. The TCP/IP protocol stack provided with Windows XP and Windows Server 2003 was originally designed in the early 1990s and was modified and enhanced over time to meet the needs of home and enterprise users. The Next Generation TCP/IP stack in Windows Vista and Windows Server 2008 is a complete redesign of TCP/IP functionality for both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) that meets the connectivity and performance needs of today's varied networking environments and technologies.

Features of the Next Generation TCP/IP Stack

The following are the new features of the Next Generation TCP/IP stack:

• Dual IP layer architecture for IPv6

  The implementation of IPv6 in Windows XP and Windows Server 2003 is a dual stack architecture. For IPv6 support, you have to install a separate protocol through the Network Connections folder. The separate IPv6 protocol stack had its own Transport layer that included Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) and its own Framing layer. Changes to protocols in either the Transport or Framing layers had to be done to two Windows drivers; Tcpip.sys for the IPv4 protocol stack and Tcpip6.sys for the IPv6 protocol stack.

  The Next Generation TCP/IP stack supports the dual IP layer architecture in which the IPv4 and IPv6 implementations share common Transport and Framing layers. The Next Generation TCP/IP stack has both IPv4 and IPv6 enabled by default. There is no need to install a separate component to obtain IPv6 support.

  For more information about IPv6 enhancements in the Next Generation TCP/IP stack, see Changes to IPv6 in Windows Vista and Windows Server 2008, the October 2005 The Cable Guy article.

• Easier kernel mode network programming

  The Next Generation TCP/IP stack supports Winsock Kernel (WSK), a new kernel-mode programming interface that is designed to eventually replace the Transport Driver Interface (TDI) in Windows XP and Windows Server 2003. Windows Vista and Windows Server 2008 also support TDI.

• Support for a strong host model

  When a unicast packet arrives at a host, IP must determine whether the packet is locally destined (its destination matches an address that is assigned to an interface of the host). IP implementations that follow a weak host model accept any locally destined packet, regardless of the interface on which the packet was received. IP implementations that follow the strong host model only accept locally destined packets if the destination address in the packet matches an address assigned to the interface on which the packet was received. The current IPv4 implementation in Windows XP and Windows Server 2003 uses the weak host model. The Next Generation TCP/IP stack supports the strong host model for both IPv4 and IPv6 and is configured to use it by default. You can configure the Next Generation TCP/IP stack to use a weak host model. The weak host model provides better network connectivity. However, it also makes hosts susceptible to multihome-based network attacks. For more information, see Strong and Weak Host Models

• New security and packet filtering APIs

  The interfaces in the current TCP/IP stack for TCP/IP security (filtering for local host traffic), the firewall hook, the filter hook, and the storage of packet filter information has been replaced with a new framework known as the Windows Filtering Platform (WFP). WFP provides filtering capability at all layers of the TCP/IP protocol stack. WFP is more secure, integrated in the stack, and much easier for independent software vendors (ISVs) to build drivers, services, and applications that must filter, analyze, or modify TCP/IP traffic. For more information about WFP, see Windows Filtering Platform.

• New mechanisms for protocol stack offload

  The Next Generation TCP/IP stack can offload the processing of TCP and other types of traffic to Network Driver Interface Specification (NDIS) miniport drivers and network interface adapters. Offloading TCP and other protocol processing can improve performance for high-bandwidth networks or high-volume servers.

• New support for scaling on multi-processor computers

  The architecture of NDIS 5.1 and earlier versions limits receive protocol processing to a single processor. This limitation can inhibit scaling to large volumes of network traffic on a multi-processor computer. Receive-side scaling (RSS) resolves this issue by allowing the network load from a network adapter to be balanced across multiple processors. For more information, see Scalable Networking with RSS.

• New extensibility

  The Next-Generation TCP/IP stack has an infrastructure to enable more modular components that can be dynamically inserted and removed.

• Reconfigure without having to restart the computer

  The Next-Generation TCP/IP stack uses a new method to store configuration settings that enables more dynamic control and does not require a computer restart after settings are changed.

• Automatic configuration of stack settings based on different network environments

  The Next-Generation TCP/IP stack automatically senses the network environment and adjusts key performance settings, such as the TCP receive window. Improved stack auto-tuning and configuration reduces the need for manual configuration of TCP/IP settings.

• Supportability enhancements

  There is extensive support for run-time diagnostics, including support for TCP Management Information Base (MIB)-II and better system event logging and tracing.

The following features are improvements in the Next Generation TCP/IP stack:

• Better support for computers that roam between networks.

• Better support for developers of multicast-enabled applications and networks.

• TCP performance enhancements for high-speed networks, asymmetric satellite links, and wireless and other high loss networks. For more information, see Performance Enhancements in the Next Generation TCP/IP Stack, the November 2005 The Cable Guy article.

• Improved portability of the Next Generation TCP/IP stack to other Microsoft operating systems such as Windows CE, Xbox, and Windows Embedded.

• Improved resistance against all known TCP/IP-based denial of service and other types of network attacks.

Architecture of the Next Generation TCP/IP Stack

The following figure shows the architecture of the Next Generation TCP/IP stack.

The three principal APIs by which applications, services, or other system components access the Next Generation TCP/IP stack are the following:

• WSK Used by WSK clients. For more information, see Winsock Kernel in the Windows Driver Kit.

• Windows Sockets Used by Windows Sockets-based applications and services. The Windows Sockets API operates through the Ancillary Function Driver (AFD) to perform Socket functions with TCP/IP.

• TDI Used by NetBIOS over TCP/IP (NetBT) and other legacy TDI clients. TDX is a translation layer between TDI and the Next Generation TCP/IP stack.

The Next Generation TCP/IP stack exposes an WFP Callout API, which provides a consistent, general-purpose interface to perform deep inspection or data modification of packet contents. The WFP Callout API is part of WFP. The Next Generation TCP/IP stack provides access to the packet processing path at the Network and Transport layers.

The Next Generation TCP/IP stack sends and receives frames using NDIS.

The architecture of the Next Generation TCP/IP stack driver (Tcpip.sys) consists of the following layers:

• Transport layer Contains the implementations of TCP and UDP, and a mechanism to send raw IP packets that do not need a TCP or UDP header.

• Network layer Contains implementations of both IPv4 and IPv6 in a dual IP layer architecture.

• Framing layer Contains modules that frame IPv4 or IPv6 packets. Modules exist for physical networking technologies such as IEEE 802.3 (Ethernet), IEEE 802.11, wide area networks (Point-to-Point Protocol [PPP]-based traffic), and IEEE 1394 interfaces. Modules also exist for logical interfaces such as the loopback interface, IPv4-based tunnels, and IPv6-based tunnels. IPv4-based tunnels are commonly used for IPv6 transition technologies.

For More Information

For more information about this topic, consult the following resources:

• Windows Server 2008 TCP/IP Protocols and Services book from Microsoft Press

• Microsoft Windows Vista Web page

• Windows Vista Resources for IT Professionals

• Microsoft Windows Server 2003 TCP/IP Implementation Details white paper

For a list of all The Cable Guy articles, click here.