Microsoft working on implementation of modern internet standards

IPv6 for VNet

Starting this month, Microsoft is making IPv6 available for all users of its Azure Virtual Network (VNet). Subscribers will then be able to create dual-stack set-ups, where any Windows or Linux application or virtual machine can have both an IPv4 address and an IPv6 address at the same time. That will be the case both for internal (private) networks and for public interfaces. According to this overview, nearly all facilities that were already available for IPv4 are now available for IPv6 as well, including VPNs, firewalls, load balancers and anti-DDoS protection systems. Microsoft is a longstanding advocate of IPv6 adoption. IPv6 is integral to the Windows operating system, for example. Consequently, applications are no longer tested at all in situations where IPv6 is disabled. Microsoft has also said that IPv6 was in the picture right from the first Xbox design. More recently, the corporation has enabled IPv6 for various peer-to-peer applications that otherwise encounter connection problems. IPv6 is now enabled by default, and Microsoft is working on IPv6 support for all Xbox applications. What's more, Microsoft has spent several years migrating its own networks to IPv6-only, for the simple reason that the Azure group required all the corporation's public IPv4 addresses to provide connectivity for all their external customers' (cloud-based) systems and services.

DNSSEC and DANE

Progress is being made with DNSSEC and DANE (for mail) as well, albeit more slowly. By the end of this year, Office 365 Exchange Online will support DANE for outgoing mail. Within a further year, the two standards will be supported for incoming mail as well. For DANE to work, DNSSEC has to be supported, because trust in TLSA records is based on the DNSSEC infrastructure. Before the year is out, therefore, DNSSEC will be implemented on Microsoft's Exchange mail domains. Responding to Microsoft's announcement, the Forum for Standardisation has advised government organisations thinking of switching to Exchange Online to wait until the corporation has completed its implementation. According to Microsoft, the hundred-plus organisations that are already (or still) on Exchange Online will have to install separate gateways if they now want IPv6 support.

Official pressure

For several years now, Microsoft customers have been calling for the addition of DNSSEC and DANE support to the Azure and Office 365 cloud services. [1, 2] Until now, however, those calls have not led to action. Last autumn, the National Strategic Vendor Management (SLM) team for Microsoft and the Forum for Standardisation increased the pressure on Microsoft. The move was prompted by the latest Information Standards Survey, which found that DNSSEC/DANE support by municipal and provincial authorities had declined as a consequence of several authorities switching to Office 365. That development was completely at odds with the obligation that all public bodies in the Netherlands have to implement the standards on the 'use-or-explain' list.

Aspiration agreements

A Joint Ambition Statement that includes implementation deadlines for modern (security) standards has additionally been agreed with the Pan-governmental Digital Government Policy Forum (OBDO). Although use of such standards has increased substantially in recent years, not a single adoption target has been met in full. More recently, a Joint Ambition Statement on IPv6 has been agreed, under which all government bodies have to support IPv6 connectivity by the end of 2021. Indeed, IPv6 has been on the 'use-or-explain' list since 2010. However, the Forum for Standardisation says that only 64 per cent of government websites currently support the protocol. And the figure for mail servers (MX gateways) is just 22 per cent. With a view to accelerating progress, the Joint Ambition Statement now provides for progress on IPv6 to be checked and reported twice a year.