
ISATAP

ISATAP is an address assignment and host-to-host, host-to-router, and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet. ISATAP is described in the Internet draft titled "Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)." ISATAP hosts do not require any manual configuration and create ISATAP addresses by using standard address autoconfiguration mechanisms.

ISATAP can be used for communication between IPv6/IPv4 nodes on an IPv4 network. ISATAP addresses use the locally administered interface identifier ::0:5EFE:w.x.y.z, where:

  • The 0:5EFE portion is formed from the combination of an Organizational Unit Identifier (OUI) assigned by the Internet Assigned Numbers Authority (IANA) (00-00-5E), and a type that indicates an embedded IPv4 address (FE).
  • The w.x.y.z portion is any unicast IPv4 address, which includes both public and private addresses.

The ISATAP interface identifier can be combined with any 64-bit prefix that is valid for IPv6 unicast addresses. This includes the link-local address prefix (FE80::/64), site-local prefixes, and global prefixes (including 6to4 prefixes).

Like IPv4-mapped addresses, 6over4 addresses, and 6to4 addresses, ISATAP addresses contain an embedded IPv4 address that can be used to determine either the source or destination IPv4 addresses within the IPv4 header when ISATAP-addressed IPv6 traffic is tunneled across an IPv4 network.

By default, the IPv6 protocol for Windows XP and the Windows .NET Server 2003 family automatically configures the link-local ISATAP address of FE80::5EFE:w.x.y.z on the Automatic Tunneling Pseudo-Interface (interface index 2) for each IPv4 address that is assigned to the node. These link-local ISATAP addresses allow two hosts to communicate over an IPv4 network by using each other's link-local ISATAP address.

For example, Host A is configured with the IPv4 address of 10.40.1.29 and Host B is configured with the IPv4 address of 192.168.41.30. When the IPv6 protocol for Windows XP or the Windows .NET Server 2003 family is started, Host A is automatically configured with the ISATAP address of FE80::5EFE:10.40.1.29 and Host B is automatically configured with the ISATAP address of FE80::5EFE:192.168.41.30. This configuration is shown in Figure 11-11.

Figure 11-11. An ISATAP configuration

When Host A sends IPv6 traffic to Host B by using Host B's link-local ISATAP address, the source and destination addresses for the IPv6 and IPv4 headers are as listed in Table 11-4.

Table 11-4. Example Link-local ISATAP Addresses

Field                      Value
-------------------------  ------------------------
IPv6 Source Address        FE80::5EFE:10.40.1.29
IPv6 Destination Address   FE80::5EFE:192.168.41.30
IPv4 Source Address        10.40.1.29
IPv4 Destination Address   192.168.41.30

To test connectivity, use the ping command. For example, Host A would use the following command to ping Host B by using Host B's link-local ISATAP address:

ping FE80::5EFE:192.168.41.30%2

Because the destination of the ping command is a link-local address, the %ZoneID portion of the command is used to specify the interface index of the interface from which traffic is sent. In this case, %2 specifies interface 2, which is the interface index assigned to the Automatic Tunneling Pseudo-Interface on Host A. The Automatic Tunneling Pseudo-Interface uses the link-local ISATAP address assigned to the interface as a source, and uses the last 32 bits in the source and destination IPv6 addresses (corresponding to the embedded IPv4 addresses) as the source and destination IPv4 addresses.
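The address format described in this section can be built and recognized programmatically, which is useful when correlating IPv6 addresses in logs with the IPv4 hosts behind them. The following Python sketch is an added example, not code from the book; the function names are hypothetical, the sample list is constructed from addresses used on this page, and the second marker value (0200:5EFE) comes from RFC 5214 rather than from this page.

```python
import ipaddress
from collections import defaultdict

# Bits 32-63 of an ISATAP address. 0000:5EFE is the form this page describes;
# RFC 5214 also defines 0200:5EFE (u bit set) for globally unique IPv4
# addresses, so both are accepted here.
ISATAP_MARKERS = {0x00005EFE, 0x02005EFE}


def isatap_address(prefix, ipv4):
    """Combine a 64-bit prefix with the interface ID ::0:5EFE:w.x.y.z."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface IDs need a 64-bit prefix")
    iid = (0x00005EFE << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_ipv4(address):
    """Return the IPv4 address inside an ISATAP address, or None."""
    # Drop a zone ID such as the %2 used with ping for link-local targets.
    value = int(ipaddress.IPv6Address(address.split("%")[0]))
    if (value >> 32) & 0xFFFFFFFF not in ISATAP_MARKERS:
        return None
    return ipaddress.IPv4Address(value & 0xFFFFFFFF)


def group_by_ipv4_host(addresses):
    """Map each embedded IPv4 address to the ISATAP addresses that carry it."""
    hosts = defaultdict(list)
    for address in addresses:
        ipv4 = embedded_ipv4(address)
        if ipv4 is not None:
            hosts[str(ipv4)].append(address)
    return dict(hosts)


# Constructed sample: addresses as they might appear in a log or inventory,
# using values from this page's examples plus one non-ISATAP address.
SAMPLE = [
    "FE80::5EFE:10.40.1.29",
    "FE80::5EFE:192.168.41.30%2",
    "fe80::5efe:9d3c:88d9",
    "3FFE:2900:D005:F28B:0:5EFE:157.60.136.217",
    "FEC0::F28B:0:5EFE:157.60.136.217",
    "fe80::20c:29ff:fe1a:2b3c",  # constructed EUI-64 style address, not ISATAP
]

if __name__ == "__main__":
    for host, addrs in group_by_ipv4_host(SAMPLE).items():
        print(host, addrs)
```

Grouping by embedded IPv4 address shows that the link-local, site-local, and global ISATAP addresses of one host all share the same interface ID.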

Using an ISATAP Router

The use of link-local ISATAP addresses allows IPv6/IPv4 hosts on the same logical subnet (an IPv4 network) to communicate with each other, but not with other IPv6 addresses on other subnets. To communicate outside the logical subnet by using ISATAP-derived global or site-local addresses, IPv6 hosts using ISATAP addresses must tunnel their packets to an ISATAP router.

An ISATAP router is an IPv6 router that performs the following:

  • Forwards packets between ISATAP hosts on a logical subnet (an IPv4 network) and hosts on other subnets.

    The other subnets can be other IPv4 networks (such as a portion of an organization network or the IPv4 Internet) or subnets in a native IPv6 routing domain (such as an organization's IPv6 network or the IPv6 Internet).

  • Acts as a default router for ISATAP hosts.
  • Advertises address prefixes to identify the logical subnet on which ISATAP hosts are located. ISATAP hosts use the advertised address prefixes to configure site-local and global ISATAP addresses.

When an ISATAP host receives a router advertisement from an ISATAP router, a default route (::/0) is added using the Automatic Tunneling Pseudo-Interface with the next-hop address set to the link-local ISATAP address that corresponds to the logical subnet interface of the ISATAP router. When packets destined to locations outside the logical subnet are sent, they are tunneled to the IPv4 address of the ISATAP router. The specific IPv4 address corresponds to the ISATAP router's interface on the logical subnet defined by the IPv4 network that contains the ISATAP router and the ISATAP host. The ISATAP router then forwards the IPv6 packet.

For the IPv6 protocol for Windows XP and the Windows .NET Server 2003 family, the configuration of the intranet IPv4 address of the ISATAP router is obtained through the following:

  • The successful resolution of the name ISATAP to an IPv4 address
  • The netsh interface ipv6 isatap set router command

Resolving the ISATAP Name

When the IPv6 protocol for the Windows .NET Server 2003 family starts, it attempts to resolve the name ISATAP to an IPv4 address by using normal TCP/IP name resolution techniques that include the following:

  1. Checking the local host name.
  2. Checking the Hosts file in the SystemRoot\system32\drivers\etc folder.
  3. Using ISATAP to form a fully qualified domain name and sending a DNS name query. For example, if the Windows XP computer is a member of the example.microsoft.com domain (and example.microsoft.com is the only domain name in the search list), the computer sends a DNS query to resolve the name ISATAP.example.microsoft.com.
  4. Converting the ISATAP name into the NetBIOS name "ISATAP <00>" and checking the NetBIOS name cache.
  5. Sending a NetBIOS name query to a configured WINS server.
  6. Sending NetBIOS broadcasts.
  7. Checking the Lmhosts file in the SystemRoot\system32\drivers\etc folder.

To ensure that at least one of these attempts is successful, do one of the following:

  • If the ISATAP router is a computer running a member of the Windows .NET Server 2003 family, name the computer ISATAP and it will automatically register the appropriate records in DNS and WINS.
  • Manually create an ISATAP address (A) record in the appropriate domain in DNS. For example, for the example.microsoft.com domain, create an A record for ISATAP.example.microsoft.com.
  • Manually create a static WINS record in WINS for the NetBIOS name "ISATAP <00>".
  • Add the following entry to the Hosts file of the computers that need to resolve the name ISATAP:

    IPv4Address ISATAP

  • Add the following entry to the Lmhosts file of the computers that need to resolve the name _ISATAP:

    IPv4Address _ISATAP

Resolving the _ISATAP Name for Windows XP

When the IPv6 protocol for Windows XP starts, it attempts to resolve the name "_ISATAP" rather than "ISATAP." To ensure that a computer running Windows XP can resolve the name ISATAP, you can do one of the following:

  • Manually create a _ISATAP canonical name (CNAME) record in the appropriate domain in DNS. A CNAME record maps a name that is an alias to another name. For example, assuming that an A record already exists for the name ISATAP.example.microsoft.com, create a CNAME record that maps _ISATAP.example.microsoft.com to ISATAP.example.microsoft.com.
  • Manually create a static WINS record in WINS for the NetBIOS name "_ISATAP <00>".
  • Add the following entry to the Hosts file of the computers running Windows XP:

    IPv4Address _ISATAP

  • Add the following entry to the Lmhosts file of the computers running Windows XP:

    IPv4Address _ISATAP

Windows XP with Service Pack 1 (SP1) attempts to resolve the name "ISATAP" to determine the IPv4 address of the ISATAP router. The methods described here are not needed if all your computers are running either a member of the Windows .NET Server 2003 family or Windows XP with SP1.

Using the netsh interface ipv6 isatap set router Command

Although the automatic resolution of the ISATAP name is the recommended method for configuring the IPv4 address of the ISATAP router, you can also use the netsh interface ipv6 isatap set router command for manual configuration. The syntax of this command is:

netsh interface ipv6 isatap set router AddressorName

in which AddressorName is either the IPv4 address of the ISATAP router's intranet interface or the name of the ISATAP router to resolve. For example, if the ISATAP router's IPv4 address is 192.168.39.1, the command is:

netsh interface ipv6 isatap set router 192.168.39.1

Regardless of how the IPv4 address of the ISATAP router is obtained, the host sends an IPv4-encapsulated Router Solicitation message to the ISATAP router. The ISATAP router responds with an IPv4-encapsulated unicast Router Advertisement message advertising itself as a default router and containing prefixes to use for autoconfiguration of ISATAP-based addresses.

Network Monitor Capture

Here is an example of the IPv4-encapsulated Router Solicitation message as displayed by Network Monitor (frame 1 of capture 11_02 in the \NetworkMonitorCaptures folder on the companion CD-ROM):

+ Frame: Base frame properties
+ ETHERNET: ETYPE = Internet IP (IPv4)
  IP: Protocol = IPv6 - Ipv6; Packet ID = 114; Total IP Length = 68; Options = No Options
      IP: Version = IPv4; Header Length = 20
      IP: Type of Service = Normal Service
      IP: Total Length = 68 (0x44)
      IP: Identification = 114 (0x72)
      IP: Fragmentation Summary = 0 (0x0)
      IP: Time to Live = 128 (0x80)
      IP: Protocol = IPv6 - IPv6
      IP: Checksum = 4324 (0x10E4)
      IP: Source Address = 157.60.136.217
      IP: Destination Address = 172.31.87.6
  IP6: Proto = ICMP6; Len = 8
      IP6: Version = 6 (0x6)
      IP6: Traffic Class = 0 (0x0)
      IP6: Flow Label = 0 (0x0)
      IP6: Payload Length = 8 (0x8)
      IP6: Next Header = 58 (ICMP6)
      IP6: Hop Limit = 255 (0xFF)
      IP6: Source Address = fe80::5efe:9d3c:88d9
      IP6: Destination Address = ff02::2
      IP6: Payload: Number of data bytes remaining = 8 (0x0008)
  ICMP6: Router Solicitation
      ICMP6: Type = 133 (Router Solicitation)
      ICMP6: Code = 0 (0x0)
      ICMP6: Checksum = 0xF822
      ICMP6: Reserved

Notice that the IPv4 address of the ISATAP router is 172.31.87.6. Also note the use of the link-local scope all-routers multicast address in the IPv6 header.
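The Router Solicitation above can be rebuilt byte for byte from the listed fields and then checked the way a sensor or analyst would check IPv4 protocol 41 traffic. The following Python sketch is an added example, not code from the book or the capture file from the CD-ROM: the packet is constructed from the displayed field values, and the function names are hypothetical. It verifies the IPv4 and ICMPv6 checksums shown by Network Monitor and tests whether the outer IPv4 source equals the IPv4 address embedded in the inner IPv6 source.

```python
import ipaddress
import struct


def checksum16(data):
    """Internet checksum: complement of the one's-complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_sample():
    """Constructed packet using the Router Solicitation fields shown above."""
    src4 = ipaddress.IPv4Address("157.60.136.217").packed
    dst4 = ipaddress.IPv4Address("172.31.87.6").packed
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 68, 114, 0, 128, 41,
                       0x10E4, src4, dst4)
    src6 = ipaddress.IPv6Address("fe80::5efe:9d3c:88d9").packed
    dst6 = ipaddress.IPv6Address("ff02::2").packed
    ipv6 = struct.pack("!IHBB16s16s", 6 << 28, 8, 58, 255, src6, dst6)
    icmp6 = struct.pack("!BBHI", 133, 0, 0xF822, 0)
    return ipv4 + ipv6 + icmp6


def check_packet(packet):
    """Parse IPv6-in-IPv4 (IPv4 protocol 41) and run consistency checks."""
    if packet[0] >> 4 != 4 or packet[9] != 41:
        raise ValueError("not an IPv4 packet carrying IPv6 (protocol 41)")
    ihl = (packet[0] & 0x0F) * 4
    outer_src = ipaddress.IPv4Address(packet[12:16])
    outer_dst = ipaddress.IPv4Address(packet[16:20])
    inner = packet[ihl:]
    plen, next_hdr = struct.unpack("!HB", inner[4:7])
    src6, dst6 = inner[8:24], inner[24:40]
    payload = inner[40:40 + plen]
    # The ICMPv6 checksum covers a pseudo-header: source, destination,
    # upper-layer length, three zero bytes and the next-header value.
    pseudo = src6 + dst6 + struct.pack("!II", plen, next_hdr)
    inner_src = ipaddress.IPv6Address(src6)
    marker = (int(inner_src) >> 32) & 0xFFFFFFFF
    embedded = ipaddress.IPv4Address(int(inner_src) & 0xFFFFFFFF)
    return {
        "outer_src": str(outer_src),
        "outer_dst": str(outer_dst),
        "inner_src": str(inner_src),
        "inner_dst": str(ipaddress.IPv6Address(dst6)),
        "icmp6_type": payload[0] if next_hdr == 58 else None,
        "ipv4_checksum_ok": checksum16(packet[:ihl]) == 0,
        "icmp6_checksum_ok": next_hdr == 58
                             and checksum16(pseudo + payload) == 0,
        # 0000:5EFE is this page's marker; 0200:5EFE is the RFC 5214 variant.
        "source_consistent": marker in (0x00005EFE, 0x02005EFE)
                             and embedded == outer_src,
    }


if __name__ == "__main__":
    print(check_packet(build_sample()))
```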

Here is an example of the IPv4-encapsulated Router Advertisement message as displayed by Network Monitor (in the \NetworkMonitorCaptures folder on the companion CD-ROM, frame 2 of capture 11_02):

+ Frame: Base frame properties
+ ETHERNET: ETYPE = Internet IP (IPv4)
  IP: Protocol = IPv6 - Ipv6; Packet ID = 34933; Total IP Length = 148; Options = No Options
      IP: Version = IPv4; Header Length = 20
      IP: Type of Service = Normal Service
      IP: Total Length = 148 (0x94)
      IP: Identification = 34933 (0x8875)
      IP: Fragmentation Summary = 0 (0x0)
      IP: Time to Live = 125 (0x7D)
      IP: Protocol = IPv6 - IPv6
      IP: Checksum = 35728 (0x8B90)
      IP: Source Address = 172.31.87.6
      IP: Destination Address = 157.60.136.217
  IP6: Proto = ICMP6; Len = 88
      IP6: Version = 6 (0x6)
      IP6: Traffic Class = 0 (0x0)
      IP6: Flow Label = 0 (0x0)
      IP6: Payload Length = 88 (0x58)
      IP6: Next Header = 58 (ICMP6)
      IP6: Hop Limit = 255 (0xFF)
      IP6: Source Address = fe80::5efe:ac1f:5706
      IP6: Destination Address = fe80::5efe:9d3c:88d9
      IP6: Payload: Number of data bytes remaining = 88 (0x0058)
  ICMP6: Router Advertisement
      ICMP6: Type = 134 (Router Advertisement)
      ICMP6: Code = 0 (0x0)
      ICMP6: Checksum = 0xE6CB
      ICMP6: Current Hop Limit = 0 (0x0)
      ICMP6: 0....... = Not managed address config
      ICMP6: .0...... = Not other stateful config
      ICMP6: Router Lifetime = 0 (0x0)
      ICMP6: Reachable Time = 0 (0x0)
      ICMP6: Retransmission Timer = 0 (0x0)
      ICMP6: MTU = 1280 (0x500)
          ICMP6: Type = 5 (0x5)
          ICMP6: Length = 1 (0x1)
          ICMP6: Reserved
          ICMP6: MTU = 1280 (0x500)
      ICMP6: Prefix = fec0:0:0:f28b::
          ICMP6: Type = 3 (0x3)
          ICMP6: Length = 4 (0x4)
          ICMP6: Prefix Length = 64 (0x40)
          ICMP6: 1....... = On-link determination allowed
          ICMP6: .1...... = Autonomous address configuration
          ICMP6: Valid Lifetime = 4294967295 (0xFFFFFFFF)
          ICMP6: Preferred Lifetime = 4294967295 (0xFFFFFFFF)
          ICMP6: Reserved
          ICMP6: Prefix = fec0:0:0:f28b::
      ICMP6: Prefix = 3ffe:2900:d005:f28b::
          ICMP6: Type = 3 (0x3)
          ICMP6: Length = 4 (0x4)
          ICMP6: Prefix Length = 64 (0x40)
          ICMP6: 1....... = On-link determination allowed
          ICMP6: .1...... = Autonomous address configuration
          ICMP6: Valid Lifetime = 4294967295 (0xFFFFFFFF)
          ICMP6: Preferred Lifetime = 4294967295 (0xFFFFFFFF)
          ICMP6: Reserved
          ICMP6: Prefix = 3ffe:2900:d005:f28b::

Notice that the Router Advertisement message contains an MTU option setting the MTU over the tunnel interface to 1,280 and two Prefix Information options—one for the global prefix 3FFE:2900:D005:F28B::/64 and one for the site-local prefix FEC0:0:0:F28B::/64.

Upon receipt of this Router Advertisement message, a computer running Windows XP or the Windows .NET Server 2003 family and assigned the single IPv4 address 157.60.136.217 will:

  • Autoconfigure the addresses of 3FFE:2900:D005:F28B:0:5EFE:157.60.136.217 and FEC0::F28B:0:5EFE:157.60.136.217 on the Automatic Tunneling Pseudo-Interface.

    If the host had multiple IPv4 addresses assigned, the IPv4 address used in the ISATAP-derived interface ID would be that which is the best source to reach 172.31.87.6, the IPv4 address of the ISATAP router.

  • Use DNS Dynamic Update to automatically register the addresses of 3FFE:2900:D005:F28B:0:5EFE:157.60.136.217 and FEC0::F28B:0:5EFE:157.60.136.217 as AAAA records in DNS (provided that the host has already automatically registered the IPv4 address of 157.60.136.217).

Configuring the IPv6 Protocol for Windows XP and the Windows .NET Server 2003 Family as an ISATAP Router

A computer running the IPv6 protocol for Windows XP and the Windows .NET Server 2003 family can be configured as an ISATAP router. Assuming that the router is already configured to forward IPv6 traffic on its LAN interfaces and has a default route that is configured to be published, the additional commands that need to be issued on the router are:

netsh interface ipv6 set interface 2 forwarding=enabled advertise=enabled

netsh interface ipv6 set route Address/PrefixLength 2 publish=yes

The first command enables forwarding and advertising on interface index 2, the interface index assigned to the Automatic Tunneling Pseudo-Interface. The Automatic Tunneling Pseudo-Interface is the interface on which Router Solicitation messages and traffic to be forwarded are received.

The second command enables the advertisement of a specific prefix (Address/PrefixLength) over the Automatic Tunneling Pseudo-Interface. Use this command one or multiple times to advertise as many prefixes as required. All the prefixes configured using this command are included in the Router Advertisement message sent back to the ISATAP host.

If the router is not named ISATAP or the name ISATAP is not resolved to the IPv4 address of the router's intranet interface, you also need to issue the following command on the router:

netsh interface ipv6 isatap set router AddressorName

in which AddressorName is either the IPv4 address of the router's intranet interface or the name of the router that resolves to the IPv4 address of the router's intranet interface.

For information about how to configure a computer running the IPv6 protocol for Windows XP and the Windows .NET Server 2003 family to forward IPv6 traffic on its LAN interfaces and advertise itself as a default router, see Chapter 10, "IPv6 Routing."

ISATAP and 6to4 Example

Figure 11-12 shows two ISATAP hosts using 6to4 prefixes that are communicating across the Internet even though each site is using the 192.168.0.0/16 private address space internally.

Figure 11-12. Communication between ISATAP hosts in different 6to4 sites

In this configuration:

  • ISATAP Host A automatically configures a link-local ISATAP address of FE80::5EFE:192.168.12.9 on its Automatic Tunneling Pseudo-Interface.
  • 6to4 Router A automatically configures the link-local ISATAP addresses of FE80::5EFE:192.168.204.1 and FE80::5EFE:157.54.0.1 on its Automatic Tunneling Pseudo-Interface.
  • 6to4 Router B automatically configures the link-local ISATAP addresses of FE80::5EFE:192.168.39.1 and FE80::5EFE:131.107.0.1 on its Automatic Tunneling Pseudo-Interface.
  • ISATAP Host B automatically configures a link-local ISATAP address of FE80::5EFE:192.168.141.30 on its Automatic Tunneling Pseudo-Interface.

ISATAP Host A can reach 6to4 Router A and all other hosts within Site A by using link-local ISATAP addresses. However, ISATAP Host A cannot reach any addresses outside Site A. As a 6to4 router, 6to4 Router A constructs the global prefix 2002:9D36:1:5::/64 (9D36:1 is the colon hexadecimal notation for 157.54.0.1 and 5 is the interface index of 6to4 Router A's intranet interface) and advertises it using a router advertisement on its intranet interface. However, ISATAP Host A is not on 6to4 Router A's intranet subnet and will never create a global address based on this 6to4 prefix.

To configure ISATAP Host A to receive the router advertisement from 6to4 Router A, the network administrator for Site A has configured 6to4 Router A as an ISATAP router and added an A record to Site A's DNS infrastructure so that the name ISATAP is resolved to the IPv4 address of 192.168.204.1. Upon startup, the IPv6 protocol on Host A resolves the ISATAP name and sends a Router Solicitation message to the addresses as listed in Table 11-5.

Table 11-5. Addresses in the Router Solicitation Message

Field                      Value
-------------------------  ------------------------
IPv6 Source Address        FE80::5EFE:192.168.12.9
IPv6 Destination Address   FF02::2
IPv4 Source Address        192.168.12.9
IPv4 Destination Address   192.168.204.1

Upon receipt of the Router Solicitation message from ISATAP Host A, 6to4 Router A sends back a unicast Router Advertisement message advertising 6to4 Router A as a default router and with a Prefix Information option to automatically configure IPv6 addresses using the prefix 2002:9D36:1:2::/64 (9D36:1 is the colon hexadecimal notation for 157.54.0.1 and 2 is the interface index of 6to4 Router A's Automatic Tunneling Pseudo-Interface).

The Router Advertisement message is sent to the addresses as listed in Table 11-6.

Table 11-6. Addresses in the Router Advertisement Message

Field                      Value
-------------------------  ------------------------
IPv6 Source Address        FE80::5EFE:192.168.204.1
IPv6 Destination Address   FE80::5EFE:192.168.12.9
IPv4 Source Address        192.168.204.1
IPv4 Destination Address   192.168.12.9

Upon receipt of the Router Advertisement message, ISATAP Host A autoconfigures the address 2002:9D36:1:2:0:5EFE:192.168.12.9, a default route (::/0) using the Automatic Tunneling Pseudo-Interface (interface index 2) with the next-hop address of FE80::5EFE:192.168.204.1, and a 2002:9D36:1:2::/64 route using the Automatic Tunneling Pseudo-Interface.

Similarly, 6to4 Router B is configured as an ISATAP router and Site B has an appropriate A record in its DNS infrastructure so that ISATAP Host B autoconfigures the address 2002:836B:1:2:0:5EFE:192.168.141.30 (836B:1 is the colon hexadecimal notation for 131.107.0.1), a default route (::/0) using the Automatic Tunneling Pseudo-Interface (interface index 2) with the next-hop address of FE80::5EFE:192.168.39.1, and a 2002:836B:1:2::/64 route using the Automatic Tunneling Pseudo-Interface.

ISATAP Host A can now send a packet to ISATAP Host B. Let's examine the packet addressing in three parts (as shown in Figure 11-12) during its trip from ISATAP Host A to ISATAP Host B.

Part 1: From ISATAP Host A to 6to4 Router A

When ISATAP Host A sends the IPv6 packet, it sends it with the ::/0 route that uses the Automatic Tunneling Pseudo-Interface to the next-hop address of FE80::5EFE:192.168.204.1. By using this route, the next-hop address for this packet is set to the link-local ISATAP address of 6to4 Router A (FE80::5EFE:192.168.204.1).

Using the Automatic Tunneling Pseudo-Interface, the packet is tunneled by using IPv4 from the IPv4 address assigned to its intranet interface (192.168.12.9) to the embedded IPv4 address in the ISATAP interface ID of the next-hop address (192.168.204.1). The resulting addresses are listed in Table 11-7.

Table 11-7. Addresses in Part 1

Field                      Value
-------------------------  -----------------------------------
IPv6 Source Address        2002:9D36:1:2:0:5EFE:192.168.12.9
IPv6 Destination Address   2002:836B:1:2:0:5EFE:192.168.141.30
IPv4 Source Address        192.168.12.9
IPv4 Destination Address   192.168.204.1

Part 2: From 6to4 Router A to 6to4 Router B

6to4 Router A receives the IPv4 packet and removes the IPv4 header. When 6to4 Router A forwards the IPv6 packet, it forwards it with the 2002::/16 route that uses the 6to4 Tunneling Pseudo-Interface. By using this route, the next-hop address for this packet is set to the destination address (2002:836B:1:2:0:5EFE:192.168.141.30).

Using the 6to4 Tunneling Pseudo-Interface, the packet is tunneled by using IPv4 from the IPv4 address assigned to its Internet interface (157.54.0.1) to the embedded IPv4 address in the 6to4 NLA ID of the next-hop address (131.107.0.1). The resulting addresses are listed in Table 11-8.

Table 11-8. Addresses in Part 2

Field                      Value
-------------------------  -----------------------------------
IPv6 Source Address        2002:9D36:1:2:0:5EFE:192.168.12.9
IPv6 Destination Address   2002:836B:1:2:0:5EFE:192.168.141.30
IPv4 Source Address        157.54.0.1
IPv4 Destination Address   131.107.0.1

Part 3: From 6to4 Router B to ISATAP Host B

6to4 Router B receives the IPv4 packet and removes the IPv4 header. When 6to4 Router B forwards the IPv6 packet, it forwards it with the 2002:836B:1:2::/64 route that uses its Automatic Tunneling Pseudo-Interface. By using this route, the next-hop address for this packet is set to the destination address (2002:836B:1:2:0:5EFE:192.168.141.30).

Because the Automatic Tunneling Pseudo-Interface is used to forward the packet, the packet is tunneled by using IPv4 from the IPv4 address assigned to its intranet interface (192.168.39.1) to the embedded IPv4 address in the ISATAP interface ID of the next-hop IPv6 address (192.168.141.30). The resulting addresses are listed in Table 11-9.

Table 11-9. Addresses in Part 3

Field                      Value
-------------------------  -----------------------------------
IPv6 Source Address        2002:9D36:1:2:0:5EFE:192.168.12.9
IPv6 Destination Address   2002:836B:1:2:0:5EFE:192.168.141.30
IPv4 Source Address        192.168.39.1
IPv4 Destination Address   192.168.141.30
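The three-part trip can be reproduced by applying each node's routes and deriving the outer IPv4 header from the next-hop address, which also shows which IPv4 endpoints carry the protocol 41 traffic on each segment. The following Python sketch is an added example, not code from the book; the function names and the NODES table are hypothetical, the routes are transcribed from the walkthrough above, and the 2002:9D36:1:2::/64 route on 6to4 Router A is assumed by symmetry with the route described for 6to4 Router B.

```python
import ipaddress


def sixto4_prefix(public_ipv4, subnet_id):
    """Build 2002:WWXX:YYZZ:subnet::/64 from a 6to4 router's public IPv4."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    base = (0x2002 << 112) | (v4 << 80) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def tunnel_destination(next_hop, interface):
    """IPv4 destination a tunneling pseudo-interface derives from a next hop."""
    value = int(ipaddress.IPv6Address(next_hop))
    if interface == "isatap":   # last 32 bits of the ISATAP interface ID
        return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))
    if interface == "6to4":     # 32 bits that follow the 2002::/16 prefix
        return str(ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF))
    raise ValueError("unknown tunnel interface: " + interface)


# Subnet ID 2 is the interface index of the Automatic Tunneling
# Pseudo-Interface, as in the walkthrough.
SITE_A = str(sixto4_prefix("157.54.0.1", 2))    # 2002:9d36:1:2::/64
SITE_B = str(sixto4_prefix("131.107.0.1", 2))   # 2002:836b:1:2::/64

# Per node: IPv4 source used by each pseudo-interface, and routes as
# (prefix, interface, next hop); None means on-link (next hop = destination).
NODES = {
    "ISATAP Host A": {
        "source": {"isatap": "192.168.12.9"},
        "routes": [("::/0", "isatap", "FE80::5EFE:192.168.204.1"),
                   (SITE_A, "isatap", None)],
    },
    "6to4 Router A": {
        "source": {"isatap": "192.168.204.1", "6to4": "157.54.0.1"},
        "routes": [("2002::/16", "6to4", None), (SITE_A, "isatap", None)],
    },
    "6to4 Router B": {
        "source": {"isatap": "192.168.39.1", "6to4": "131.107.0.1"},
        "routes": [("2002::/16", "6to4", None), (SITE_B, "isatap", None)],
    },
}


def outer_header(node, destination):
    """Longest-prefix match, then derive the IPv4 tunnel endpoints."""
    target = ipaddress.IPv6Address(destination)
    matches = [r for r in NODES[node]["routes"]
               if target in ipaddress.IPv6Network(r[0])]
    prefix, interface, next_hop = max(
        matches, key=lambda r: ipaddress.IPv6Network(r[0]).prefixlen)
    return (NODES[node]["source"][interface],
            tunnel_destination(next_hop or destination, interface))


def trace(destination, path):
    """IPv4 (source, destination) pair for each part of the trip."""
    return [outer_header(node, destination) for node in path]


if __name__ == "__main__":
    path = ["ISATAP Host A", "6to4 Router A", "6to4 Router B"]
    for hop in trace("2002:836B:1:2:0:5EFE:192.168.141.30", path):
        print(hop)
```

The three pairs returned match the IPv4 source and destination rows of Tables 11-7, 11-8, and 11-9.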