Introducing IPv6 on Your Network


In addition to the IPv4 stack installed by default, Windows Server 2003 and Windows XP include an IPv6 protocol stack that you can use to test IPv6, to explore IPv6-enabled applications, and to prepare for possible eventual migration to a native IPv6 infrastructure.

It is expected that IPv4 and IPv6 will coexist on enterprise networks for a number of years. Depending on their needs, some organizations might continue to use IPv4 exclusively, some will migrate slowly while running both IPv4 and IPv6 in the interim, and some will maintain IPv4 in one or more sections of their organization and implement IPv6 in other sections.

To ensure that your organization makes best use of IPv6 capabilities with the least administrative overhead, include a plan for introducing IPv6 into the design for your TCP/IP network. To prepare to introduce IPv6, you must explore the new functionality introduced by IPv6, plan IPv6 addressing, plan how to route IPv6 traffic over an existing IPv4 infrastructure or an IPv6 infrastructure, decide whether to deploy DNS dynamic update, and decide whether to deploy PortProxy to enable IPv4 applications (where possible) for IPv6. Figure 1.15 shows each task in the planning process.

Figure 1.15: Introducing IPv6 on Your Network

Exploring IPv6

Windows Server 2003 includes an IPv6 stack, in addition to the IPv4 stack, which you can use to explore the capabilities of IPv6, test new applications and network technologies, and plan the first steps toward the wider adoption of IPv6 on your network.

The current version of the Internet Protocol — IP version 4, known as IPv4 — dates from 1981 and has not changed substantially since it was introduced in RFC 791, "Internet Protocol." Although IPv4 proved to be remarkably robust and enduring, in the early 1990s the Internet Engineering Task Force (IETF) began to develop a suite of protocols and standards — IPv6 — to better address the demands of modern networking. Two of the most important of these protocols are RFC 2460, "Internet Protocol, Version 6 (IPv6) Specification," which defines IPv6, and RFC 2463, "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification," which specifies a set of ICMP messages for use with IPv6.

Before considering the design choices that you must make when introducing IPv6 on your network, you must become familiar with some of the basics about IPv6, including:

  • IPv6 features.

  • Supported features, server applications, and application programming interfaces (APIs).

  • Supported IPv6 tools.

  • Types of nodes.

IPv6 Features

The IPv6 protocol includes the following features and improvements over IPv4:

  • New header format. The IPv6 header is designed to minimize overhead. Although the IPv6 address field is four times as long as the address field in IPv4, the IPv6 header is only twice as large as the IPv4 header overall. The more efficient header design enables faster processing at intermediate routers. IPv6 headers are not interoperable with IPv4 headers, and the IPv6 protocol is not backward compatible with IPv4. A host or router must use an implementation of both IPv4 and IPv6 in order to recognize and process both header formats.

  • Large address space. IPv6 provides 128-bit IP addresses, in contrast with the 32-bit IPv4 IP addresses. The address space is designed to accommodate a vast number of interconnected devices on any network, and its structure is designed to reduce the number of routing table entries in IPv6 routers.

  • Hierarchical addressing and routing infrastructure. IPv6 global addresses are designed to facilitate a hierarchical routing infrastructure that is based on the common occurrence of multiple levels of ISPs. It is anticipated that the routing tables for backbone routers on the IPv6 Internet will be much smaller and, as a result, will be processed much more efficiently.

  • Automatic address configuration. IPv6 simplifies address configuration and renumbering by enabling automatic address configuration for all hosts. Host interfaces automatically learn their addresses through interactions with local IPv6 routers. They can learn new addresses on the fly, making network renumbering much simpler than in IPv4.

  • Integrated network security. Support for IPSec is an IPv6 protocol suite requirement.

  • Better support for Quality of Service (QoS). The IPv6 header contains a new field that can be used to determine how to identify and prioritize traffic. Because the traffic type can be identified within the IPv6 header, support for QoS is available even when IPSec encryption is in use.

  • New protocol for neighboring node interaction. The IPv6 Neighbor Discovery protocol is a series of Internet Control Message Protocol for IPv6 (ICMPv6) messages that manage the interaction of nodes on the same link. Neighbor Discovery replaces broadcast-based Address Resolution Protocol (ARP), ICMPv4 Router Discovery, and ICMPv4 Redirect messages with efficient multicast and unicast Neighbor Discovery messages.

  • Extensibility. IPv6 can be easily extended to incorporate new features by adding extension headers after the IPv6 header. The size of IPv6 extension headers is limited only by the size of the IPv6 packets.

Supported Features, Server Applications, and APIs

Windows Server 2003 supports IPv6 functionality for a wide range of services. Table 1.3 shows which IPv6 features Windows Server 2003 IPv6 supports.

Table 1.3: IPv6 Features Supported by Windows Server 2003 IPv6

| IPv6 Feature | Supported by Windows Server 2003 IPv6 |
| --- | --- |
| Installation (Use Add protocol GUI, or use the Netsh command-line tool) | Yes |
| Uninstallation (Use Remove protocol GUI, or use the Netsh command-line tool) | Yes |
| Dual IPv6/IPv4 stack | Yes |
| 6to4 | Yes |
| ISATAP | Yes |
| 6over4 (manual) | Yes |
| IPv6 NAT Traversal (also referred to as Teredo) | No |
| DNS over IPv6 (also referred to as DNS AAAA records) | Yes |
| Link-local Multicast Name Resolution (LLMNR) | No |
| DNS dynamic update | Yes |
| DHCP | No |
| TCP PortProxy | Yes |
| Remote Desktop | No |
| Remote Assistance | No |
| IPv6 Management Information Base (MIB) for Simple Network Management Protocol (SNMP) | Yes |
| Microsoft Network Monitor version 2 (Netmon) | Yes |
| Visual Studio .NET (VS.NET) | Yes |
| IPSec authentication | Yes |
| IPSec encryption | No |

Table 1.4 shows which server applications Windows Server 2003 IPv6 supports.

Table 1.4: Server Applications Supported by Windows Server 2003 IPv6

| Server Applications | Supported by Windows Server 2003 IPv6 |
| --- | --- |
| File sharing, printer sharing | Yes |
| Windows Media Server | Yes |
| Internet Information Services (IIS) 6.0 (HTTP only) | Yes |
| Telnet server | Yes |
| FTP server | No |
| Active Directory | No |
| Microsoft Exchange Server | No |
| SQL Server | No |

Windows Server 2003 IPv6 also supports Internet Explorer. However, it does not include support for literal addresses.

In addition, the following APIs support Windows Server 2003 IPv6:

  • .NET Framework

  • Windows Sockets 2 (Winsock2) API

  • Remote procedure call (RPC)

  • Distributed Component Object Model (DCOM)

  • Windows Internet (WinINet) API (does not include support for literal addresses)

  • Windows HTTP Services (WinHTTP)

  • HTTP.sys

  • IP Helper API (IPHLPAPI) module

  • Debuggers

Supported IPv6 Tools

Windows Server 2003 IPv6 supports the following tools.

  • Ping

  • Tracert

  • Pathping

  • Ipconfig

  • Route

  • Netsh (Use netsh interface IPv6 commands)

  • Netstat

  • Nslookup

  • Telnet client

  • FTP client

For more information about these TCP/IP tools and commands, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at http://www.microsoft.com/reskit).

Types of Nodes

To understand IPv6 tunneling technologies, such as 6to4 and ISATAP (described later), you must understand the types of nodes that might be involved. Table 1.5 shows IPv4 and IPv6 node types.

Table 1.5: IPv4 and IPv6 Node Types

| Node Type | Description |
| --- | --- |
| IPv4-only node | A device that can communicate only with IPv4 nodes and applications and that does not support IPv6. |
| IPv6-only node | A device that can communicate only with IPv6 nodes and that does not support IPv4. |
| IPv6/IPv4 node | A device that implements both IPv4 and IPv6 and that can communicate with either IPv6 or IPv4 nodes and applications. |
| IPv4 node | Any device that supports IPv4. Both IPv4-only and IPv6/IPv4 nodes are IPv4 nodes. |
| IPv6 node | Any device that supports IPv6. Both IPv6-only and IPv6/IPv4 nodes are IPv6 nodes. |

For more information about the different node types, see RFC 2893, "Transition Mechanisms for IPv6 Hosts and Routers."

Planning IPv6 Addressing

To plan an efficient IPv6 addressing strategy, you must understand how IPv6 addressing works. IPv6 addressing is a major departure from IPv4 addressing. The most obvious difference is that IPv4 uses 4-byte source and destination addresses, typically expressed in the familiar dotted-decimal notation, whereas IPv6 uses 16-byte addresses, typically expressed in colon-hexadecimal notation. Colon-hexadecimal notation uses eight 4-digit hexadecimal numbers, with colons separating the 16-bit blocks (the 4-digit numbers).

To manage addresses more easily, IPv6 suppresses leading zeros and compresses a single contiguous all-zero 16-bit block, representing the contiguous block with two colons (::) (known as double-colon compression). Table 1.6 shows the effects of suppressing leading zeros and double-colon compression on the notation for an IPv6 address.

Table 1.6: Leading Zero Suppression and All-Zero Contiguous Block Compression

| IPv6 Address Notation | IPv6 Address |
| --- | --- |
| IPv6 address | FEC0:0000:0000:0000:02AA:00FF:FE3F:2A1C |
| IPv6 address with leading zeros suppressed | FEC0:0:0:0:2AA:FF:FE3F:2A1C |
| IPv6 address with leading zeros suppressed and an all-zero contiguous block compressed | FEC0::2AA:FF:FE3F:2A1C |
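Because one address has several valid spellings, anything that matches addresses as strings (filter rules, log searches) should compare the expanded 16-bit blocks instead. The following added example, which is not part of the original text, implements the two notation rules by hand and reproduces the rows of Table 1.6; the function names are illustrative.

```python
import string

HEX_DIGITS = set(string.hexdigits)


def expand(addr):
    """Return the eight 16-bit blocks of a colon-hexadecimal IPv6 address."""
    if addr.count("::") > 1:
        raise ValueError("double-colon compression may be used only once")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must replace at least one all-zero block")
        fields = left + ["0"] * missing + right
    else:
        fields = addr.split(":")
    if len(fields) != 8:
        raise ValueError("expected eight 16-bit blocks")
    blocks = []
    for field in fields:
        # Each block is one to four hexadecimal digits.
        if not 1 <= len(field) <= 4 or not set(field) <= HEX_DIGITS:
            raise ValueError("bad block: %r" % field)
        blocks.append(int(field, 16))
    return blocks


def suppress_leading_zeros(blocks):
    """Second row of Table 1.6: drop leading zeros inside each block."""
    return ":".join(format(b, "X") for b in blocks)


def compress(blocks):
    """Third row of Table 1.6: replace the longest all-zero run with '::'."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] == 0:
            j = i
            while j < 8 and blocks[j] == 0:
                j += 1
            # Keep the leftmost run when two runs have the same length.
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    text = [format(b, "X") for b in blocks]
    if best_len == 0:
        return ":".join(text)
    head = ":".join(text[:best_start])
    tail = ":".join(text[best_start + best_len:])
    return head + "::" + tail


def same_address(a, b):
    """Compare two spellings by value rather than as strings."""
    return expand(a) == expand(b)


if __name__ == "__main__":
    full = "FEC0:0000:0000:0000:02AA:00FF:FE3F:2A1C"  # address from Table 1.6
    blocks = expand(full)
    print(suppress_leading_zeros(blocks))
    print(compress(blocks))
    print(same_address(full, "fec0::2aa:ff:fe3f:2a1c"))
```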

The 16 bytes, or 128 bits, provided in the IPv6 address space potentially support 2^128 addresses. However, the purpose of this large address space is not only to provide an inexhaustible supply of addresses, but also to enable a hierarchical routing infrastructure that can be summarized. IPv6 addressing is designed to minimize the size of routing tables and to reduce routing complexity.

IPv6 supports address configuration both in the presence of a DHCP server, known as stateful address configuration, and in the absence of a DHCP server, known as stateless address configuration. Stateless address configuration introduces the use of link-local addresses, whereby hosts on the same link automatically configure themselves with IPv6 addresses for that link and can use those addresses to communicate with the other hosts on the same link. If one or more local routers exist, hosts can use router discovery to automatically determine the routers' addresses and can then communicate with IPv6 hosts beyond the local link.

As in IPv4, the high-order bits in an IPv6 address identify the type of address. In IPv6, the high-order bits are known as the Format Prefix (FP). IPv6 does not use subnet masks to specify the network ID. Instead, it uses only prefix notation.

IPv6 Address Types

IPv6 has three types of addresses, which can be categorized by type and scope:

  • Unicast addresses. A packet is delivered to one interface.

  • Multicast addresses. A packet is delivered to multiple interfaces.

  • Anycast addresses. A packet is delivered to the nearest of multiple interfaces (in terms of routing distance).

IPv6 does not use broadcast messages.

Unicast and anycast addresses in IPv6 have the following scopes (for multicast addresses, the scope is built into the address structure):

  • Link-local. The scope is the local link (nodes on the same subnet).

  • Site-local. The scope is the organization (private site addressing).

  • Global. The scope is global (IPv6 Internet addresses).

In addition, IPv6 has special addresses such as the loopback address. The scope of a special address depends on the type of special address.

Much of the IPv6 address space is unassigned.

Unicast IPv6 Addresses

IPv6 has several major unicast address types.

Unicast global addresses

IPv6 unicast global addresses are similar to IPv4 public addresses. Also known as aggregatable global unicast addresses, global addresses are globally routable. The structure of an IPv6 unicast global address creates the three-level topology shown in the following illustration.


Table 1.7 explains each field in a unicast global address.

Table 1.7: Fields in a Unicast Global Address

| Field | Description |
| --- | --- |
| 001 | Identifies the address as an IPv6 unicast global address. |
| Top Level Aggregation Identifier (TLA ID) | Identifies the highest level in the routing hierarchy. TLA IDs are administered by IANA, which allocates them to local Internet registries, which then allocate a given TLA ID to a global ISP. |
| Res | Reserved for future use (to expand either the TLA ID or the NLA ID). |
| Next Level Aggregation Identifier (NLA ID) | Identifies a specific customer site. |
| Site Level Aggregation Identifier (SLA ID) | Enables as many as 65,536 (2^16) subnets within an individual organization's site. The SLA ID is assigned within the site; an ISP cannot change this part of the address. |
| Interface ID | Identifies the interface of a node on a specific subnet. |

Unicast site-local addresses

IPv6 unicast site-local addresses are similar to IPv4 private addresses. The scope of a site-local address is the internetwork of an organization's site. (You can use both global addresses and site-local addresses in your network.) The prefix for site-local addresses is FEC0::/48.

The following illustration shows the structure of a site-local address.

| 1111 1110 11 (10 bits) | 000 ... 000 (38 bits) | Subnet ID (16 bits) | Interface ID (64 bits) |

The initial 48 fixed bits are followed by a 16-bit Subnet ID field, which provides as many as 65,536 subnets in a flat subnet structure. Alternatively, you can subdivide the high-order bits of the Subnet ID field to create a hierarchical routing infrastructure. The last field is a 64-bit Interface ID field that identifies the interface of a node on a specific subnet.

Note

Global addresses and site-local addresses share the same structure after the first 48 bits — the 16-bit SLA ID of a global address and the 16-bit Subnet ID of a site-local address both identify the subnets of an organization's site. Because of this, you can assign a specific subnet number to identify a subnet that is used for both global and site-local unicast addresses.

Unicast link-local addresses (FE80::/64)

IPv6 unicast link-local addresses are similar to IPv4 APIPA addresses used by computers running Microsoft Windows. Hosts on the same link (the same subnet) use these automatically configured addresses to communicate with each other. Neighbor Discovery provides address resolution. The prefix for link-local addresses is FE80::/64. The following illustration shows the structure of a link-local address.

| 1111 1110 10 (10 bits) | 000 ... 000 (54 bits) | Interface ID (64 bits) |

Unicast unspecified address

The IPv6 unicast unspecified address is equivalent to the IPv4 unspecified address of 0.0.0.0. The IPv6 unspecified address is 0:0:0:0:0:0:0:0, or a double colon (::).

Unicast loopback address

The IPv6 unicast loopback address is equivalent to the IPv4 loopback address, 127.0.0.1. The IPv6 loopback address is 0:0:0:0:0:0:0:1, or ::1.

Unicast 6to4 addresses (2002::/16)

IPv6 uses 6to4 addresses to communicate between two IPv6/IPv4 nodes over the IPv4 Internet. A 6to4 address combines the prefix 2002::/16 with the 32 bits of the public IPv4 address of the node to create a 48-bit prefix — 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the colon-hexadecimal representation of w.x.y.z, a public IPv4 address. Therefore, the IPv4 address 157.60.91.123 translates into a 6to4 address prefix of 2002:9D3C:5B7B::/48.

The following illustration shows the structure of a 6to4 address.

| 1111 1110 11 (10 bits) | 000 ... 000 (54 bits) | Interface ID (64 bits) |

However, this is often written using the hexadecimal prefix: 2002:WWXX:YYZZ:SLA ID:Interface ID.

The following example shows how the WWXX:YYZZ portion of the address is translated from colon-hexadecimal notation to dotted-decimal notation. In this example, 9D3C:5B7B translates to 157.60.91.123.

| Notation Type | Use a calculator to convert each constituent number from one notation type to the other | | | |
| --- | --- | --- | --- | --- |
| Colon-hexadecimal | 9D | 3C | 5B | 7B |
| Dotted-decimal | 157 | 60 | 91 | 123 |

For more information about 6to4 tunneling, see "Routing IPv6 Traffic over an IPv4 Infrastructure" later in this chapter.

Unicast ISATAP addresses

IPv6 uses ISATAP addresses to communicate between two IPv6/IPv4 nodes over an IPv4 intranet. An ISATAP address combines a 64-bit unicast link-local, site-local, or global prefix (a global prefix might be a 6to4 prefix) with a 64-bit suffix constructed of the ISATAP identifier 0:5EFE, followed by the IPv4 address assigned to an interface of the host. The prefix is known as the subnet prefix. Although a 6to4 address can incorporate only a public IPv4 address, an ISATAP address can incorporate either a public or a private IPv4 address.

The following illustration shows the structure of an ISATAP address.

| Subnet prefix <A link-local, site-local, or global prefix> (64 bits) | 0000:5EFE (32 bits) | WWXX:YYZZ (32 bits) |

Table 1.8 shows an example of each type of ISATAP address.

Table 1.8: Examples of ISATAP addresses

| Type of ISATAP Address | ISATAP Address |
| --- | --- |
| With link-local prefix | FE80::5EFE:131.107.129.8[*] |
| With site-local prefix | FEC0::1111:0:5EFE:131.107.129.8[*] |
| With global prefix | 3FFE:1A05:510:1111:0:5EFE:131.107.129.8[*] |
| With global 6to4 prefix | 2002:9D36:1:2:0:5EFE:131.107.129.8[*] |

[*]Alternatively, the IPv4 address (in this example, 131.107.129.8) can be written in hexadecimal (in this example, 836B:8108).

By default, the IPv6 protocol for Windows XP and members of Windows Server 2003 automatically configures the ISATAP address of FE80::5EFE:w.x.y.z for each IPv4 address that is assigned to the node. This link-local ISATAP address allows two hosts to communicate over an IPv4 network by using each other's ISATAP address.

For more information about ISATAP tunneling, see "Routing IPv6 Traffic over an IPv4 Infrastructure" later in this chapter.

Multicast IPv6 Addresses

IPv6 multicast addresses are similar to IPv4 multicast addresses. Packets addressed to a multicast address are delivered to all interfaces that the address identifies.

The following illustration shows the structure of an IPv6 multicast address.

| 1111 1111 (8 bits) | Flags (4 bits) | Scope (4 bits) | Group ID (112 bits) |

Table 1.9 explains each field in an IP multicast address. The prefix for multicast addresses is FF00::/8.

Table 1.9: Fields in a Multicast Address

| Field | Description |
| --- | --- |
| 1111 1111 | Identifies the address as an IP multicast address. |
| Flags | Currently, the only defined flag is the Transient (T) flag. Set to zero, the T flag identifies the address as a permanently assigned multicast address. Set to 1, it identifies a transient address. |
| Scope | Indicates the scope of the multicast traffic, such as interface-local, link-local, site-local, organization-local, or global scope. |
| Group ID | Identifies the multicast group. |

Multicast solicited node address

The IPv6 multicast solicited node address is used for efficient address resolution. The IPv4 ARP Request frame is sent to the MAC-level broadcast, which disturbs all nodes on the network segment. The multicast solicited node address combines the prefix FF02::1:FF00:0/104 with the last 24 bits of the IPv6 address being resolved. IPv6 uses the solicited node multicast address for the Neighbor Solicitation message (the IPv6 equivalent to the ARP Request frame) that resolves an IPv6 address to its link-layer address, disturbing few nodes during the address resolution process.
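The following added example, which is not part of the original text, decodes the fields of Table 1.9 and derives the solicited node address with Python's standard ipaddress module. The numeric scope values are those assigned in RFC 4291; the function names and the transient sample address are constructed for illustration.

```python
import ipaddress

# Scope field values from RFC 4291 (the page names the scopes only).
SCOPES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}

# FF02::1:FF00:0/104, the fixed part of every solicited node address.
SOLICITED_PREFIX = int(ipaddress.IPv6Address("FF02::1:FF00:0"))


def decode_multicast(addr):
    """Split a multicast address into the fields of Table 1.9."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[0] != 0xFF:
        raise ValueError("not a multicast address (prefix is not FF00::/8)")
    flags = raw[1] >> 4      # high 4 bits of the second byte
    scope = raw[1] & 0x0F    # low 4 bits of the second byte
    return {
        "transient": bool(flags & 0x1),  # the T flag
        "scope": SCOPES.get(scope, "other (%#x)" % scope),
        "group_id": int.from_bytes(raw[2:], "big"),  # remaining 112 bits
    }


def solicited_node(unicast):
    """Combine FF02::1:FF00:0/104 with the last 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_PREFIX | low24)


if __name__ == "__main__":
    # Well-known addresses listed on this page, plus one constructed
    # transient address (FF12::1234).
    for sample in ("FF02::1", "FF05::2", "FF12::1234"):
        print(sample, decode_multicast(sample))
    # Site-local and link-local addresses with the same interface ID
    # listen on the same solicited node group.
    print(solicited_node("FEC0::2AA:FF:FE3F:2A1C"))
    print(solicited_node("FE80::2AA:FF:FE3F:2A1C"))
```

Only nodes whose addresses end in the same 24 bits join a given solicited node group, which is why a Neighbor Solicitation disturbs far fewer nodes than an ARP broadcast.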

Anycast IPv6 Addresses

Anycast IPv6 addresses are similar to but more efficient than the anycast addresses in IPv4, which are used primarily by large ISPs. Anycast addresses use the unicast address space but function differently from other unicast addresses. IPv6 uses anycast addresses to identify multiple interfaces. IPv6 delivers packets addressed to an anycast address to the nearest interface that the address identifies. In contrast to a multicast address, where delivery is from one to many, an anycast address delivery is from one to one-of-many. Currently, anycast addresses are assigned only to routers and are used only as destination addresses.

IPv6 Addresses Assigned to Hosts and Routers

An IPv6 host, including those with only one interface, typically has multiple IPv6 addresses. By default, link-local addresses are automatically configured for each interface on each IPv6 host or router. To communicate with non-neighboring nodes, a host must also be configured with unicast site-local or global addresses. A host obtains these additional addresses either from router advertisements or by manual assignment. Use commands in the netsh interface ipv6 context to manually configure IPv6 addresses.

In IPv6, hosts and routers are typically assigned the following addresses:

  • Unicast addresses:

    • A link-local address for each interface

    • A site-local address for each interface

    • One or more global addresses for each interface

    • The loopback address for the loopback interface

  • Multicast addresses (to listen for multicast traffic):

    • The interface-local scope all-nodes address (FF01::1)

    • The link-local scope all-nodes address (FF02::1)

    • The solicited node address for each unicast address on each interface

    • The multicast address for each joined group on each interface

In addition, IPv6 routers also have the following addresses:

  • Multicast addresses:

    • The interface-local scope all-routers address (FF01::2)

    • The link-local scope all-routers address (FF02::2)

    • The site-local scope all-routers address (FF05::2)

  • Anycast addresses:

    • A subnet-router anycast address for each subnet

    • Optional — Additional anycast addresses

Table 1.10 summarizes the major differences between IPv6 and IPv4 addresses.

Table 1.10: Differences Between IPv4 Addressing and IPv6 Addressing

| IPv4 Address | IPv6 Address |
| --- | --- |
| Internet address classes | N/A |
| Multicast addresses (224.0.0.0/4) | IPv6 multicast addresses (FF00::/8) |
| Broadcast addresses | N/A |
| Unspecified address is 0.0.0.0 | Unspecified address is :: |
| Loopback address is 127.0.0.1 | Loopback address is ::1 |
| Public IP addresses | Aggregatable global unicast addresses |
| Private IP addresses | Site-local addresses (FEC0::/48) |
| Autoconfigured addresses | Link-local addresses (FE80::/64) |
| Dotted decimal notation | Colon hexadecimal format |
| Subnet mask or prefix length notation | Prefix length notation only |
| A resource records | AAAA resource records |

Routing IPv6 Traffic over an IPv4 Infrastructure

An eventual successful transition to IPv6 requires interim coexistence of IPv6 nodes in today's predominantly IPv4 environment. To support this, IPv6 packets are automatically tunneled over IPv4 routing infrastructures, enabling IPv6 clients to communicate with each other by using 6to4 or ISATAP addresses and tunneling IPv6 packets across IPv4 networks. For information about automatic tunneling of IPv6 packets, see RFC 2893, "Transition Mechanisms for IPv6 Hosts and Routers."

Support for IPv6 automatic tunneling technologies in Windows XP and Windows Server 2003 includes:

  • 6to4, to provide automatic intersite tunnels across the IPv4 Internet.

  • ISATAP, to provide automatic intrasite tunnels.

A computer running Windows XP or Windows Server 2003 can automatically configure itself for 6to4 and ISATAP tunneling. The IPv6 Helper service, included with the IPv6 protocol for Windows XP and Windows Server 2003, provides support for 6to4 hosts and 6to4 routers. Use netsh interface IPv6 isatap context commands to configure the IPv6 Helper service. In addition, you can configure a computer running Windows XP or Windows Server 2003 as a 6to4 router by enabling the Internet Connection Sharing (ICS) feature on the interface that is connected to the Internet.

Both 6to4 and ISATAP encapsulate an IPv6 packet within an IPv4 header. However, they send the packet across an IPv4 infrastructure in different ways:

  • 6to4 uses the IPv6 prefix. 6to4 uses a public IPv4 address to create the 64-bit subnet identifier portion for an IPv6 address. For example, 131.107.71.152 becomes 2002:836B:4798::/48.

  • ISATAP uses the IPv6 interface ID. ISATAP uses a locally assigned IPv4 address (public or private) to create a 64-bit interface identifier. For example, 172.31.71.152 becomes ::0:5EFE:172.31.71.152.

In both cases, IPv4 addresses that are embedded in portions of the IPv6 address provide the information to determine the source and destination addresses in the encapsulating IPv4 header.
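The following added example, which is not part of the original text, builds 6to4 prefixes and ISATAP addresses as described in the "Unicast 6to4 addresses" and "Unicast ISATAP addresses" sections and recovers the embedded IPv4 addresses again, which is what lets an analyst map a tunneled IPv6 address in a log back to its IPv4 endpoint. The function names are illustrative, and only the 0:5EFE identifier given on this page is recognized.

```python
import ipaddress

SIXTOFOUR_NET = ipaddress.IPv6Network("2002::/16")
ISATAP_ID = 0x00005EFE  # the 0000:5EFE identifier that precedes the IPv4 bits


def sixtofour_prefix(ipv4):
    """Return the 2002:WWXX:YYZZ::/48 prefix for a public IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    # 2002 fills the top 16 bits and the IPv4 address the next 32 bits.
    value = (0x2002 << 112) | (v4 << 80)
    return ipaddress.IPv6Network((value, 48))


def isatap_address(subnet_prefix, ipv4):
    """Append the interface ID 0:5EFE:w.x.y.z to a 64-bit subnet prefix."""
    net = ipaddress.IPv6Network(subnet_prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a 64-bit subnet prefix")
    v4 = int(ipaddress.IPv4Address(ipv4))
    interface_id = (ISATAP_ID << 32) | v4
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def embedded_ipv4(addr):
    """List (mechanism, IPv4 address) pairs embedded in an IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    value = int(ip)
    found = []
    if ip in SIXTOFOUR_NET:
        # Bits 16-47 of the address hold the 6to4 site's public IPv4 address.
        v4 = ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF)
        found.append(("6to4", str(v4)))
    if (value >> 32) & 0xFFFFFFFF == ISATAP_ID:
        # The low 32 bits hold the host's public or private IPv4 address.
        v4 = ipaddress.IPv4Address(value & 0xFFFFFFFF)
        found.append(("ISATAP", str(v4)))
    return found


if __name__ == "__main__":
    # Addresses below are the examples used on this page.
    print(sixtofour_prefix("157.60.91.123"))
    print(sixtofour_prefix("131.107.71.152"))
    print(isatap_address("FE80::/64", "131.107.129.8"))
    # The 6to4-prefixed ISATAP address from Table 1.8 carries two IPv4
    # addresses: the 6to4 site address and the ISATAP host address.
    print(embedded_ipv4("2002:9D36:1:2:0:5EFE:131.107.129.8"))
```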

By deploying 6to4 or ISATAP, you can integrate IPv6 traffic into your IPv4 network environment. Understanding examples of each automatic tunneling technology can help you decide whether to deploy 6to4, ISATAP, or both as you introduce IPv6 on your network.

Note

For an introduction to IPv6, including information about router-to-router, host-to-router, router-to-host, and host-to-host tunneling configurations that underlie 6to4 and ISATAP tunneling, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at http://www.microsoft.com/reskit).

Using 6to4 for IPv6 Traffic Between Subnets or Between Sites

6to4 is an address assignment and router-to-router automatic tunneling technology that is described in RFC 3056, "Connection of IPv6 Domains via IPv4 Clouds." To facilitate the introduction of IPv6 in current IPv4 environments, IPv6 is designed so that you can use 6to4 to handle traffic between IPv6 nodes without obtaining an IPv6 global address prefix from an IPv6 ISP, and without a direct connection to the IPv6 Internet.

Figure 1.16 shows one way to use 6to4 to handle the following types of traffic:

  • Direct 6to4 host communication within a site (no tunnel). A 6to4 host can communicate directly with another 6to4 host within the same site. A 6to4 host is an IPv6 host that is configured with at least one 6to4 address (a global address with the 2002::/16 prefix). Host A and Host B in Figure 1.16 use the local 6to4 router to communicate with each other.

  • Tunnel across the IPv4 Internet by using a 6to4 router. A 6to4 host can communicate with a non-local 6to4 host by using a tunnel from a local 6to4 router across an IPv4 network (such as the Internet) to a 6to4 router at the destination site. The first 6to4 router encapsulates the packet in an IPv4 header; the receiving 6to4 router removes the IPv4 header and then forwards the IPv6 packet to the destination 6to4 host. During the first and last stages of the packet's transmission — from the sending 6to4 host to its 6to4 router, and from the recipient 6to4 router to the destination 6to4 host — the IPv6 routing infrastructure in place at each site is used. In Figure 1.16, 6to4 Host A (or 6to4 Host B) sends its packet to 6to4 Router 1, which tunnels it across the IPv4 Internet to 6to4 Router 2, which then forwards the packet to 6to4 Host C.

  • Tunnel across the IPv4 Internet to the IPv6 Internet by using a 6to4 router and a 6to4 relay. A 6to4 host on an IPv4 network can communicate with an IPv6-only host on the IPv6 Internet by using a tunnel from a local 6to4 router across the IPv4 Internet to a 6to4 relay that then forwards the packet across the IPv6 Internet to the recipient IPv6-only host. In this case, it is the 6to4 relay that removes the IPv4 header and forwards the IPv6 packet to the recipient IPv6-only host. In Figure 1.16, Host A (or Host B) sends its packet to 6to4 Router 1, which tunnels it across the IPv4 Internet to the 6to4 relay, which then forwards the packet to 6to4 Host D.

Figure 1.16: Using 6to4 to Route IPv6 Packets

In Figure 1.16, 6to4 Router 2 represents a computer running Windows XP with ICS enabled. The private interface of the ICS computer connects to a single-subnet intranet, and the ICS computer's public interface connects to the IPv4 Internet. The private interface of an ICS computer always uses the private IPv4 address 192.168.0.1.

Using ISATAP for IPv6 Traffic Between Subnets

Intrasite Automatic Tunnel Addressing Protocol (ISATAP) is an address assignment and automatic tunneling technology that is described in the Internet Draft "Intrasite Automatic Tunnel Addressing Protocol (ISATAP)." ISATAP enables unicast communication between IPv6/IPv4 nodes in an IPv4 intranet.

ISATAP derives an interface identifier (the last 64 bits of an IPv6 address) from any IPv4 address assigned to the node, either public or private. The ISATAP address format supports configuration of global addresses (including 6to4), site-local addresses, and link-local addresses.

Figure 1.17 shows two IPv6/IPv4 hosts communicating over an IPv4 network by using each other's automatically configured link-local ISATAP address.

Figure 1.17: Using Link-Local ISATAP Addresses to Route IPv6 Packets on an IPv4 Network

IPv6/IPv4 hosts can also communicate with non-local IPv6/IPv4 hosts by using ISATAP-derived global addresses, and by using an ISATAP router to tunnel packets through an IPv4 infrastructure. Under the IPv6 protocol that Windows XP and Windows Server 2003 support, you can use either of the following methods to configure the intranet IPv4 address of an ISATAP router:

  • Name resolution (preferred). For computers running Windows XP (SP1 or later) or Windows Server 2003, automatic resolution of the name ISATAP to an IPv4 address. To ensure successful name resolution, name the computer used as the ISATAP router ISATAP. A computer running Windows XP or Windows Server 2003 then automatically registers the appropriate records in DNS and WINS. For computers running Windows XP (earlier than SP1), the name resolved is _ISATAP.

  • Netsh commands for Interface IPv6. Manual configuration by using commands in the Netsh Interface IPv6 context.

An ISATAP host sends an IPv4-encapsulated Router Solicitation message to a configured ISATAP router. The ISATAP router responds with an IPv4-encapsulated unicast Router Advertisement message that contains prefixes for use in autoconfiguring ISATAP-based addresses. This additional configuration is needed only when the host's subnet does not contain an IPv6 router.

The example in Figure 1.18 shows how two ISATAP hosts that use 6to4 prefixes can communicate across the Internet even though each site is using the 192.168.0.0/16 private address space.

Figure 1.18: Using 6to4 and ISATAP to Route IPv6 Packets Across the IPv4 Internet

Note

Hosts running Windows XP or Windows Server 2003 determine whether to use 6to4, ISATAP, or both depending on their IPv4 configuration.

Configuring DNS for IPv6/IPv4 Coexistence

Through DNS dynamic update, DNS client computers register and dynamically update their resource records with a DNS server whenever an IP address changes. This reduces the need to manually administer zone files, especially for clients that frequently move or change locations and that use DHCP to obtain an IP address.

In an IPv4 environment, by default the DNS Client service on computers running Windows 2000, Windows XP, or Windows Server 2003 dynamically updates host (A) resource records (RRs) in DNS. If all hosts on your network run those operating systems, DNS dynamic updates are automatic.

However, on hosts that do not support dynamic update, you must either enable dynamic update or manually add or update their DNS records. The same is true on a network to which IPv6 has been introduced: hosts that do not support dynamic update must have dynamic update enabled or must have DNS records added manually. IPv6 has the additional requirement that IPv6 nodes use a new type of address resource record, known as AAAA (quad-A) resource records, to resolve a fully qualified domain name to an IPv6 address. (Four "A"s are used for the name of these resource records because 128-bit IPv6 addresses are four times as large as 32-bit IPv4 addresses.)

Systems that support IPv6 use the same domain names as the domain names used in IPv4 but have both IPv6 and IPv4 addresses registered in DNS. The DNS Server service in Windows Server 2003 and Windows 2000 supports processing for DNS IPv6 host records as defined in RFC 1886, "DNS Extensions to Support IP Version 6."

An IPv6 host sends DNS name queries to the DNS server to resolve host names to IPv6 addresses. The AAAA resource records stored on the DNS server provide the mapping from a host name to its IPv6 address.

DNS traffic is also supported over IPv6 for both client and server. The client and server are configured for DNS over IPv6 using anycast or unicast DNS server IP addresses. For more information, see "IPv6 configuration items" in Help and Support Center for Windows Server 2003.

Because IPv6 addresses are too long to remember easily, you can populate your DNS servers with IPv6 address resource records to support IPv6 name-to-address resolutions and optionally with pointer resource records to support IPv6 address-to-name resolutions:

  • Address Resource Records. To successfully resolve names to addresses, the DNS infrastructure must contain the following resource records, populated either manually or dynamically:

    • A resource records for the IPv4 addresses of IPv4 nodes.

    • AAAA resource records for the IPv6 addresses of IPv6 nodes. The following is an example of a AAAA resource record:

          host1.microsoft.com  IN  AAAA  FEC0::2AA:FF:FE3F:2A1C 

  • Pointer (PTR) Resource Records (optional; not recommended). The DNS infrastructure can also contain the following resource records, populated either manually or dynamically, to resolve addresses to host names in reverse queries:

    • PTR records in the IN-ADDR.ARPA domain for the IPv4 addresses of IPv4 nodes.

    • PTR records in the IP6.ARPA domain for the IPv6 addresses of IPv6 nodes. (Recall that RFC 3152 specifies that IP6.INT be phased out and replaced by IP6.ARPA.) The IP6.INT domain was created specifically for IPv6 reverse queries. To create the namespace for reverse queries, each hexadecimal digit in the 32-digit IPv6 address (zero compression and double-colon compression notation cannot be used) becomes a separate level in inverse order in the reverse domain hierarchy. Therefore, the reverse lookup domain name for the address FEC0::2AA:FF:FE3F:2A1C is:

       C.1.A.2.F.3.E.F.F.F.0.0.A.A.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.C.E.F.IP6.INT 

    Avoid integrating PTR resource record support into your DNS infrastructure; the results can be unreliable.
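
The record naming described in the list above, as an added example in Python (not from the original book): it builds the A or AAAA line and the reverse lookup name for an address, and parses an IPv6 reverse name back into an address. The function names are hypothetical, and the IPv4 address is constructed for illustration.

```python
import ipaddress
import string

def forward_record(fqdn, addr):
    """Zone-file line for name-to-address resolution: A for IPv4, AAAA for IPv6."""
    ip = ipaddress.ip_address(addr)
    rtype = "A" if ip.version == 4 else "AAAA"
    return f"{fqdn}  IN  {rtype}  {str(ip).upper()}"

def reverse_name(addr, v6_root="IP6.ARPA"):
    """Owner name of the PTR record for addr (pass v6_root="IP6.INT" for the older root)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".IN-ADDR.ARPA"
    # .exploded undoes double-colon and leading-zero compression: all 32 hex digits.
    nibbles = ip.exploded.replace(":", "").upper()
    return ".".join(reversed(nibbles)) + "." + v6_root

def address_from_reverse_name(name):
    """Inverse of reverse_name for IPv6; rejects names that lack 32 nibble labels."""
    labels = name.rstrip(".").upper().split(".")
    nibbles, root = labels[:-2], ".".join(labels[-2:])
    if root not in ("IP6.ARPA", "IP6.INT"):
        raise ValueError("not an IPv6 reverse lookup name")
    if len(nibbles) != 32 or any(
        len(n) != 1 or n not in string.hexdigits for n in nibbles
    ):
        raise ValueError("expected 32 single-hex-digit labels (no compression)")
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))

if __name__ == "__main__":
    # The IPv6 address is the one used on this page; the IPv4 address is constructed.
    for addr in ("FEC0::2AA:FF:FE3F:2A1C", "192.168.0.10"):
        print(forward_record("host1.microsoft.com", addr))
        print(reverse_name(addr), " IN  PTR  host1.microsoft.com.")
```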

For name-to-address resolution, after the querying node obtains the set of addresses corresponding to the name, that node must determine the best set of addresses to use as the source and destination for outbound packets.

While name-to-address resolution is fairly straightforward in an IPv4-only environment, it becomes more complex in an environment in which IPv4 and IPv6 coexist. In the mixed IPv6/IPv4 scenario, a DNS query can return both IPv4 and IPv6 addresses. The querying host is configured with at least one IPv4 address and, typically, multiple IPv6 addresses. Determining the type of address (IPv4 versus IPv6), and then the scope of the address (for IPv4, public versus private; for IPv6, link-local versus site-local versus global versus coexistence), for both the source and the destination addresses is complex.

Two algorithms, one to select the source address and another to select the destination address, specify default behavior for IPv6 implementations. These algorithms do not override choices made by applications or upper-layer protocols, nor do they preclude the development of more advanced mechanisms for address selection. The two algorithms include an optional mechanism that lets you override the default behavior. In dual-stack implementations, the destination address selection algorithm considers both IPv4 and IPv6 addresses, and determines whether it prefers IPv6 addresses over IPv4 addresses, or vice versa.

For more information about default address selection rules for IPv6, including the source address selection algorithm and the destination address selection algorithm, see the Internet Draft "Default Address Selection for IPv6."

For an introduction to IPv6 and more information about Windows Server 2003 IPv6, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at http://www.microsoft.com/reskit), or see the IPv6 link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Enabling IPv4 Applications for IPv6

You can use the PortProxy service as an application-layer gateway for nodes or applications that do not support IPv6. PortProxy facilitates the communication between nodes or applications that cannot connect using a common address type, Internet layer protocol (IPv4 or IPv6), and TCP port. The primary purpose of the service is to allow IPv6 nodes to communicate with IPv4 TCP applications.

PortProxy relays TCP traffic from IPv4 to either IPv4 or IPv6, or from IPv6 to either IPv6 or IPv4. In the context of IPv6/IPv4 coexistence or migration, use the PortProxy service to enable any of the following scenarios:

  • An IPv6 node accessing an IPv4-only application that is running on an IPv4 node.

  • An IPv4-only node accessing an IPv6-only node.

  • An IPv6-only node accessing an IPv4-only node.

The Netsh commands for Interface Portproxy provide a command-line tool for administering servers that act as proxies between IPv4 and IPv6 networks and applications. For more information about how to use the Netsh Interface PortProxy commands, see the Netsh command-line help, or see "Netsh commands for Interface Port Proxy" in Help and Support Center for Windows Server 2003.

Note

The PortProxy service transmits only TCP traffic for application-layer protocols that do not embed address or port information in the TCP segment. For example, the File Transfer Protocol (FTP), which embeds addresses when using the FTP Port command, does not work across a PortProxy computer. Unlike NAT, the PortProxy service does not include an equivalent to NAT editors.
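
The limitation in the note above, as an added example in Python (not from the original book): a relay that only copies TCP bytes forwards any endpoint embedded in the payload unchanged, so this check flags FTP control lines that carry one. The function names are hypothetical, the session lines are constructed, and handling of EPRT (RFC 2428) goes beyond the PORT command the note mentions.

```python
import ipaddress
import re

# PORT (RFC 959): "PORT h1,h2,h3,h4,p1,p2", data port = p1*256 + p2.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
# EPRT (RFC 2428): "EPRT |<1=IPv4 or 2=IPv6>|<address>|<port>|".
EPRT_RE = re.compile(r"^EPRT\s+\|([12])\|([^|]+)\|(\d{1,5})\|\s*$", re.I)

def embedded_endpoint(line):
    """Return (address, port) carried inside an FTP control line, else None."""
    m = PORT_RE.match(line)
    if m:
        nums = [int(g) for g in m.groups()]
        if max(nums) > 255:
            return None
        addr = ipaddress.ip_address(".".join(map(str, nums[:4])))
        return addr, nums[4] * 256 + nums[5]
    m = EPRT_RE.match(line)
    if m:
        try:
            return ipaddress.ip_address(m.group(2)), int(m.group(3))
        except ValueError:
            return None
    return None

def relay_findings(control_lines, server_ip_version):
    """List lines whose embedded endpoint a byte-copying TCP relay leaves untouched."""
    findings = []
    for line in control_lines:
        endpoint = embedded_endpoint(line)
        if endpoint is None:
            continue
        addr, port = endpoint
        if addr.version != server_ip_version:
            reason = "embedded address family differs from the server's"
        else:
            reason = "data connection targets the embedded address, not the relay"
        findings.append((line.strip(), str(addr), port, reason))
    return findings

# Constructed control-channel lines from an IPv6 client to an IPv4-only FTP server.
SESSION = ["USER anonymous\r\n", "EPRT |2|FEC0::2AA:FF:FE3F:2A1C|5282|\r\n",
           "RETR report.txt\r\n"]

if __name__ == "__main__":
    for finding in relay_findings(SESSION, server_ip_version=4):
        print(finding)
```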




Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
Year: 2004
Pages: 146
