Chapter 12 ISATAP

At the end of this chapter, you should be able to do the following:

■ Define the address format, encapsulation, and intended use of the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) IPv6 transition technology.
■ Describe how the IPv6 protocol in Windows Server 2008 and Windows Vista supports ISATAP as a host and router.
■ List and describe the routes on ISATAP hosts, ISATAP routers, and IPv6 routers that make ISATAP-based communication possible.
■ Describe how ISATAP communication works between ISATAP hosts and native IPv6 hosts on an intranet.
■ Describe how to configure a computer running Windows Server 2008 or Windows Vista as an ISATAP router.

ISATAP Overview

ISATAP is an address assignment and host-to-host, host-to-router, and router-to-host automatic tunneling technology defined in RFC 4214 that provides unicast IPv6 connectivity between IPv6/IPv4 hosts across an IPv4 intranet. ISATAP hosts do not require any manual configuration, and they can create ISATAP addresses using standard IPv6 address autoconfiguration mechanisms.

ISATAP addresses have one of the two following formats:

64-bitUnicastPrefix:0:5EFE:w.x.y.z
64-bitUnicastPrefix:200:5EFE:w.x.y.z

The ISATAP address consists of the following:

■ 64-bitUnicastPrefix is any 64-bit unicast address prefix, including link-local, global, and unique local prefixes.
■ :0:5EFE:w.x.y.z and :200:5EFE:w.x.y.z are the locally administered interface identifiers. For :0:5EFE:w.x.y.z, w.x.y.z is a private unicast IPv4 address. For :200:5EFE:w.x.y.z, w.x.y.z is a public unicast IPv4 address.

The interface identifier (ID) portion of an ISATAP address contains an embedded IPv4 address that determines the destination IPv4 address in the encapsulating IPv4 header of ISATAP traffic.
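The two address formats above can be recognized mechanically, which is useful when looking for ISATAP hosts in address inventories or flow logs. The following Python parser is an added example, not code from the book: the function names and sample addresses are constructed, and Python's is_private test is assumed as a stand-in for "private unicast IPv4 address".

```python
import ipaddress

# Bits 32..63 of an ISATAP address: 0:5EFE (private IPv4) or 200:5EFE (public IPv4)
ISATAP_MARKERS = {0x00005EFE: "private", 0x02005EFE: "public"}

def parse_isatap(addr):
    """Return (64-bit prefix, embedded IPv4, scope claimed by the marker), or None."""
    value = int(ipaddress.IPv6Address(addr.split("%")[0]))   # drop any %ZoneID
    marker = (value >> 32) & 0xFFFFFFFF
    if marker not in ISATAP_MARKERS:
        return None                                          # not an ISATAP interface ID
    prefix = ipaddress.IPv6Network(((value >> 64) << 64, 64))
    embedded = ipaddress.IPv4Address(value & 0xFFFFFFFF)     # w.x.y.z, the last 32 bits
    return prefix, embedded, ISATAP_MARKERS[marker]

def scope_mismatch(addr):
    """True when the marker claims private/public but the embedded IPv4 is the opposite."""
    parsed = parse_isatap(addr)
    if parsed is None:
        return False
    _, embedded, claimed = parsed
    # Assumption: ipaddress.is_private approximates "private unicast IPv4 address".
    actual = "private" if embedded.is_private else "public"
    return actual != claimed

# Constructed sample input, such as addresses taken from an inventory export.
SAMPLES = [
    "fe80::5efe:10.1.2.3%12",               # link-local prefix, private IPv4
    "2001:db8:0:7:200:5efe:131.107.9.221",  # global prefix, public IPv4
    "fd00:1:2:3:200:5efe:10.1.2.3",         # marker claims public, IPv4 is private
    "2001:db8::1",                          # native IPv6, no ISATAP interface ID
]

def summarize(addresses):
    """One row per address: (address, prefix, embedded IPv4, claimed scope, mismatch)."""
    rows = []
    for addr in addresses:
        parsed = parse_isatap(addr)
        if parsed is None:
            rows.append((addr, None, None, None, False))
        else:
            prefix, embedded, claimed = parsed
            rows.append((addr, str(prefix), str(embedded), claimed, scope_mismatch(addr)))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLES):
        print(row)
```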
Understanding IPv6, Second Edition

There is a common misconception that before you can begin experimenting with IPv6 connectivity and application migration, you must deploy native IPv6 addressing and routing, which requires a detailed analysis of IPv6 addressing schemes, router updates and configuration, and a rollout schedule. Although this should eventually be done for intranets, ISATAP allows you to turn the IPv4-only portion of your intranet into a logical IPv6 subnet. Once this subnet is defined and assigned a global or unique local prefix, IPv6/IPv4 hosts that support ISATAP can use ISATAP-based addresses for IPv6 connectivity. ISATAP allows you to make your IPv4-only intranet IPv6-capable, without requiring modifications to your existing router infrastructure to support native IPv6 addressing and routing. With ISATAP, you can immediately begin experimenting with IPv6 connectivity and application migration.

ISATAP allows you to phase in the native IPv6 addressing and routing capability on your intranet in the following way:

■ Phase 1: IPv4-only intranet. In this phase, your entire intranet can be a single, logical ISATAP subnet.
■ Phase 2: IPv4-only and IPv6-capable portions of your intranet. In this phase, your intranet has an IPv4-only portion (the logical ISATAP subnet) and an IPv6-capable portion. The IPv6-capable portion of your intranet has been updated to support native IPv6 addressing and routing.
■ Phase 3: IPv6-capable intranet. In this phase, your entire intranet supports both IPv4 and native IPv6 addressing and routing and ISATAP is no longer needed.

With ISATAP, you can have IPv6 connectivity between hosts and applications during the first two phases of the transition from an IPv4-only to an IPv6-capable intranet.
ISATAP Tunneling

ISATAP-based IPv6 traffic is tunneled or encapsulated with an IPv4 header, also known as IPv6-over-IPv4 traffic. For the details of IPv6-over-IPv4 traffic, see Chapter 11, "IPv6 Transition Technologies." This tunneling is automatically done by an ISATAP tunneling interface on the sending host or forwarding router. The ISATAP tunneling interface treats the entire IPv4-only portion of the intranet as a single link layer, in much the same way as Ethernet. In the case of ISATAP, the link-layer encapsulation is IPv4.

The IPv6 protocol for Windows Server 2008 and Windows Vista creates a separate ISATAP tunneling interface for each LAN interface that is installed in the computer that has a different DNS suffix. For example, if a computer running Windows Vista has two LAN interfaces and they are both attached to the same intranet and are assigned the same DNS suffix, there is only one ISATAP tunneling interface. If these two LAN interfaces are attached to two different networks with different DNS suffixes, there are two ISATAP tunneling interfaces. For
computers running Windows Server 2008 or Windows Vista with Service Pack 1, the ISATAP tunnel interfaces are placed in a media disconnected state unless the name "ISATAP" can be resolved.

By default, the IPv6 protocol for Windows Vista with no service packs installed automatically configures link-local ISATAP addresses (FE80::5EFE:w.x.y.z or FE80::200:5EFE:w.x.y.z) on the ISATAP tunnel interfaces for the IPv4 addresses that are assigned to the corresponding LAN interface. The IPv6 protocol for Windows Server 2008 and Windows Vista with Service Pack 1 configures link-local ISATAP addresses (FE80::5EFE:w.x.y.z or FE80::200:5EFE:w.x.y.z) on ISATAP tunnel interfaces only if the name "ISATAP" can be resolved. These link-local ISATAP addresses allow two hosts to communicate over an IPv4-only network without requiring additional global or unique local ISATAP addresses.

You can determine the names and interface indexes of the ISATAP tunneling interfaces from the display of the ipconfig /all command. All tunneling interfaces by default have an asterisk ("*") in their name, such as "Local Area Connection*6". ISATAP tunneling interfaces have an asterisk in their name, "ISATAP" in their description, and are assigned a link-local ISATAP address. You can obtain the interface index for an ISATAP tunneling interface from the number after the percent sign ("%") in the link-local addresses assigned to the interface. For example, the interface index of the ISATAP tunneling interface with the address FE80::200:5EFE:131.107.9.221%10 is 10.

You can disable ISATAP by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisabledComponents registry value to 0x4 (DWORD).

Note: IPv6 for Windows Server 2003 and Windows XP created only a single ISATAP tunneling interface that was named Automatic Tunneling Pseudo-Interface, with an interface index that was typically set to 2.
ISATAP Tunneling Example

Host A has a single LAN interface and is configured with the IPv4 address of 10.40.1.29. Host B has a single LAN interface and is configured with the IPv4 address of 192.168.41.30. IPv6 on Host A has the ISATAP address of FE80::5EFE:10.40.1.29 assigned to its ISATAP tunneling interface (named "Local Area Connection*6" with the interface index 10) and Host B has the ISATAP address of FE80::5EFE:192.168.41.30 assigned to its ISATAP tunneling interface (named "Local Area Connection*5" with the interface index 11). Figure 12-1 shows this example configuration.
[Figure 12-1 An example ISATAP configuration: Host A (FE80::5EFE:10.40.1.29) and Host B (FE80::5EFE:192.168.41.30) connected by an IPv4-only infrastructure]

When Host A sends IPv6 traffic to Host B destined for Host B's link-local ISATAP address, the source and destination addresses for the IPv6 and IPv4 headers are as listed in Table 12-1.

Table 12-1 Example Link-Local ISATAP Addresses

Field                      Value
IPv6 Source Address        FE80::5EFE:10.40.1.29
IPv6 Destination Address   FE80::5EFE:192.168.41.30
IPv4 Source Address        10.40.1.29
IPv4 Destination Address   192.168.41.30

To test connectivity between ISATAP hosts, you can use the Ping tool (subject to Windows Firewall exceptions for Internet Control Message Protocol for IPv6 [ICMPv6] traffic). For example, to ping Host B at its link-local ISATAP address from Host A, you would use the following command:

    ping fe80::5efe:192.168.41.30%10

Because the destination of the ping command is a link-local address, you must use the %ZoneID as part of the destination address to specify the interface index of the interface from which traffic must be sent. In this case, "%10" specifies interface index 10, which is the interface index assigned to the ISATAP tunneling interface on Host A. The ISATAP tunneling interface uses its own link-local ISATAP address as a source IPv6 address. The ISATAP tunneling interface determines the destination IPv4 address of the encapsulating IPv4 header from the last 32 bits in the destination IPv6 address, which correspond to the embedded IPv4 address
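The header relationship in Table 12-1 can be checked on a captured packet. The following Python sketch is an added example, not code from the book: it builds a constructed IPv6-over-IPv4 packet for the Host A to Host B ping, parses both headers, and verifies that each IPv4 address equals the one embedded in the matching IPv6 address. It covers only the link-local host-to-host case of Table 12-1; the function names are hypothetical, and IPv4 Protocol value 41 (encapsulated IPv6) is a standard value not stated on this page.

```python
import ipaddress
import struct

A4, B4 = "10.40.1.29", "192.168.41.30"                 # Host A and Host B from the example
A6, B6 = "fe80::5efe:10.40.1.29", "fe80::5efe:192.168.41.30"

def build_sample(src4=A4, dst4=B4, src6=A6, dst6=B6):
    """Constructed packet: IPv4 header (protocol 41) + bare IPv6 header, checksum left 0."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 58, 255)  # version 6, next header 58 (ICMPv6)
    inner += ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 128, 41, 0,
                        ipaddress.IPv4Address(src4).packed,
                        ipaddress.IPv4Address(dst4).packed)
    return outer + inner

def parse_headers(pkt):
    """Return the four Table 12-1 fields, or None if this is not IPv6-over-IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 41:
        return None
    inner = pkt[(pkt[0] & 0x0F) * 4:]                  # skip the IPv4 header (IHL words)
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    return {
        "ipv6_src": ipaddress.IPv6Address(inner[8:24]),
        "ipv6_dst": ipaddress.IPv6Address(inner[24:40]),
        "ipv4_src": ipaddress.IPv4Address(pkt[12:16]),
        "ipv4_dst": ipaddress.IPv4Address(pkt[16:20]),
    }

def embedded_ipv4(ip6):
    """IPv4 address in the last 32 bits if the interface ID is 0:5EFE or 200:5EFE."""
    raw = ip6.packed
    if raw[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return ipaddress.IPv4Address(raw[12:16])
    return None

def headers_consistent(fields):
    """Host-to-host case: each IPv4 address equals the one embedded in the IPv6 address."""
    return (embedded_ipv4(fields["ipv6_src"]) == fields["ipv4_src"]
            and embedded_ipv4(fields["ipv6_dst"]) == fields["ipv4_dst"])

if __name__ == "__main__":
    parsed = parse_headers(build_sample())
    for name, value in parsed.items():
        print(f"{name:9} {value}")
    print("consistent:", headers_consistent(parsed))
```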