Configuring an ISATAP Router with Windows Server 2008 R2 (Part 2)

If you would like to read the first part in this article series please go to Configuring an ISATAP Router with Windows Server 2008 R2 (Part 1).

Introduction

In part 1 of this two part series on ISATAP and ISATAP routers, we provided a high level overview of IPv6 and how IPv6 can be used on networks today, and then we started a short discussion on ISATAP. In this article, we’ll expand on the ISATAP discussion and describe how you can use ISATAP on your network today to help you transition to a native IPv6 network.

Remember that ISATAP stands for “Intra-site Automatic Tunnel Addressing Protocol”. The name of the protocol itself gives you some insight into its function. Let’s parse its parts and look at each one:

  • Intra-site – this means that you use ISATAP within a site, or on an intranet. ISATAP is not used for communications over the public Internet.
  • Tunnel – ISATAP tunnels IPv6 packets over an IPv4 intranet by encapsulating the IPv6 packets in an IPv4 header so that they appear to be IPv4 packets.
  • Automatic – When an ISATAP host (a device configured with an ISATAP tunnel adapter) enables its ISATAP adapter, the ISATAP router will provide information it needs to assign an address to the ISATAP adapter (An important point here is that DHCP is not used).
  • Addressing – The ISATAP router assigns addressing information to the ISATAP host’s ISATAP tunnel adapter.

ISATAP addressing notation

Like all IPv6 addresses, ISATAP has two components:

  • The IPv6 prefix (which is similar to an IPv4 network ID)
  • The IPv6 interface ID (which is similar to the IPv4 host ID)

Without going into too many details regarding IPv6 prefixes, we can say that ISATAP can use any valid IPv6 prefix. For the Interface ID, the last 64 bits of the ISATAP address will be either:

  • ::0:5efe:w.x.y.z, when the IPv4 address is a private IP address
  • ::200:5efe:w.x.y.z, when the IPv4 address is a public IP address

Note that, when writing out the ISATAP address, we use the “dotted quad” notation at the end of the address instead of the hexadecimal that is used to represent the rest of the address. This is done as a convenience by the Windows client and server operating system for all of us who are used to the IPv4 addressing notation. If you were to view the ISATAP addresses that are registered in a Windows DNS server for these same hosts, you would see that the “dotted quad” address is registered as its hexadecimal equivalent.

Examples of ISATAP addresses are shown here:

2002:836b:4:8000:0:5efe:10.0.0.20, for a private address.

2002:836b:4:8000:200:5efe:131.107.0.31, for a public address.

It’s important to note that the ISATAP address is a “real” IPv6 address. It can be used by any IPv6 capable service and operating system to enable communications between ISATAP hosts and ISATAP and native IPv6 hosts.
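The interface ID rule and the dotted-quad versus hexadecimal forms described above can be checked mechanically. The following Python sketch is an added example, not code from the original article; the function names are illustrative, and it assumes Python's `is_private` as the private/public test (which covers more ranges than RFC 1918).

```python
import ipaddress

ISATAP_MARK = 0x5EFE  # second 16-bit group of every ISATAP interface ID


def isatap_address(prefix, ipv4):
    """Build the ISATAP address for an IPv4 host under a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface ID is 64 bits, so the prefix must be /64")
    v4 = ipaddress.IPv4Address(ipv4)
    # Article's rule: 0:5efe for private IPv4, 200:5efe for public IPv4.
    # Assumption: Python's is_private decides which case applies.
    flag = 0x0000 if v4.is_private else 0x0200
    iid = (flag << 48) | (ISATAP_MARK << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_ipv4(addr):
    """Return the IPv4 address carried in an ISATAP address, else None."""
    value = int(ipaddress.IPv6Address(addr))
    flag, mark = (value >> 48) & 0xFFFF, (value >> 32) & 0xFFFF
    if mark != ISATAP_MARK or flag not in (0x0000, 0x0200):
        return None
    return ipaddress.IPv4Address(value & 0xFFFFFFFF)


def windows_notation(addr):
    """Render with a trailing dotted quad (zero groups are not compressed)."""
    addr = ipaddress.IPv6Address(addr)
    head = ":".join(format(int(g, 16), "x") for g in addr.exploded.split(":")[:6])
    return f"{head}:{ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)}"


if __name__ == "__main__":
    # Hosts from the article's examples, plus one non-ISATAP address (UAG1).
    for host in ("10.0.0.20", "131.107.0.31"):
        a = isatap_address("2002:836b:4:8000::/64", host)
        print(windows_notation(a), "=", a, "->", embedded_ipv4(a))
    print(embedded_ipv4("2002:836b:20:8000::1"))
```

The hexadecimal form returned by `isatap_address` is what you would expect to see registered in DNS, and `embedded_ipv4` recovers the underlying IPv4 host from an address seen in a log or record.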

Why use ISATAP?

At this point, you might be wondering, “why do I even want to use ISATAP?” and that’s a very good question to ask. ISATAP is an IPv6 transition technology which allows hosts on an IPv4 network to communicate with hosts on an IPv6 only network. Most networks we have now are IPv4 only and the routing infrastructure on these networks supports IPv4 only. But as you upgrade your networks and your operating systems, you’ll almost certainly eventually have portions of your network that support IPv6 and IPv6 routing. ISATAP enables you to connect the hosts on the IPv4 only network with the hosts on the IPv6 only networks.

Deploying ISATAP

Take a look at the diagram below (Figure 1). I’ve borrowed this from my husband, Tom (a.k.a. Tom Shinder, “The Edge Man”). This is part of the work he’s doing on multi-site UAG DirectAccess server deployment, and it nicely illustrates how ISATAP is deployed in that situation.


Figure 1

In the figure, you can see that there is an ISATAP subnet, with the prefix 2002:836b:4:8000::/64. Some of the hosts on the Corpnet subnet are ISATAP capable hosts and some are not. Those that are ISATAP capable can communicate with IPv6 only hosts. The figure also shows an IPv6-only subnet between ISATAP1 and UAG1, with an IPv6 prefix of 2002:836b:20:8000::/64. In addition, the DirectAccess clients that connect to the Corpnet subnet are assigned IPv6 addresses with the prefixes 2001:0:836b:2::/64 and 2002:836b:2:8100::/64. An ISATAP router can be used to route the IPv4 encapsulated IPv6 packets on the Corpnet subnet to the native IPv6 subnet connecting ISATAP1 to UAG1 and also to the IPv6 subnets (prefixes) that are assigned to the DirectAccess clients.

For example, DC1 in the figure is assigned an ISATAP address as well as an IPv4 address. DC1 needs to connect to a DirectAccess client on the Internet. Here’s the process:

  1. The DirectAccess client is assigned an IPv6 address (such as a Teredo address).
  2. In order to connect to the DirectAccess client, DC1 will use its ISATAP adapter to connect to ISATAP1, which is an ISATAP router.
  3. When the connection reaches the ISATAP router, the IPv4 header is removed from the IPv6 packet and the router forwards the connection to the native IPv6 address assigned to the internal interface of UAG1.
  4. UAG1 then routes the packet to the DirectAccess client on the Internet.
  5. When the DirectAccess client responds, it sends its response to UAG1.
  6. UAG1 routes the packet to the IPv6 interface on ISATAP1.
  7. ISATAP1 then encapsulates the IPv6 packet with an IPv4 header and forwards it to the ISATAP adapter on DC1.

ISATAP and DNS

ISATAP hosts discover an ISATAP router by performing a DNS query. By default, Windows ISATAP hosts will query the name ISATAP and then try to connect to the IPv4 address that resolves to the name. If the connection succeeds, then the ISATAP adapter can be configured with addressing and routing information.

By default, Windows 2003 SP2 and above DNS servers do not answer queries for the names WPAD and ISATAP. That means you will need to enable queries for the ISATAP name on these servers. For information on how to do this, check out this article.

When the ISATAP enabled host configures its ISATAP adapter, it will register its ISATAP address in DNS, as seen in figure 2.


Figure 2

Configuring the ISATAP Router

An ISATAP router can do two things:

  • Provide the ISATAP subnet ID (prefix) to the ISATAP adapter on the ISATAP enabled host (all Windows Vista and above and Windows Server 2008 and above hosts are ISATAP enabled by default).
  • Provide IPv6 routing information to the ISATAP hosts so that if the hosts need to route to IPv6-only networks, the ISATAP adapter will be aware of these routes and forward the connection to the ISATAP router.

Since modern Windows hosts are ISATAP capable and enabled by default, you don’t need to do anything on the clients. However, to make a Windows Server 2008 R2 computer function as an ISATAP router, you need to do some work at the command line; unfortunately, there is no graphical interface for ISATAP router configuration, so be careful!

The first step is to configure the Windows Server 2008 R2 computer to advertise itself as an ISATAP router. This advertising enables the ISATAP capable hosts to connect to the ISATAP router to get addressing and routing information. To do that, use the following command:

netsh interface ipv6 set interface ISATAPInterfaceNameOrIndex advertise=enabled

To get the ISATAPInterfaceNameOrIndex number, you can use the ipconfig command, as shown in Figure 3.


Figure 3

The adapter we’re interested in is the one with the fe80::5efe:w.x.y.z address assigned to it, which in this example is the Tunnel adapter isatap.corp.contoso.com. To get the interface index, you can use the netsh command netsh interface ipv6 show interface, as shown in Figure 4.


Figure 4

So now we know the interface index in this example is 12.

To advertise this Windows Server 2008 R2 computer as an ISATAP router, you need to enter:

netsh interface ipv6 set interface 12 advertise=enabled

Now you want to inform the ISATAP capable hosts of which ISATAP prefix to use when they configure their ISATAP adapters. To do this, on the Windows Server 2008 R2 ISATAP router, enter the following:

netsh interface ipv6 add route IPv6AddressPrefix/PrefixLength ISATAPInterfaceNameOrIndex publish=yes

We already know that the ISATAP Interface Index is 12. The only other thing you need to know in order to complete the command is the IPv6 prefix. Let’s say that we want to use the prefix 2002:836b:4:8000::/64. In this case, you would then enter the following command:

netsh interface ipv6 add route 2002:836b:4:8000::/64 12 publish=yes

The publish statement is used to inform the ISATAP enabled hosts that the ISATAP router is publishing this IPv6 prefix, which they should use to configure their ISATAP adapters.

At this point, our ISATAP router is advertising itself as an ISATAP router and will provide the IPv6 prefix information to the ISATAP enabled hosts that connect to this ISATAP router for addressing and routing information. The next step is to enable the ISATAP router to do what a router does; in other words, we need to configure this ISATAP router to forward packets from the ISATAP network prefix to the native IPv6 networks.

To do this, use the following command:

netsh interface ipv6 set interface LANInterfaceNameOrIndex forwarding=enabled

Notice that in this instance, we’re using the Interface Index for the LAN interface (NIC) and not the ISATAP adapter. If you look at figure 4, you can see that the Interface Index for the NIC is 11 (in this example, the ISATAP router has a single NIC, but you typically would have two NICs in the ISATAP router, and you would use the Interface Index of the NIC that has the native IPv6 address assigned to it. In this example, the same physical NIC is hosting the ISATAP adapter and the native IPv6 address). So, in this example, to enable routing from the ISATAP adapter to the IPv6 interface, you would use the command:

netsh interface ipv6 set interface 11 forwarding=enabled

We have already enabled advertising on the ISATAP adapter, but we also need to enable routing (forwarding) on the ISATAP adapter as well, so that it can forward the packets to the IPv6-only networks:

netsh interface ipv6 set interface ISATAPInterfaceNameOrIndex forwarding=enabled

In our example, the ISATAP Interface Index is 12, so we use the following command:

netsh interface ipv6 set interface 12 forwarding=enabled

Finally, we want to provide IPv6 routes that the ISATAP router will advertise to the ISATAP enabled hosts. To do that, you would use the following command:

netsh interface ipv6 add route ::/0 LANInterfaceNameOrIndex nexthop=IPv6RouterAddress publish=yes

We know that the LAN Interface Index is 11. Now we need to configure the ISATAP router with a default gateway that it will use to connect to IPv6 capable networks:

netsh interface ipv6 add route ::/0 LANInterfaceNameOrIndex nexthop=IPv6RouterAddress publish=yes

In the example shown in figure 1, we would use the following command:

netsh interface ipv6 add route ::/0 11 nexthop=2002:836b:20:8000::1 publish=yes

Publishing Specific Routes

We can also publish specific routes in addition to the default gateway. If you look at Figure 1, the nexthop address is the IPv6 address assigned to the internal interface on UAG1, which is 2002:836b:20:8000::1. The routes available through that gateway address (the UAG1 DirectAccess server is the gateway to the IPv6 prefixes used by the DirectAccess clients) are 2001:0:836b:2::/64 and 2002:836b:2:8100::/64. Thus, in this example, we can enter the following on the Windows Server 2008 R2 ISATAP router:

netsh interface ipv6 add route 2001:0:836b:2::/64 11 nexthop=2002:836b:20:8000::1 publish=yes

netsh interface ipv6 add route 2002:836b:2:8100::/64 11 nexthop=2002:836b:20:8000::1 publish=yes

You can see these routes in the routing table on the ISATAP router after you add them, as seen in Figure 5 below:


Figure 5

If you go to one of the ISATAP hosts that use this ISATAP router, you will be able to see that the routes also appear in the host’s routing tables, as shown in Figure 6.


Figure 6

The routing table entries are automatically populated on the ISATAP host for the Interface Index assigned to the ISATAP adapter, as you can also see in figure 6 (the ISATAP adapter is Interface Index 12).

Now that everything is configured, you can do a tracert to show routing from an ISATAP subnet to a native IPv6 subnet and back, as seen in Figure 7.


Figure 7

Summary

In this, part 2 of a two part series on ISATAP routers using Windows Server 2008 R2, we configured the Windows Server 2008 R2 machine as an ISATAP router, and then configured the router to advertise its status as an ISATAP router and assign an ISATAP subnet prefix to the ISATAP enabled hosts. After that, we configured forwarding to be enabled on the IPv6 address assigned NIC and on the ISATAP adapter itself. Finally, we configured routing table entries on the ISATAP router that provided information to the ISATAP enabled hosts to reach various native IPv6 subnets and then tested the configuration to confirm that it works.

1 thought on “Configuring an ISATAP Router with Windows Server 2008 R2 (Part 2)”

  1. Hi, we can read that “ISATAP is not used for communications over the public Internet.” What prevents me from deploying ISATAP on the internet facing interface of my router? And building a tunnel to another internet interface of another router? Thanks!