The Cable Guy: Migrating Your Intranet to IPv6 with ISATAP
Joseph Davies

This article is based on a prerelease version of Windows Server 2008. All information herein is subject to change.

A common misperception about Internet Protocol version 6 (IPv6) is that in order to use it, you must deploy native IPv6 addressing and routing, which requires a detailed analysis of IPv6 addressing schemes, router updates and configuration, and a rollout schedule. Although this should eventually be done for native IPv6 connectivity, you can easily deploy tunneled IPv6 connectivity using the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP). With tunneled IPv6 connectivity, hosts that support ISATAP can communicate using IPv6 traffic that is encapsulated with an IPv4 header (the IPv4 Protocol field is set to 41). ISATAP traffic can traverse an IPv4-only intranet, so you can begin testing IPv6-capable applications immediately, without having to wait for a native IPv6 infrastructure.
ISATAP is an address assignment and automatic tunneling technology defined in RFC 4214 that provides unicast IPv6 connectivity between IPv6/IPv4 hosts across an IPv4-only intranet. ISATAP hosts use a logical tunneling interface that is assigned ISATAP addresses, which have the form UnicastPrefix:0:5EFE:w.x.y.z (when w.x.y.z is a private IPv4 address assigned to the ISATAP host) or UnicastPrefix:200:5EFE:w.x.y.z (when w.x.y.z is a public IPv4 address assigned to the ISATAP host). UnicastPrefix is any 64-bit unicast address prefix, including link-local, global, and unique local prefixes. Examples of ISATAP addresses are 2001:DB8::98CA:200:131.107.28.9 and 2001:DB8::98CA:0:10.91.211.17.
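An added example, not part of the original article: the Python below parses an IPv4 packet, recognizes Protocol 41 encapsulation, and checks whether the inner IPv6 source is an ISATAP address that embeds the outer IPv4 source, which lets a monitoring tool tell ISATAP host traffic from other protocol 41 tunnels. The function names, verdict strings, the `routers` set and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41                      # IPv4 Protocol value for encapsulated IPv6
ISATAP_IDS = (0x00005EFE, 0x02005EFE)  # 0:5EFE and 200:5EFE markers


def classify(packet, routers):
    """Return None for non-tunnel IPv4, else (verdict, outer_src, inner_src).

    routers: IPv4 addresses the name ISATAP resolves to (caller-supplied).
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4       # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    if packet[9] != IPPROTO_IPV6:      # the Protocol field is byte 9
        return None
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 payload is not an IPv6 packet")
    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner_src = ipaddress.IPv6Address(inner[8:24])
    value = int(inner_src)
    is_isatap = ((value >> 32) & 0xFFFFFFFF) in ISATAP_IDS
    if is_isatap and (value & 0xFFFFFFFF) == int(outer_src):
        verdict = "isatap-host"        # inner source embeds the outer source
    elif str(outer_src) in routers:
        verdict = "via-router"         # forwarded by a known ISATAP router
    else:
        verdict = "mismatch"           # tunnel endpoint and inner source disagree
    return verdict, str(outer_src), str(inner_src)


def sample_packet(outer_src, outer_dst, inner_src, inner_dst, proto=IPPROTO_IPV6):
    """Constructed input: IPv4 header (checksum left 0) plus a bare IPv6 header."""
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 128, proto, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    v6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                     ipaddress.IPv6Address(inner_src).packed,
                     ipaddress.IPv6Address(inner_dst).packed)
    return v4 + v6


if __name__ == "__main__":
    routers = {"10.0.0.1"}             # constructed ISATAP router address
    pkt = sample_packet("10.1.31.97", "10.0.0.1",
                        "fd8a:219c:52a:1:0:5efe:10.1.31.97", "fd8a:219c:52a:2::1")
    print(classify(pkt, routers))
```

A "mismatch" verdict is not proof of abuse, since other IPv6-in-IPv4 tunnels also use Protocol 41, but on an intranet that deploys only ISATAP it marks traffic worth a closer look.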

Intranet Migration to IPv6 with ISATAP
An ISATAP deployment consists of one or more logical ISATAP subnets, which are IPv4-only networks assigned a 64-bit IPv6 subnet prefix. On a logical ISATAP subnet there are ISATAP hosts and ISATAP routers. An ISATAP host uses an ISATAP tunneling interface to encapsulate IPv6 traffic. This traffic can be sent directly to other ISATAP hosts on the same logical ISATAP subnet. To reach destinations that are on other ISATAP subnets or on native IPv6 subnets, the traffic is sent to an ISATAP router. An ISATAP router is an IPv6 router that advertises subnet prefixes to ISATAP hosts and forwards IPv6 traffic between ISATAP hosts and hosts on other IPv6 subnets. Figure 1 shows the components of ISATAP on a simplified intranet.
Figure 1 IPv4-only and IPv6-capable portions of your intranet
ISATAP allows you to deploy native IPv6 addressing and routing capabilities on your intranet in three phases.
Phase 1: IPv4-Only Intranet. In this phase, your entire intranet can be a single, logical ISATAP subnet. Figure 2 shows an example with an IPv4-only intranet with an ISATAP router that is only advertising a global or unique local address prefix to ISATAP hosts.
Figure 2 An IPv4-only intranet
Phase 2: IPv4-Only and IPv6-Capable Portions of Your Intranet. In this middle phase, your intranet has an IPv4-only portion (the logical ISATAP subnet) and an IPv6-capable portion. The IPv6-capable portion of your intranet supports IPv4 and has been updated to support native IPv6 addressing and routing. You saw this configuration in Figure 1.
Phase 3: IPv6-Capable Intranet. In this final phase, your entire intranet supports both IPv4 and native IPv6 addressing and routing. Note that ISATAP is no longer needed. Figure 3 shows an example.
Figure 3 IPv6-capable intranet
With ISATAP, you can have IPv6 connectivity between hosts and applications during the first two phases of the transition from an IPv4-only to an IPv6-capable intranet.

Windows Server 2008 and Windows Vista
The IPv6 protocol for Windows Server® 2008 and Windows Vista® supports ISATAP as both an ISATAP host and an ISATAP router. There is a separate ISATAP tunneling interface for each LAN interface that is installed in the computer that has a different DNS suffix. For example, if a computer running Windows Vista has two LAN interfaces and they are both attached to the same intranet and are assigned the same DNS suffix, there is only one ISATAP tunneling interface. If these two LAN interfaces are attached to two different networks with different DNS suffixes, there are two ISATAP tunneling interfaces. For computers running Windows Server 2008 or Windows Vista SP1, the ISATAP tunnel interfaces are placed in a media-disconnected state unless the name "ISATAP" can be resolved.
By default, the IPv6 protocol for Windows Vista with no service packs installed automatically configures link-local ISATAP addresses (FE80::5EFE:w.x.y.z or FE80::200:5EFE:w.x.y.z) on the ISATAP tunnel interfaces for the IPv4 addresses that are assigned to the corresponding LAN interfaces.
The IPv6 protocol for Windows Server 2008 and Windows Vista SP1 configures link-local ISATAP addresses on ISATAP tunnel interfaces only if the name "ISATAP" can be resolved.
To receive a router advertisement message from the ISATAP router, the ISATAP host must send the ISATAP router a router solicitation message. On an Ethernet subnet, a native IPv6 host sends a multicast router solicitation message and then the routers on the subnet respond with a router advertisement message. Because ISATAP does not use IPv4 multicast traffic or require an IPv4 multicast-capable infrastructure, the ISATAP host must unicast the router solicitation message to the ISATAP router.
To unicast the router solicitation message to the ISATAP router, the ISATAP host must first determine the unicast IPv4 address of the ISATAP router's interface on the logical ISATAP subnet. For the IPv6 protocol for Windows Server 2008 and Windows Vista, an ISATAP host obtains the unicast IPv4 address of the ISATAP router through the successful resolution of the host name "ISATAP" to an IPv4 address or with the netsh interface isatap set router command.

Migrating Your Intranet: Phase 1
In order to deploy ISATAP on your intranet for phase 1 of your migration to IPv6, you need to perform the following steps.
Determine the ISATAP Subnet Prefix. You must determine the 64-bit subnet prefix to assign to the logical ISATAP subnet corresponding to your intranet. You can obtain a 48-bit prefix from an ISP or Internet registry, or you can derive your own 48-bit unique local prefix (see RFC 4193 online at tools.ietf.org/html/rfc4193).
From the 48-bit prefix, choose a 16-bit subnet ID for the logical ISATAP subnet. The combination of the 48-bit prefix and 16-bit subnet ID is the 64-bit ISATAP subnet prefix. For example, the 48-bit unique local prefix FD8A:219C:052A::/48 and the subnet ID 1 form the 64-bit subnet prefix FD8A:219C:052A:1::/64.
Designate an ISATAP Router Computer. Determine which computer will be the ISATAP router. Although many commercial routers support ISATAP router functionality, the information I present here is specific to computers running Windows Server 2008.
The ISATAP router computer does not need multiple LAN interfaces, nor does it need to be connected to an IPv6-capable portion of your intranet for phase 1; however, the computer should be chosen so that later it can be updated with an additional LAN interface that is connected to the IPv6-capable portion of your intranet.
Configure the ISATAP Router Computer. On the ISATAP router computer, issuing the following command places the ISATAP tunneling interfaces on the ISATAP router computer in a media-connected state:
netsh interface isatap set router IPv4Address 
IPv4Address is the IPv4 address assigned to the LAN interface of the ISATAP router computer that is attached to the logical ISATAP subnet.
Next, determine the name or interface index of the ISATAP tunneling interface that corresponds to the LAN interface of the ISATAP router computer that is attached to the logical ISATAP subnet. You can find it in the output of this command:
netsh interface ipv6 show interfaces
Next, use this command to enable advertising on the ISATAP interface:
netsh interface ipv6 set interface ISATAPInterfaceNameOrIndex advertise=enabled
ISATAPInterfaceNameOrIndex is the name or interface index of the ISATAP tunneling interface.
Next, use this command to configure the ISATAP router computer to advertise the ISATAP subnet prefix to ISATAP hosts:
netsh interface ipv6 add route ISATAPSubnetPrefix ISATAPInterfaceNameOrIndex publish=yes
ISATAPSubnetPrefix is the ISATAP subnet prefix that you determined in the first step.
Configure DNS. In your DNS, add an address (A) record for the name ISATAP to the appropriate domains so that ISATAP hosts on your intranet can successfully resolve the name "ISATAP." For example, if your intranet hosts use the contoso.com DNS suffix, you must now add an A record to the contoso.com domain for the name isatap.contoso.com with the IPv4 address that is assigned to the ISATAP router's LAN interface on the IPv4-only intranet.
If the DNS server is running Windows Server 2008, use the registry editor (regedit.exe) on the DNS server to remove the ISATAP entry from the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList registry value.
Test ISATAP Hosts. From an ISATAP host on your intranet, use the Ipconfig tool to view the assigned addresses. ISATAP hosts should have an address of the form ISATAPSubnetPrefix::5EFE:w.x.y.z or ISATAPSubnetPrefix::200:5EFE:w.x.y.z. For example, if your ISATAP subnet prefix is FD8A:219C:052A:1::/64 and an ISATAP host has the IPv4 address 10.1.31.97, the ISATAP host should have the address FD8A:219C:052A:1::5EFE:10.1.31.97 assigned to its ISATAP tunneling interface.
If an ISATAP host does not have an ISATAP address based on the ISATAP subnet prefix, verify that the host can resolve the name "ISATAP." If not, verify that the A records have been created in the appropriate domains and, for DNS servers running Windows Server 2008, verify that the GlobalQueryBlockList registry value has been modified to remove the ISATAP entry. If the name can be resolved, verify that the ISATAP router computer has been configured correctly. If it has, verify that the routers on your intranet allow the forwarding of IPv4 protocol 41 traffic.
When ISATAP hosts can successfully configure themselves with addresses based on the ISATAP subnet prefix, they register these ISATAP addresses as AAAA records in DNS and begin using them for IPv6-based connectivity.
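The address check from the Test ISATAP Hosts step, worked as an added example (not code from the original article): the Python below derives the ISATAP address a host should hold from the subnet prefix and its IPv4 address, then maps what the tunneling interface actually shows to the troubleshooting branch described above. The function names and return strings are hypothetical, Python's `is_private` stands in for the article's private/public distinction, and the link-local inference assumes Windows Server 2008 or Windows Vista SP1 behavior.

```python
import ipaddress

ISATAP_PRIVATE = 0x00005EFE  # 0:5EFE, used with a private IPv4 address
ISATAP_PUBLIC = 0x02005EFE   # 200:5EFE, used with a public IPv4 address


def isatap_address(prefix, ipv4):
    """Build the ISATAP address for an IPv4 address under a 64-bit prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP subnet prefix must be 64 bits long")
    v4 = ipaddress.IPv4Address(ipv4)
    # Assumption: is_private approximates the article's private/public split.
    marker = ISATAP_PRIVATE if v4.is_private else ISATAP_PUBLIC
    return ipaddress.IPv6Address(
        int(net.network_address) | (marker << 32) | int(v4))


def embedded_ipv4(addr):
    """Return the IPv4 address inside an ISATAP address, or None."""
    value = int(ipaddress.IPv6Address(addr))
    if ((value >> 32) & 0xFFFFFFFF) not in (ISATAP_PRIVATE, ISATAP_PUBLIC):
        return None
    return ipaddress.IPv4Address(value & 0xFFFFFFFF)


def triage(prefix, ipv4, assigned):
    """Map the addresses on a host's ISATAP interface to the next check."""
    expected = isatap_address(prefix, ipv4)
    # Strip any %zone suffix that ipconfig prints on link-local addresses.
    seen = [ipaddress.IPv6Address(a.split("%")[0]) for a in assigned]
    if expected in seen:
        return "ok"
    if any(a.is_link_local and embedded_ipv4(a) is not None for a in seen):
        # The name resolved (Server 2008 / Vista SP1) but no prefix arrived:
        # check the ISATAP router configuration and protocol 41 forwarding.
        return "check-router-and-protocol-41"
    # No ISATAP address at all: check the A record and GlobalQueryBlockList.
    return "check-name-resolution"


if __name__ == "__main__":
    # Constructed sample using the prefix and host address from the text.
    prefix, host = "FD8A:219C:052A:1::/64", "10.1.31.97"
    print(isatap_address(prefix, host))
    print(triage(prefix, host, ["fe80::5efe:10.1.31.97%12"]))
```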

Migrating Your Intranet: Phase 2
In phase 2 of your migration to IPv6, it is necessary for you to modify your ISATAP router configuration to perform forwarding between the IPv4-only and IPv6-capable portions of your intranet.
On the ISATAP router computer, issue the following command:
netsh interface ipv6 show interfaces
From the output of the command above, determine the name or interface index of the LAN interface attached to the IPv6-capable portion of the intranet and the ISATAP tunneling interface.
Use this command to enable forwarding on the ISATAP interface:
netsh interface ipv6 set interface ISATAPInterfaceNameOrIndex forwarding=enabled
Use this command to enable forwarding on the LAN interface:
netsh interface ipv6 set interface LANInterfaceNameOrIndex forwarding=enabled
LANInterfaceNameOrIndex is the name or interface index of the LAN interface.
Use the following command to add a default route to the ISATAP router:
netsh interface ipv6 add route ::/0 LANInterfaceNameOrIndex NextHopAddress publish=yes
NextHopAddress is the IPv6 address of a neighboring native IPv6 router on the IPv6-capable portion of the intranet.
To make the logical ISATAP subnet reachable from the IPv6-capable portion of the intranet, it is important that you configure the native IPv6 routers with a route for the ISATAP subnet prefix that points back to the ISATAP router computer.
To selectively disable ISATAP for computers on the IPv6-capable portion of the intranet, manipulate A records for the name ISATAP in your DNS so that computers on the IPv6-capable portion of the intranet cannot resolve the name ISATAP.
Another option that you have is to create and set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisabledComponents registry value to 0x4 (DWORD type).

Migrating Your Intranet: Phase 3
For phase 3, when your entire intranet is IPv6-capable, you will need to remove the ISATAP deployment through DNS and reconfigure the ISATAP router computer. For DNS, remove all A records for the name ISATAP. This will prevent any host from determining the IPv4 address of the ISATAP router.
For the ISATAP router computer, run the following command:
netsh interface isatap set router default 
This command resets the ISATAP component back to its default state.
Determine the name or interface index of the ISATAP tunneling interface from the output of this command:
netsh interface ipv6 show interfaces
Use this command to disable forwarding and advertising on the ISATAP interface:
netsh interface ipv6 set interface ISATAPInterfaceNameOrIndex forwarding=disabled advertise=disabled
Use this command to remove the ISATAP subnet prefix route from the ISATAP router computer:
netsh interface ipv6 delete route ISATAPSubnetPrefix ISATAPInterfaceNameOrIndex
ISATAPSubnetPrefix is the ISATAP subnet prefix.
For more information about ISATAP deployment, including details about redundant ISATAP routers and firewall considerations, see the "Intra-Site Automatic Tunnel Addressing Protocol Deployment Guide" at go.microsoft.com/fwlink/?LinkId=106926.

Joseph Davies is a technical writer with Microsoft and has been teaching and writing about Windows networking topics since 1992. He has written eight books for Microsoft Press and is the author of the monthly online TechNet Cable Guy column. Read more about The Cable Guy at microsoft.com/technet/community/columns/cableguy/about.mspx.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.