ISATAP
ISATAP is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network.
Unlike 6over4 (an older similar protocol using IPv4 multicast), ISATAP uses IPv4 as a virtual nonbroadcast multiple-access network (NBMA) data link layer, so that it does not require the underlying IPv4 network infrastructure to support multicast.
How ISATAP works
ISATAP defines a method for generating a link-local IPv6 address from an IPv4 address, and a mechanism to perform Neighbor Discovery on top of IPv4.
Link-local address generation
Any host wishing to participate in ISATAP over a given IPv4 network can set up a virtual IPv6 network interface. The link-local address is determined by concatenating fe80:0000:0000:0000:0200:5efe: (for globally unique IPv4 addresses) or fe80:0000:0000:0000:0000:5efe: (for private IPv4 addresses) with the 32 bits of the host's IPv4 address.
For example, host 192.0.2.143 would use fe80:0000:0000:0000:0200:5efe:192.0.2.143 as its link-local IPv6 address. A shortened notation would be fe80::200:5efe:c000:028f (192.0.2.143 is c000028f in hexadecimal notation).
Neighbor Discovery
Because ISATAP uses IPv4 as a link layer that, unlike Ethernet, is not multicast- or broadcast-capable, ICMPv6 Neighbor Discovery cannot be done in the usual manner. That is why ISATAP is a bit more complex than 6over4.
The link layer address associated with a given IPv6 address is contained in the lower-order 32 bits of the IPv6 address, so that Neighbor Discovery is not really needed. However, the lack of multicast support prevents the use of automatic Router Discovery. Therefore, ISATAP hosts must be configured with a potential routers list (PRL). Each of these routers is infrequently probed by an ICMPv6 Router Discovery message, to determine which of them are functioning, and to perform unicast-only autoconfiguration (typically, obtain the list of on-link IPv6 prefixes that can be used).
In practice, implementations build their PRL by querying the DNS, e.g. by looking up isatap.example.com if the local domain is example.com. The local domain is typically obtained via DHCP (over IPv4) or statically configured.
Criticisms of ISATAP
ISATAP typically builds its PRL by consulting the DNS; hence, it is a lower-layer protocol that relies on a higher layer. A circularity is avoided by relying on an IPv4 DNS server, which does not rely on IPv6 routing being established; however, this is a violation of network design principles, and feels brittle to some network specialists.
ISATAP carries the same security risks as 6over4: the IPv4 virtual link must be delimited carefully at the network edge, so that external IPv4 hosts cannot pretend to be part of the ISATAP link. That is normally done by ensuring that proto-41 cannot pass through the firewall.
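The address format from the link-local generation section and the edge-delimiting rule above can be combined into a single filter check. This is an added example, not code from any ISATAP implementation. It assumes "private" means the RFC 1918 ranges, uses a hypothetical site prefix 192.0.2.0/24, and adds an inner/outer consistency check based on the statement that the link-layer address sits in the low 32 bits. `sample_packet` builds constructed test input.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def isatap_link_local(ipv4):
    """Build fe80::[0200:]5efe:<IPv4>; 'private' is assumed to mean RFC 1918."""
    v4 = ipaddress.IPv4Address(ipv4)
    u_bit = 0 if any(v4 in net for net in RFC1918) else 0x0200
    return ipaddress.IPv6Address(
        (0xFE80 << 112) | (u_bit << 48) | (0x5EFE << 32) | int(v4))

def embedded_ipv4(ipv6):
    """IPv4 address in the low 32 bits, or None if the interface ID is not ISATAP."""
    n = int(ipaddress.IPv6Address(ipv6))
    if (n >> 32) & 0xFFFF != 0x5EFE or (n >> 48) & 0xFDFF:
        return None
    return ipaddress.IPv4Address(n & 0xFFFFFFFF)

def classify(packet, site_net):
    """Verdict for one raw IPv4 packet seen by a filter guarding the ISATAP link."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed"
    if packet[9] != 41:                       # IPv4 protocol field: 41 = IPv6-in-IPv4
        return "not-proto-41"
    outer_src = ipaddress.IPv4Address(packet[12:16])
    if outer_src not in ipaddress.ip_network(site_net):
        return "drop-external"                # proto-41 from outside the virtual link
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 40:
        return "malformed"
    claimed = embedded_ipv4(packet[ihl + 8:ihl + 24])   # inner IPv6 source address
    if claimed is not None and claimed != outer_src:
        return "drop-mismatch"                # inner address names another IPv4 host
    return "accept"                           # simplification: non-ISATAP sources pass

def sample_packet(outer_src, inner_src, proto=41):
    """Constructed input: minimal IPv4 header + IPv6 header, checksums left zero."""
    v4 = bytes([0x45, 0, 0, 60, 0, 0, 0, 0, 64, proto, 0, 0])
    v4 += ipaddress.IPv4Address(outer_src).packed
    v4 += ipaddress.IPv4Address("192.0.2.1").packed
    v6 = bytes([0x60, 0, 0, 0, 0, 0, 59, 64])
    v6 += ipaddress.IPv6Address(inner_src).packed
    v6 += ipaddress.IPv6Address("fe80::1").packed
    return v4 + v6
```

A packet from 203.0.113.7 whose inner source claims fe80::200:5efe:c000:28f is classified `drop-external`, which is the case the proto-41 firewall rule exists to stop.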
Implementations of ISATAP
ISATAP is implemented in Microsoft Windows XP, Windows Vista, Windows 7, Windows Mobile, Linux, and in some versions of Cisco IOS.
Due to a patent claim, early in-kernel implementations were withdrawn from both KAME (*BSD) and USAGI (Linux). However, the IETF IPR disclosure search engine reports that the would-be infringing patent's holder requires no license from implementers. ISATAP has been supported in Linux since kernel version 2.6.25; the tool isatapd (http://www.saschahlusiak.de/linux/isatap.htm) provides a userspace helper. For prior kernels, the open source project Miredo provided an incomplete userland ISATAP implementation, which was removed in version 1.1.6.