ISATAP

ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network.

Unlike 6over4 (an older similar protocol using IPv4 multicast), ISATAP uses IPv4 as a virtual nonbroadcast multiple-access network (NBMA) data link layer, so that it does not require the underlying IPv4 network infrastructure to support multicast.

How ISATAP works

ISATAP defines a method for generating a link-local IPv6 address from an IPv4 address, and a mechanism to perform Neighbor Discovery on top of IPv4.

Any host wishing to participate in ISATAP over a given IPv4 network can set up a virtual IPv6 network interface. The link-local address is determined by prepending fe80::0200:5efe:… for globally unique addresses, or fe80::0000:5efe:… for private addresses, in front of the 32 bits of the host's IPv4 address.

For example, the global IPv4 address 192.0.2.143 would use fe80::0200:5efe:192.0.2.143 as its link-local IPv6 address. The shortened notation would be fe80::0200:5efe:c000:028f (where c0 00 02 8f is 192.0.2.143 in hexadecimal notation).[1]

Neighbor Discovery

Because ISATAP uses IPv4 as a non multicast/broadcast-capable (unlike Ethernet) link layer, ICMPv6 Neighbor Discovery cannot be done in the usual manner. That is why ISATAP is a bit more complex than 6over4.

From the viewpoint of the IPv6 packet, the link layer is the IPv4 packet. As the link layer address, the IPv4 address, is contained in the lower-order 32-bits of the IPv6 address, Neighbor Discovery is not really needed. However, the lack of multicast support prevents the use of automatic Router Discovery. Therefore, ISATAP hosts must be configured with a potential routers list (PRL). Each of these routers is infrequently probed by an ICMPv6 Router Discovery message, to determine which of them are functioning, and to perform unicast-only autoconfiguration (typically, obtain the list of on-link IPv6 prefixes that can be used).

In practice, implementations build their PRL by querying the DNS, e.g. by looking up isatap.example.com if the local domain is example.com. The local domain is typically obtained via DHCP (over IPv4) or statically configured.

Criticisms of ISATAP

ISATAP typically builds its PRL by consulting the DNS; hence, in the OSI model it is a lower-layer protocol that relies on a higher layer. A circularity is avoided by relying on an IPv4 DNS server, which does not rely on IPv6 routing being established; however, certain network specialists have judged this a violation of what are, in their perception, generally accepted design principles and further claim that these violations lead to insufficient protocol robustness.[2]

ISATAP carries the same security risks as 6over4: the IPv4 virtual link must be delimited carefully at the network edge, so that external IPv4 hosts cannot pretend to be part of the ISATAP link. That is normally done by ensuring that proto-41 (6in4) cannot pass through the firewall.

Implementations of ISATAP

ISATAP is implemented in Microsoft Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10[3], Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Mobile, Linux, and in Cisco IOS (since IOS 12.2(14)S and IOS XE Release 2.1).[4]

Due to a patent claim, early in-kernel implementations were withdrawn from both KAME (*BSD) and USAGI (Linux). However the IETF IPR disclosure search engine reports that the would-be infringing patent’s holder requires no license from implementers.[5] ISATAP support has been supported in Linux since kernel version 2.6.25,[6] the tool isatapd [7] provides a userspace helper. For prior kernels, the open source project Miredo provided an incomplete userland ISATAP implementation, which was removed in version 1.1.6.

gollark: It is kind of annoying that they made their own protocol and constantly fiddle with it despite the myriad of standards for this stuff.
gollark: Minecraft rewrite in Rust WHEN?
gollark: The protocol is surprisingly well-documented (unofficially) at this point.
gollark: There's, what, Cuberite and stuff?
gollark: > Soviet national anthem disasterpiece

References

  1. R. Hinden, S. Deering (February 2006). "RFC 4291: Section 2.2 - Text Representation of Addresses". IETF. Retrieved 2015-02-09.
  2. itojun (2002-12-25). "Request to Publish ISATAP". v6ops Mailing List. Retrieved 2015-02-09.
  3. removed features since update 1703 disabled by default
  4. "Cisco IOS IPv6 Command Reference". Retrieved 2015-05-06.
  5. Peter Marcotullio (2005-03-15). "SRI International's statement about IPR claimed in draft-ietf-ngtrans-isatap-24.txt". Retrieved 2015-02-09.
  6. Fred L. Templin (2007-11-29). "IPV6: Add RFC4214 support". Retrieved 2015-02-09.
  7. Sascha Hlusiak (2010). "ISATAP client for Linux". Retrieved 2015-02-09.

Other

  • F. Templin, T. Gleeson, D. Thaler Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) RFC 5214, March 2008.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.