ISATAP

ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network.

Unlike 6over4, ISATAP uses IPv4 as a virtual nonbroadcast multiple-access (NBMA) data link layer, so it does not require the underlying IPv4 network infrastructure to support multicast.

How ISATAP works

ISATAP defines a method for generating a link-local IPv6 address from an IPv4 address, and a mechanism to perform Neighbor Discovery on top of IPv4.

Link-local address generation

Any host wishing to participate in ISATAP over a given IPv4 network can set up a virtual IPv6 network interface. The link-local address is determined by concatenating fe80:0000:0000:0000:0000:5efe: with the 32 bits of the host's IPv4 address (expressed in hexadecimal notation).

For example, host 192.0.2.143 would use fe80:0000:0000:0000:0000:5efe:c000:028f as its link-local IPv6 address (192.0.2.143 is c000028f in hexadecimal notation). A shortened notation would be fe80::5efe:c000:28f.

Neighbor Discovery

Because ISATAP uses IPv4 as a link layer that, unlike Ethernet, supports neither multicast nor broadcast, ICMPv6 Neighbor Discovery cannot be done in the usual manner. That is why ISATAP is a bit more complex than 6over4.

The link-layer address associated with a given IPv6 address is contained in the low-order 32 bits of the IPv6 address, so Neighbor Discovery is not really needed. However, the lack of multicast support prevents the use of automatic Router Discovery. Therefore, ISATAP hosts must be configured with a "potential routers list" (PRL). Each of these routers is infrequently probed with an ICMPv6 Router Discovery message to determine which of them are functioning and to perform unicast-only autoconfiguration (typically, to obtain the list of on-link IPv6 prefixes that can be used).

In practice, implementations build their PRL by querying the DNS, e.g. by looking up isatap.example.com if the local domain is example.com. The local domain is typically obtained via DHCP (over IPv4) or statically configured.
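The address mapping described above, in both directions, as an added example that is not part of the original article: it builds the link-local address from an IPv4 address and recovers the IPv4 "link-layer" address from the low-order 32 bits. The function and constant names are assumptions chosen for illustration.

```python
import ipaddress

# Upper 96 bits of an ISATAP link-local address as given in this article:
# fe80:0000:0000:0000:0000:5efe, followed by the 32-bit IPv4 address.
ISATAP_LL_PREFIX = 0xFE80_0000_0000_0000_0000_5EFE


def isatap_link_local(ipv4: str) -> ipaddress.IPv6Address:
    """Build the ISATAP link-local address for a host's IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)  # raises ValueError on bad input
    return ipaddress.IPv6Address((ISATAP_LL_PREFIX << 32) | int(v4))


def embedded_ipv4(ipv6: str):
    """Return the IPv4 address carried in the low-order 32 bits,
    or None if the address does not have the ISATAP link-local form."""
    value = int(ipaddress.IPv6Address(ipv6))
    if value >> 32 != ISATAP_LL_PREFIX:
        return None
    return ipaddress.IPv4Address(value & 0xFFFFFFFF)


if __name__ == "__main__":
    addr = isatap_link_local("192.0.2.143")   # the article's example host
    print(addr.exploded)                      # full notation
    print(addr)                               # shortened notation
    print(embedded_ipv4(str(addr)))           # back to the IPv4 address
    print(embedded_ipv4("fe80::1"))           # ordinary link-local address
```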

Criticisms of ISATAP

ISATAP typically builds its PRL by consulting the DNS, so a lower-layer protocol relies on a higher layer. Circularity is avoided by relying on an IPv4 DNS server, which does not depend on IPv6 routing being established; however, this hack is a violation of network design principles, and feels brittle to some network specialists [http://www.ops.ietf.org/lists/v6ops/v6ops.2002/msg01045.html].

ISATAP carries the same security risks as 6over4 (an older similar protocol using IPv4 multicast): the IPv4 virtual link must be delimited carefully at the network edge, so that external IPv4 hosts cannot pretend to be part of the ISATAP link. That is normally done by ensuring that "proto-41" cannot pass through the firewall.
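The edge rule described above, written out as a check on raw IPv4 headers; this is an added example, not part of the original article. The site prefix, the sample packets and all function names are constructed for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # the "proto-41" named above

# Assumed IPv4 prefixes that make up the ISATAP site (constructed value).
SITE = [ipaddress.ip_network("192.0.2.0/24")]


def parse_outer(packet: bytes):
    """Return (protocol, src, dst) from a raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    proto = packet[9]
    src, dst = (ipaddress.IPv4Address(packet[i:i + 4]) for i in (12, 16))
    return proto, src, dst


def edge_verdict(packet: bytes, site_nets=SITE) -> str:
    """Decide what a site-edge filter should do with one packet."""
    proto, src, dst = parse_outer(packet)
    if proto != PROTO_IPV6_IN_IPV4:
        return "pass"  # other protocols are outside the scope of this rule
    src_in = any(src in net for net in site_nets)
    dst_in = any(dst in net for net in site_nets)
    # Proto-41 with an endpoint outside the site would put an external
    # IPv4 host on the virtual ISATAP link, so it is dropped.
    return "pass" if src_in and dst_in else "drop"


def make_ipv4(proto: int, src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


if __name__ == "__main__":
    for pkt in (make_ipv4(41, "198.51.100.7", "192.0.2.143"),  # external source
                make_ipv4(41, "192.0.2.10", "192.0.2.143"),    # inside the site
                make_ipv4(6, "198.51.100.7", "192.0.2.143")):  # TCP, not proto-41
        print(parse_outer(pkt), edge_verdict(pkt))
```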

Implementations of ISATAP

ISATAP is implemented in Microsoft Windows XP, Windows Vista, Windows Mobile and in some versions of Cisco IOS.

Due to a patent claim, early in-kernel implementations were withdrawn from both KAME (*BSD) and USAGI (Linux). However, the IETF IPR disclosure search engine reports that the would-be infringing patent's holder requires no license from implementers [https://datatracker.ietf.org/public/ipr_detail_show.cgi?ipr_id=550]. ISATAP support has therefore been included in Linux since version 2.6.25 [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c7dc89c0ac8e7c3796bff91becf58ccdbcaf9f18]. For the remaining systems, Miredo provides a userland ISATAP implementation.

References

* F. Templin, T. Gleeson, M. Talwar & D. Thaler, "Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)", RFC 4214, October 2005.


Wikimedia Foundation. 2010.
