280 Understanding IPv6, Second Edition

Note Hosts running Windows Vista with no service packs on the IPv6-enabled portion of the intranet, by default, have ISATAP enabled and automatically configure link-local ISATAP addresses on their ISATAP tunneling interfaces. It is possible for these ISATAP hosts on the ISATAP subnet to communicate directly with native IPv6 hosts on the IPv6-capable portion of the intranet through host-to-host tunneling by using link-local ISATAP addresses. However, because link-local addresses are not registered in DNS, ISATAP hosts would have to manually specify the destination link-local ISATAP address and interface index to reach a host on the IPv6-capable portion of the intranet without first tunneling the traffic to the ISATAP router. This type of communication is not practical or commonly used and is not described further in this chapter.

To prevent the hosts on the IPv6-capable portion of the intranet from using ISATAP, you can disable ISATAP with the DisabledComponents registry value as previously described.

An ISATAP router is an IPv6 router with an ISATAP tunneling interface that does the following:

■Forwards packets between ISATAP hosts on ISATAP subnets and IPv6 hosts on IPv6-capable subnets.

■Advertises address prefixes to ISATAP hosts on the ISATAP subnet. ISATAP hosts use the advertised address prefixes to configure global or unique local ISATAP addresses.

■Acts as a default router for ISATAP hosts. When an ISATAP host receives a router advertisement from an ISATAP router that is advertising itself as a default router, the ISATAP host adds a default route (::/0) using the ISATAP tunneling interface with next-hop address set to the link-local ISATAP address of the ISATAP router. When ISATAP hosts send packets destined to locations beyond their ISATAP subnet, the packets are tunneled to the IPv4 address of the ISATAP router corresponding to the ISATAP router’s interface on the ISATAP subnet. The ISATAP router then forwards the IPv6 packet to the appropriate next-hop on the IPv6-capable portion of the intranet.

An IPv6-capable portion of an intranet is optional, in which case the ISATAP router is only functioning as an advertising router and not a forwarding or default router. This is the case for an initial ISATAP deployment in which there are no IPv6-capable subnets.

Router Discovery for ISATAP Hosts

To receive a Router Advertisement message from the ISATAP router, the ISATAP host must send the ISATAP router a Router Solicitation message. On an Ethernet subnet, a native IPv6 host sends a multicast Router Solicitation message and the routers on the subnet respond with a multicast Router Advertisement message. Because ISATAP does not use IPv4 multicast traffic or require an IPv4 multicast-capable infrastructure, the ISATAP host must unicast the Router Solicitation message to the ISATAP router. To unicast the Router Solicitation message to the ISATAP router, the ISATAP host must first determine the unicast IPv4 address of the ISATAP router’s interface on the ISATAP subnet.

For the IPv6 protocol for Windows Server 2008 and Windows Vista, an ISATAP host obtains the unicast IPv4 address of the ISATAP router through one of the following methods:

■The successful resolution of the host name “ISATAP” to an IPv4 address

■The netsh interface isatap set router command

Resolving the Name “ISATAP”

When the IPv6 protocol for Windows Server 2008 or Windows Vista starts, it attempts to resolve the host name “ISATAP” to an IPv4 address using normal Windows-based TCP/IP host name resolution techniques. If it is successful, the host unicasts an IPv4-encapsulated Router Solicitation message to the ISATAP router at the resolved address. The ISATAP router responds with an IPv4-encapsulated unicast Router Advertisement message that contains prefixes to use for autoconfiguration of additional ISATAP addresses and, optionally, indicates that the ISATAP router is a default router.

Normal Windows-based host name resolution techniques for resolving the name “ISATAP” include the following:

1.Checking the local host name.

2.Checking the DNS client resolver cache, which includes the entries in the Hosts file in the %SystemRoot%/system32\drivers\etc folder.

3.Forming a fully qualified domain name (FQDN), and sending a DNS name query. For example, if the computer is a member of the example.microsoft.com domain (and example.microsoft.com is the only domain name in the search list), the computer sends a DNS name query to resolve the FQDN isatap.example.microsoft.com.

7.Checking the Lmhosts file in the SystemRoot\system32\drivers\etc folder for an entry with the name “ISATAP”.

To ensure that at least one of these attempts is successful, you can do one of the following:

■If the ISATAP router is a computer running Windows Server 2008 or Windows Vista, name the computer “ISATAP” and it will automatically register the appropriate records in DNS and WINS.

282Understanding IPv6, Second Edition

■Manually create an address (A) record for the name “ISATAP” in the appropriate domains in DNS. For example, for the example.microsoft.com domain, create an A record for isatap.example.microsoft.com.

■Manually create a static WINS record in WINS for the NetBIOS name "ISATAP

<00>".

■Add the following entry to the Hosts file of the computers that need to resolve the name ISATAP:

IPv4Address ISATAP

■Add the following entry to the Lmhosts file of the computers that need to resolve the name ISATAP:

IPv4Address ISATAP

Note Computers running Windows XP with no service packs installed attempt to resolve the name “_ISATAP” to determine the IPv4 address of the ISATAP router.

Figure 12-3 shows how an ISATAP host obtains the IPv4 address of the ISATAP router through a DNS name query and performs router discovery with an ISATAP router.

DNS Server

Figure 12-3 Performing router discovery with an ISATAP router

ISATAP hosts on the ISATAP subnet send their DNS name queries over IPv4, rather than IPv6, because the ISATAP hosts do not have native IPv6 connectivity. By default, an ISATAP host running Windows Server 2008 or Windows Vista will attempt to register global and unique local ISATAP addresses in DNS using DNS dynamic update.

Network Monitor Capture

Here is an example of the IPv4-encapsulated Router Solicitation message as displayed by Network Monitor 3.1 (frame 1 of capture 12_01 in the \NetworkMonitorCaptures folder on the companion CD-ROM):

Frame:

+ Ethernet: Etype = Internet IP (IPv4)

-Ipv4: Next Protocol = IPv6 over IPv4, Packet ID = 56, Total IP Length = 68

+Versions: IPv4, Internet Protocol; Header Length = 20

+DifferentiatedServicesField: DSCP: 0, ECN: 0 TotalLength: 68 (0x44)

Identification: 56 (0x38)

+FragmentFlags: 0 (0x0) TimeToLive: 128 (0x80)

NextProtocol: IPv6 over IPv4, 41(0x29) Checksum: 9815 (0x2657)

SourceAddress: 10.0.0.2 DestinationAddress: 10.0.0.1

-Ipv6: Next Protocol = ICMPv6, Payload Length = 8

+Versions: IPv6, Internet Protocol, DSCP 0 PayloadLength: 8 (0x8)

NextProtocol: ICMPv6, 58(0x3a) HopLimit: 255 (0xFF)

SourceAddress: FE80:0:0:0:0:5EFE:A00:2 DestinationAddress: FE80:0:0:0:0:5EFE:A00:1

-Icmpv6: Router Solicitation

MessageType: Router Solicitation, 133(0x85)

-RouterSolicitation: Code: 0 (0x0)

Checksum: 43963 (0xABBB) Reserved: 0 (0x0)

Notice that the IPv4 address of the ISATAP router is 10.0.0.1. Also note the use of the unicast ISATAP address of the ISATAP router as the IPv6 destination address in the IPv6 header.

Here is an example of the IPv4-encapsulated Router Advertisement message as displayed by Network Monitor 3.1 (in the \NetworkMonitorCaptures folder on the companion CD-ROM, frame 2 of capture 12_01):

Frame:

+ Ethernet: Etype = Internet IP (IPv4)

-Ipv4: Next Protocol = IPv6 over IPv4, Packet ID = 4011, Total IP Length = 148

+Versions: IPv4, Internet Protocol; Header Length = 20

+DifferentiatedServicesField: DSCP: 0, ECN: 0 TotalLength: 148 (0x94)

Identification: 4011 (0xFAB)

+FragmentFlags: 0 (0x0) TimeToLive: 128 (0x80)

NextProtocol: IPv6 over IPv4, 41(0x29) Checksum: 5780 (0x1694)

SourceAddress: 10.0.0.1 DestinationAddress: 10.0.0.2

284Understanding IPv6, Second Edition

-Ipv6: Next Protocol = ICMPv6, Payload Length = 88

+Versions: IPv6, Internet Protocol, DSCP 0 PayloadLength: 88 (0x58)

NextProtocol: ICMPv6, 58(0x3a) HopLimit: 255 (0xFF)

SourceAddress: FE80:0:0:0:0:5EFE:A00:1 DestinationAddress: FE80:0:0:0:0:5EFE:A00:2

-Icmpv6: Router Advertisement

MessageType: Router Advertisement, 134(0x86) - RouterAdvertisement:

Code: 0 (0x0)

Checksum: 46260 (0xB4B4) CurHopLimit: 0 (0x0)

- RouterAdvertisementFlag:

M: (0.......) Not managed address configuration O: (.0......) Not other stateful configuration A: (..0.....) Not a Mobile IP Home Agent RouterPreference: (...00...) Medium,0(0x0)

Reserved: (.....000)

RouterLifetime: 65535 (0xFFFF) ReachableTime: 0 (0x0) RetransTimer: 0 (0x0)

- MTU:

Type: MTU, 5(0x5)

Length: 1, in unit of 8 octets Reserved: 0 (0x0)

MTU: 1280 (0x500) - PrefixInformation:

Type: Prefix Information, 3(0x3) Length: 4, in unit of 8 octets PrefixLength: 64 (0x40)

-Flags: 192 (0xC0)

L:(1.......) On-Link determination allowed

A:(.1......) Autonomous address-configuration

R:(..0.....) Not router Address

S:(...0....) Not a site prefix

P: (....0...) Not a router prefix Rsv: (.....000)

ValidLifetime: 4294967295 (0xFFFFFFFF) PreferredLifetime: 4294967295 (0xFFFFFFFF) Reserved: 0 (0x0)

Prefix: 2001:DB8:3C5A:21DA:0:0:0:0 - PrefixInformation:

Type: Prefix Information, 3(0x3) Length: 4, in unit of 8 octets PrefixLength: 64 (0x40)

-Flags: 192 (0xC0)

L:(1.......) On-Link determination allowed

A:(.1......) Autonomous address-configuration

R:(..0.....) Not router Address

S:(...0....) Not a site prefix

P: (....0...) Not a router prefix

Rsv: (.....000)

ValidLifetime: 4294967295 (0xFFFFFFFF)

PreferredLifetime: 4294967295 (0xFFFFFFFF)

Reserved: 0 (0x0)

Prefix: FD31:2C00:8D33:21DA:0:0:0:0