Ipv6 ISATAP tunneling


OVERVIEW

Compared with other tunneling techniques such as 6to4, ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) builds a tunnel that carries IPv6 traffic over IPv4 within a single IPv4 network (intra-site), not between separate IPv6 networks.

ISATAP treats the IPv4 network as an NBMA link and determines the tunnel destination on a per-packet basis (point-to-multipoint).

There are two ISATAP node roles, client and server: each client builds a tunnel to the server and requests an IPv6 address. The server (a dedicated router, or any Windows or *nix server with IPv6 enabled) advertises IPv6 network information and lets IPv6 nodes configure their applications as if they were connected to an Ethernet interface.

In this lab a Windows Server 2003 host is configured as the ISATAP client node and a Cisco router as the advertising ISATAP server.

The client ISATAP configuration also applies to Windows XP workstations.

The ISATAP address format is built as follows:

64-bit link-local or global unicast prefix + 0000:5EFE + <IPv4 of ISATAP link>

0000:5EFE == the ISATAP identifier.
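As an added example (not code from the original post), the address scheme above worked through in Python: build an ISATAP address from a /64 prefix and the link's IPv4, recover the embedded IPv4 from an address seen on the wire, and list which hosts in a constructed address list are tunneling. The sample addresses are the lab's own; the function names are mine.

```python
import ipaddress

ISATAP_ID = 0x00005EFE   # the 0000:5EFE identifier: upper 32 bits of the interface ID

def isatap_address(prefix, ipv4):
    """64-bit prefix + 0000:5EFE + IPv4 of the ISATAP link (the scheme above)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("the ISATAP interface identifier fills the low 64 bits: need a /64")
    iid = (ISATAP_ID << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def isatap_embedded_ipv4(addr6):
    """Reverse direction: the IPv4 address embedded in an ISATAP address, or None.
    RFC 5214 also allows 0200:5EFE (the 'u' bit set) when the IPv4 is globally unique,
    so that bit is masked off before comparing."""
    iid = int(ipaddress.IPv6Address(addr6)) & ((1 << 64) - 1)
    if (iid >> 32) & ~0x02000000 != ISATAP_ID:
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)

def isatap_hosts(addresses):
    """Map each ISATAP address in a list of observed IPv6 addresses to the IPv4 host
    behind it; non-ISATAP addresses are skipped. This is the quick audit of which
    IPv4 hosts carry IPv6 inside a tunnel that IPv4-only filtering does not inspect."""
    hosts = {}
    for a in addresses:
        v4 = isatap_embedded_ipv4(a)
        if v4 is not None:
            hosts[str(a)] = str(v4)
    return hosts

# Constructed sample list: the router's two tunnel addresses as IOS prints them, the
# Windows node as ipconfig prints it (IPv4 in dotted form), and one ordinary address.
SEEN_ON_WIRE = ["FE80::5EFE:C0A8:2B67", "2001:DB8:2:1:0:5EFE:C0A8:2B67",
                "fe80::5efe:192.168.43.104", "2001:db8::1"]

if __name__ == "__main__":
    print(isatap_address("2001:DB8:2:1::/64", "192.168.43.103"))   # the router's address
    print(isatap_hosts(SEEN_ON_WIRE))
```

The mixed notation fe80::5efe:192.168.43.104 that ipconfig prints and FE80::5EFE:C0A8:2B68 that IOS prints are the same address.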

DEPLOYMENT

ISATAP router configuration:


The router's Ethernet interface must be configured so that it can communicate over IPv4 with every node that will use the tunnel.

interface FastEthernet0/0
ip address 192.168.43.103 255.255.255.0
no sh

ISATAP-srv#sh ip int brief
Interface        IP-Address      OK? Method Status  Protocol
FastEthernet0/0  192.168.43.103  YES manual up      up
Tunnel0          unassigned      YES unset  up      up

ISATAP-srv#ping 192.168.43.104
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.43.104, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/22/40 ms
ISATAP-srv#

The interface is up and IPv4 connectivity is verified; this IPv4 reachability is what allows the IPv6 nodes and the router to exchange ISATAP information and configure themselves automatically.

On the tunnel interface, IPv6 router advertisements (RA) are suppressed by default and must be re-enabled, and ISATAP is selected as the IPv6-over-IPv4 (ipv6ip) tunnel mode.

ipv6 unicast-routing
interface Tunnel0
ipv6 address 2001:DB8:2:1::/64 eui-64
no ipv6 nd suppress-ra
tunnel source FastEthernet0/0
tunnel mode ipv6ip isatap
no sh

The IPv6 addressing is correctly configured and verified:

ISATAP-srv#sh ipv6 int brief
FastEthernet0/0 [up/up]
Tunnel0 [up/up]
    FE80::5EFE:C0A8:2B67
    2001:DB8:2:1:0:5EFE:C0A8:2B67
ISATAP-srv#

ISATAP node configuration:

First of all, the IPv6 protocol must be enabled on Windows Server 2003 / XP; then the ISATAP router is specified with “netsh”.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\>netsh interface ipv6 isatap set router \\192.168.43.103
Ok.

C:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : mngmnt
Primary Dns Suffix . . . . . . . : nouri.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : nouri.com

Ethernet adapter loopback:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Loopback Adapter
Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.43.104
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : fe80::4cff:fe4f:4f50%6
Default Gateway . . . . . . . . . : 192.168.43.103
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                    fec0:0:0:ffff::2%1
                                    fec0:0:0:ffff::3%1

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%5
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Automatic Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : C0-A8-2B-68
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : fe80::5efe:192.168.43.104%2
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                    fec0:0:0:ffff::2%1
                                    fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Disabled

C:\>

The ISATAP router and the IPv6 node communicate successfully: the node is reached through its automatically configured ISATAP address.

ISATAP-srv#ping ipv6 fe80::5efe:c0a8:2b68
Output Interface: tunnel 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::5EFE:C0A8:2B68, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/33/44 ms
ISATAP-srv#

Figure 2: IPv6 traffic capture

ROUTER CONFIGURATION

Router ISATAP-srv configuration:

ISATAP-srv#sh run
ipv6 unicast-routing
interface Tunnel0
ipv6 address 2001:DB8:2:1::/64 eui-64
no ipv6 nd suppress-ra
tunnel source FastEthernet0/0
tunnel mode ipv6ip isatap
!
interface FastEthernet0/0
ip address 192.168.43.103 255.255.255.0

About ajnouri
If you want to communicate securely outside the blog, here is my public (GPG) key for secure communication: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x41CCDE1511DF0EB8

9 Responses to Ipv6 ISATAP tunneling

  1. Sinan KAYA says:

    Hi,
    My name is Sinan KAYA and I live in Belgium. I’m following a network management program at the moment. Actually I was searching for a solution to my
    problem and have been redirected to this page. The information which you spread here about tunnel applications may be very useful but it can also be
    used for a wrong purpose, like I’ve been experiencing the last few weeks. My PC at home and notebook have been hacked this way by a docent who gives us networking lessons at school. He gained his first access via VMware at school, which I had to give permission for to learn building servers and related applications. He could easily get the IP and MAC addresses of my notebook and also information about my network at home. He gained full control of my other PC with Windows XP and has brought it to an unusable state. He has also reserved some of the ports for himself on my notebook with Windows 7, which are no longer under my control. At his wish he is making changes on my system and I don’t know any good advice to get rid of him. When I disable the ISATAP and Teredo tunneling pseudo-interface services and the TCP/IPv6 protocol my system crashes and I’m obliged to make a system recovery (it’s also possible only for a few system recovery points), which results in him regaining access. School management doesn’t want to believe this and they don’t even check it out. And the policemen don’t have enough knowledge about hacking and think it’s not possible, and are also too lazy to ask for permission to check my provider information. And the docent is telling his misuse to the people close to him and showing my personal data as a glorious victory. Every detail which I have told here is true but I don’t know how I can prove it and also don’t know any good advice to get completely rid of this problem. Thanks in advance.

    Kind regards,

    Sinan KAYA

    • cciethebeginning says:

      Hi Sinan,

      These are general pieces of advice and I encourage you to look for more appropriate sites for the subject matter:
      1- Start by changing ALL your account passwords (financial accounts and other critical data…) by phone or maybe locally, certainly NOT from the same computer!
      2- Unplug your computer from the Internet and replace your anti-virus and anti-malware with more efficient ones; generally they are not too expensive ($30-$70).
      Something like “ZoneAlarm” provides a suite with anti-virus + anti-malware + personal firewall (trial version available)
      http://www.zonealarm.com/security/fr/anti-virus-spyware-free-download.htm
      3- Check the entire PC with your anti-virus + anti-malware.
      4- If your PC is “entirely” controlled by the hacker (Trojans, key-loggers, rootkits, remote control, backdoors…) maybe a good idea is to back up your most critical data (after cleaning them of course!) and reinstall your OS from scratch.
      5- A personal firewall in a restrictive mode (ZoneAlarm for example) can detect any incoming and outgoing connection attempts (IPv6 applications included).
      You can see what applications or programs are requesting a connection and allow or deny them.
      For programs you don’t know, google them; a lot of resources are available about legitimate and illegitimate processes and programs. (I think there is such an integrated service in ZoneAlarm)
      6- If IPv6 is not supported by the firewall, disable ISATAP/Teredo IPv6 tunneling because of the risk of bypassing your network firewall (or NAT box).
      7- Further consider “https”, “secure email connections”, SSL and VPN clients for your data transmission over the Internet.
      8- And remember that being safe is not only a question of software or hardware or technical threats, but mostly of “social engineering” and your behavior concerning things like: email links, attachments, downloading, what sites and content to trust and what data you trust to the network.

      Good luck and good work!

  2. Azi says:

    Hello ,

    I just checked your ISATAP tunneling lesson, which is very good and quite handy. I think for the results you are using Wireshark or Ethereal. I can see in the results the tunnel is set up, but why doesn’t it say “ISATAP tunnel” rather than “Internet Protocol Version 6”? Because if you set up GRE, on Wireshark it will show you GRE tunneling. So I was thinking what is the logical reason behind that.
    Thank you

  3. Azi says:

    Secondly I wanted to check the performance of the tunnels, but I don’t know any good software to do that; I have searched on the internet but I got only one free software called “IPerf”. So if you can suggest me any software for the performance checking of tunnels.

    I am using XP for my system, and Cisco routers, so I want to know the CPU usage, jitter, delay etc. of the router having a tunnel set up and traffic going through it. Please kindly help me in that regard if you can.

    Thank you
    Kind Regards ,
    Azi

    • cciethebeginning says:

      Hi Azi,
      ISATAP is a basic tunneling mechanism (protocol 41: encapsulation of IPv6 inside IPv4), not based on GRE.
      RFC 4214
      – link to a pdf document illustrating ISATAP encapsulation.
      ISATAP belongs to the general category of 6to4 transition, which encompasses the following techniques:
      – ISATAP
        PTM (Point-to-Multipoint)
        Deployed inside an IPv4 local site / campus
        :0:5EFE: /64

      – Automatic IPv4-compatible
        PTM (Point-to-Multipoint)
        typically between two IPv6 sites
        ::A.B.C.D/96

      – Automatic 6to4 (IPv6 over IPv4)
        PTM (Point-to-Multipoint)
        typically between two or more IPv6 sites
        tunnel addresses are configured per-site = f(IPv4) in hex
        2002::/48

      – Manual 6to4 (IPv6 over IPv4)
        PTP (Point-to-Point)
        tunnel addresses are configured per-pair (IPv6 tunnel borders belong to the same subnet)

      – IPv6 over IPv4 GRE (any IPv6 over IPv4)
        PTP (Point-to-Point)
        tunnel addresses are configured per-pair (IPv6 tunnel borders belong to the same subnet)

      For performance measurement you can use Jperf (http://sourceforge.net/projects/jperf/) to stress links and, for SLA, the amazing Cisco IP SLA integrated feature, more accurate for jitter/latency/loss monitoring with great flexibility.
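As an added example (not the commenter's or the original post's code), the point of the reply above in Python: a protocol-41 packet is an IPv4 header followed directly by an IPv6 header, with no tunnel header in between, which is why a dissector labels it “Internet Protocol Version 6” rather than a tunnel protocol such as GRE. The parser also applies the source-consistency check of RFC 4214 section 7.2 (the outer IPv4 source must match the IPv4 embedded in an ISATAP IPv6 source); the packet builder, its sample addresses and the function names are constructed for this demonstration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41   # IANA "IPv6 encapsulation": ISATAP, 6to4 and manual ipv6ip
PROTO_GRE = 47            # GRE puts its own header between IPv4 and the inner IPv6

def build_ipv6_in_ipv4(outer_src, outer_dst, src6, dst6, payload=b"", proto=PROTO_IPV6_IN_IPV4):
    """Constructed sample packet: 20-byte IPv4 header, then IPv6 header and payload.
    The IPv4 checksum is left at zero: this is parser input, not something to send."""
    inner = struct.pack("!IHBB", 6 << 28, len(payload), 58, 64)     # version 6, ICMPv6 next
    inner += ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed + payload
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, proto, 0,
                        ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner

def decapsulate(frame):
    """Dissect an IPv4 packet. For protocol 41 the IPv6 header starts right after the
    IPv4 header (no GRE header in between), so the inner header is decoded and, when its
    source is an ISATAP address, checked against the outer IPv4 source."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    result = {"outer_src": ipaddress.IPv4Address(frame[12:16]),
              "outer_dst": ipaddress.IPv4Address(frame[16:20]),
              "proto": frame[9], "inner": None, "source_consistent": None}
    if result["proto"] != PROTO_IPV6_IN_IPV4:
        return result                      # GRE (47) and others need their own dissector
    inner = frame[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 but no IPv6 header follows")
    plen, nxt, hlim = struct.unpack("!HBB", inner[4:8])
    src6 = ipaddress.IPv6Address(inner[8:24])
    result["inner"] = {"src": src6, "dst": ipaddress.IPv6Address(inner[24:40]),
                       "next_header": nxt, "hop_limit": hlim, "payload": inner[40:40 + plen]}
    iid = int(src6) & ((1 << 64) - 1)
    if (iid >> 32) & ~0x02000000 == 0x5EFE:     # ISATAP identifier 0000:5EFE / 0200:5EFE
        embedded = ipaddress.IPv4Address(iid & 0xFFFFFFFF)
        # an ISATAP decapsulator discards the packet when these differ (spoofed outer source)
        result["source_consistent"] = embedded == result["outer_src"]
    return result
```

A packet whose IPv6 source is not an ISATAP address leaves source_consistent as None, since that check does not apply to it.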

  4. Where can I find a Turkish version of this article?

  5. Eduu says:

    First of all, I would like to thank you a lot! This guide helped me a lot to finish my lab! I just have a doubt: I did the same thing that you did, but it didn’t work. So searching in other sites, I saw an example that needed DNS configured on the Cisco router. Then I configured DNS on the Cisco router and it worked. You didn’t mention anything about DNS, so is it really necessary?

    • ajnouri says:

      Hi Eduu,

      The ISATAP tunnel configuration process itself doesn’t require any name resolution configured on the router.
      Make sure your configuration works for IPv6 addresses first, and then you can deal with IPv6 name resolution and address hosts by their domain name by configuring a dedicated internal or provider DNS server on all your internal hosts, the ISATAP router included, if you want to test reachability with Internet hosts by their domain name.

      With today’s ubiquitous dual-stack equipment for homes and enterprises, I hope you are not considering ISATAP (deprecated) as a transition solution for your network.

      • Eduu says:

        Hi ajnouri,

        Thank you for your reply! In fact I’m doing a project for the university with some transition techniques from IPv4 to IPv6 using ISATAP, Dual Stack, GRE over IPv4 and 6rd, in their own scenarios. Last night I removed the DNS from my ISATAP scenario (in GNS3), and it continued working, so I think it was a bug. My lab is working with these steps above. Thank you again!
