Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
6to4 are enabled by default on Windows Server 2008, Windows Server 2008 R2, Windows
Vista, and Windows 7.
The ISATAP Tunneling Protocol
The Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is an IPv6 transition protocol. It provides for the automatic conversion of an IPv4 address to an IPv6 address, as well as a mechanism for setting up a virtual IPv6 network that transmits over an IPv4 network. The protocol does not require any manual configuration.
NOTE
Link-local addresses are network addresses that are only designed to communicate on a segment and basically allow communications with neighboring devices without needing a globally routable address. They are mandatory in IPv6 and are automatically assigned with the FE80::/10 prefix.
The components of ISATAP are the following:
- ISATAP host—The ISATAP host communicates IPv6 over IPv4 networks with other ISATAP hosts and with ISATAP routers.
- ISATAP router—The ISATAP router advertises address prefixes to the local ISATAP subnet, forwards ISATAP traffic to IPv6 networks, and acts as the default route for ISATAP hosts.
This is useful for deploying IPv6 without having to explicitly define and configure an IPv6 network addressing scheme, because it allows IPv6 devices to communicate over IPv4 networks. Figure 10.22 illustrates the ISATAP network.
FIGURE 10.22 ISATAP network. [Figure: IPv4 Internet; ISATAP Router; ISATAP Hosts (Windows 7, Windows Server 2008 R2); IPv6 Hosts (Windows 7, Windows Server 2008 R2)]
The Windows Vista RTM, Windows Server 2003, and Windows XP all automatically enable and configure the ISATAP tunneling adapter if the IPv6 protocol is installed. These operating systems use the name Automatic Tunneling Pseudo-Interface rather than ISATAP to identify the adapter.
The Windows Server 2008 R2, Windows 2008, Windows 7, and Windows Vista SP1 operating systems do not enable the ISATAP tunneling adapter unless they can resolve the name “ISATAP” into an IPv4 address. The ISATAP address is the IPv4 address of the local ISATAP router. The name resolution can use any of the standard methods to resolve, including DNS, WINS, NetBIOS broadcast, or the LMHOSTS file. When these operating systems are able to resolve the ISATAP address, they configure the ISATAP tunneling adapter and add a default route of ::/0 to the link-local address of the ISATAP router.
ISATAP translates an IPv4 address into an IPv6 address by concatenating a 64-bit prefix with :0000:5EFE:w.x.y.z, where w.x.y.z is the IPv4 address in dotted decimal format. The prefix can be a link-local prefix (that is, FE80::/64), a global prefix (for example, FC00:1234:5678:9abc::/64), or even a global 6to4 prefix (for example, 2002:c9b:a602:1:0::/64), discussed in the next section. Table 10.3 lists some example values for IP address conversions in ISATAP.
TABLE 10.3 Example ISATAP IP Address Conversions
IPv4 Address      IPv6 ISATAP Address
12.155.166.101    2002:c9b:a602:1:0:5EFE:12.155.166.101
192.168.2.5       FE80::5EFE:192.168.2.5
10.12.1.1         FC00:1234:5678:9abc:5EFE:10.12.1.1
NOTE
The format FE80::5EFE:w.x.y.z is functionally equivalent to the format FE80::5EFE:WWXX:YYZZ, where the dotted decimal IPv4 address format is converted to hexadecimal format. Each decimal number (for example, w) is converted to a two-digit hexadecimal number (for example, WW). In the first example above, the IPv6 address FE80::5EFE:12.155.166.101 would be expressed as FE80::5EFE:0C9B:A665. This format is known as the colon hexadecimal format.
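The ISATAP address construction in Table 10.3 and the colon hexadecimal equivalence in the note, worked through as an added example. This is not code from the book; it uses only Python's standard ipaddress module, and every function and constant name (colon_hex, canonical, isatap_address, isatap_embedded_ipv4, ISATAP_IID_MARKERS) is the example's own.

```python
# Added example (not from the book): build an ISATAP address from a /64 prefix and an
# IPv4 address, and recover the IPv4 address from an ISATAP address. Standard library only.
import ipaddress
from typing import Optional

# Interface identifier markers for an ISATAP address. The book uses 0000:5EFE;
# RFC 5214 additionally allows 0200:5EFE (u/l bit set) for public IPv4 addresses.
ISATAP_IID_MARKERS = (0x00005EFE, 0x02005EFE)


def colon_hex(ipv4: str) -> str:
    """Render dotted decimal w.x.y.z as colon hexadecimal WWXX:YYZZ (leading zeros dropped, as in the book's tables)."""
    n = int(ipaddress.IPv4Address(ipv4))
    return f"{n >> 16:X}:{n & 0xFFFF:X}"


def canonical(addr: str) -> str:
    """Normalise any textual IPv6 form (mixed dotted decimal or colon hexadecimal) to Python's compressed form."""
    return str(ipaddress.IPv6Address(addr))


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Concatenate a /64 prefix with the ISATAP interface identifier 0000:5EFE:w.x.y.z."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix; the interface identifier fills the low 64 bits")
    iid = (0x00005EFE << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def isatap_embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 tunnel endpoint carried in the interface identifier, or None if addr is not ISATAP."""
    n = int(ipaddress.IPv6Address(addr))
    if (n >> 32) & 0xFFFFFFFF not in ISATAP_IID_MARKERS:
        return None
    return ipaddress.IPv4Address(n & 0xFFFFFFFF)


if __name__ == "__main__":
    # The three rows of Table 10.3, rebuilt from prefix and IPv4 address.
    for prefix, ipv4 in [("2002:c9b:a602:1:0::/64", "12.155.166.101"),
                         ("FE80::/64", "192.168.2.5"),
                         ("FC00:1234:5678:9abc::/64", "10.12.1.1")]:
        addr = isatap_address(prefix, ipv4)
        print(f"{ipv4:>15} -> {addr}  (colon hex {colon_hex(ipv4)}, embedded {isatap_embedded_ipv4(str(addr))})")
```

The function always emits the 0000 group before 5EFE, so the third row of Table 10.3 comes out as FC00:1234:5678:9abc:0:5EFE:10.12.1.1 in mixed notation; the printed (compressed) form replaces the embedded dotted quad with its two colon hexadecimal groups, which is the equivalence the note describes. Pulling the IPv4 address back out of a logged ISATAP address is the usual defender's step when deciding which IPv4 host an IPv6 flow actually came from.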
The 6to4 Tunneling Protocol
The 6to4 protocol provides for automatic address assignment and tunneling of IPv6 across
the IPv4 Internet. The protocol is detailed in IETF RFC3056. The 6to4 protocol uses the
prefix 2002::/16—otherwise known as a 6to4 address.
The global address prefix for a given organization takes the form 2002:WWXX:YYZZ::/48,
where WWXX:YYZZ is the colon hexadecimal format of the organization’s public IPv4
dotted decimal address w.x.y.z assigned to the router.
NOTE
The 6to4 protocol only supports IPv6 computer to IPv6 computer communications. It
does not support communications between IPv6 and IPv4 computers. Both endpoints
must support IPv6.
The 6to4 protocol allows organizations to assign globally routable IPv6 addresses without needing to connect to the IPv6 Internet or to request an assigned range of IPv6 addresses. Because the IPv6 address is derived from the publicly assigned IPv4 address, it is guaranteed to be unique.
In addition, the 6to4 address supports a subnet field for organizations with IPv4 subnet
address ranges. The format of the 6to4 IPv6 address is shown in Figure 10.23. For example,
the public IPv4 address 12.155.166.101 with subnet 255.255.255.128 would automatically
generate the global IPv6 prefix 2002:C9B:A665:80::/64.
FIGURE 10.23 6to4 IPv6 address format. [Figure: 2002 (16 bits) | WWXX:YYZZ (32 bits) | Subnet (16 bits) | Interface (64 bits)]
Table 10.4 lists some example values for IP address conversions in 6to4.
TABLE 10.4 Example 6to4 IP Address Conversions
IPv4 Address      IPv6 6to4 Address
12.155.166.101    2002:C9B:A665:1::C9B:A665
65.55.12.249      2002:4137:CF9:1::4137:CF9
144.48.9.14       2002:9030:90E:1::9030:90E
The 6to4 protocol defines several components that participate in the transmission of packets. These are as follows:
- 6to4 host—An IPv6 device that is configured with a 6to4 address (that is, a 2002::/16 prefix).
- 6to4 router—Routes IPv6 traffic over the IPv4 Internet using 6to4 tunneling.
- 6to4 host/router—An IPv6 device that is configured with a 6to4 address and can also use 6to4 tunneling to communicate with other 6to4 devices over the IPv4 Internet. However, it does not route traffic to other devices.
- 6to4 relay—Forwards 6to4 traffic between the IPv4 Internet and pure IPv6 devices.
Essentially, 6to4 and its components allow IPv6 devices to communicate while residing in
the IPv4 world. Figure 10.24 shows the components of 6to4.
Windows Server 2008 R2, Windows 2008, Windows 7, and Windows Vista can function as
a 6to4 host/router or a 6to4 router. By default, these operating systems operate as 6to4
host/router components. The Windows IPv6 protocol automatically does the following if
there is a public IPv4 address assigned to a network interface:
1. Creates a 6to4 tunnel adapter and assigns it a 6to4 address in the form
2002:WWXX:YYZZ::WWXX:YYZZ for each of the public addresses.
2. Creates a 2002::/16 route to forward all 6to4 addresses to the tunnel adapter.
FIGURE 10.24 6to4 network. [Figure: IPv6 Internet; IPv4 Internet; two 6to4 Relays; a 6to4 Host/Router; 6to4 Hosts and IPv6 Hosts running Windows 7 and Windows Server 2008 R2]
3. Does a lookup of the FQDN 6to4.ipv6.microsoft.com, which returns a 6to4 relay address. That address is set as the next hop for the 6to4 tunnel adapter.
NOTE
The FQDN 6to4.ipv6.microsoft.com is the address of the 6to4 relay that is operated by
Microsoft and allows 6to4 access to the IPv6 Internet. This is a service that Microsoft
provides to help with the integration of Microsoft operating systems with IPv6.
To have a system operate as a 6to4 router component, the Internet Connection Sharing (ICS) feature must be enabled. If ICS is enabled on a network interface with an IPv4 address, the IPv6 protocol automatically does the following:
1. Enables IPv6 forwarding on the 6to4 tunneling adapter and on any private network interfaces.
2. Assigns a 6to4 subnet prefix of the form 2002:WWXX:YYZZ:I::/64, where WWXX:YYZZ is the colon hexadecimal form of the IPv4 public IP address and I is the interface index of the private network interface.
3. Sends router advertisements on the private network interface.
For any traffic forwarded to other 6to4 sites, the Windows 6to4 router uses the default
2002::/16 route.
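The 6to4 address forms described in this section (the organization's 2002:WWXX:YYZZ::/48 prefix, the host/router address 2002:WWXX:YYZZ::WWXX:YYZZ, the router's per-interface subnet prefix 2002:WWXX:YYZZ:I::/64, and the rows of Table 10.4), derived in code as an added example. This is not code from the book or from Windows; it relies only on Python's ipaddress module, and the function and constant names are the example's own. The rejection of private IPv4 addresses is the example's check, following the text's requirement that the embedded address be the router's public one.

```python
# Added example (not from the book): derive 6to4 prefixes and addresses from a public
# IPv4 address, and recover the tunnel endpoint from a 6to4 address. Standard library only.
import ipaddress
from typing import Optional

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # every 6to4 address lives under this prefix


def six_to_four_site_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48 for the organization whose router holds public_ipv4."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if v4.is_private:
        # A private address cannot be reached across the IPv4 Internet, so the derived
        # prefix would never be routable; refuse rather than mint a bogus prefix.
        raise ValueError(f"{public_ipv4} is not a public IPv4 address")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def six_to_four_subnet_prefix(public_ipv4: str, subnet_id: int) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ:I::/64, the form the Windows 6to4 router advertises on private interface index I."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("the 6to4 subnet field is 16 bits wide")
    base = int(six_to_four_site_prefix(public_ipv4).network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))


def six_to_four_host_address(public_ipv4: str, subnet_id: int = 0) -> ipaddress.IPv6Address:
    """Host/router form 2002:WWXX:YYZZ:I::WWXX:YYZZ; the interface identifier repeats the IPv4 address."""
    base = int(six_to_four_subnet_prefix(public_ipv4, subnet_id).network_address)
    return ipaddress.IPv6Address(base | int(ipaddress.IPv4Address(public_ipv4)))


def six_to_four_embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Recover the tunnel endpoint's public IPv4 address from a 6to4 address (None if not 2002::/16)."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIX_TO_FOUR:
        return None
    # Bits 16..47 of the address hold WWXX:YYZZ; the stdlib exposes the same value as a.sixtofour.
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


if __name__ == "__main__":
    for ipv4 in ("12.155.166.101", "65.55.12.249", "144.48.9.14"):
        print(f"{ipv4:>15}: site {six_to_four_site_prefix(ipv4)}  "
              f"subnet 1 {six_to_four_subnet_prefix(ipv4, 1)}  host {six_to_four_host_address(ipv4, 1)}")
```

Table 10.4 uses subnet 1, so six_to_four_host_address(ipv4, 1) reproduces its rows; the Windows host/router form from step 1 above is the subnet-0 case. The embedded-address function is the inverse a defender wants when a 6to4 source appears in IPv6 logs: it names the IPv4 host that terminates the tunnel.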
The Teredo Tunneling Protocol
The Teredo tunneling protocol is a protocol that provides IPv6 connectivity through Network Address Translation (NAT) devices that are not IPv6 aware. The Teredo tunneling protocol is described in IETF RFC4380. The Teredo protocol gets around the requirement of the 6to4 tunneling protocol that the tunnel endpoint be a public IPv4 address. The reality of today’s IPv4 Internet is that there is a scarcity of public IPv4 addresses (the entire rationale behind IPv6), and so most hosts will be behind a NAT device.
NOTE
Perhaps less than fortuitously, the Teredo protocol is named after the shipworm “Teredo navalis,” which tunneled through the hulls of wooden ships and sank many a vessel back in the day. These marine mollusks continue to be a threat today to any wood structure in seawater, like dikes, docks, and piers. The Teredo protocol tunnels through NAT firewalls in much the same fashion. The Teredo protocol was initially named the “Shipworm” protocol, but that made it seem too much like malicious software, and it was renamed to Teredo.
Teredo encapsulates the IPv6 packets twice: once to encapsulate the IPv6 packet in an IPv4 packet with the IPv4 protocol field set to 41, and a second time to put the resulting IPv4 packet in the message of an IPv4 UDP packet. This double encapsulation gets through the NAT but comes at a heavy cost in protocol overhead. In addition, the Teredo tunnel also exposes the host to scanning attacks because the Teredo tunneling adapter in effect opens a port on the host to entities through the firewall. This port can be discovered and attacked. Thus, due to the overhead and security concerns, the Teredo tunneling protocol is really a tunneling protocol of last resort.
Microsoft’s implementation of the Teredo protocol includes additional measures against
IPv6 scanning attacks, including an option of which traffic to accept: from anywhere
except the Teredo tunnel (the default), from anywhere including the Teredo tunnel, or
only from the local Intranet. The default option prevents scanning of the Teredo tunnel
interface. Of course, the host can initiate traffic through the tunnel.
Teredo clients use IPv6 addresses that start with the prefix 2001::/32, otherwise known as
the Teredo prefix. The address is somewhat more complicated than the addressing for the
other tunneling protocols. The elements of the Teredo address are the following:
- Teredo prefix (32 bits)—This is 2001 for all Teredo addresses, per IETF RFC4380.
- Teredo server IPv4 address (32 bits)—The IPv4 address of the Teredo server in colon hexadecimal format.
- Flags (16 bits)—This includes a bit for the type of NAT. Microsoft uses two of the bits to set the Universal/Local flag and the Individual/Group flag for the enhanced security. The remaining bits are set to a random number to make scanning attacks more difficult.
- Obscured external port (16 bits)—This is the external UDP port that is assigned by the NAT, but it is obscured by XORing it with FFFF.
- Obscured external address (32 bits)—This is the IPv4 external address of the NAT, but it is obscured by an XOR with FFFFFFFF.
Figure 10.25 shows the structure of a Teredo address.
FIGURE 10.25 Teredo IPv6 address format. [Figure: 2001 (32 bits) | WWXX:YYZZ (32 bits) | Flags (16 bits) | Obscured External Port (16 bits) | Obscured External Address (32 bits)]
Because of the flag randomization, UDP port assignment, and the obscuring, the final
Teredo addresses will vary considerably even within the same Teredo client.
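The five Teredo address fields above, assembled and taken apart in code as an added example (not from the book, and not Microsoft's implementation). It assumes only Python's ipaddress module; the function and constant names are the example's own, and the sample values (a server address, a cone-NAT flag, UDP port 40000 and the documentation address 192.0.2.45 as the NAT's external address) are constructed for the example. The decoder reads only the NAT-type bit from the flags field and leaves the randomized bits untouched, since the page describes their use only informally.

```python
# Added example (not from the book): encode and decode the Teredo address layout
# prefix | server IPv4 | flags | port XOR FFFF | external IPv4 XOR FFFFFFFF.
import ipaddress
from typing import Any, Dict

TEREDO_PREFIX = 0x20010000   # 2001:0000::/32, the upper 32 bits of every Teredo address
CONE_FLAG = 0x8000           # most significant flag bit: the NAT type bit the text mentions


def encode_teredo(server_ipv4: str, flags: int, external_port: int,
                  external_ipv4: str) -> ipaddress.IPv6Address:
    """Build a Teredo address; port and address are obscured exactly as the text describes."""
    if not 0 <= flags <= 0xFFFF or not 0 <= external_port <= 0xFFFF:
        raise ValueError("flags and port are 16-bit fields")
    n = TEREDO_PREFIX << 96
    n |= int(ipaddress.IPv4Address(server_ipv4)) << 64
    n |= flags << 48
    n |= (external_port ^ 0xFFFF) << 32
    n |= int(ipaddress.IPv4Address(external_ipv4)) ^ 0xFFFFFFFF
    return ipaddress.IPv6Address(n)


def decode_teredo(addr: str) -> Dict[str, Any]:
    """Undo the obscuring so the NAT's external endpoint can be read from a logged address."""
    n = int(ipaddress.IPv6Address(addr))
    if (n >> 96) != TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address (prefix 2001::/32)")
    flags = (n >> 48) & 0xFFFF
    return {
        "server": ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF),
        "flags": flags,
        "cone_nat": bool(flags & CONE_FLAG),
        "external_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
        "external_address": ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF),
    }


if __name__ == "__main__":
    # Constructed sample: server 65.54.227.120, cone NAT, mapped port 40000, external 192.0.2.45.
    sample = encode_teredo("65.54.227.120", CONE_FLAG, 40000, "192.0.2.45")
    print(sample)                 # 2001:0:4136:e378:8000:63bf:3fff:fdd2
    for key, value in decode_teredo(str(sample)).items():
        print(f"  {key:<17} {value}")
```

Decoding is the practical direction: a Teredo source address in an IPv6 log does not look like anything in your IPv4 inventory, but the last 48 bits, un-XORed, give the NAT's public address and the UDP port the client's tunnel is using. Python's ipaddress module exposes the server and external address pair as IPv6Address.teredo, but not the port; the example recovers all three.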
Teredo tunneling components include the following:
- Teredo client—This is an IPv6/IPv4 device that has a Teredo tunneling adapter and communicates with other Teredo clients or IPv6 networks via a Teredo relay. The Teredo client is typically behind a NAT.
- Teredo server—This is an IPv6/IPv4 device that is connected to both the IPv6 and IPv4 networks. The Teredo server assists with the configuration of Teredo clients.
- Teredo relay—This is an IPv6/IPv4 device that is connected to IPv6 and IPv4