Windows Server 2008 R2 Unleashed

6to4 are enabled by default on Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7.


The ISATAP Tunneling Protocol

The Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is an IPv6 transition protocol. It provides for the automatic conversion of an IPv4 address to an IPv6 address, as well as a mechanism for setting up a virtual IPv6 network that transmits over an IPv4 network. The protocol does not require any manual configuration.

NOTE

Link-local addresses are network addresses that are only designed to communicate on a segment and basically allow communications with neighboring devices without needing a globally routable address. They are mandatory in IPv6 and are automatically assigned with the FE80::/10 prefix.

The components of ISATAP are the following:

• ISATAP host—The ISATAP host communicates IPv6 over IPv4 networks with other ISATAP hosts and with ISATAP routers.

• ISATAP router—The ISATAP router advertises address prefixes to the local ISATAP subnet, forwards ISATAP traffic to IPv6 networks, and acts as the default route for ISATAP hosts.

CHAPTER 10 Domain Name System and IPv6

This is useful for deploying IPv6 without having to explicitly define and configure an IPv6 network addressing scheme because it allows IPv6 devices to communicate over IPv4 networks. Figure 10.22 illustrates the ISATAP network.

FIGURE 10.22 ISATAP network. (Figure labels: IPv4 Internet; ISATAP Router; ISATAP Hosts and IPv6 Hosts, each shown running Windows 7 and Windows Server 2008 R2.)

The Windows Vista RTM, Windows Server 2003, and Windows XP all automatically enable and configure the ISATAP tunneling adapter if the IPv6 protocol is installed. These operating systems use the name Automatic Tunneling Pseudo-Interface rather than ISATAP to identify the adapter.

The Windows Server 2008 R2, Windows 2008, Windows 7, and Windows Vista SP1 operating systems do not enable the ISATAP tunneling adapter unless they can resolve the name “ISATAP” into an IPv4 address. The ISATAP address is the IPv4 address of the local ISATAP router. The name resolution can use any of the standard methods to resolve, including DNS, WINS, NetBIOS broadcast, or the LMHOSTS file. When these operating systems are able to resolve the ISATAP address, they configure the ISATAP tunneling adapter and add a default route of ::/0 to the link-local address of the ISATAP router.

ISATAP address IPv4 to IPv6 address translation is done by concatenating a 64-bit prefix with :0000:5EFE:w.x.y.z, where w.x.y.z is the IPv4 address in dotted decimal format. The prefix can be a link-local prefix (that is, FE80::/64), a global prefix (for example, FC00:1234:5678:9abc::/64), or even a global 6to4 prefix (for example, 2002:c9b:a602:1:0::/64), discussed in the next section. Table 10.3 lists some example values for IP address conversions in ISATAP.

IPv6 Introduction

TABLE 10.3 Example ISATAP IP Address Conversions

IPv4 Address      IPv6 ISATAP Address
12.155.166.101    2002:c9b:a602:1:0:5EFE:12.155.166.101
192.168.2.5       FE80::5EFE:192.168.2.5
10.12.1.1         FC00:1234:5678:9abc:5EFE:10.12.1.1

NOTE

The format FE80::5EFE:w.x.y.z is functionally equivalent to the format FE80::5EFE:WWXX:YYZZ, where the dotted decimal IPv4 address format is converted to hexadecimal format. Each decimal number (for example, w) is converted to a two-digit hexadecimal number (for example, WW). In the first example above, the IPv6 address FE80::5EFE:12.155.166.101 would be expressed as FE80::5EFE:0C9B:A665. This format is known as the colon hexadecimal format.
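The ISATAP address rule above (a 64-bit prefix concatenated with :0000:5EFE:w.x.y.z), worked through as an added example that is not code from the book. It is written in Python on the standard ipaddress module; the function names are mine. It builds ISATAP addresses from a prefix and an IPv4 address, recovers the embedded IPv4 address from an address seen on the wire (the check a defender wants when an ISATAP address shows up in logs), renders the dotted decimal form used in Table 10.3, and confirms that the dotted decimal and colon hexadecimal spellings from the note are the same address. It applies the stated rule as written, so every result carries the 0000:5EFE marker followed by the 32-bit IPv4 address.

```python
import ipaddress
from typing import Optional, Union

# Upper 32 bits of every ISATAP interface identifier (0000:5EFE).
ISATAP_IID_MARKER = 0x00005EFE


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Concatenate a 64-bit prefix with the interface identifier 0000:5EFE:w.x.y.z."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP concatenates a 64-bit prefix with the interface identifier")
    iid = (ISATAP_IID_MARKER << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 tunnel endpoint embedded in an ISATAP address.

    Returns None when the interface identifier lacks the 0000:5EFE marker,
    i.e. when the address is not an ISATAP address at all.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if iid >> 32 != ISATAP_IID_MARKER:
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


def same_address(a: str, b: str) -> bool:
    """True if two spellings (dotted decimal or colon hexadecimal tail) denote one address."""
    return int(ipaddress.IPv6Address(a)) == int(ipaddress.IPv6Address(b))


def mixed_notation(addr: Union[str, ipaddress.IPv6Address]) -> str:
    """Render an address with its low 32 bits in dotted decimal, e.g. fe80::5efe:192.168.2.5."""
    groups = [int(g, 16) for g in ipaddress.IPv6Address(addr).exploded.split(":")]
    head, tail = groups[:6], groups[6:]
    v4 = str(ipaddress.IPv4Address((tail[0] << 16) | tail[1]))
    # Compress the longest run of two or more zero groups in the head as "::".
    best_start, best_len = -1, 1
    i = 0
    while i < len(head):
        if head[i] == 0:
            j = i
            while j < len(head) and head[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [format(g, "x") for g in head]
    if best_start < 0:
        return ":".join(hexs) + ":" + v4
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return f"{left}::{right}{':' if right else ''}{v4}"


if __name__ == "__main__":
    # The three prefix kinds named in the text, with the IPv4 addresses of Table 10.3.
    for prefix, v4 in [("FE80::/64", "192.168.2.5"),
                       ("FC00:1234:5678:9abc::/64", "10.12.1.1"),
                       ("2002:c9b:a602:1:0::/64", "12.155.166.101")]:
        a = isatap_address(prefix, v4)
        print(f"{v4:>15} -> {mixed_notation(a):45} ({a.compressed}) embeds {embedded_ipv4(str(a))}")
    print(same_address("FE80::5EFE:12.155.166.101", "FE80::5EFE:0C9B:A665"))
```

Python's ipaddress module accepts the dotted decimal tail when parsing, which is what makes the equivalence check a plain integer comparison; the renderer is needed only because the module always prints the colon hexadecimal form.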

The 6to4 Tunneling Protocol

The 6to4 protocol provides for automatic address assignment and tunneling of IPv6 across the IPv4 Internet. The protocol is detailed in IETF RFC3056. The 6to4 protocol uses the prefix 2002::/16—otherwise known as a 6to4 address.

The global address prefix for a given organization takes the form 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the colon hexadecimal format of the organization’s public IPv4 dotted decimal address w.x.y.z assigned to the router.

NOTE

The 6to4 protocol only supports IPv6 computer to IPv6 computer communications. It does not support communications between IPv6 and IPv4 computers. Both endpoints must support IPv6.

The 6to4 protocol allows organizations to assign globally routable IPv6 addresses without needing to connect to the IPv6 Internet or to request an assigned range of IPv6 addresses. Because the IPv6 address is derived from the public assigned IPv4 address, it is guaranteed to be unique.

In addition, the 6to4 address supports a subnet field for organizations with IPv4 subnet address ranges. The format of the 6to4 IPv6 address is shown in Figure 10.23. For example, the public IPv4 address 12.155.166.101 with subnet 255.255.255.128 would automatically generate the global IPv6 prefix 2002:C9B:A665:80::/64.


FIGURE 10.23 6to4 IPv6 address format: 2002 (16 bits) | WWXX:YYZZ (32 bits) | Subnet (16 bits) | Interface (64 bits).

Table 10.4 lists some example values for IP address conversions in 6to4.

TABLE 10.4 Example 6to4 IP Address Conversions

IPv4 Address      IPv6 6to4 Address
12.155.166.101    2002:C9B:A665:1::C9B:A665
65.55.12.249      2002:4137:CF9:1::4137:CF9
144.48.9.14       2002:9030:90E:1::9030:90E


The 6to4 protocol defines several components that participate in the transmission of packets. These are as follows:

• 6to4 host—An IPv6 device that is configured with a 6to4 address (that is, a 2002::/16 prefix).

• 6to4 router—Routes IPv6 traffic over the IPv4 Internet using 6to4 tunneling.

• 6to4 host/router—An IPv6 device that is configured with a 6to4 address and can also use 6to4 tunneling to communicate with other 6to4 devices over the IPv4 Internet. However, it does not route traffic to other devices.

• 6to4 relay—Forwards 6to4 traffic between the IPv4 Internet and pure IPv6 devices.

Essentially, 6to4 and its components allow IPv6 devices to communicate while residing in the IPv4 world. Figure 10.24 shows the components of 6to4.

Windows Server 2008 R2, Windows 2008, Windows 7, and Windows Vista can function as a 6to4 host/router or a 6to4 router. By default, these operating systems operate as 6to4 host/router components. The Windows IPv6 protocol automatically does the following if there is a public IPv4 address assigned to a network interface:

1. Creates a 6to4 tunnel adapter and assigns it a 6to4 address in the form 2002:WWXX:YYZZ::WWXX:YYZZ for each of the public addresses.

2. Creates a 2002::/16 route to forward all 6to4 addresses to the tunnel adapter.

3. Does a lookup of the FQDN 6to4.ipv6.microsoft.com, which gives a 6to4 relay address. That address is set as the next hop for the 6to4 tunnel adapter.

FIGURE 10.24 6to4 network. (Figure labels: IPv6 Internet; IPv4 Internet; 6to4 Relay; 6to4 Host/Router; 6to4 Host; IPv6 Host; the hosts shown run Windows 7 and Windows Server 2008 R2.)

NOTE

The FQDN 6to4.ipv6.microsoft.com is the address of the 6to4 relay that is operated by Microsoft and allows 6to4 access to the IPv6 Internet. This is a service that Microsoft provides to help with the integration of Microsoft operating systems with IPv6.

To have a system operate as a 6to4 router component, the Internet Connection Sharing (ICS) feature must be enabled. If ICS is enabled on a network interface with an IPv4 address, the IPv6 protocol automatically does the following:

1. Enables IPv6 forwarding on the 6to4 tunneling adapter and on any private network interfaces.

2. Assigns a 6to4 subnet prefix of the form 2002:WWXX:YYZZ:I::/64, where WWXX:YYZZ is the colon hexadecimal form of the IPv4 public IP address and I is the interface index of the private network interface.

3. Sends router advertisements on the private network interface.


For any traffic forwarded to other 6to4 sites, the Windows 6to4 router uses the default 2002::/16 route.
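The 6to4 address forms described in this section (the organization's 2002:WWXX:YYZZ::/48 prefix, the 2002:WWXX:YYZZ::WWXX:YYZZ address Windows assigns to its tunnel adapter, the 2002:WWXX:YYZZ:I::/64 subnet prefix an ICS-enabled router advertises, and the Table 10.4 entries), worked through as an added example that is not code from the book. It is written in Python on the standard ipaddress module; the function names are mine. One function produces all of the host addresses: with subnet 0 it gives the tunnel adapter address from step 1 above, with subnet 1 it reproduces Table 10.4. The last function does the reverse, pulling the public IPv4 tunnel endpoint out of any 2002::/16 address, which is how a defender ties a 6to4 source address in a log back to the IPv4 host that actually sent the packet.

```python
import ipaddress
from typing import Optional

# Every 6to4 address lives under this prefix.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def colon_hex(ipv4: str) -> str:
    """Dotted decimal w.x.y.z -> colon hexadecimal WWXX:YYZZ (leading zeros dropped, as in the tables)."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return f"{v4 >> 16:x}:{v4 & 0xFFFF:x}"


def _public_ipv4_int(ipv4: str) -> int:
    """6to4 embeds the public IPv4 address of the router; refuse private or reserved ones."""
    a = ipaddress.IPv4Address(ipv4)
    if not a.is_global:
        raise ValueError(f"{ipv4} is not a public IPv4 address; 6to4 requires one")
    return int(a)


def site_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """The organization's global 6to4 prefix 2002:WWXX:YYZZ::/48."""
    v4 = _public_ipv4_int(public_ipv4)
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def subnet_prefix(public_ipv4: str, subnet: int) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ:I::/64; the Windows 6to4 router uses the private interface index as I."""
    if not 0 <= subnet <= 0xFFFF:
        raise ValueError("the subnet field is 16 bits wide")
    v4 = _public_ipv4_int(public_ipv4)
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80) | (subnet << 64), 64))


def host_address(public_ipv4: str, subnet: int = 0) -> ipaddress.IPv6Address:
    """2002:WWXX:YYZZ:subnet::WWXX:YYZZ.

    subnet=0 is the address Windows puts on its 6to4 tunnel adapter
    (2002:WWXX:YYZZ::WWXX:YYZZ); subnet=1 reproduces the rows of Table 10.4.
    """
    net = subnet_prefix(public_ipv4, subnet)
    return ipaddress.IPv6Address(int(net.network_address) | _public_ipv4_int(public_ipv4))


def embedded_public_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 tunnel endpoint embedded in bits 16-47 of a 6to4 address, else None."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


if __name__ == "__main__":
    # The three public addresses of Table 10.4.
    for v4 in ("12.155.166.101", "65.55.12.249", "144.48.9.14"):
        print(f"{v4:>15}: prefix {site_prefix(v4)}  adapter {host_address(v4)}  "
              f"table row {host_address(v4, 1)}  ICS subnet 12 {subnet_prefix(v4, 12)}")
    print(embedded_public_ipv4("2002:c9b:a665:1::c9b:a665"))
```

Because the IPv4 address occupies fixed bit positions, extraction needs no string parsing at all: shifting the 128-bit integer right by 80 bits lands the WWXX:YYZZ field in the low 32 bits.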

The Teredo Tunneling Protocol

The Teredo tunneling protocol is a protocol that provides IPv6 connectivity through Network Address Translation (NAT) devices that are not IPv6 aware. The Teredo tunneling protocol is described in IETF RFC4380. The Teredo protocol gets around the requirement of the 6to4 tunneling protocol that the tunnel endpoint be a public IPv4 address. The reality of today’s IPv4 Internet is that there is a scarcity of public IPv4 addresses (the entire rationale behind IPv6) and so most hosts will be behind a NAT device.

NOTE

Perhaps less than fortuitously, the Teredo protocol is named after the shipworm “Teredo navalis,” which tunneled through the hulls of wooden ships and sank many a vessel back in the day. These marine mollusks continue to be a threat today to any wood structure in seawater, like dikes, docks, and piers. The Teredo protocol tunnels through NAT firewalls in much the same fashion. The Teredo protocol was initially named the “Shipworm” protocol, but that made it seem too much like malicious software, and it was renamed to Teredo.

Teredo encapsulates the IPv6 packets twice: once to encapsulate the IPv6 packet in an IPv4 packet with the IPv4 protocol field set to 41, and a second time to put the resulting IPv4 packet in the message of an IPv4 UDP packet. This double encapsulation gets through the NAT but comes at a heavy cost in protocol overhead. In addition, the Teredo tunnel also exposes the host to scanning attacks because the Teredo tunneling adapter in effect opens a port on the host to entities through the firewall. This port can be discovered and attacked. Thus, due to the overhead and security concerns, the Teredo tunneling protocol is really a tunneling protocol of last resort.

Microsoft’s implementation of the Teredo protocol includes additional measures against IPv6 scanning attacks, including an option of which traffic to accept: from anywhere except the Teredo tunnel (the default), from anywhere including the Teredo tunnel, or only from the local Intranet. The default option prevents scanning of the Teredo tunnel interface. Of course, the host can initiate traffic through the tunnel.

Teredo clients use IPv6 addresses that start with the prefix 2001::/32, otherwise known as the Teredo prefix. The address is somewhat more complicated than the addressing for the other tunneling protocols. The elements of the Teredo address are the following:


• Teredo prefix (32 bits)—This is 2001 for all Teredo addresses, per IETF RFC4380.

• Teredo server IPv4 address (32 bits)—The IPv4 address of the Teredo server in colon hexadecimal format.

• Flags (16 bits)—This includes a bit for the type of NAT. Microsoft uses two of the bits to set the Universal/Local flag and the Individual/Group flag for the enhanced security. The remaining bits are set to a random number to make scanning attacks more difficult.

• Obscured external port (16 bits)—This is the external UDP port that is assigned by the NAT, but it is obscured by XORing it with FFFF.

• Obscured external address (32 bits)—This is the IPv4 external address of the NAT, but it is obscured by XORing it with FFFFFFFF.

Figure 10.25 shows the structure of a Teredo address.

FIGURE 10.25 Teredo IPv6 address format: 2001 (32 bits) | WWXX:YYZZ (32 bits) | Flags (16 bits) | Obscured External Port (16 bits) | Obscured External Address (32 bits).

Because of the flag randomization, UDP port assignment, and the obscuring, the final Teredo addresses will vary considerably even within the same Teredo client.
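The Teredo address layout above, assembled and taken apart as an added example that is not code from the book. It is written in Python on the standard ipaddress module; the function names are mine, and the server address, NAT external address, port and log lines are constructed values from documentation ranges, not real Teredo infrastructure. The decoder is the defender's tool here: the text says the obscuring is only an XOR with all-ones, so a Teredo source address in a firewall or proxy log can be turned straight back into the Teredo server, the NAT type bit (the high-order flag bit, per RFC 4380), and the NAT's real external address and UDP port, which is exactly the mapping that makes the tunnel reachable from outside. The last function runs that decode over a few constructed log lines to list which external NAT mappings were seen.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# All Teredo addresses start with 2001:0000 (the text's 2001::/32).
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")

# Bit positions of the fields below the 32-bit prefix (Figure 10.25).
_SERVER_SHIFT = 64  # Teredo server IPv4 address, 32 bits
_FLAGS_SHIFT = 48   # Flags, 16 bits
_PORT_SHIFT = 32    # Obscured external UDP port, 16 bits; obscured address is the low 32 bits


def teredo_address(server_ipv4: str, flags: int,
                   nat_external_ipv4: str, nat_external_port: int) -> ipaddress.IPv6Address:
    """Assemble a Teredo address; port and address are obscured by XOR with FFFF / FFFFFFFF."""
    if not 0 <= flags <= 0xFFFF:
        raise ValueError("flags must fit in 16 bits")
    if not 0 <= nat_external_port <= 0xFFFF:
        raise ValueError("a UDP port must fit in 16 bits")
    server = int(ipaddress.IPv4Address(server_ipv4))
    external = int(ipaddress.IPv4Address(nat_external_ipv4))
    value = (int(TEREDO_PREFIX.network_address)
             | (server << _SERVER_SHIFT)
             | (flags << _FLAGS_SHIFT)
             | ((nat_external_port ^ 0xFFFF) << _PORT_SHIFT)
             | (external ^ 0xFFFFFFFF))
    return ipaddress.IPv6Address(value)


def decode_teredo(addr: str) -> Optional[Dict[str, object]]:
    """Recover server, flags and the de-obscured NAT mapping; None if addr is not Teredo."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        return None
    n = int(a)
    flags = (n >> _FLAGS_SHIFT) & 0xFFFF
    return {
        "server": ipaddress.IPv4Address((n >> _SERVER_SHIFT) & 0xFFFFFFFF),
        "flags": flags,
        # RFC 4380 puts the NAT-type ("cone") flag in the most significant flag bit.
        "cone_nat": bool(flags & 0x8000),
        "external_port": ((n >> _PORT_SHIFT) & 0xFFFF) ^ 0xFFFF,
        "external_address": ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF),
    }


# Constructed firewall log lines (not real traffic); the first carries a Teredo source.
CONSTRUCTED_LOG = [
    "2024-01-01T10:00:00Z ALLOW src=2001:0:c000:201:8000:63bf:39cc:9bf8 dst=2001:db8::10 proto=tcp dport=443",
    "2024-01-01T10:00:01Z ALLOW src=2001:db8::25 dst=2001:db8::10 proto=tcp dport=25",
    "2024-01-01T10:00:02Z ALLOW src=2002:c9b:a665::c9b:a665 dst=2001:db8::10 proto=tcp dport=80",
]


def teredo_clients_in_log(lines: List[str]) -> List[Tuple[str, int]]:
    """List the (NAT external address, external UDP port) pairs behind Teredo sources in a log."""
    found = []
    for line in lines:
        for token in line.split():
            value = token.split("=", 1)[1] if "=" in token else token
            try:
                info = decode_teredo(value)
            except ValueError:  # not an IPv6 address at all
                continue
            if info is not None:
                found.append((str(info["external_address"]), info["external_port"]))
    return found


if __name__ == "__main__":
    # Constructed inputs: TEST-NET-1 as the server, TEST-NET-2 as the NAT's public side.
    a = teredo_address("192.0.2.1", 0x8000, "198.51.100.7", 40000)
    print(a, decode_teredo(str(a)))
    print(teredo_clients_in_log(CONSTRUCTED_LOG))
```

The randomized flag bits change the address but not its decodability: the server, port and external address sit at fixed offsets, so the decoder works on any Teredo address regardless of what the flags field holds.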

Teredo tunneling components include the following:

• Teredo client—This is an IPv6/IPv4 device that has a Teredo tunneling adapter and communicates with other Teredo clients or IPv6 networks via a Teredo relay. The Teredo client is typically behind a NAT.

• Teredo server—This is an IPv6/IPv4 device that is connected to both the IPv6 and IPv4 networks. The Teredo server assists with the configuration of Teredo clients.

• Teredo relay—This is an IPv6/IPv4 device that is connected to IPv6 and IPv4
