|IPv6 transition mechanisms|
Unlike 6over4 (an older similar protocol using IPv4 multicast), ISATAP uses IPv4 as a virtual nonbroadcast multiple-access network (NBMA) data link layer, so that it does not require the underlying IPv4 network infrastructure to support multicast.
How ISATAP works
ISATAP defines a method for generating a link-local IPv6 address from an IPv4 address, and a mechanism to perform Neighbor Discovery on top of IPv4.
Link-local address generation
Any host wishing to participate in ISATAP over a given IPv4 network can set up a virtual IPv6 network interface. The link-local address is determined by prepending
fe80::0200:5efe:… for globally unique addresses, or
fe80::0000:5efe:… for private addresses, in front of the 32 bits of the host's IPv4 address.
For example, the global IPv4 address
192.0.2.143 would use
fe80::0200:5efe:192.0.2.143 as its link-local IPv6 address. The shortened notation would be
c0 00 02 8f is
192.0.2.143 in hexadecimal notation).
Because ISATAP uses IPv6 as a non multicast/broadcast-capable (unlike Ethernet) link layer, ICMPv6 Neighbor Discovery cannot be done in the usual manner. That is why ISATAP is a bit more complex than 6over4.
The link layer address associated with a given IPv6 address is contained in the lower-order 32-bits of the IPv6 address, so that Neighbor Discovery is not really needed. However, the lack of multicast support prevents the use of automatic Router Discovery. Therefore, ISATAP hosts must be configured with a potential routers list (PRL). Each of these routers is infrequently probed by an ICMPv6 Router Discovery message, to determine which of them are functioning, and to perform unicast-only autoconfiguration (typically, obtain the list of on-link IPv6 prefixes that can be used).
In practice, implementations build their PRL by querying the DNS, e.g. by looking up
isatap.example.com if the local domain is
example.com. The local domain is typically obtained via DHCP (over IPv4) or statically configured.
Criticisms of ISATAP
ISATAP typically builds its PRL by consulting the DNS; hence, in the OSI model it is a lower-layer protocol that relies on a higher layer. A circularity is avoided by relying on an IPv4 DNS server, which does not rely on IPv6 routing being established; however, this is a violation of network design principles, and feels brittle to some network specialists.
ISATAP carries the same security risks as 6over4: the IPv4 virtual link must be delimited carefully at the network edge, so that external IPv4 hosts cannot pretend to be part of the ISATAP link. That is normally done by ensuring that proto-41 (6in4) cannot pass through the firewall.
Implementations of ISATAP
Due to a patent claim, early in-kernel implementations were withdrawn from both KAME (*BSD) and USAGI (Linux). However the IETF IPR disclosure search engine reports that the would-be infringing patent’s holder requires no license from implementers. ISATAP support has been supported in Linux since kernel version 2.6.25, the tool isatapd [notes 1] provides a userspace helper. For prior kernels, the open source project Miredo provided an incomplete userland ISATAP implementation, which was removed in version 1.1.6.
- R. Hinden, S. Deering (April 2006). "RFC 4291 Section 2.2". IETF. Retrieved 29 December 2012.
- F. Templin, T. Gleeson, D. Thaler Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) RFC 5214, March 2008.