[IPv6] Detailed description of ISATAP tunnel technology

[IPv6] Detailed description of ISATAP tunnel technology
I. Basic Concepts

ISATAP (Intra-SiteAutomatic Tunnel Addressing Protocol)
ISATAP is an IPv6 transition mechanism that is easy to deploy and use. In an IPv4 network, we can easily deploy ISATAP. First, you need a V4/V6 dual-stack PC. Then, you need a vro that supports ISATAP, the ISATAP router can be anywhere in the network, as long as the PC can ping it (of course, you need to know the IPv4 address of the router ). Next, we can deploy isatap on the vro to support ISATAP dual-stack hosts. When you need to access IPv6 resources, you can establish an ISATAP tunnel with the ISATAP router, the ISATAP host constructs its own IPv6 address based on the IPv6 prefix assigned by the ISATAP router (this IPv6 address is an ISATAP virtual network card automatically associated with the ISATAP host ), in addition, this ISATAP router is set as its own IPv6 default gateway. As a result, this host will be able to access IPv6 resources through this ISATAP router.
This method is easy to deploy. In many cases, the customer wants IPv6 hosts in the network to access V6 resources to save costs, at the same time, you are not willing to perform large-scale changes and device upgrades to the existing network. Therefore, you can purchase a vro that supports ISATAP, or even attach the ISATAP vro to the network, as long as it can access V6 resources and respond to the ISATAPPC tunnel establishment request.

Ii. functional components of ISATAP are as follows:
Bytes
1. Automatic tunnel:
The ISATAP tunnel mechanism is also automatic, and the tunnel is created between the host and the ISATAP router. The IPv4 address of the ISATAP router is preferred for the host.

2. ISATAP address format:
The IPv6 address assigned to the ISATAP router is a global unicast address. The prefix of this address is used by the ISATAP host for its own IPv6 address construction. The ISATAP host receives/64 IPv6 prefixes from messages sent by the ISATAP router through the ISATAP tunnel established in IPv4, use this prefix and the "special interface identifier" to construct your own IPv6 address.

3. Interface ID:
After ISATAP is enabled on the host, an ISATAP virtual NIC will be generated, which will generate a special interface identifier of 64bits, a bit similar to the EUI-64, but the generation mechanism is different, it consists of a 32-bit 0200: 5EFE reserved for ISATAP and an IPv4 address configured on the host. For example, assume that the IPv4 address configured for the ISATAP host is 1.1.1.1, the 64bits Interface ID of the ISATAP virtual ENI is:
 

On the other hand, after ISATAP is deployed on the vro, The vro will also generate a tunnel interface to respond to the tunnel creation request of the ISATAP host. This tunnel interface will also generate an interface ID. The format of the address is the 0000: 5EFE Of the 32-bit IPv4 address reserved by IANA to ISATAP, and then the 32-bit IPv4 address is appended. For example, if the IPv4 address (for tunnel) configured for the ISATAP router is 2.2.2.2, the interface ID of ISATAPtunnel is:
 

Here, The high-order 32bits IN The 64bits interface identifier "reserved for ISATAP" is described in Wikipedia as follows: "The link-localaddress is determined by concatenatingfe80: 0000: 0000: 0000: 0200: 5efe: for global unique andfe80: 0000: 0000: 0000: 5efe: for private addresses with the 32 bits of the host's limit 4address. ". It seems that there are globally unique and private differences. However, the IETF draft found a description of 0200: 5efe. In my testing environment, on a windows host, the system uses 0200: 5ede, while the CISCO router uses 0000: 5efe.
The 64btis Interface ID generated by the ISATAP host and ISATAP router can be further used to construct the Linklocal address of the tunnel interface and the IPv6 global unicast address. This is described below.
In addition, because the ISATAP operation scope is within the site, the IPv4 addresses of ISATAP hosts and ISATAP routers can be private IP addresses or public IP addresses.

Iii. Working Mechanism


 
First, we have an IPv4 network. Most network devices in the IPv4 network do not support IPv6. In addition to terminal hosts and a router, this can access the IPv6 resources we need. Now, the cheapest way is to deploy ISATAP on this vro, and establish an ISATAPtunnel between the ISATAP host and the vro, in this way, the PC can directly put IPv6 traffic into the tunnel and transmit it to the ISATAP router to traverse the entire IPv4 network.

1) Now we configure the ISATAP router. The IPv4 address assigned to the router is 2.2.2.2/24, and a tunnel interface is created for ISATAP, in this case, the tunnel interface generates an interface ID of 64bits Based on the IPv4 address. The link local address of the tunnel interface is: fe80: 0000: 5efe: 202: 202. In addition, you also need to configure a global unicast IPv6 address for the ISATAPtunnel interface. You can configure it manually or by prefix + EUI64, the EUI-64 here is the special 64bits interface identifier described above. For example, the constructed IPv6 address is 2001: 1111: 0000: 5efe: 0202.0202/64. Therefore, the IPv4 prefix is 2001: 1111:/64, this prefix will be delivered to the ISATAP host through tunnel later, so that it can build its own IPv6 address.

2) Now we have configured isatap on the isatap host. Generally, the IPv6 protocol stack is installed by default on the WIN7 system, and an ISATAP virtual Nic is created by default. After we configure an IPv4 address for the physical Nic of the PC, for example, 1.1.1.1/24, the ISATAP virtual Nic automatically calculates the special interface ID: 0200: 5efe: 1.1.1.1. Note that this format is equivalent to 0200: 5efe: 0101.0101. in windows, we can see that the former is easy to write.

3) after the ISATAP router is configured on the host (pointing to the IPv4 address of the ISATAP router), The ISATAP host starts to send the RS message to the ISATAP router, for example:
 

This RS message is transmitted through an IPv4 Tunnel. The outer layer is the IPv4 header. The source address is ISATAP's IPv4 address 1.1.1.1, And the destination address is 2.2.2.2, that is, ISATAP's IPv4 address. The IPv4 header contains IPv6 packets. The source address is the Linklocal address of the ISATAP virtual network card of the ISATAP host, and the destination address is the Linklocal address of the ISATAP router.

4) The RS message sent by the ISATAP host will be routed to the ISATAP router in the IPv4 network. This causes the router to immediately respond with an RA:
 

In this response, the RA message contains the/64 prefix of the IPv6 global unicast address configured on ISATAP.

5) after the ISATAP host receives the RA response, it will take out the IPv6 prefix and then add the interface ID address of 64bits of its ISATAP virtual Nic to the end, the IPv6 global unicast address that constitutes bits, and a default route is generated, pointing to the Linklocal address of the ISATAP router:
 

6) from now on, when the ISATAP host needs to access IPv6 resources, it encapsulates the IPv6 packet in the IPv4 Tunnel, that is, it mounts the IPv4 header of the ISATAP tunnel and then transmits it to the ISATAP router, the ISATAP router unpacks the data and forwards the IPv6 data.
4. Typical experiments
Environment Description PC is an ISATAP host, which is a dual-stack PC. Here we use a computer in the win7 system for testing. The IP address of the NIC is 1.1.1.1/24, the gateway is 1.1.1.254, And the gateway is interfacevlan10 of sw1. SW1 creates two VLANs: VLAN10 and 20, which correspond to the PC and ISATAP routers respectively. The SVI port IP address of VLAN20 is 2.2.2.254, which is the default gateway of the ISATAP router. The interface IP address of ISATAPRouter is 2.2.2.2. This IPv4 address is used in subsequent ISATAP configurations. The ISATAP host finds the ISATAPRouter through this IP address and establishes an ISATAP tunnel with it. ISATAPRouter is connected to an IPv6 network at the same time. Here we use loopback to simulate: 2001: 8888: 8/64 for subsequent tests. The final experiment result is that the PC must be able to ping the IPv4 address of the ISATAP Router, that is, 2.2.2.2. Then the PC and ISATAProuter establish a tunnel and get the IPv6 address, and you must be able to ping the 20001: 8888: 8 device to configure the PC1 Configuration:
Nic IP address 1.1.1.1/24, Gateway 1.1.1.254
Install the IPv6 protocol stack. At this time, Win7 will automatically generate an ISATAP tunnel Virtual Interface:
Tunnel adapter isatap. {0DB7233C-89B7-49DB-A8C0-D1AA005F4E6A }:

SW1 Configuration:
Vlan 10
Vlan 20
Interface fast0/1
Switchport access vlan 10
Interface fast0/15
Switchport access vlan 20
Interface vlan 10
Ip address 1.1.1.254 255.255.255.0
Interface vlan 20
Ip address 2.2.2.254 255.255.255.0

Configuration of the Router:
Ipv6 unicast-routing
!
Interface FastEthernet0/0
Ip address 2.2.2.2 255.255.255.0
No shutdown
!
Interface Tunnel1
The ip unnumbered fastEthernet 0/0 !! The IPv4 address is the destination address of the ISATAP tunnel.
Ipv6 enable
Ipv6 address 2001: 1111:/64 eui-64 !! The prefix of this IPv6 address will be advertised to the ISATAP host.
No ipv6 nd suppress-ra
Tunnel source fastEthernet 0/0
Tunnel mode ipv6ip isatap
!
Interface loopback0
Ipv6 enable
Ipv6 address 2001: 8888: 8/64
!
Ip route 0.0.0.0 0.0.0.0 2.2.2.254

Pay attention to the ISATAP router configuration. The key part is the tunnel configuration. The tunnel mode is ipv6ipisatap. Pay attention to the IPV4 address configured in tunnel, the address of the ISATAP router in the CMD command configured on the ISATAP host. This experiment demonstrates that tunnel uses the fa0/0 address directly. Of course, tunnel can also have its own IPv4 address, as long as the ISATAP host can be routed to this IPv4 address. In addition, the IPv6 address of tunnel corresponds to the prefix that will be sent to the ISATAP host later. In this experiment, our tunnel IPv6 global unicast address uses the prefix + eui-64 configuration method, the eui-64 here actually refers to the special 64bits interface identifier we introduced earlier. To test the experiment, first check on the vro:
R2 # show ipv6 interface brief
FastEthernet0/0
Tunnel0
FE80: 5EFE: 202: 202
2001: 1111: 5EFE: 202: 202

Note that the Linklocal address: FE80: 5EFE: 202: 202 is an ISATAP format address. The final 64bits is composed of 0000 of 32bits: 5EFE and 32bits interface IPv4 address (2.2.2.2), as shown in. IPv6 global unicast addresses are composed of 64 bits interface IDs. Of course, you can also manually configure IPv6 global unicast addresses, instead of interface IDs.
 

Next, on the ISATAP host, in CMD mode, enter:
Netsh interface ipv6 isatap set router 2.2.2.2

The PC starts to send the RS. The message is as follows:
 

We can see that the RS ICMPv6 Packet is outside the IPv6 Header, And the IPv6 Header is outside the IPv4 header.
Note that the header of the outer IPv4 address is 1.1.1.1 and the source is 2.2.2.2.
Next, the IPv6 Header is the Linklocal address of the ISATAP host. The source is the Linklocal address of the ISATAP router.

After the router receives the RS, it returns an RA:
 

There is an ICMPv6 Option in the RA responded by the router, which contains the IPv6 prefix of the ISATAP router. The ISATAP host can build an IPv6 address based on the prefix and Interface ID.

The IPv4 address obtained by the PC is as follows:
Tunnel adapter isatap. {0DB7233C-89B7-49DB-A8C0-D1AA005F4E6A }:
Connection to a specific DNS suffix .......:
IPv6 address ......: 2001: 1111: 5efe: 1.1.1.1
Local IPv6 address ......: fe80: 200: 5efe: 1.1.1.1 @
Default Gateway ......: fe80: 5efe: 2.2.2.2 @
We can see that the PC first generates the 64bits Interface ID based on the Local IPv4 address 1.1.1.1:
 

This 64bits Interface ID, and the first 64 bits of the IPv6 global unicast address prefix 2001: 1111: obtained from the ISATAP router, constitute the IPv6 global unicast address of the PC: 2001: 1111: 200: 5efe: 1.1.1.1.
The 64bits Interface ID and FE80:/10 constitute the Linklocal address of the PC: fe80: 200: 5efe: 1.1.1.1
In addition, the PC sets the Linklocal address fe80: 5efe: 2.2.2.2 of the isatap router to the default gateway.
When the host communicates with other IPv6 hosts, the IPv4 address is taken from the next hop IPv6 address of the packet as the destination address in IPv4 encapsulation. If the target host is located at the site, the next hop is the target host itself. If the target host is not located at the site, the next hop is the address of the ISATAP router.

In the last test, the ISATAP host is pinged to 2008: 8888: 1.
 

The IPv6 packet that arrives at ISATAP loopback is mounted to an IPv4 Tunnel header of ISATAP and then transmitted to the ISATAP router for next IPv6 forwarding.