Technical explanation of "IPV6" ISATAP tunnel

Source: Internet
Author: User

I. Basic concept

ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is an IPv6 transition mechanism that is very easy to deploy and use. It can be deployed on an existing IPv4 network with little effort. First, the PC must be an IPv4/IPv6 dual-stack host. Second, there must be a router that supports ISATAP; the ISATAP router can be anywhere in the network, as long as the PC can ping it (of course, you need to know the router's IPv4 address). Once ISATAP is deployed on the router, dual-stack ISATAP hosts on the network can establish an ISATAP tunnel with the ISATAP router when they need to access IPv6 resources. The ISATAP host constructs its own IPv6 address from the IPv6 prefix issued by the ISATAP router (this IPv6 address is automatically bound to an ISATAP virtual network card that the host generates locally) and sets the ISATAP router as its IPv6 default gateway, so that the host can then reach IPv6 resources through this router.

This method is very simple to deploy. In many cases customers want the hosts on their network to reach IPv6 resources but, to save costs, do not want large-scale changes or equipment upgrades in the existing network. They can then buy one router that supports ISATAP; it can even be attached off to the side of the network, as long as it can reach the IPv6 resources and respond to tunnel requests from ISATAP PCs.

II. Functional components of ISATAP

1. Automatic tunnel: The ISATAP tunneling mechanism is automatic. The tunnel is created between the host and the ISATAP router, and the host must know the IPv4 address of the ISATAP router in advance.

2. ISATAP address format: The IPv6 address assigned to the ISATAP router is a global unicast address, and ISATAP hosts use the prefix of that address to construct their own IPv6 addresses.
The ISATAP host receives a /64 IPv6 prefix in the message that the ISATAP router sends through the ISATAP tunnel established over IPv4, and constructs its own IPv6 address by combining this prefix with a special interface identifier.

3. Interface identifier: When ISATAP is enabled on the host, it generates an ISATAP virtual network card, which in turn generates a special 64-bit interface identifier. It is somewhat similar to EUI-64 but built differently: the 32 bits 0200:5EFE reserved for ISATAP, followed by the IPv4 address configured on the host. For example, if the ISATAP host's IPv4 address is 1.1.1.1, the 64-bit interface identifier of the ISATAP virtual network card is 0200:5efe:0101:0101.

Similarly, after ISATAP is deployed on a router, the router generates a tunnel interface that answers tunnel requests from ISATAP hosts, and this interface also generates an interface identifier: the 32 bits 0000:5efe reserved by IANA for ISATAP, followed by the 32-bit IPv4 address. For example, if the IPv4 address configured on the ISATAP router (for tunneling) is 2.2.2.2, the ISATAP tunnel interface identifier is 0000:5efe:0202:0202.

Wikipedia describes the high-order 32 bits of the 64-bit interface identifier that are reserved for ISATAP as follows: "The link-local address is determined by concatenating fe80:0000:0000:0000:0200:5efe: for global unique and fe80:0000:0000:0000:0000:5efe: for private addresses with the 32 bits of the host's IPv4 address."

There seems to be a split between globally unique and private, but 0200:5efe is what mostly appears in the relevant IETF draft. In my test environment, the Windows host uses 0200:5efe and the Cisco router uses 0000:5efe. The 64-bit interface identifier generated by the ISATAP host and the ISATAP router is then used to construct the link-local address of the tunnel interface as well as the IPv6 global unicast address.
This is described below. In addition, because ISATAP operates within a site, the IPv4 addresses of the ISATAP host and the ISATAP router can be either private or public.

III. How it works

First, we have an IPv4 network in which most network devices do not support IPv6. The exceptions are the end hosts and one router, which can reach the IPv6 resources we need. The cheapest approach is to deploy ISATAP on this router and create an ISATAP tunnel between the ISATAP end host and the router, so that the PC can put its IPv6 traffic directly into the tunnel and send it across the network to the router.

1) The ISATAP router is configured first. The IPv4 address assigned to the router is 2.2.2.2/24, and a tunnel interface is created for ISATAP. The tunnel interface generates a 64-bit interface identifier from the IPv4 address. Combined with the high-order fe80::, this identifier forms the link-local address of the tunnel interface: fe80::0000:5efe:202:202. The ISATAP tunnel interface also needs a global unicast IPv6 address, which can be configured manually or as prefix + EUI-64, where "EUI-64" is the special 64-bit interface identifier described above. For example, if the resulting IPv6 address is 2001:1111::0000:5efe:0202:0202/64, the IPv6 prefix is 2001:1111::/64. This prefix is later sent through the tunnel to the ISATAP host so that it can build its own IPv6 address.

2) Next, ISATAP is configured on the ISATAP host. Generally, the IPv6 protocol stack is installed by default on Win7, and an ISATAP virtual network card is present by default.
After an IPv4 address such as 1.1.1.1/24 is configured on the PC's physical network card, the ISATAP virtual network card automatically calculates the special interface ID described above from this IPv4 address: 0200:5efe:1.1.1.1. Note that this notation is equivalent to 0200:5efe:0101:0101; Windows displays the former, simpler notation.

3) Once the ISATAP router has been configured on the host (by pointing the host at the IPv4 address of the ISATAP router), the ISATAP host begins sending RS (Router Solicitation) messages to the ISATAP router. The RS message is carried through the IPv4 tunnel. The outer header is IPv4: the source address is the ISATAP host's IPv4 address 1.1.1.1, and the destination address is 2.2.2.2, the ISATAP router's IPv4 address. Inside the IPv4 header is the IPv6 packet: its source address is the link-local address of the ISATAP host's ISATAP virtual network card, and its destination address is the link-local address of the ISATAP router.

4) The RS message sent by the ISATAP host is routed through the IPv4 network and eventually reaches the ISATAP router, which immediately responds with an RA (Router Advertisement). The RA contains the /64 prefix of the IPv6 global unicast address configured on the ISATAP router.

5) When the ISATAP host receives the RA, it extracts the IPv6 prefix and appends the 64-bit interface identifier of its own ISATAP virtual network card to form a 128-bit IPv6 global unicast address. It also installs a default route pointing to the link-local address of the ISATAP router.

6) From now on, whenever the ISATAP host needs to access IPv6 resources, it encapsulates the IPv6 packet in the IPv4 tunnel, that is, it prepends the IPv4 tunnel header, and passes it to the ISATAP router. The ISATAP router decapsulates the packet and forwards the IPv6 data.

IV. Typical experiment

    • Environment description
    1. The PC is the ISATAP host. It is a dual-stack PC; here we use a Win7 computer for the test. The IP address of its network card is 1.1.1.1/24 and the gateway is 1.1.1.254, which is interface VLAN 10 of SW1.
    2. SW1 creates two VLANs, VLAN 10 and VLAN 20, for the PC and the ISATAP router respectively. The IP address of the VLAN 20 SVI is 2.2.2.254, which is the default gateway of the ISATAP router.
    3. The interface IP address of the ISATAP router is 2.2.2.2. This IPv4 address is used in the subsequent ISATAP configuration: ISATAP hosts use it to find the ISATAP router and establish the ISATAP tunnel. The ISATAP router is also connected to an IPv6 network, which we simulate with a loopback, 2001:8888::8/64, for subsequent testing.
    4. The expected result: the PC must first be able to ping the IPv4 address of the ISATAP router, 2.2.2.2. The PC then establishes the tunnel with the ISATAP router, obtains an IPv6 address, and is able to ping 2001:8888::8.
    • Device configuration
Configuration of PC1:

The network adapter is configured with IP address 1.1.1.1/24 and gateway 1.1.1.254. After the IPv6 protocol stack is installed, Win7 automatically generates an ISATAP tunnel virtual interface: Tunnel adapter isatap.{0DB7233C-89B7-49DB-A8C0-D1AA005F4E6A}.

Configuration of SW1:

    vlan 10
    vlan 20
    interface fast0/1
     switchport access vlan 10
    interface fast0/15
     switchport access vlan 20
    interface vlan 10
     ip address 1.1.1.254 255.255.255.0
    interface vlan 20
     ip address 2.2.2.254 255.255.255.0

Configuration of the router:

    ipv6 unicast-routing
    !
    interface FastEthernet0/0
     ip address 2.2.2.2 255.255.255.0
     no shutdown
    !
    interface Tunnel1
     ! This IPv4 address is the destination of the ISATAP tunnel
     ip unnumbered FastEthernet0/0
     ipv6 enable
     ! The prefix of this IPv6 address is advertised to the ISATAP host
     ipv6 address 2001:1111::/64 eui-64
     no ipv6 nd suppress-ra
     tunnel source FastEthernet0/0
     tunnel mode ipv6ip isatap
    !
    interface Loopback0
     ipv6 enable
     ipv6 address 2001:8888::8/64
    !
    ip route 0.0.0.0 0.0.0.0 2.2.2.254

Note the configuration of the ISATAP router: the key part is the tunnel configuration. The tunnel mode is ipv6ip isatap. Note also that the tunnel address configured here is the ISATAP router address used in the cmd command on the corresponding ISATAP host. In this experiment the tunnel borrows the fa0/0 address directly; the tunnel can of course have its own IPv4 address, as long as the ISATAP host has a route to that IPv4 address. As for the tunnel's IPv6 address, its prefix is the one sent to the ISATAP hosts. In this experiment the tunnel's IPv6 global unicast address is configured as prefix + eui-64, where eui-64 actually refers to the special 64-bit interface ID introduced earlier.

(Original blog by Black Tea Three Cups; copyright reserved; please credit the source when reproducing: http://weibo.com/vinsoney)
    • Experimental test
Let's take a look at the router first:

    R2#show ipv6 interface brief
    FastEthernet0/0 [up/up]
    Tunnel0 [up/up]
        fe80::5efe:202:202
        2001:1111::5efe:202:202

Note that the link-local address here, fe80::5efe:202:202, is an ISATAP-format address: its last 64 bits consist of the 32 bits 0000:5efe followed by the 32-bit interface IPv4 address (here 2.2.2.2). The IPv6 global unicast address is also built from the 64-bit interface identifier; of course, you can also configure the IPv6 global unicast address manually without using the interface identifier.
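The address format from section II, applied to this lab's prefix and IPv4 addresses. This is an added example, not code from the original post; the function names are hypothetical, and the dotted rendering mirrors the notation Windows displays.

```python
import ipaddress

# The 32 reserved bits that start an ISATAP interface identifier.
IID_GLOBAL = bytes.fromhex("02005efe")   # seen on the Windows host in this page
IID_PRIVATE = bytes.fromhex("00005efe")  # seen on the Cisco router in this page


def isatap_address(prefix, ipv4, reserved=IID_PRIVATE):
    """Join a /64 prefix, the reserved 32 bits and the 32-bit IPv4 address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("an ISATAP address needs a /64 prefix")
    iid = reserved + ipaddress.IPv4Address(ipv4).packed
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def dotted(addr):
    """Render an ISATAP address the way Windows does; None if not ISATAP."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[8:12] not in (IID_GLOBAL, IID_PRIVATE):
        return None
    # Fill the IPv4 part with ff so '::' compression cannot swallow it.
    head = str(ipaddress.IPv6Address(raw[:12] + b"\xff" * 4))[:-9]
    return head + str(ipaddress.IPv4Address(raw[12:]))


def lab_addresses():
    """The four addresses of the lab on this page, built from its inputs."""
    return {
        "router link-local": isatap_address("fe80::/64", "2.2.2.2"),
        "router global": isatap_address("2001:1111::/64", "2.2.2.2"),
        "host link-local": isatap_address("fe80::/64", "1.1.1.1", IID_GLOBAL),
        "host global": isatap_address("2001:1111::/64", "1.1.1.1", IID_GLOBAL),
    }


if __name__ == "__main__":
    for name, addr in lab_addresses().items():
        print(f"{name:18} {addr}  =  {dotted(addr)}")
```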

Next, on the ISATAP host, we enter the following in cmd:

    netsh interface ipv6 isatap set router 2.2.2.2

The PC then starts sending RS messages.

In this RS, the ICMPv6 message is wrapped in an IPv6 header, and the IPv6 header is in turn wrapped in an IPv4 header. In the outer IPv4 header the source is 1.1.1.1 and the destination is 2.2.2.2. In the inner IPv6 header the source is the ISATAP address of the host and the destination is the link-local address of the ISATAP router. After the router receives the RS, it responds with an RA.

The RA that the router sends carries an ICMPv6 option containing the IPv6 prefix of the ISATAP router. The ISATAP host builds its IPv6 address from this prefix combined with its own interface identifier. The IPv6 address finally obtained by the PC is as follows:

    Tunnel adapter isatap.{0DB7233C-89B7-49DB-A8C0-D1AA005F4E6A}:
       Connection-specific DNS suffix . . : 
       IPv6 address . . . . . . . . . . . : 2001:1111::200:5efe:1.1.1.1
       Local link IPv6 address  . . . . . : fe80::200:5efe:1.1.1.1
       Default gateway  . . . . . . . . . : fe80::5efe:2.2.2.2

The PC first generates a 64-bit interface ID from its locally configured IPv4 address, 1.1.1.1.

This 64-bit interface ID, combined with the prefix of the IPv6 global unicast address obtained from the ISATAP router, 2001:1111::, as the first 64 bits, forms the PC's IPv6 global unicast address: 2001:1111::200:5efe:1.1.1.1. The same 64-bit interface ID, together with fe80::/10, forms the PC's link-local address: fe80::200:5efe:1.1.1.1. At the same time, the PC sets the link-local address of the ISATAP router, fe80::5efe:2.2.2.2, as its default gateway.

When the host communicates with other IPv6 hosts and forwards out of the tunnel interface, it extracts the IPv4 address from the next-hop IPv6 address of the packet and uses it as the destination address of the IPv4 encapsulation. If the destination host is within the site, the next hop is the destination host itself; if the destination host is not within the site, the next hop is the ISATAP router.

Finally, we do one more test: the ISATAP host pings 2008:8888::1.

This IPv6 packet destined for the loopback is wrapped by the ISATAP host in an IPv4 tunnel header and passed to the ISATAP router, which then performs the IPv6 forwarding.
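The encapsulation step described above, as an added example that is not part of the original post: the host derives the IPv4 tunnel destination from the next-hop IPv6 address and prepends an IPv4 header with protocol 41. The function names are hypothetical, the RS packet is constructed from this page's lab addresses, and the receiver-side comparison of outer and inner source is a sanity check assumed by this example for spotting spoofed tunnel traffic; nothing is sent on the network.

```python
import ipaddress
import struct

PROTO_IPV6 = 41  # IPv4 protocol number for an encapsulated IPv6 packet

def tunnel_endpoint(v6):
    """IPv4 address in the low 32 bits of an ISATAP address, else None."""
    raw = ipaddress.IPv6Address(v6).packed
    if raw[8] not in (0x00, 0x02) or raw[9:12] != b"\x00\x5e\xfe":
        return None
    return ipaddress.IPv4Address(raw[12:])

def checksum(data):
    """16-bit ones' complement checksum over an even number of bytes."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(inner, v4_src, next_hop):
    """Host side: prepend the IPv4 tunnel header for an ISATAP next hop."""
    dst = tunnel_endpoint(next_hop)
    if dst is None:
        raise ValueError("next hop is not an ISATAP address")
    src = ipaddress.IPv4Address(v4_src).packed
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0,
                       64, PROTO_IPV6, 0, src, dst.packed)
    return head[:10] + struct.pack("!H", checksum(head)) + head[12:] + inner

def outer_matches_inner(packet):
    """Receiver side: outer IPv4 source equals the IPv4 in the inner source."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if ihl < 20 or len(packet) < ihl + 40 or packet[9] != PROTO_IPV6:
        return False
    inner_src = ipaddress.IPv6Address(packet[ihl + 8:ihl + 24])
    return tunnel_endpoint(inner_src) == ipaddress.IPv4Address(packet[12:16])

def sample_rs():
    """Constructed Router Solicitation using the addresses from this page."""
    src = ipaddress.IPv6Address("fe80::200:5efe:1.1.1.1").packed
    dst = ipaddress.IPv6Address("fe80::5efe:2.2.2.2").packed
    icmp = struct.pack("!BBHI", 133, 0, 0, 0)  # type 133 = RS, checksum 0 for now
    pseudo = src + dst + struct.pack("!I3xB", len(icmp), 58)
    icmp = icmp[:2] + struct.pack("!H", checksum(pseudo + icmp)) + icmp[4:]
    return struct.pack("!IHBB", 6 << 28, len(icmp), 58, 255) + src + dst + icmp

if __name__ == "__main__":
    pkt = encapsulate(sample_rs(), "1.1.1.1", "fe80::5efe:2.2.2.2")
    print(pkt.hex(), outer_matches_inner(pkt))
```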
