How to use ISATAP on KAME

SUZUKI, Shinsuke at KAME Project

$Id: index.html,v 1.6 2005/02/08 06:40:32 suz Exp $

  1. IPR status
  2. Introduction
  3. What you need
  4. What you have to do for ISATAP host
  5. What you have to do for ISATAP router
  6. Confirmed configuration
  7. c.f.) how to enable ISATAP on Windows-XP

  1. IPR status

    SRI had claimed IPR on ISATAP, and because of that KAME stopped distributing its ISATAP implementation.

    However, the contact person for this IPR sent us an e-mail confirming that we may use ISATAP with no license from SRI. Hence, KAME decided to revive ISATAP in KAME SNAP. If you are going to use KAME's ISATAP in your product, please ask the SRI contact person for official permission yourself (you can find the contact point here). According to the SRI contact person, SRI will update the IPR claim in IETF to allow unrestricted use of ISATAP with no license.

  2. Introduction

    This document describes how to use ISATAP on KAME.

    ISATAP is an automatic tunneling technique especially suited to intranets. Its addressing architecture differs slightly from that of 6to4, a well-known automatic tunneling technique: in ISATAP, the IPv4 address is embedded in the lower 32 bits of the IPv6 address, which allows the use of link-local unicast addresses, as on normal physical interfaces.

            ISATAP client---(IPv4 only internet/intranet)---ISATAP routers--(IPv6 Internet)----
                           1. RS to all the ISATAP routers
                              by IPv4 unicast packet encapsulating IPv6 RS
                           2. RA to the ISATAP client
                              by an IPv4 unicast packet encapsulating IPv6 RA

    KAME's ISATAP implementation is based on draft-ietf-ngtrans-isatap-08.txt, but can accept Router Solicitation from older draft implementations (e.g. Windows-XP) using ff02::2 to solicit RA.
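
    The address layout described above, as an added example (not KAME code; the function names are hypothetical): it builds the ISATAP link-local address for an IPv4 address and recovers the embedded IPv4 address from an ISATAP address seen in a log or in ipconfig output. It only handles addresses written with "::5efe:" as on this page, and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not KAME code; all function names are hypothetical.

# Succeed only for a dotted quad with four octets in 0-255 and no
# leading zeros (some parsers read "010" as octal).
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the ISATAP link-local address for an IPv4 address, with the
# low 32 bits written in hex instead of dotted notation.
isatap_linklocal() {
    valid_ipv4 "$1" || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf 'fe80::5efe:%02x%02x:%02x%02x\n' "$1" "$2" "$3" "$4"
}

# Print the IPv4 address embedded in an address written as
# <prefix>::5efe:<low 32 bits>, in dotted or hex form; fail otherwise.
isatap_embedded_ipv4() {
    addr=$(printf '%s' "${1%%%*}" | tr 'A-F' 'a-f')   # drop zone id (%2)
    case "$addr" in *::5efe:*) tail=${addr#*::5efe:} ;; *) return 1 ;; esac
    case "$tail" in
        *.*) valid_ipv4 "$tail" || return 1
             printf '%s\n' "$tail" ;;
        *:*) hi=${tail%%:*}; lo=${tail#*:}
             case "$hi" in ''|?????*|*[!0-9a-f]*) return 1 ;; esac
             case "$lo" in ''|?????*|*[!0-9a-f]*) return 1 ;; esac
             hi=$((0x$hi)); lo=$((0x$lo))
             printf '%d.%d.%d.%d\n' $((hi >> 8)) $((hi & 255)) \
                 $((lo >> 8)) $((lo & 255)) ;;
        *) return 1 ;;
    esac
}

# Constructed sample addresses (192.0.2.1 is a documentation address).
isatap_linklocal 192.0.2.1
isatap_embedded_ipv4 'fe80::5efe:192.0.2.1%2'
isatap_embedded_ipv4 '3ffe:ffff:ffff:ffff::5efe:c000:201'
```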

  3. What you need

    • KAME-snap after Dec 1, 2004
      • kernel built with "pseudo-device ist" configuration (for ISATAP router/host)
      • ifconfig in this package (for ISATAP router/host)
      • rtadvd in this package (for ISATAP router)
      • rtsold in this package (for ISATAP host)
    • IPv4 address (for ISATAP router/host)
      • It may be a private address, if ISATAP router and host can communicate without NAT in between.
    • a /64 IPv6 non-linklocal prefix (only for ISATAP router)
      • it is distributed to ISATAP hosts by RA.
    • External IPv6 connectivity (only for ISATAP router)
      • of course :-)

                                   ISATAP router   ISATAP host
    KAME snap kernel                     x              x
    KAME snap ifconfig                   x              x
    KAME snap rtadvd                     x              -
    KAME snap rtsold                     -              x
    IPv4 address                         x              x
    /64 IPv6 prefix                      x              -
    External IPv6 connectivity           x              -

  4. What you have to do for ISATAP host
    1. configure ISATAP linklocal address using your IPv4 address.

      If you have, then use the following command.

      # /usr/local/v6/sbin/ifconfig ist0 inet6 fe80::5efe: prefixlen 64

    2. define ISATAP router's IPv4 address.

      If it's statically defined as "", then use the following command to configure it.

      # /usr/local/v6/sbin/ifconfig ist0 isataprtr

      If it's defined as "isatap.appropriate-domain", then execute the following shell script periodically (every 1 hour according to draft-ietf-ngtrans-isatap-08.txt) by cron or shell-script to dynamically update ISATAP router info.

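      #!/bin/sh
      #user configuration
      prlname=isatap             # host part of "isatap.appropriate-domain"
      domain=appropriate-domain  # replace with your own domain
      dig=/usr/local/bin/dig  # BIND9's dig
      ifconfig=/usr/local/v6/sbin/ifconfig     # KAME's ifconfig

      #internal variables; don't edit
      curprl=
      # keep only answers made of digits and dots, so that nothing else from
      # the DNS reply reaches grep or ifconfig below
      newprl=`${dig} +short +domain=$domain +search $prlname a | grep '^[0-9.]*$'`
      oldprl=`${ifconfig} ist0 | grep isataprtr | awk '{print $2}'`

      for r in $newprl; do
          # case 1. has already appeared in the new list (i.e. already exists
          #         in the current list) -> do nothing
          # (-Fw: match the whole address literally, not as a regex substring)
          found=`echo "find-isataprrtr $curprl" | grep -Fw -- "$r"`
          if [ "X$found" != X ]; then
              continue
          fi
          # case 2. already exists in the old list -> update the old list
          found=`echo "find-isataprrtr $oldprl" | grep -Fw -- "$r"`
          if [ "X$found" != X ]; then
              oldprl=`for o in $oldprl; do [ "$o" = "$r" ] || echo "$o"; done`
              continue
          fi
          # case 3. otherwise -> write down the new isataprtr and update
          #         the old list and the current list.
          ${ifconfig} ist0 isataprtr $r
          curprl="$r $curprl"
          oldprl=`for o in $oldprl; do [ "$o" = "$r" ] || echo "$o"; done`
      done

      # whatever is left in the old list is no longer in DNS -> delete it
      for r in $oldprl; do
          ${ifconfig} ist0 deleteisataprtr $r
      done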

    3. Solicit RA periodically.

      # /usr/local/v6/sbin/rtsold ist0

      Note that "rtsol" is not enough: the obtained prefix will soon expire, because an ISATAP router can only send solicited RAs.

  5. What you have to do for ISATAP router
    1. configure a linklocal address on ISATAP interface using your IPv4 address.
      	# /usr/local/v6/sbin/ifconfig ist0 inet6 fe80::5efe: prefixlen 64
    2. configure one or multiple non-linklocal addresses as necessary.
      Please embed the same IPv4 address as in the linklocal address.
      	# /usr/local/v6/sbin/ifconfig ist0 inet6 3ffe:ffff:ffff:ffff::5efe: prefixlen 64 alias
    3. Advertise the non-linklocal prefixes by RA
      	# /usr/local/v6/sbin/rtadvd ist0

  6. What is confirmed

    The following configurations have been confirmed to work.
    • ISATAP router=KAME-FreeBSD4, ISATAP host=Windows-XP
    • ISATAP router=KAME-FreeBSD4, ISATAP host=KAME-FreeBSD4
    • ISATAP router=KAME-FreeBSD4, ISATAP host=KAME-NetBSD
    • ISATAP router=KAME-FreeBSD4, ISATAP host=KAME-OpenBSD
    • ISATAP router=KAME-FreeBSD4, ISATAP host=Linux(USAGI)
    • ISATAP router=KAME-NetBSD, ISATAP host=KAME-FreeBSD4
    • ISATAP router=IX5003(NEC), ISATAP host=KAME-FreeBSD4

  7. c.f.) how to enable ISATAP on Windows-XP
    1. Register a DNS A-record "isatap" in your DNS server, so that you can ping (IPv4) your ISATAP router using the hostname "isatap".

      If that is not possible, run the following command from a cmd.exe console.

      	 c:\> netsh interface ipv6 isatap set router (ISATAP router's address)

    2. That's all, if your ISATAP router is properly configured :-) You can confirm it using the following command:

      	 c:\> ipconfig
      	 Tunnel adapter Automatic Tunneling Pseudo-Interface:
      	 Connection-specific DNS Suffix . : (blank)
      	 IP Address . . . . . . . . . . . : fe80::5efe:x.x.x.x%2
      	 IP Address . . . . . . . . . . . : (some global prefix)::5efe:x.x.x.x
      	 Default Gateway  . . . . . . . . : fe80::5efe:y.y.y.y%2