Learning ISATAP – Part 1 – Overview

IPv6 Transition technologies are pretty cool, now that I understand them. It took a _long_ time for me to wrap my head around ISATAP. Like everything else though, it’s a pretty simple concept once you understand what’s going on.

What Is ISATAP and why do I care?

When implementing IPv6, you will sometimes have routers or network links which don’t support IPv6. This can be a real problem when rolling out an IPv6-based service (say…DirectAccess). This is where IPv6 transition technologies come into play. They try to bridge these ‘gaps’ in your IPv6 roll-out.

There are three major IPv6 Transition Technologies

  1. 6to4 – works with public IPv4 addresses.
  2. Isatap – works with private IPv4 addresses.
  3. Teredo – works when both hosts are behind their own separate NAT.

OK, but what does it like…do?

On a high level, enabling ISATAP on a system gives the system a virtual interface with an IPv6 address. When an application on the system tries to send an IPv6 packet, the networking stack sends the packet to the ISATAP virtual interface. The ISATAP virtual interface then wraps the outgoing IPv6 packet in IPv4 headers, and sends it out via the ‘real’ IPv4 interface.

Similarly, if the system receives an IPv4 packet that looks like it has an IPv6 packet wrapped inside, the ‘real’ IPv4 interface on the system unpacks the IPv6 packet and forwards it to the ISATAP virtual interface. The ISATAP virtual interface then processes the IPv6 packet normally, and sends it on to any listening applications.

Sounds a bit complicated, right? But it lets your IPv4-only hosts communicate over IPv6.

OK, but I’m still not sure how it works…

Here’s some background on the magic of ISATAP.


ISATAP gives your systems an address that looks like the following:

(IPv6 Site Prefix) + 0:5efe: + (System IPv4 Address)

For example, here’s an example ISATAP IPv6 Address: fd1a:6cf8:7eeb:400:0:5efe:

You might also see the last 32 bits in hex format: fd1a:6cf8:7eeb:400:0:5efe:a0a:a02.

Now you might be asking, where do we get that “IPv6 Site Prefix”? Great question. You can either make one that’s ‘site-local’ (like private ipv4 address space), or you can request one from your ISP.

There’s a really important subtlety here to understand. ISATAP implementation in an organization is designed to take your entire IPv4 network, and make it one big IPv6 logical link. You don’t “subnet” ISATAP networks. By convention, all of your IPv4 becomes one large IPv6 subnet as far as ISATAP is concerned. This isn’t a big deal for two reasons. First, ISATAP doesn’t support multicast. Second, all of your IPv4 firewall and routing rules still apply since ISATAP is 100% dependent on IPv4. If you are sitting on a workstation named ‘ClientA’, and you are prevented from pinging a host named “ClientB” at it’s IPv4 address, you will also be prevented from pinging ClientB on it’s ISATAP address.

The cool part of this is that, once configured, ISATAP host-to-host communication is not directly dependent on an ISATAP router.

You’ll notice that the last 32-bits of an ISATAP address represent the actual IPv4 address of your ISATAP host. This is how all of the ISATAP adapters across your organization will function. They key part to understand is that the prefix for your entire organization is going to be the same for all ISATAP addresses.

ISATAP Routing

You might be asking: if ISATAP communication between hosts doesn’t need an ISATAP router, what is an ISATAP router used for? Two things:

  1. Publishing a prefix for ISATAP IPv6 auto-addressing.
  2. Routing from an ISATAP network to native IPv6 networks.

Finding the Router

When a host auto-configures it’s ISATAP address, it first contacts the ISATAP router to learn it’s prefix. Normally, a native IPv6 interface does this also by listening to Router Advertisements, or sending out an ICMP6 ‘Router Solicitation’ packet. Since the IPv4 routers would not be sending out RA’s, and ISATAP doesn’t support broadcasts, we need another way to find the ISATAP router. Windows uses DNS to accomplish this.

Here’s the process:

  1. A windows host comes online.
  2. It tries to lookup the address ISATAP.[dns-suffix].
  3. If a lookup succeeds, the ISATAP router is contacted and the interface is configured. Otherwise, the ISATAP virtual interface is set to ‘Media Disconnected’.

ISATAP-to-Native Communication

When an ISATAP host wants to communicate with another host on the ISATAP logical link, the IPv4 infrastructure handles everything. However, when an ISATAP host wants to communicate with a native IPv6 host, it needs to contact the ISATAP router. The ISATAP router takes the wrapped IPv4 packet, extracts the IPv6 packet, then sends the packet through it’s native IPv6 interface (and vice-versa).

In my next post, I’ll cover configuring a semi-complex IPv4 network. In my third post, we’ll enable ISATAP routing together.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s