Abstract
The Microsoft Windows .NET Server family and Windows XP with Service Pack 1 include a supported version of the new IP version 6 (IPv6) protocol. This article describes five IPv6 configurations and gives instructions on how to create an IPv6 test lab, so that application developers can test their modified applications with a supported protocol suite and Windows networking professionals can begin learning and experimenting with IPv6 before deploying it in their organizations.
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2002 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Introduction
Single Subnet with Link-local Addresses
    Testing Connectivity Between Two Link-local Hosts
    Using the Zone ID
Using IPSec Between Two Local Link Hosts
    Table 1 Security Policy Entry for Host 1
    Table 2 First Security Association Entry for Host 1
    Table 3 Second Security Association Entry for Host 1
    Table 4 Security Policy Entry for Host 2
    Table 5 First Security Association Entry for Host 2
    Table 6 Second Security Association Entry for Host 2
IPv6 Traffic Between Nodes on Different Subnets of an IPv6 Internetwork
IPv6 Traffic Across an IPv4 Intranet
    Table 7 Example ISATAP Addresses
    Using an ISATAP Router
        Resolving the ISATAP Name
        Using the netsh interface ipv6 isatap set router Command
IPv6 Traffic Across the IPv4 Internet
Setting up an IPv6 Test Lab
    Setting Up the Infrastructure
        DNS1
        CLIENT1
        ROUTER1
        ROUTER2
        CLIENT2
    IPv6 Test Lab Tasks
        Link-local ping
        Creating a static routing infrastructure
        Using name resolution
Introduction
IP version 6 (IPv6) is a suite of standard protocols that is the next generation of network layer protocols for the Internet. The current version of the Internet Protocol (known as IP version 4 or IPv4) has not been substantially changed since RFC 791 was published in 1981. IPv4 has proven to be robust, easily implemented and interoperable, and has stood the test of scaling an internetwork to a global utility the size of today's Internet. However, the initial design of IPv4 did not anticipate:
- The recent exponential growth of the Internet and the impending exhaustion of the IPv4 address space.
- Internet growth and the ability of Internet backbone routers to maintain large routing tables.
- The need for simpler configuration.
- The requirement for security at the IP level.
- The need for better support for real-time delivery of data (also known as quality of service).
To address these concerns, the Internet Engineering Task Force (IETF) has developed a suite of protocols and standards known as IP version 6 (IPv6). This new version, previously named IP-The Next Generation (IPng), incorporates the concepts of many proposed methods for updating the IPv4 protocol. IPv6 is intentionally designed for minimal impact on upper and lower layer protocols by avoiding the arbitrary addition of new features. In order to justify the deployment of IPv6, it must be used by applications. Applications must be modified to use new Windows Sockets application programming interfaces (APIs) that are IP version independent: the same API function is used for IPv4 or IPv6, and the result of the API call depends on the installed protocols and the available addresses. For more information about modifying applications to work over IPv4 and IPv6, see the white paper titled "Adding IPv6 Capability to Windows Sockets Applications" and the Microsoft IPv6 Web site at http://www.microsoft.com/ipv6. The Windows .NET Server 2003 family and Windows XP with Service Pack 1 (SP1) include a supported IPv6 protocol suite with a number of features that allow you to set up and test IPv6 functionality either using native IPv6 packets or by sending IPv6 packets over an IPv4 routing infrastructure. Separate sections of this article describe the following configurations:
- Single subnet with link-local addresses.
- Using IPSec between two local link hosts.
- IPv6 traffic between nodes on different subnets of an IPv6 internetwork.
- IPv6 traffic across an IPv4 intranet.
- IPv6 traffic across the IPv4 Internet.
Additionally, this article contains instructions on how to use five computers to create a working IPv6 test lab network. Note: This article assumes familiarity with IPv6 concepts, protocols, and addressing. For information, see the white paper titled
IPv6 Configurations and Test Lab
Figure 1: Two nodes on a single subnet using link-local addresses

By default, the IPv6 protocol for the Windows .NET Server 2003 family and Windows XP automatically configures link-local addresses for each interface that corresponds to installed Ethernet network adapters. Link-local addresses have the prefix of FE80::/64. The last 64 bits of the IPv6 address are known as the interface identifier. It is derived from the 48-bit MAC address of the network adapter. To create the IPv6 interface identifier from the 48-bit (6-byte) Ethernet MAC address:
- The hexadecimal digits 0xFFFE are inserted between the third and fourth bytes of the MAC address.
- The Universal/Local bit (the second low-order bit of the first byte of the MAC address) is complemented. If it is a 1, it is set to 0; and if it is a 0, it is set to 1.
For example, for the MAC address of 00-60-08-52-F9-D8:
- The hexadecimal digits 0xFFFE are inserted between 0x08 (the third byte) and 0x52 (the fourth byte) of the MAC address, forming the 64-bit address of 00-60-08-FF-FE-52-F9-D8.
- The Universal/Local bit, the second low-order bit of 0x00 (the first byte) of the MAC address, is complemented. The second low-order bit of 0x00 is 0 which, when complemented, becomes 1. The result is that for the first byte, 0x00 becomes 0x02.
As a result, the IPv6 interface identifier that corresponds to the Ethernet MAC address of 00-60-08-52-F9-D8 is 02-60-08-FF-FE-52-F9-D8. The link-local address of a node is the combination of the prefix FE80::/64 and the 64-bit interface identifier expressed in colon-hexadecimal notation. As a result, the link-local address of this example node, with the prefix of FE80::/64 and the interface identifier 02-60-08-FF-FE-52-F9-D8, is FE80::260:8FF:FE52:F9D8. You can view your link-local address by using the netsh interface ipv6 show address command, as demonstrated in the following example output:
Interface 3: Local Area Connection
Addr Type  DAD State  Valid Life  Pref. Life  Address
---------  ---------  ----------  ----------  --------------------------
Link       Preferred  infinite    infinite    fe80::204:5aff:fe56:1006

Interface 2: Automatic Tunneling Pseudo-Interface
Addr Type  DAD State  Valid Life  Pref. Life  Address
---------  ---------  ----------  ----------  --------------------------
Link       Preferred  infinite    infinite    fe80::5efe:10.60.137.151

Interface 1: Loopback Pseudo-Interface
Addr Type  DAD State  Valid Life  Pref. Life  Address
---------  ---------  ----------  ----------  --------------------------
Loopback   Preferred  infinite    infinite    ::1
Link       Preferred  infinite    infinite    fe80::1
Local Area Connection is an interface that corresponds to an installed Ethernet adapter with a link-local address of FE80::204:5AFF:FE56:FA4. The IPv6 protocol for the Windows .NET Server 2003 family and Windows XP identifies an interface with either a name or an interface index, which is a number assigned to an interface by the IPv6 protocol. In the display of the netsh interface ipv6 show address command, the interface index is the number after "Interface." For example, in the previous display, the interface index of the Local Area Connection interface is 3.
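The interface identifier derivation described above, as an added Python example that is not code from the Microsoft paper; it also runs the derivation in reverse, recovering the MAC address embedded in a link-local address, which is why EUI-64 addresses reveal the adapter (and its vendor prefix) to anyone who sees the packet. Only the standard library is used.

```python
# Added example (not from the Microsoft paper): derive the modified EUI-64
# interface identifier and link-local address from an Ethernet MAC address,
# and recover the MAC address from such an address.
import ipaddress
import re

LINK_LOCAL_PREFIX = 0xFE80 << 112   # FE80::/64, the link-local prefix


def mac_to_bytes(mac: str) -> bytes:
    """Parse a MAC written as 00-60-08-52-F9-D8 or 00:60:08:52:f9:d8."""
    digits = re.sub(r"[-:]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def mac_to_interface_id(mac: str) -> bytes:
    """Modified EUI-64: insert FF-FE after the third byte, then complement
    the Universal/Local bit (bit value 0x02 of the first byte)."""
    m = mac_to_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def interface_id_to_str(iid: bytes) -> str:
    """Hyphen-separated hex, the notation the paper uses for identifiers."""
    return "-".join(f"{b:02X}" for b in iid)


def link_local_from_mac(mac: str) -> str:
    """FE80::/64 plus the interface identifier, in compressed colon-hex form."""
    iid = int.from_bytes(mac_to_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(LINK_LOCAL_PREFIX | iid))


def mac_from_eui64_address(address: str):
    """Inverse: the MAC encoded in an EUI-64-based address, or None when the
    low 64 bits do not carry the FF-FE marker (e.g. an ISATAP address)."""
    iid = int(ipaddress.IPv6Address(address)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytearray(iid[:3] + iid[5:])
    m[0] ^= 0x02   # restore the original U/L bit
    return "-".join(f"{b:02X}" for b in m)


if __name__ == "__main__":
    # Constructed input: the MAC address used in the paper's worked example.
    mac = "00-60-08-52-F9-D8"
    print(interface_id_to_str(mac_to_interface_id(mac)))  # 02-60-08-FF-FE-52-F9-D8
    print(link_local_from_mac(mac))                        # fe80::260:8ff:fe52:f9d8
    print(mac_from_eui64_address("fe80::204:5aff:fe56:1006"))  # 00-04-5A-56-10-06
```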
(Host A and Host B) that are on the same link. For the Windows .NET Server 2003 family and for Windows XP with SP1, you can also add the IPv6 protocol using Network Connections.
2. Use netsh interface ipv6 show address on Host A to obtain the link-local address and the interface index for the interface named Local Area Connection. For example, the link-local address of Host A is FE80::210:5AFF:FEAA:20A2 and the interface index of the named Local Area Connection is 4.
3. Use netsh interface ipv6 show address on Host B to obtain the link-local address and the interface index for the interface named Local Area Connection. For example, the link-local address of Host B is FE80::260:97FF:FE02:6EA5 and the interface index for the named Local Area Connection is 5.
4. From Host A, use Ping.exe to ping Host B using the interface index of Host A's Local Area Connection interface. For example, to ping Host B using our example addresses and interface index, the command is ping fe80::260:97ff:fe02:6ea5%4.

Note: The use of lowercase alphabetic characters for IPv6 addresses and prefixes in Netsh and other commands in this document is by convention only. You can use either upper or lower case.

Note: The ping command for the IPv6 protocol for Windows XP (prior to Service Pack 1) does not support IPv6 addresses. Use the
1. On Host 1, use the ipsec6 s command to create blank security association (.sad) and security policy (.spd) files. In this example, the Ipsec6.exe command is ipsec6 s test. This creates two files with blank entries for manually configuring security associations (Test.sad) and security policies (Test.spd).
2. On Host 1, edit the .spd file, adding a security policy that secures all traffic between Host 1 and Host 2.
Table 1 shows the security policy entry that is added to Test.spd before the first entry (the first entry in Test.spd is not modified).

Table 1 Security Policy Entry for Host 1

.spd file field name   Example value
Policy                 2
RemoteIPAddr           - FE80::2AA:FF:FE92:D0F1
LocalIPAddr            -*
Protocol               -*
RemotePort             -*
LocalPort              -*
IPSecProtocol          AH
IPSecMode              TRANSPORT
RemoteGWIPAddr         *
SABundleIndex          NONE
Direction              BIDIRECT
Action                 APPLY
InterfaceIndex         0
Type a semicolon at the end of the entry configuring this security policy. Policy entries must be placed in decreasing numerical order.
3. On Host 1, edit the .sad file, adding SA entries to secure all traffic between Host 1 and Host 2. Two security associations must be created, one for traffic to Host 2 and one for traffic from Host 2. Table 2 shows the first SA entry that is added to Test.sad (for traffic to Host 2).

Table 2 First Security Association Entry for Host 1

.sad file field name   Example value
SAEntry                2
SPI                    3001
SADestIPAddr           FE80::2AA:FF:FE92:D0F1
DestIPAddr             POLICY
SrcIPAddr              POLICY
Protocol               POLICY
DestPort               POLICY
SrcPort                POLICY
AuthAlg                HMAC-MD5
KeyFile                Test.key
Direction              OUTBOUND
SecPolicyIndex         2
Type a semicolon at the end of the entry configuring this SA. Table 3 shows the second SA entry that is added to Test.sad (for traffic from Host 2).

Table 3 Second Security Association Entry for Host 1

.sad file field name   Example value
SAEntry                1
SPI                    3000
SADestIPAddr           FE80::2AA:FF:FE53:A92C
DestIPAddr             POLICY
SrcIPAddr              POLICY
Protocol               POLICY
DestPort               POLICY
SrcPort                POLICY
AuthAlg                HMAC-MD5
KeyFile                Test.key
Direction              INBOUND
SecPolicyIndex         2
Type a semicolon at the end of the entry configuring this SA. SA entries must be placed in decreasing numerical order.
4. On Host 1, create a file that contains data used to create and validate the Message Digest 5 (MD5) keyed hash on each IPSec-protected packet that is exchanged with Host 2. In this example, a text file is used. Test.key is created with the contents "This is a test." with no extra characters, spaces, or lines. The IPv6 protocol for the Windows .NET Server 2003 family and Windows XP supports only manually configured keys for quick mode SAs (also known as IPSec or Phase II SAs), because main mode negotiation through Internet Key Exchange (IKE) is not performed. Manual keys are configured by creating files that contain either the text or binary data of the manual key. In this example, the same key for the SAs is used in both directions. You can use different keys for inbound and outbound SAs by creating different key files and referencing them with the KeyFile field in the .sad file.
5. On Host 2, use the ipsec6 s command to create blank security association (.sad) and security policy (.spd) files. In this example, the Ipsec6.exe command is ipsec6 s test. This creates two files with blank entries for manually configuring security associations (Test.sad) and security policies (Test.spd). To simplify the example, the same file names for the .sad and .spd files are used on Host 2. You can choose to use different file names on each host.
6. On Host 2, edit the .spd file, adding a security policy that secures all traffic between Host 2 and Host 1.
Table 4 shows the security policy entry that is added to Test.spd before the first entry (the first entry in Test.spd is not modified).

Table 4 Security Policy Entry for Host 2

.spd file field name   Example value
Policy                 2
RemoteIPAddr           - FE80::2AA:FF:FE53:A92C
LocalIPAddr            -*
Protocol               -*
RemotePort             -*
LocalPort              -*
IPSecProtocol          AH
IPSecMode              TRANSPORT
RemoteGWIPAddr         *
SABundleIndex          NONE
Direction              BIDIRECT
Action                 APPLY
InterfaceIndex         0
Type a semicolon at the end of the entry configuring this security policy. Policy entries must be placed in decreasing numerical order.
7. On Host 2, edit the .sad file, adding SA entries to secure all traffic between Host 2 and Host 1. Two security associations must be created: one for traffic to Host 1 and one for traffic from Host 1. Table 5 shows the first SA entry that is added to Test.sad (for traffic to Host 1).

Table 5 First Security Association Entry for Host 2

.sad file field name   Example value
SAEntry
SPI
SADestIPAddr
DestIPAddr
SrcIPAddr
Protocol
DestPort
SrcPort
AuthAlg
KeyFile
Direction
SecPolicyIndex
Type a semicolon at the end of the entry configuring this SA. Table 6 shows the second SA entry that is added to Test.sad (for traffic from Host 1).

Table 6 Second Security Association Entry for Host 2

.sad file field name   Example value
SAEntry                1
SPI                    3001
SADestIPAddr           FE80::2AA:FF:FE92:D0F1
DestIPAddr             POLICY
SrcIPAddr              POLICY
Protocol               POLICY
DestPort               POLICY
SrcPort                POLICY
AuthAlg                HMAC-MD5
KeyFile                Test.key
Direction              INBOUND
SecPolicyIndex         2
Type a semicolon at the end of the entry configuring this SA. SA entries must be placed in decreasing numerical order.
8. On Host 2, create a text file that contains a text string that is used to authenticate the SAs created with Host 1. In this example, Test.key is created with the contents "This is a test." with no extra characters, spaces, or lines.
9. On Host 1, use the ipsec6 l command to add the configured security policies and SAs from the .spd and .sad files. In this example, the ipsec6 l test command is run on Host 1.
10. On Host 2, use the ipsec6 l command to add the configured security policies and SAs from the .spd and .sad files. In this example, the ipsec6 l test command is run on Host 2.
11. On Host 2, use the ping command to ping Host 1.
If you use Network Monitor to capture the traffic, you should see the exchange of ICMPv6 Echo Request and Echo Reply messages, with an Authentication Header (AH) between the IPv6 header and the ICMPv6 header. To remove the IPSec settings for this example, type the following commands on both Host 1 and Host 2:

ipsec6 d sp 2
ipsec6 d sa 1
ipsec6 d sa 2
Figure 2: Two hosts on separate network segments connected by a router

By default, the IPv6 protocol for the Windows .NET Server 2003 family and Windows XP configures link-local IP addresses for each LAN interface that corresponds to Ethernet or FDDI network adapters. Link-local addresses have the prefix of FE80::/64. The last 64 bits of the IPv6 address are the interface identifier, as derived from the 48-bit MAC address of the network adapter. With link-local addresses, Host A and Host B can communicate with the router computer, but not with each other. In this configuration, the router advertises additional site-local prefixes. The site-local prefixes are used by Host A and Host B to automatically configure site-local addresses that are derived from the 48-bit MAC address of the network adapter. After Host A and Host B have site-local addresses, they can communicate with each other. On the router computer, type the netsh interface ipv6 show interface command to obtain the interface names and index numbers of the two network adapters. Subnet 1 is the network segment to which Host A is attached. Subnet 2 is the network segment to which Host B is attached. After you have obtained the names and interface index numbers, type the following commands on the router computer:

netsh interface ipv6 set interface Subnet1InterfaceNameOrIndex forwarding=enabled advertise=enabled
netsh interface ipv6 set interface Subnet2InterfaceNameOrIndex forwarding=enabled advertise=enabled
netsh interface ipv6 add route fec0:0:0:1::/64 Subnet1InterfaceNameOrIndex publish=yes
netsh interface ipv6 add route fec0:0:0:2::/64 Subnet2InterfaceNameOrIndex publish=yes
where:
- Subnet1InterfaceNameOrIndex is either the name or interface index of the router computer's network adapter that is attached to Subnet 1.
- Subnet2InterfaceNameOrIndex is either the name or interface index of the router computer's network adapter that is attached to Subnet 2.

For example, if the names of the interfaces attached to Subnet 1 and Subnet 2 are "Local Area Connection" and "Local Area Connection 2" respectively, the commands are:

netsh interface ipv6 set interface "Local Area Connection" forwarding=enabled advertise=enabled
netsh interface ipv6 set interface "Local Area Connection 2" forwarding=enabled advertise=enabled
netsh interface ipv6 add route fec0:0:0:1::/64 "Local Area Connection" publish=yes
netsh interface ipv6 add route fec0:0:0:2::/64 "Local Area Connection 2" publish=yes

You should wait about 30 seconds for the router computer to advertise new site-local prefixes on Subnets 1 and 2, and for Hosts A and B to automatically configure site-local addresses based on these prefixes. On Host A, type the netsh interface ipv6 show interface command to check for a new IPv6 address for the Ethernet adapter that is based on the site-local prefix of FEC0:0:0:1::/64. On Host B, type the netsh interface ipv6 show interface command to check for a new IPv6 address for the Ethernet adapter that is based on the site-local prefix of FEC0:0:0:2::/64. On Host A, use the ping command and the site-local address of Host B to ping Host B. For example, if the Host B site-local address is FEC0::2:260:97FF:FE02:6EA5, the command is ping fec0::2:260:97ff:fe02:6ea5.
The ISATAP interface ID can be combined with any 64-bit prefix that is valid for IPv6 unicast addresses. This includes the link-local address prefix (FE80::/64), site-local prefixes, and global prefixes (including 6to4 prefixes). ISATAP addresses contain an embedded IPv4 address that is used to determine either source or destination IPv4 addresses within the IPv4 header when ISATAP-addressed IPv6 traffic is tunneled across an IPv4 network. By default, the IPv6 protocol for the Windows .NET Server 2003 family and Windows XP automatically configures an ISATAP address of FE80::5EFE:w.x.y.z on the Automatic Tunneling Pseudo-Interface (interface index 2) for each IPv4 address that is assigned to the node. This link-local ISATAP address allows two hosts to communicate over an IPv4 network by using each other's link-local ISATAP address. For an example, see the example output of the netsh interface ipv6 show address command in "Single subnet with link-local addresses" in this article. For example, Host A is configured with the IPv4 address of 10.40.1.29 and Host B is configured with the IPv4 address of 192.168.41.30. When the IPv6 protocol for the Windows .NET Server 2003 family and Windows XP is started, Host A is automatically configured with the ISATAP address of FE80::5EFE:10.40.1.29 and Host B is automatically configured with the ISATAP address of FE80::5EFE:192.168.41.30. When Host A sends IPv6 traffic to Host B by using Host B's ISATAP address, the source and destination addresses for the IPv4 and IPv6 headers are listed in Table 7.

Table 7 Example ISATAP Addresses

Field
IPv6 Source Address
IPv6 Destination Address
IPv4 Source Address
IPv4 Destination Address
To test connectivity, use the ping command. For example, Host A would use the following command to ping Host B by using its link-local ISATAP address: ping fe80::5efe:192.168.41.30%2 Because the destination of the ping command is a link-local address, the %ZoneID portion of the command is used to specify the interface index of the link from which traffic is sent. In this case, %2 specifies link 2, which is the link ID assigned to the Automatic Tunneling Pseudo-Interface on Host A.
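The link-local ISATAP addressing and the Table 7 header mapping described above, as an added Python example that is not part of the Microsoft paper. It goes one step beyond the text by also accepting the 0200:5EFE form of the identifier (the U/L bit set, as ISATAP defines for public IPv4 addresses), which the paper does not mention.

```python
# Added example (not from the Microsoft paper): build and decode link-local
# ISATAP addresses of the form FE80::5EFE:w.x.y.z and derive the outer IPv4
# header endpoints for one tunneled packet between two ISATAP hosts.
import ipaddress

ISATAP_MARKER = 0x00005EFE            # bits 32..63 of the interface identifier
ISATAP_MARKER_UNIVERSAL = 0x02005EFE  # same marker with the U/L bit set (RFC 5214)


def isatap_link_local(ipv4: str) -> str:
    """FE80::5EFE:w.x.y.z for the given IPv4 address, written in the dotted
    form the paper uses (it is still a valid IPv6 literal)."""
    v4 = ipaddress.IPv4Address(ipv4)   # validates the input
    return f"fe80::5efe:{v4}"


def embedded_ipv4(ipv6: str):
    """The IPv4 address carried in an ISATAP address, or None when the
    interface identifier does not carry the 5EFE marker."""
    value = int(ipaddress.IPv6Address(ipv6))
    marker = (value >> 32) & 0xFFFFFFFF
    if marker not in (ISATAP_MARKER, ISATAP_MARKER_UNIVERSAL):
        return None
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def tunnel_headers(src_ipv6: str, dst_ipv6: str) -> dict:
    """Source and destination fields of the inner IPv6 header and the outer
    IPv4 header when an ISATAP host tunnels a packet (the Table 7 fields)."""
    src_v4 = embedded_ipv4(src_ipv6)
    dst_v4 = embedded_ipv4(dst_ipv6)
    if src_v4 is None or dst_v4 is None:
        raise ValueError("both endpoints must be ISATAP addresses")
    return {
        "IPv6 Source Address": src_ipv6,
        "IPv6 Destination Address": dst_ipv6,
        "IPv4 Source Address": src_v4,
        "IPv4 Destination Address": dst_v4,
    }


if __name__ == "__main__":
    # Constructed from the paper's example hosts (10.40.1.29 and 192.168.41.30).
    host_a = isatap_link_local("10.40.1.29")
    host_b = isatap_link_local("192.168.41.30")
    for field, value in tunnel_headers(host_a, host_b).items():
        print(f"{field:26} {value}")
```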
When an ISATAP host receives a router advertisement from an ISATAP router that is acting as a default router, a default route (::/0) is added using the Automatic Tunneling Pseudo-Interface and with next-hop address set to the link-local ISATAP address that corresponds to the logical subnet interface of the ISATAP router. When packets destined to locations outside the logical subnet are sent, they are tunneled to the IPv4 address of the ISATAP router corresponding to the ISATAP router's interface on the logical IPv6 subnet defined by the IPv4 intranet containing the ISATAP router and ISATAP host. The ISATAP router then forwards the IPv6 packet. For the IPv6 protocol for the Windows .NET Server 2003 family and Windows XP with SP1, the configuration of the intranet IPv4 address of the ISATAP router is obtained through either of the following:
- The successful resolution of the name "ISATAP" to an IPv4 address.
- The netsh interface ipv6 isatap set router command.
Note: The IPv6 protocol for Windows XP (prior to Service Pack 1) attempts to resolve the name "_ISATAP", rather than "ISATAP".

Resolving the ISATAP Name

When the IPv6 protocol for the Windows .NET Server 2003 family and Windows XP with SP1 starts, it attempts to resolve the name ISATAP to an IPv4 address using normal TCP/IP host and NetBIOS name resolution techniques. If successful, the host sends an IPv4-encapsulated Router Solicitation message to the ISATAP router. The ISATAP router responds with an IPv4-encapsulated unicast Router Advertisement message advertising itself as a default router and containing prefixes to use for autoconfiguration of ISATAP-based addresses. To ensure that the resolution of ISATAP is successful, you can do one of the following:
- If the ISATAP router is a computer running a member of the Windows .NET Server 2003 family or Windows XP, name the computer ISATAP and it will automatically attempt to register the appropriate records in DNS (provided DNS dynamic update is enabled on the DNS server of the ISATAP router) and WINS.
- Manually create an ISATAP address (A) record in the appropriate domain in DNS. For example, for the example.com domain, create an A record for isatap.example.com.
- Manually create a static WINS record in WINS for the NetBIOS name "ISATAP <00>".
- Add the following entry to the Hosts file of the computers that need to resolve the name ISATAP:
  IPv4Address ISATAP
- Add the following entry to the Lmhosts file of the computers that need to resolve the name ISATAP:
  IPv4Address ISATAP
Using the netsh interface ipv6 isatap set router Command

Although the automatic resolution of the ISATAP name is the recommended method for determining the IPv4 address of the ISATAP router, you can perform manual configuration with the netsh interface ipv6 isatap set router command. The syntax of this command is:

netsh interface ipv6 isatap set router RouterNameOrAddress

where RouterNameOrAddress is either a name that resolves to the IPv4 address of the ISATAP router's intranet interface or that IPv4 address itself. For example, if the ISATAP router's IPv4 address is 192.168.39.1, the command is:

netsh interface ipv6 isatap set router 192.168.39.1

Once configured, the host sends an IPv4-encapsulated Router Solicitation message to the ISATAP router. The ISATAP router responds with an IPv4-encapsulated unicast Router Advertisement message containing prefixes to use for autoconfiguration of ISATAP-based addresses. This additional configuration is only needed when there is no IPv6 router on the host's subnet.

Note: The IPv6 protocol for Windows XP (prior to Service Pack 1) does not support the netsh interface ipv6 isatap set router command. Use the ipv6 rlu command instead.
the destination site removes the IPv4 header and forwards the IPv6 packet to the appropriate 6to4 host by using the IPv6 routing infrastructure of the destination site. A 6to4 host can communicate with hosts on the IPv6 Internet. This type of communication occurs when a 6to4 host forwards IPv6 traffic that is destined for an IPv6 Internet host to the local site 6to4 router. The local site 6to4 router encapsulates the IPv6 traffic with an IPv4 header and sends it to a 6to4 relay router that is connected to both the IPv4 Internet and the IPv6 Internet. The 6to4 relay router removes the IPv4 header and forwards the IPv6 packet to the appropriate IPv6 Internet host by using the IPv6 routing infrastructure of the IPv6 Internet. All of these types of communication use IPv6 traffic without the requirement of obtaining either a direct connection to the IPv6 Internet or an IPv6 global address prefix from an Internet service provider (ISP). Figure 3 shows how 6to4 is used to communicate between 6to4 hosts, 6to4 sites, and the IPv6 Internet.
Figure 3: Using 6to4 to communicate between 6to4 hosts, 6to4 sites, and the IPv6 Internet

Support for 6to4 hosts and routers is provided in the 6to4 component that is included with the IPv6 protocol for the Windows .NET Server 2003 family and Windows XP. If an IPv6 router advertisement is not received (either from a router on a local link or from an ISATAP router) and the computer has a public IPv4 address assigned, the 6to4 component automatically performs the following:
- Creates an interface that is named 6to4 Tunneling Pseudo-Interface and configures 6to4 addresses on the interface for all public IPv4 addresses that are assigned to interfaces on the computer.
- Creates a 2002::/16 route that forwards all 6to4 traffic with the 6to4 Tunneling Pseudo-Interface. All traffic forwarded by this host to 6to4 destinations is encapsulated with an IPv4 header.
- Automatically determines the IPv4 address of a 6to4 relay router on the IPv4 Internet.
Through this automatic configuration, any host that is running the IPv6 protocol for the Windows .NET Server 2003 family and Windows XP is automatically configured as a 6to4 host. A 6to4 host can perform its own tunneling to reach 6to4 hosts in other sites or hosts on the IPv6 Internet.
If Internet Connection Sharing (ICS) is enabled on an interface that is assigned a public IPv4 address, the 6to4 component:
- Enables routing on the private interface.
- Sends Router Advertisements that contain 6to4 address prefixes that are based on the public IPv4 address of the public interface. The SLA ID in the 6to4 address prefix is set to the interface index of the interface on which the advertisements are sent.
By enabling ICS, you can use a computer running the IPv6 protocol for the Windows .NET Server 2003 family and Windows XP as a 6to4 router, which is capable of both encapsulating and forwarding 6to4 traffic to other 6to4 hosts or sites on the Internet, and forwarding IPv6 Internet traffic to a 6to4 relay router on the Internet. Figure 4 shows how Windows XP and the Windows .NET Server 2003 family support 6to4.
Figure 4: 6to4 support in Windows XP and the Windows .NET Server 2003 family Each site uses a computer running a member of the Windows .NET Server 2003 family or Windows XP with ICS enabled on the public interface to create a 6to4 router. Alternately, an Internet gateway device (IGD) the supports 6to4 can be used. Host computers running a member of the Windows .NET Server 2003 family or Windows XP on the private network segments receive the router advertisement that is sent by their site's 6to4 router and contains a 6to4 address prefix. As the result, two 6to4 hosts (6to4 host A and 6to4 host C) can communicate or a 6to4 host can communicate with the IPv6 Internet (6to4 host A and IPv6 host D) by using 6to4 addresses over the IPv4 Internet. Host computers running a member of the Windows .NET Server 2003 family or Windows XP that are directly connected to the Internet act as a 6to4 host and router and create their own 6to4 site (6to4 host/router E).
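The 6to4 prefix construction used throughout this section (2002::/16 with the public IPv4 address embedded, a /64 per private interface whose SLA ID is the interface index, and the IPv4 tunnel endpoint recovered from a 6to4 destination), as an added Python example that is neither the paper's nor Windows' code. The set of IPv4 ranges it treats as non-public is an assumption of the example.

```python
# Added example (not from the Microsoft paper): 6to4 site and subnet prefixes
# from a public IPv4 address, and the IPv4 tunnel endpoint for a 6to4
# destination, which is what the 2002::/16 route on a 6to4 host produces.
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")

# Ranges that never yield a 6to4 address. Assumption of this example:
# RFC 1918 space plus "this" network, loopback, link-local, multicast
# and limited broadcast.
NOT_PUBLIC = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def is_public_ipv4(ipv4: str) -> bool:
    v4 = ipaddress.IPv4Address(ipv4)
    return not any(v4 in net for net in NOT_PUBLIC)


def sixto4_site_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the IPv4 address in hex."""
    if not is_public_ipv4(public_ipv4):
        raise ValueError(f"{public_ipv4} is not a public IPv4 address")
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def sixto4_subnet_prefix(public_ipv4: str, interface_index: int) -> ipaddress.IPv6Network:
    """The /64 a 6to4 router advertises on a private interface: the 16-bit
    SLA ID is set to the index of the interface sending the advertisement."""
    if not 0 <= interface_index <= 0xFFFF:
        raise ValueError("SLA ID must fit in 16 bits")
    site = sixto4_site_prefix(public_ipv4)
    base = int(site.network_address) | (interface_index << 64)
    return ipaddress.IPv6Network((base, 64))


def tunnel_ipv4_for(dst_ipv6: str):
    """IPv4 destination of the encapsulating header for a 6to4 destination,
    or None when the destination is outside 2002::/16 (such traffic is
    handed to the relay router instead of being tunneled directly)."""
    dst = ipaddress.IPv6Address(dst_ipv6)
    if dst not in SIXTO4:
        return None
    return str(ipaddress.IPv4Address((int(dst) >> 80) & 0xFFFFFFFF))


if __name__ == "__main__":
    # Constructed input: a documentation-range IPv4 address standing in for a
    # public one, and interface index 4 for the private interface.
    print(sixto4_site_prefix("192.0.2.1"))        # 2002:c000:201::/48
    print(sixto4_subnet_prefix("192.0.2.1", 4))   # 2002:c000:201:4::/64
    print(tunnel_ipv4_for("2002:c000:201:4:260:8ff:fe52:f9d8"))  # 192.0.2.1
```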
Figure 5: The configuration of the IPv6 test lab

There are three network segments:
- A network segment known as Subnet 1 that uses the private IP network ID of 10.0.1.0/24 and site-local subnet ID of FEC0:0:0:1::/64.
- A network segment known as Subnet 2 that uses the private IP network ID of 10.0.2.0/24 and site-local subnet ID of FEC0:0:0:2::/64.
- A network segment known as Subnet 3 that uses the private IP network ID of 10.0.3.0/24 and site-local subnet ID of FEC0:0:0:3::/64.
All computers on each subnet are connected to a separate common hub or Layer 2 switch. Both router computers, ROUTER1 and ROUTER2, have two network adapters installed. For the IPv4 configuration, each computer is manually configured with the appropriate IP address, subnet mask, default gateway, and DNS server IP address. Dynamic Host Configuration Protocol (DHCP) and Windows Internet Name Service (WINS) servers are not used. For the IPv6 configuration, link-local addresses are used initially.
The following sections describe how each of the computers in the test lab is configured. To reconstruct this test lab, please configure the computers in the order presented.
Note: The following instructions are for configuring an IPv6 test lab using a minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor is it designed to reflect a desired or recommended configuration for a production network. The configuration, including addresses and all other configuration parameters, is designed only to work on a separate test lab network.
DNS1
DNS1 is a computer running a member of the Windows 2000 or Windows .NET Server 2003 families. It is providing DNS Server services for the testlab.example.com DNS domain. To configure DNS1 for this service, perform the following steps:
1. Install a member of the Windows 2000 or Windows .NET Server 2003 families as a stand-alone
updates.
6. Install the IPv6 protocol using the netsh interface ipv6 install command.
Note: The domain name testlab.example.com is used here for example purposes only. You can use any domain name in your test lab configuration.
CLIENT1
CLIENT1 is a computer that is being used as a client. To configure CLIENT1 as a client computer, perform the following steps:
1. On CLIENT1, install a member of the Windows .NET Server 2003 family or Windows XP as a
4. Configure the TCP/IP protocol with the IP address of 10.0.1.3, the subnet mask of 255.255.255.0, a default gateway of 10.0.1.1, and the DNS server IP address of 10.0.1.2.
ROUTER1
ROUTER1 is a computer that is being used as a router between Subnet 1 and Subnet 2. To configure ROUTER1 as a router, perform the following steps:
1. On ROUTER1, install a member of the Windows .NET Server 2003 family or Windows XP as a
"Subnet 1 Connection" and rename the LAN connection connected to Subnet 2 to "Subnet 2 Connection."
5. For Subnet 1 Connection, configure the TCP/IP protocol with the IP address of 10.0.1.1, the subnet
Services\Tcpip\Parameters\IPEnableRouter to 1. Restart the computer. This step enables IPv4 routing between Subnet 1 and Subnet 2.
ROUTER2
ROUTER2 is a computer that is being used as a router between Subnet 2 and Subnet 3. To configure ROUTER2 as a router, perform the following steps:
1. On ROUTER2, install a member of the Windows .NET Server 2003 family or Windows XP as a
"Subnet 2 Connection" and rename the LAN connection connected to Subnet 3 to "Subnet 3 Connection."
5. For Subnet 2 Connection, configure the TCP/IP protocol with the IP address of 10.0.2.2, the subnet
Services\Tcpip\Parameters\IPEnableRouter to 1. Restart the computer. This step enables IPv4 routing between Subnet 2 and Subnet 3.
CLIENT2
CLIENT2 is a computer that is being used as a client. To configure CLIENT2 as a client computer, perform the following steps:
1. On CLIENT2, install a member of the Windows .NET Server 2003 family or Windows XP as a
This step tests whether IPv4 packets can be forwarded between CLIENT2 on Subnet 3 and CLIENT1 on Subnet 1.
Link-local ping
To ping a node using link-local addresses and view the entries created in the neighbor and route caches, complete the following steps:
1. On ROUTER1, type the netsh interface ipv6 show address command to obtain the link-local
address and interface index of the interface named Local Area Connection.
3. On CLIENT1, type the following command to ping the link-local address of ROUTER1's interface on Subnet 1:
ping ROUTER1LinkLocalAddress%ZoneID
For example, if the link-local address of ROUTER1's interface on Subnet 1 is FE80::2AA:FF:FE9D:10C5, and the interface index for the Local Area Connection interface on CLIENT1 is 3, the command is:
ping fe80::2aa:ff:fe9d:10c5%3
4. On CLIENT1, type the following command:
Note the entry in the CLIENT1 neighbor cache for ROUTER1. You should see an entry for ROUTER1's link-local address.
5. On CLIENT1, type the following command:
netsh interface ipv6 show destinationcache
Note the entry in the CLIENT1 destination cache for ROUTER1.
6. On CLIENT1, type the following command:
netsh interface ipv6 show routes
This command displays the entries in the CLIENT1 routing table.
Creating a static routing infrastructure
To configure a static routing infrastructure so that all test lab nodes are reachable using IPv6 traffic, complete the following steps:
1. On ROUTER1, type the netsh interface ipv6 show address command to obtain the interface
indexes of the interfaces named Subnet 1 Connection and Subnet 2 Connection and their link-local addresses.
2. On ROUTER2, type the netsh interface ipv6 show address command to obtain the interface
indexes of the interfaces named Subnet 2 Connection and Subnet 3 Connection and their link-local addresses.
3. On ROUTER1, type the following commands:
netsh interface ipv6 set interface "Subnet 1 Connection" forwarding=enabled advertise=enabled
netsh interface ipv6 set interface "Subnet 2 Connection" forwarding=enabled advertise=enabled
netsh interface ipv6 add route fec0:0:0:1::/64 "Subnet 1 Connection" publish=yes
netsh interface ipv6 add route fec0:0:0:2::/64 "Subnet 2 Connection" publish=yes
netsh interface ipv6 add route ::/0 "Subnet 2 Connection" nexthop=ROUTER2AddressOnSubnet2 publish=yes
where ROUTER2AddressOnSubnet2 is the link-local address assigned to ROUTER2's Subnet 2 Connection interface. For example, if the link-local address of ROUTER2's Subnet 2 Connection interface is FE80::2AA:FF:FE87:4D5C, the last command is typed as follows:
netsh interface ipv6 add route ::/0 "Subnet 2 Connection" nexthop=fe80::2aa:ff:fe87:4d5c publish=yes
4. On ROUTER2, type the following commands:
netsh interface ipv6 set interface "Subnet 2 Connection" forwarding=enabled advertise=enabled
netsh interface ipv6 set interface "Subnet 3 Connection" forwarding=enabled advertise=enabled
netsh interface ipv6 add route fec0:0:0:2::/64 "Subnet 2 Connection" publish=yes
netsh interface ipv6 add route fec0:0:0:3::/64 "Subnet 3 Connection" publish=yes
netsh interface ipv6 add route ::/0 "Subnet 2 Connection" nexthop=ROUTER1AddressOnSubnet2 publish=yes
where ROUTER1AddressOnSubnet2 is the link-local address assigned to ROUTER1's Subnet 2 Connection interface. For example, if the link-local address of ROUTER1's Subnet 2 Connection interface is FE80::2AA:FF:FE9A:203F, the last command is typed as follows:
netsh interface ipv6 add route ::/0 "Subnet 2 Connection" nexthop=fe80::2aa:ff:fe9a:203f publish=yes
5. On CLIENT1, type the netsh interface ipv6 show address command to view a new address on the
ping CLIENT2SiteLocalAddress
On CLIENT1, type the following tracert command with the -d option to trace the route between CLIENT1 and CLIENT2:
tracert -d CLIENT2SiteLocalAddress
In the tracert display, you can view the site-local address of the Subnet 1 Connection for ROUTER1 and the site-local address of the Subnet 2 Connection for ROUTER2.
10. On ROUTER1, type the following commands:
netsh interface ipv6 show neighbors
to view the entries in the ROUTER1 neighbor cache for CLIENT1 and ROUTER2.
netsh interface ipv6 show destinationcache
to view the entries in the ROUTER1 destination cache for CLIENT1 and ROUTER2.
Note: The IPv6 protocol for the Windows .NET Server 2003 family advertises directly attached off-link prefixes as specific routes using the Route Information option in Router Advertisement messages. These specific routes become routes in the routing table of the receiving host.
Note: The tracert command for the IPv6 protocol for Windows XP (prior to Service Pack 1) does not support IPv6 addresses. Use the tracert6 command instead.
Using name resolution
To configure DNS and the local Hosts file to resolve names to IPv6 addresses, complete the following steps:
1. On DNS1, use the DNS snap-in to view the A and AAAA records in the testlab.example.com forward
lookup zone that were dynamically registered by the computers in the test lab. Verify that an AAAA, or quad A, record for CLIENT2 exists.
2. If an AAAA record for CLIENT2 does not exist, create an AAAA (quad-A) resource record for CLIENT2 with the DNS name client2.testlab.example.com for its site-local IPv6 address using the IPv6 Host (AAAA) resource record type. For example, if CLIENT2's site-local address is FEC0::3:260:8FF:FE52:F9D8, the AAAA resource record is configured as follows:
Host: client2
IP version 6 host address: FEC0:0:0:3:260:8FF:FE52:F9D8
3. On CLIENT1, type the following command:
ping client2.testlab.example.com
The name client2.testlab.example.com is resolved to its site-local address by sending a DNS query to DNS1.
4. On CLIENT2, create the following entry in the Hosts file (located in the
For example, if CLIENT1's site-local address is FEC0::1:260:8FF:FE2A:15F2, the entry in the Hosts file is:
client1 fec0::1:260:8ff:fe2a:15f2
ping client1
The name client1 is resolved to its site-local address by using the local Hosts file.
Using temporary addresses
To use temporary addresses (also known as anonymous addresses) for global address prefixes, complete the following steps:
1. On ROUTER1, type the following command:
interface named Local Area Connection that is based on the global prefix of 3FFE:FFFF:0:1::/64. There should be two addresses that are based on the 3FFE:FFFF:0:1::/64 prefix. One address uses an interface identifier that is based on the EUI-64 address of the interface. The other address is a temporary address for which the interface identifier is randomly derived.
4. On ROUTER1, type the following command:
netsh interface ipv6 delete route 3ffe:ffff:0:1::/64 "Subnet 1 Connection"
This removes the global prefix from the ROUTER1 routing table and prevents ROUTER1 from advertising it on its interfaces.
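The static routes published in "Creating a static routing infrastructure", together with the 3ffe:ffff:0:1::/64 route that the temporary addresses procedure adds to ROUTER1 and then deletes, can be checked offline with a small longest-prefix-match simulation. This is an added example, not code from the article: next hops are named by router rather than by the link-local addresses the netsh commands use, and the 3ffe:ffff:0:1::/64 route is assumed to have been added on ROUTER1's Subnet 1 Connection, the interface the delete command names.

```python
import ipaddress
from typing import List, Optional, Tuple

# Routes published on ROUTER1 and ROUTER2 by the netsh "add route" commands:
# (prefix, interface, next-hop router or None when the prefix is on-link).
ROUTES = {
    "ROUTER1": [("fec0:0:0:1::/64", "Subnet 1 Connection", None),
                ("fec0:0:0:2::/64", "Subnet 2 Connection", None),
                ("::/0", "Subnet 2 Connection", "ROUTER2")],
    "ROUTER2": [("fec0:0:0:2::/64", "Subnet 2 Connection", None),
                ("fec0:0:0:3::/64", "Subnet 3 Connection", None),
                ("::/0", "Subnet 2 Connection", "ROUTER1")],
}

def add_route(router: str, prefix: str, interface: str, nexthop: Optional[str] = None) -> None:
    """Mirror of 'netsh interface ipv6 add route' for the simulated table."""
    ROUTES[router].append((prefix, interface, nexthop))

def delete_route(router: str, prefix: str, interface: str) -> None:
    """Mirror of 'netsh interface ipv6 delete route' for the simulated table."""
    ROUTES[router] = [r for r in ROUTES[router] if (r[0], r[1]) != (prefix, interface)]

def lookup(router: str, dst: ipaddress.IPv6Address) -> Tuple[str, Optional[str]]:
    """Longest-prefix match over one router's table; returns (interface, next hop)."""
    best = None
    for prefix, interface, nexthop in ROUTES[router]:
        net = ipaddress.IPv6Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, interface, nexthop)
    if best is None:
        raise LookupError(f"{router} has no route to {dst}")
    return best[1], best[2]

def trace(first_hop: str, dst_addr: str, hop_limit: int = 128) -> Tuple[List[str], bool]:
    """Follow a packet router by router until a route says the destination is on-link.

    Returns (routers traversed, delivered); delivered is False when the hop limit
    runs out, which in this lab happens for any destination only ::/0 matches,
    because each router's default route points at the other router.
    """
    dst, hops, router = ipaddress.IPv6Address(dst_addr), [], first_hop
    while hop_limit > 0:
        hops.append(router)
        _interface, nexthop = lookup(router, dst)
        if nexthop is None:
            return hops, True          # delivered on the matching interface
        router, hop_limit = nexthop, hop_limit - 1
    return hops, False                 # hop limit expired: routing loop
```

trace("ROUTER1", CLIENT2's site-local address) returns (["ROUTER1", "ROUTER2"], True), matching the two hops the tracert in step 9 shows; after delete_route removes the global prefix, a destination under 3ffe:ffff:0:1::/64 matches only the two ::/0 routes and bounces between ROUTER1 and ROUTER2 until the hop limit expires, which the simulation reports as delivered=False.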
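The difference between the two addresses that the temporary addresses procedure shows on CLIENT1, one with an EUI-64 interface identifier and one with a randomly derived identifier, can be tested mechanically. The Python below is an added example, not code from the article: it derives the modified EUI-64 identifier from a MAC address, recovers the MAC from the site-local addresses the article uses for CLIENT1 and CLIENT2 (which is exactly the exposure temporary addresses exist to avoid), and labels an identifier without the FF-FE marker as random, the way a temporary address appears. The temporary address under 3FFE:FFFF:0:1::/64 is a constructed value.

```python
import ipaddress
from typing import Optional, Tuple

def eui64_interface_id(mac: str) -> int:
    """Derive the modified EUI-64 interface identifier from a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC, insert FF-FE, and invert the universal/local bit (0x02) of octet 0.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def site_local_address(subnet_id: int, mac: str) -> str:
    """Address a lab host autoconfigures from a FEC0:0:0:<subnet>::/64 prefix and EUI-64."""
    prefix = ipaddress.IPv6Network(f"fec0:0:0:{subnet_id:x}::/64")
    return str(ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac)))

def classify_interface_id(addr: str) -> Tuple[str, Optional[str]]:
    """Report whether the low 64 bits of an address look EUI-64 derived.

    Returns ("eui-64", recovered MAC) when the FF-FE marker is present, else
    ("random", None), which is how a temporary address appears. A random
    identifier carries the marker with probability about 2**-16, so treat
    "eui-64" as likely rather than certain.
    """
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return "random", None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "eui-64", "-".join(f"{b:02X}" for b in mac)

if __name__ == "__main__":
    # CLIENT2's site-local address from the article: the MAC is recoverable from it.
    print(classify_interface_id("FEC0::3:260:8FF:FE52:F9D8"))  # ('eui-64', '00-60-08-52-F9-D8')
    print(site_local_address(3, "00-60-08-52-F9-D8"))           # fec0::3:260:8ff:fe52:f9d8
    # Constructed temporary address under the lab's global prefix 3FFE:FFFF:0:1::/64.
    print(classify_interface_id("3ffe:ffff:0:1:1c3a:9f4e:2b7d:6a10"))  # ('random', None)
```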
Summary
The configurations described in this article include using a single subnet with link-local addresses, using IPSec between two local link hosts, sending IPv6 traffic between nodes on different subnets of an IPv6 internetwork, sending IPv6 traffic across an IPv4 intranet with ISATAP, and sending IPv6 traffic across the IPv4 Internet using 6to4. Additionally, this article included instructions on how to use five computers to create a working IPv6 test lab network.
Related Links
For more information on Microsoft's support for IPv6, check out our Web site at http://www.microsoft.com/ipv6. For the latest information about Windows .NET Server 2003, see the Windows .NET Server 2003 Web site at http://www.microsoft.com/windows.netserver.