Windows 7 / Networking

Tunneling

Right now, there are many network services that are IPv4-only, and comparatively few that require IPv6. Those IPv6 services are coming, however.

The DirectAccess remote networking feature in Windows Server 2012 and Windows 8 is an example of an IPv6-only technology, and much of its complexity is due to the need to establish IPv6 connections over the IPv4 Internet.

The primary method for transmitting IPv6 traffic over an IPv4 network is called tunneling. Tunneling, in this case, is the process by which a system encapsulates an IPv6 datagram within an IPv4 packet (for the tunnel types described in this section, an IPv4 packet whose protocol field is 41). The system then transmits the IPv4 packet to its destination; the intermediate IPv4 routers forward it as an ordinary IPv4 packet and need no knowledge of IPv6 or of the packet's contents.

Tunneling can work in a variety of configurations, depending on the network infrastructure, including router-to-router, host-to-host, router-to-host, and host-to-router. However, the most common configuration is router-to-router, as in the case of an IPv4-only connection between an IPv6 branch office and an IPv6 home office.

The two routers support both IPv4 and IPv6, and the local networks at each site use IPv6. However, the link connecting the two sites is IPv4-only. By creating a tunnel between the routers in the two offices, using their IPv4 interfaces, they can exchange IPv6 traffic as needed.

Computers at either site can send IPv6 traffic to the other site, and the routers are responsible for encapsulating the IPv6 data in IPv4 packets for the trip through the tunnel.
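The encapsulation the two tunnel routers perform can be shown in a few lines of code. The following Python is an added example, not part of the original text and not Windows code: it builds a minimal IPv6 datagram, wraps it in an IPv4 header with protocol 41 (the number used by manual, 6to4 and ISATAP tunnels), and then decapsulates it again, checking the IPv4 version, header checksum, protocol number and inner IPv6 version the way the tunnel exit point (or a sensor looking for tunneled IPv6 crossing an IPv4-only perimeter) would. The IPv4 addresses are the ones used in this section's netsh example; the IPv6 addresses and the empty payload are constructed for the example.

```python
"""IPv6-in-IPv4 encapsulation (IP protocol 41), the mechanism behind manual, 6to4 and ISATAP tunnels."""
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IANA protocol number "IPv6 encapsulation"; what a firewall sees on the IPv4 wire


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header (pad to an even length first)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6_packet(src: str, dst: str, payload: bytes, next_header: int = 59) -> bytes:
    """Minimal 40-byte IPv6 header followed by payload. next_header 59 means 'No Next Header'."""
    ver_tc_flow = 6 << 28                   # version 6, traffic class 0, flow label 0
    header = struct.pack("!IHBB", ver_tc_flow, len(payload), next_header, 64)
    return header + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def encapsulate(local_v4: str, remote_v4: str, ipv6_packet: bytes) -> bytes:
    """Tunnel entry point: put an IPv4 header with protocol 41 in front of a whole IPv6 datagram."""
    total_len = 20 + len(ipv6_packet)
    # version/IHL, DSCP/ECN, total length, identification, flags(DF)/fragment offset,
    # TTL, protocol, checksum placeholder, source, destination
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, IPPROTO_IPV6, 0,
                         ipaddress.IPv4Address(local_v4).packed,
                         ipaddress.IPv4Address(remote_v4).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + ipv6_packet


def decapsulate(ipv4_packet: bytes):
    """Tunnel exit point / inspection: (src_v4, dst_v4, inner_ipv6) for a valid protocol-41 packet, else None."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4:
        return None
    ihl = (ipv4_packet[0] & 0x0F) * 4
    header = ipv4_packet[:ihl]
    if ipv4_checksum(header) != 0:          # a header that includes its own checksum sums to zero
        return None
    if header[9] != IPPROTO_IPV6:           # anything else is not tunneled IPv6
        return None
    total_len = struct.unpack("!H", header[2:4])[0]
    inner = ipv4_packet[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    return (str(ipaddress.IPv4Address(header[12:16])),
            str(ipaddress.IPv4Address(header[16:20])), inner)


if __name__ == "__main__":
    inner = build_ipv6_packet("2001:db8:1::1", "2001:db8:2::1", b"")   # constructed sample
    wire = encapsulate("206.73.118.18", "157.54.206.43", inner)
    print(decapsulate(wire))
```

Because the IPv6 datagram rides inside an ordinary IPv4 packet, an IPv4-only filter that does not inspect protocol 41 never sees the IPv6 addresses or the upper-layer ports; policy for tunneled traffic has to be applied either to protocol 41 as a whole or at the tunnel endpoints after decapsulation.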

Windows supports several different tunneling methods, both manual and automatic, as described in the following sections.

CONFIGURING TUNNELS MANUALLY

It is possible to manually create semipermanent tunnels that carry IPv6 traffic through an IPv4-only network. When a computer running Windows Server 2012 or Windows 8 is functioning as one end of the tunnel, you can use the following command:

netsh interface ipv6 add v6v4tunnel "interface" localaddress remoteaddress

In this command, interface is a friendly name you want to assign to the tunnel you are creating, and localaddress and remoteaddress are the IPv4 addresses forming the two ends of the tunnel. The same command must be run on the computer at the other end with the two addresses swapped, and each end still needs an IPv6 address and a route assigned to the new tunnel interface before IPv6 traffic will flow through it. An example of an actual command would be as follows:

netsh interface ipv6 add v6v4tunnel "tunnel" 206.73.118.18 157.54.206.43

CONFIGURING TUNNELS AUTOMATICALLY

There are also a number of mechanisms that automatically create tunnels over IPv4 connections. These are technologies designed to be temporary solutions during the transition from IPv4 to IPv6. All of them include a mechanism for expressing an IPv4 address in the IPv6 format. The IPv4-to-IPv6 transition technologies that Windows supports are described in the following sections.

6TO4

The 6to4 mechanism incorporates a network's IPv4 connections into the IPv6 infrastructure by deriving an IPv6 prefix from an IPv4 address and encapsulating IPv6 traffic in IPv4 packets. A site whose public IPv4 address is W.X.Y.Z obtains the entire IPv6 prefix 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the address written in hexadecimal. Because the IPv4 address of the far end can be read straight out of any 6to4 destination address, the tunnel endpoints need no manual configuration: the sending router simply encapsulates the IPv6 packet in an IPv4 packet (protocol 41) addressed to that IPv4 address.

ISATAP

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is an automatic tunneling protocol, supported by the Windows client and server operating systems, that emulates an IPv6 link using an IPv4 network inside a site.

ISATAP also embeds the IPv4 address in the IPv6 address, but it uses a different method than 6to4: the IPv4 address becomes the low 32 bits of the 64-bit interface identifier, preceded by the fixed value 0:5EFE (or 200:5EFE when the IPv4 address is public), so an ISATAP address looks like prefix::5efe:w.x.y.z. Because the emulated link does not support multicasting, ISATAP hosts cannot locate routers in the usual manner by multicasting Neighbor Discovery messages. Instead, the system compiles a potential routers list (PRL) by resolving the name ISATAP in DNS and sends unicast Router Solicitation messages to the routers on that list at regular intervals, using Internet Control Message Protocol version 6 (ICMPv6) carried in IPv4.
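Both 6to4 and ISATAP work because the IPv4 address can be recovered from the IPv6 address. The following Python is an added example, not part of the original text and not Windows code. It derives the 6to4 prefix and the ISATAP address from an IPv4 address and reverses each, with the checks a practitioner wants: the 6to4 routine refuses private addresses (6to4 needs a public IPv4 address, as the Teredo section notes), and the ISATAP routine sets the u bit only for a public IPv4 address, as RFC 5214 specifies. The IPv6 prefix 2001:db8:1::/64 and the IPv4 address 10.0.0.1 are constructed for the example; 206.73.118.18 is taken from this section's netsh example.

```python
"""Deriving 6to4 and ISATAP addresses from an IPv4 address, and reading the IPv4 address back out."""
import ipaddress

SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
ISATAP_MARKER = 0x5EFE          # fixed marker in bits 47..32 of the ISATAP interface identifier
ISATAP_U_BIT = 1 << 57          # universal/local bit of the interface identifier (0200:5EFE form)


def sixto4_prefix(public_ipv4: str) -> str:
    """2002:WWXX:YYZZ::/48 for IPv4 address W.X.Y.Z; rejects addresses that are not globally routable."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if not v4.is_global:
        raise ValueError(f"6to4 requires a public IPv4 address, got {v4}")
    # the 32-bit IPv4 address sits directly after the 16-bit 2002: prefix, i.e. at bits 111..80
    net = ipaddress.IPv6Network((int(SIXTO4_PREFIX.network_address) | (int(v4) << 80), 48))
    return str(net)


def ipv4_from_6to4(addr: str) -> str:
    """Recover the tunnel endpoint's IPv4 address from any address inside 2002::/16."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIXTO4_PREFIX:
        raise ValueError(f"{v6} is not a 6to4 address")
    return str(ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF))


def isatap_address(prefix: str, ipv4: str) -> str:
    """prefix::5efe:w.x.y.z for a private IPv4 address, prefix::200:5efe:w.x.y.z for a public one."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    iid = (ISATAP_MARKER << 32) | int(v4)
    if v4.is_global:
        iid |= ISATAP_U_BIT
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def ipv4_from_isatap(addr: str):
    """IPv4 address embedded in an ISATAP address, or None if the interface ID is not ISATAP-formed."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if (iid >> 32) not in (ISATAP_MARKER, ISATAP_MARKER | (ISATAP_U_BIT >> 32)):
        return None
    return str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))


if __name__ == "__main__":
    print(sixto4_prefix("206.73.118.18"))                 # 2002:ce49:7612::/48
    print(isatap_address("fe80::/64", "10.0.0.1"))        # fe80::5efe:a00:1  (= fe80::5efe:10.0.0.1)
    print(isatap_address("2001:db8:1::/64", "206.73.118.18"))
```

Windows writes ISATAP addresses with the IPv4 part in dotted form (fe80::5efe:10.0.0.1); Python's ipaddress module prints the same 32 bits as two hexadecimal groups (fe80::5efe:a00:1). Both spellings denote the same address.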

TEREDO

To use 6to4 tunneling, both endpoints of the tunnel must have registered (public, globally routable) IPv4 addresses. However, on many networks, the system that would function as the endpoint is located behind a NAT router and therefore has an unregistered (private) address. In such a case, the only registered address available is assigned to the NAT router itself, and unless the router supports 6to4 (which many don't) and can forward protocol 41 packets, which most NAT devices cannot translate, it is impossible to establish the tunnel.

Teredo is a mechanism that addresses this shortcoming by enabling devices behind NAT routers that do not support IPv6 to function as tunnel endpoints. To do this, Teredo encapsulates each IPv6 packet within a transport-layer User Datagram Protocol (UDP) datagram, which is then carried in an ordinary IPv4 packet, rather than placing the IPv6 packet directly inside an IPv4 packet as protocol 41, as 6to4 does. NAT routers translate UDP traffic routinely, so the encapsulated packets pass through the NAT like any other UDP session.

For a Teredo client to function as a tunnel endpoint, it must have access to a Teredo server (UDP port 3544), with which it exchanges Router Solicitation and Router Advertisement messages to determine whether the client is located behind a NAT router, what type of NAT it is, and what public IPv4 address and UDP port the NAT has mapped to the client. The client builds its Teredo address from this information, so the address itself encodes the server's IPv4 address and the client's public IPv4 address and port.

To initiate communications, a Teredo client exchanges null packets called bubbles with the desired destination, using the Teredo servers at each end as intermediaries. The function of the bubble messages is to create mappings for both computers in each other's NAT routers.
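The following Python is an added example, not part of the original text and not Windows code, that shows how a Teredo address is assembled and what can be read back out of one. It uses the Teredo address format from RFC 4380: the 2001:0000::/32 prefix, the server's IPv4 address, a 16-bit flags field whose high bit marks a cone NAT, and the client's public UDP port and IPv4 address, each stored XORed with all ones. The address, server and client values are the illustrative ones from the RFC; the round-trip functions and their checks are the author's addition.

```python
"""Building and decoding Teredo addresses (RFC 4380 format)."""
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")   # 2001:0000::/32
TEREDO_SERVER_PORT = 3544                              # UDP port Teredo servers listen on
CONE_FLAG = 0x8000                                     # high bit of the flags field: client is behind a cone NAT


def teredo_address(server_v4: str, client_public_v4: str, client_public_port: int, cone: bool = False) -> str:
    """Compose 2001:0:<server>:<flags>:<~port>:<~client> as a Teredo client does after qualification."""
    if not 0 <= client_public_port <= 0xFFFF:
        raise ValueError("port out of range")
    flags = CONE_FLAG if cone else 0      # later implementations randomize the remaining flag bits
    obfuscated_port = client_public_port ^ 0xFFFF
    obfuscated_v4 = int(ipaddress.IPv4Address(client_public_v4)) ^ 0xFFFFFFFF
    value = (int(TEREDO_PREFIX.network_address)
             | (int(ipaddress.IPv4Address(server_v4)) << 64)
             | (flags << 48)
             | (obfuscated_port << 32)
             | obfuscated_v4)
    return str(ipaddress.IPv6Address(value))


def decode_teredo(addr: str) -> dict:
    """Recover server, NAT type, and the client's public IPv4 address and UDP port from a Teredo address."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in TEREDO_PREFIX:
        raise ValueError(f"{v6} is not a Teredo address")
    n = int(v6)
    flags = (n >> 48) & 0xFFFF
    return {
        "server": str(ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)),
        "cone_nat": bool(flags & CONE_FLAG),
        "client_public_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
        "client_public_ipv4": str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


if __name__ == "__main__":
    # Illustrative values from RFC 4380: server 65.54.227.120, client 192.0.2.45 on port 40000, cone NAT
    addr = teredo_address("65.54.227.120", "192.0.2.45", 40000, cone=True)
    print(addr)                    # 2001:0:4136:e378:8000:63bf:3fff:fdd2
    print(decode_teredo(addr))
```

The obfuscation is only an XOR, so anyone who sees a Teredo address learns the client's NAT public address and mapped port and which Teredo server it relies on. A Teredo client is also reachable over IPv6 from the Internet despite sitting behind a NAT, which is why the host firewall must cover the Teredo interface rather than relying on the NAT to block inbound connections.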
