ISATAP Addressing Explained: Technical Differences Between Link-Local and Global IPv6 Addresses


1 views

ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) uses both link-local and global addresses to fulfill different network communication requirements:

// Typical ISATAP address formats
Link-local: fe80::5efe:192.0.2.1       // Embedded IPv4 (192.0.2.1)
Global:     2001:db8::5efe:192.0.2.1   // Same IPv4 embedded globally

Link-Local Addresses (fe80::/64):

  • Non-routable (limited to local link)
  • Used for neighbor discovery and interface configuration
  • Autoconfigured using the fe80::/64 prefix

Global Addresses:

  • Routable across IPv6 networks
  • Derived from the site's global IPv6 prefix
  • Required for cross-subnet communication

Here's how Windows implements ISATAP addressing:

netsh interface ipv6 isatap set router 192.0.2.100
netsh interface ipv6 set interface "Local Area Connection" forwarding=enable

The separation provides:

  1. Fail-safe local communication when global routing fails
  2. Neighbor discovery without requiring global connectivity
  3. Clear separation of local vs. global traffic policies

Check assigned ISATAP addresses:

ipconfig /all
# Look for:
#   Tunnel adapter ISATAP:
#     Link-local IPv6 Address: fe80::5efe:c000:201%13
#     IPv6 Address: 2001:db8::5efe:c000:201

Ping tests demonstrate scope differences:

ping fe80::5efe:c000:201%13   // Local-link only
ping 2001:db8::5efe:c000:201  // Global reachability test

The Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) uses dual addressing to facilitate IPv6 communication over IPv4 networks. The key distinction lies in their scope:

// ISATAP address format examples
link_local = "fe80::5efe:" + IPv4_to_hex(192.0.2.1) // fe80::5efe:c000:0201
global = "2001:db8:1:2::5efe:" + IPv4_to_hex(192.0.2.1) // 2001:db8:1:2::5efe:c000:0201

Link-local addresses (fe80::/64):

  • Non-routable beyond the local link
  • Used for neighbor discovery and auto-configuration
  • Always contain the 5efe interface identifier

Global addresses:

  • Routable across IPv6 domains
  • Require manual configuration or DHCPv6
  • Use standard IPv6 prefix + 5efe identifier

Here's how Windows implements ISATAP addressing:

netsh interface ipv6 isatap set router 192.0.2.1
netsh interface ipv6 set interface "Local Area Connection" forwarding=enable

Linux configuration example:

ip tunnel add isatap mode sit remote 192.0.2.1 local 192.0.2.100 ttl 64
ip link set dev isatap up
ip addr add 2001:db8:1:2::5efe:c000:226/64 dev isatap

The coexistence serves critical purposes:

  1. Neighbor Discovery: Link-local enables automatic interface identification
  2. Routing Separation: Global addresses maintain end-to-end connectivity
  3. Transition Safety: Link-local prevents accidental routing of test traffic

Diagnosing address assignment issues:

# Windows
netsh interface ipv6 show addresses

# Linux
ip -6 addr show dev isatap

# Common problems:
# - Missing 5efe in identifier (configuration error)
# - Duplicate addresses (requires DAD)
# - IPv4 connectivity broken (tunnel establishment fails)