November 06, 2009 12:00 AM

Supporting IPv6 in Your Windows Server 2008 Environment

Understand common migration and transition scenarios
Windows IT Pro
InstantDoc ID #103014

In my previous three IPv6 articles—"The Inevitability of IPv6, Part 1," "The Inevitability of IPv6, Part 2," and "Managing Your Migration and Transition from IPv4 to IPv6"—I introduced you to the fundamentals of IPv6, described various aspects of its use in Windows and non-Windows environments, and discussed migration and transition technologies.

Now, with Windows Server 2008 in the picture, I want to focus on using the new server OS to support IPv6 in your environments, including how to use it in the common migration and transition scenarios. When Microsoft released Server 2008, the company made some changes to how IPv6 is supported to improve security and to ease migration and transition to IPv6. I'll cover those changes, too.

IPv6 changes in Server 2008
To better support IPv6 and improve security, Microsoft made some key changes to common features and to the OS itself. The two most obvious changes are the addition of Dynamic Host Configuration Protocol for IPv6 (DHCPv6), and improved support for IPv6 addresses in DNS, particularly for the registration and display of IPv6 addresses. But two other changes are of significant note.

The first is that Server 2008, by default, won't assign an address to its Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) interface if no ISATAP router is available. Server 2008 decides that no ISATAP router is available when the host name ISATAP can't be resolved through the standard methods: DNS queries, HOSTS file lookup, and NetBIOS name broadcast. This security feature prevents nodes that have ISATAP interfaces from reaching a Server 2008 machine over IPv6 packets encapsulated in IPv4 packets (IP protocol 41), which could otherwise slip past router Access Control Lists (ACLs) and firewalls that filter native IPv6 but don't inspect the inner packet of a tunnel. The theory is that if the host name ISATAP can be resolved, then the network administrator intends to permit IPv6 connectivity by encapsulating IPv6 in IPv4. If you need the ISATAP interface when no ISATAP router is available, say, to support IPv6-only applications, you can manually enable the interface and force Server 2008 to accept incoming encapsulated traffic by typing the command

netsh interface ipv6 isatap set state enabled

Note that all other versions of Windows that support IPv6, namely Windows Vista, Windows XP, and Windows Server 2003, will assign an address to the ISATAP interface even if the host name ISATAP can't be resolved, and that interface can be used to communicate with other ISATAP-enabled hosts.

The second noteworthy change in Server 2008 is also related to ISATAP. If you create an A record named ISATAP in a DNS zone on a Server 2008-based DNS server, the DNS server won't answer queries for the host name ISATAP by default. This feature, also security-related, prevents a user from inadvertently (or maliciously) starting a machine named ISATAP, having an A record for it registered in DNS, and then having that record resolved by every client. A machine with the name ISATAP is presumed to be an ISATAP router, and every ISATAP-capable IPv6 node will send router solicitations to it, encapsulated in IPv4, to obtain IPv6 addresses. If the machine named ISATAP answers with a router advertisement carrying an IPv6 prefix, the nodes will configure addresses from that prefix and use the machine as their default IPv6 router, so whoever controls it can intercept or redirect all of their IPv6 traffic.
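The following script is an added example, not part of the original article, that shows the check a practitioner would run before touching the ISATAP state on a Server 2008 host: does the name ISATAP resolve (which is what the OS bases its decision on), what does the stack report for the ISATAP interface and router, and which ISATAP addresses (interface IDs ending in 5efe:w.x.y.z) are actually bound. It wraps the same netsh commands the article uses; the function name and the `-Enable` switch are assumptions for this example. Run it in an elevated PowerShell 2.0 or later session.

```powershell
# Added example (not the article's own code): audit why a Windows Server 2008 host
# has, or lacks, an ISATAP address, and optionally force the interface on.
# Assumes an elevated PowerShell 2.0+ session on Windows Server 2008 or Vista.
param([switch]$Enable)

# Assumed helper name: resolve the bare name "isatap" the same way the OS does
# (DNS, HOSTS file, NetBIOS) and return its IPv4 addresses, or $null if it doesn't resolve.
function Get-IsatapRouterCandidate {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses('isatap') |
            Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork }
        if ($addrs) { return @($addrs | ForEach-Object { $_.IPAddressToString }) }
    } catch {
        # SocketException: the name does not resolve by any method
    }
    return $null
}

$routers = Get-IsatapRouterCandidate
if ($routers) {
    Write-Host "The name 'isatap' resolves to $($routers -join ', ')."
    Write-Host "Server 2008 will configure an ISATAP address automatically. Verify that host really is your ISATAP router."
} else {
    Write-Host "The name 'isatap' does not resolve; by default Server 2008 leaves the ISATAP interface without an address."
}

# What the stack itself reports: state (default/enabled/disabled) and the configured router, if any.
netsh interface ipv6 isatap show state
netsh interface ipv6 isatap show router

# ISATAP addresses embed the IPv4 address after the 5efe tag, e.g. fe80::5efe:192.168.1.10
# (link-local) or 2001:db8:1:1:0:5efe:192.168.1.10 (from a router-advertised prefix).
Write-Host "ISATAP addresses currently bound:"
netsh interface ipv6 show addresses | Select-String -Pattern '5efe'

if ($Enable) {
    # This overrides the security default: the host will accept IPv6-in-IPv4 (protocol 41)
    # traffic even though no ISATAP router was found. Do it only where IPv6-only
    # applications genuinely need it, and make sure the perimeter filters protocol 41.
    netsh interface ipv6 isatap set state enabled
    netsh interface ipv6 isatap show state
}
```

Run it without `-Enable` first; if the name resolves to an address you don't recognise, that is the rogue-router scenario described next and the address should be investigated, not trusted.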

If you want to use ISATAP as part of your migration and transition strategy, and you've installed and configured an ISATAP router, you can enable Server 2008-based DNS to answer queries for the A record ISATAP by editing the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList. This value is a multi-string (REG_MULTI_SZ) and by default contains two entries, isatap and wpad (the latter has security implications of its own: a rogue host named WPAD can push a malicious proxy configuration to browsers, so leave it in the list). Remove only the isatap entry and restart the DNS Server service, because the list is read when the service starts. You'll need to make this change on every DNS server that hosts the zone(s) in which the ISATAP record is defined. You can also use the Dnscmd command-line utility. For more information about configuring the global query block list, including how to use the Dnscmd tool to manage it, download the Microsoft article "DNS Server Global Query Block List."
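As an added example that is not from the article, the following script performs the registry edit just described in a way that removes only the isatap entry and keeps wpad, then restarts the DNS Server service and verifies the result with Dnscmd. The function names are assumptions for this example; the registry key, value name, the EnableGlobalQueryBlockList DWORD that switches the whole list on or off, and the `dnscmd /info /globalqueryblocklist` command are the real ones. Run it elevated, on each DNS server hosting the zone that contains the ISATAP record.

```powershell
# Added example (not the article's own code): audit and edit the DNS Server global query
# block list on Windows Server 2008. Assumes an elevated PowerShell 2.0+ session on the DNS server.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$Name = 'GlobalQueryBlockList'

# Assumed helper name: return the current block list as a string array (empty if the value is absent).
function Get-GlobalQueryBlockList {
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$Name]) { return @($props.$Name) }
    return @()
}

# Assumed helper name: show whether the list is in force at all and what it contains.
function Show-GlobalQueryBlockState {
    $enabled = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).EnableGlobalQueryBlockList
    if ($enabled -eq $null -or $enabled -eq 1) {
        Write-Host "Global query block list: ENABLED (EnableGlobalQueryBlockList absent or 1)"
    } else {
        Write-Host "Global query block list: DISABLED (EnableGlobalQueryBlockList = $enabled) - wpad is unprotected too!"
    }
    Write-Host ("Blocked names: " + ((Get-GlobalQueryBlockList) -join ', '))
}

# Assumed helper name: remove exactly one name from the list, leaving the others (wpad) alone.
function Remove-GlobalQueryBlockEntry([string]$Entry) {
    $current = Get-GlobalQueryBlockList
    $new = @($current | Where-Object { $_ -ne $Entry })   # -ne is case-insensitive in PowerShell
    if ($new.Count -eq $current.Count) {
        Write-Host "'$Entry' is not on the block list; nothing to change."
        return $false
    }
    # Writing an empty REG_MULTI_SZ would unblock everything; keep the value well-formed.
    Set-ItemProperty -Path $Key -Name $Name -Value ([string[]]$new) -Type MultiString
    Restart-Service -Name DNS   # the DNS Server service reads the list only at start-up
    return $true
}

Write-Host "Before:"; Show-GlobalQueryBlockState

if (Remove-GlobalQueryBlockEntry -Entry 'isatap') {
    Write-Host "After:"; Show-GlobalQueryBlockState
    # Cross-check what the server itself believes, using the tool the article refers to.
    dnscmd /info /globalqueryblocklist
    # Confirm the record now answers from this server (replace with your zone name).
    nslookup isatap.example.com 127.0.0.1
}
```

Never set EnableGlobalQueryBlockList to 0 as a shortcut: that unblocks wpad as well as isatap. Removing the single entry, as above, is the change the article intends.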

