ISATAP (intra-site automatic tunnel addressing protocol) is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network. It is defined in the informational RFC 5214.[1]
Unlike 6over4 (an older similar protocol using IPv4 multicast), ISATAP uses IPv4 as a virtual non-broadcast multiple-access network (NBMA) data link layer, so that it does not require the underlying IPv4 network infrastructure to support multicast.
ISATAP typically builds its Potential Router List (PRL) by consulting the DNS; hence, in the OSI model it is a lower-layer protocol that relies on a higher layer. A circularity is avoided by relying on an IPv4 DNS server, which does not rely on IPv6 routing being established; however, some network specialists claim that these violations lead to insufficient protocol robustness.[2]
ISATAP carries the same security risks as 6over4: the IPv4 virtual link must be delimited carefully at the network edge, so that external IPv4 hosts cannot pretend to be part of the ISATAP link. That is normally done by ensuring that proto-41 (6in4) cannot pass through the firewall.
ISATAP is implemented in Microsoft Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Mobile, Linux, and in Cisco IOS (since IOS 12.2(14)S and IOS XE Release 2.1).[3]
Due to a patent claim, early in-kernel implementations were withdrawn from both KAME (*BSD) and USAGI (Linux). However, the IETF IPR disclosure search engine reports that the would-be infringing patent's holder requires no license from implementers.[4] ISATAP support has been supported in Linux since kernel version 2.6.25,[5] the tool isatapd [6] provides a userspace helper. For prior kernels, the open source project Miredo provided an incomplete userland ISATAP implementation, which was removed in version 1.1.6.