isatapd(8) - Linux man page

Name

isatapd - userland ISATAP pseudo-tunnel daemon

Synopsis

isatapd [-c config_file] [-f] [-u user] [-t chrootdir] [router IPv4 address]

Description

ISATAPd is a daemon program providing an ISATAP pseudo-tunnel interface in userland, compatible with the "Intra-Site Automatic Tunnel Addressing Protocol" Internet experimental protocol (RFC 4214).

This is mostly useful to provide IPv6 connectivity to dual-stack nodes on an IPv4 network.

If used as an ISATAP router, you will also most likely want to run radvd on the tunnel interface, to provide autoconf services to other nodes.

Options

-c config_file or --config config_file

Specify an alternate configuration file for ISATAPd instead of the default, /etc/isatapd.conf.
-f or --foreground
Do not detach from the console. Run the program in the foreground.
-h or --help
Display some help and exit.
-t or --chrootdir
Specify a directory to use as a root after initialization is completed. When used as a Teredo client, the hostname resolver library files must be present in the chroot. The directory can safely be left empty for a Teredo relay.
-u username or --user username
Override the user that the program will run as. By default, it runs as nobody.
-V or --version
Display program version and license and exit.

Diagnostics

The ISATAP router sends duplicated packets or none at all.

If there is another IPv6-over-IPv4 (pseudo)tunnel running on the same router, make sure it is bound explicitly to another IPv4 address. In particular, you cannot use the sit0 tunnel device on Linux while running isatapd, since you cannot bind sit0 to a specific IPv4 address.
Dead loop on virtual device XXX, fix it urgently!
Your routing table is probably incomplete or stalled. Keep in mind you must always configure network interfaces explicitly on IPv6 routers, including the ISATAP virtual interface.
Router advertisements are not sent to clients.
ISATAP does not support multicast. You must configure the Router Advertisement daemon to send unicast advertisements only. With radvd, this is done by specifying
ISATAP clients lose their autoconfigured addresses after a while.
Linux (and possibly other IPv6 stacks) only try autoconfiguration when the network interface link state changes. For isatapd, that means only at startup. Therefore, you must ensure that the Router Advertisements specify lifetimes that are longer than the longest possible continuous uptime of isatapd on any ISATAP client. If this is not feasible, do not use autoconfiguration, do not use isatapd, or force manual periodic router solicitations with rdisc6 (from the ndisc6 package).

Bugs

It would not be very complicated to implement support for ISATAP within the existing IPv6-over-IPv4 tunnel framework that exists in the Linux and BSD kernels. This has even been implemented before, but these implementations never entered the official kernels, and eventually got withdrawn, because of a patent claim. In the meantime, the patent's holder has defined its policy as No License Required for Implementers, so we will hopefully see in-kernel implementations back soon.

ISATAPd only provides limited support for ISATAP clients at the moment. Only one router can be used (Potential Routers List is not properly implemented).

Also, because of a limitation in the tunnel driver interface provided by the Linux and BSD IPv6 stacks, some packets may be unduly sent to the ISATAP router instead of another client on the same ISATAP virtual network segment. That being noted, it would be much worse if you used a plain point-to-point tunnel to connect to an ISATAP network. More generally, gateway addresses in the routing table are ignored.

Security

ISATAPd requires root privileges to create its IPv6 tunneling network interface, to set it up properly, and also to open a raw IPv6-over-IPv4 socket. Once its initialization is complete, it will setgid, chroot into an empty directory and ultimately setuid (see option -u), so as to decrease the system's exposure to potential security issues.

Extreme care must be taken to ensure that ISATAP packets cannot cross the network edge. Otherwise, it might be possible for IPv4 outsiders to pretend to be part of the local IPv6 network segment. Blocking incoming and outgoing IPv6-over-IPv4 (proto-41) packets crossing the border firewall should address this issue.
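
An added example, not part of isatapd or of this manual page: a Python check that a monitoring sensor could run over captured packets to flag proto-41 traffic crossing the site's IPv4 boundary, and link-local ISATAP sources whose embedded IPv4 address differs from the outer IPv4 source. The site prefix, the addresses and the function names are constructed for illustration, and single-homed ISATAP nodes are assumed.

```python
import ipaddress
import struct

# First four bytes of an ISATAP interface identifier (RFC 4214): 00-00-5E-FE,
# or 02-00-5E-FE when the embedded IPv4 address is globally unique.
ISATAP_IID = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")
LINK_LOCAL = b"\xfe\x80" + bytes(6)

def check_proto41(packet, site):
    """Verdict for one captured raw IPv4 packet; site is an IPv4Network."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "ignore: not IPv4"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "ignore: bad IPv4 header"
    if packet[9] != 41:
        return "ignore: not proto-41"
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    if (src in site) != (dst in site):
        return "drop: proto-41 crossing the network edge"
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "drop: malformed inner IPv6 header"
    v6src = inner[8:24]
    # Link-local ISATAP sources are never forwarded, so the IPv4 address
    # embedded in them must equal the outer IPv4 source.
    if v6src[:8] == LINK_LOCAL and v6src[8:12] in ISATAP_IID:
        if v6src[12:16] != packet[12:16]:
            return "drop: ISATAP source does not match outer IPv4 source"
    return "accept"

def build(src4, dst4, src6, dst6):
    """Construct a sample packet (checksum left at 0; it is not validated)."""
    v6 = struct.pack("!IHBB", 6 << 28, 0, 59, 64)
    v6 += ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed
    v4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6), 0, 0, 64, 41, 0)
    v4 += ipaddress.IPv4Address(src4).packed + ipaddress.IPv4Address(dst4).packed
    return v4 + v6

SITE = ipaddress.IPv4Network("192.0.2.0/24")      # constructed site prefix
ROUTER6 = "fe80::5efe:192.0.2.1"                  # constructed router address
if __name__ == "__main__":
    for s4, s6 in [("192.0.2.5", "fe80::5efe:192.0.2.5"),
                   ("203.0.113.9", "fe80::5efe:192.0.2.5"),
                   ("192.0.2.7", "fe80::5efe:192.0.2.5")]:
        print(s4, "->", check_proto41(build(s4, "192.0.2.1", s6, ROUTER6), SITE))
```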

Signals

SIGHUP Force a reload of the daemon.

SIGINT, SIGTERM Shut down the daemon.

SIGUSR1, SIGUSR2 Do nothing, might be used in future versions.

Files

/etc/isatapd.conf

The default configuration file.
/var/run/isatapd.pid
The process-id file.

See Also

isatapd.conf(5), ipv6(7), radvd(8), rdisc6(8)

Author

Rémi Denis-Courmont <rdenis at simphalempin.com>

$Id: isatapd.8-in 1849 2006-12-15 16:17:05Z remi $

http://www.simphalempin.com/dev/miredo/