Last month I had the opportunity to work with a company to perform an IPv6 pilot. There are a lot of elements to light up for an organization to use IPv6, most of them (but not all) being technical in nature. One of the mechanisms I used was ISATAP.
In the past I have not given ISATAP much attention. It’s baked into all modern versions of Windows and left in its default state, which means a host will try to resolve the name isatap (with its DNS suffixes appended) and configure a tunnel interface against whatever answers. Much of my IPv6 attention focused on how to turn it off. In the config of my network gear I turn off (or don’t configure) features that are not used. Using that same logic, why not turn off parts of the Windows networking stack that are not in use? It will simplify troubleshooting, reduce the configuration surface and eliminate a possible attack vector: a transition mechanism nobody is watching, driven by whatever answers a name lookup.
netsh interface isatap show state
netsh interface isatap set state disabled
I feel we as network engineers should not be afraid to work with the Windows people and understand their systems. The NICs and network stacks within these Windows machines are arguably part of the network. Not knowing what they are doing is a handicap. So I always recommend getting to know the Windows admins within any organization. Talk to them about the protocols that are in use. If ISATAP is not going to be used, I think you can convince them that turning it off is a great idea. KISS.
There is a PowerShell equivalent that does the same thing as the netsh command. These cmdlets live in the NetworkTransition module, which only ships with Windows 8 / Server 2012 and later, so on a mixed fleet I lean towards using the netsh version.
Get-NetIsatapConfiguration
Set-NetIsatapConfiguration -State Disabled
Your Microsoft admin people will know the best way to roll these commands out to hundreds or thousands of machines. There is also a Group Policy setting that does the job: Computer Configuration > Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies > Set ISATAP State, set to Disabled State. As a network engineer you don’t need to be a Windows expert, but knowing about how Windows interacts with the network goes a long way.
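As an added example (my own script, not part of the original post or anything Microsoft ships), here is how the two steps above can be combined into one remote audit-and-disable pass. It assumes PowerShell remoting is enabled, that you have local administrator rights on the targets, and that the host names in $Computers are placeholders for your own inventory. It prefers the NetworkTransition cmdlets where they exist, falls back to netsh on older builds, and reports whether the name isatap still resolves, since that resolution is what activates ISATAP on hosts left in the default state.

```powershell
# Added example: audit and disable ISATAP across a set of Windows hosts.
# Assumptions: WinRM enabled, caller is local admin on each target,
# host names below are placeholders for your own inventory.
$Computers = @('ws01', 'ws02')

$ScriptBlock = {
    $result = [ordered]@{
        Computer      = $env:COMPUTERNAME
        Method        = $null
        Before        = $null
        After         = $null
        IsatapIfs     = @()
        IsatapResolve = $null
    }

    # Prefer the NetworkTransition cmdlets (Windows 8 / Server 2012 and later);
    # fall back to netsh on older builds where they are not present.
    if (Get-Command Get-NetIsatapConfiguration -ErrorAction SilentlyContinue) {
        $result.Method = 'PowerShell'
        $result.Before = (Get-NetIsatapConfiguration).State
        if ($result.Before -ne 'Disabled') {
            Set-NetIsatapConfiguration -State Disabled
        }
        $result.After = (Get-NetIsatapConfiguration).State
    }
    else {
        $result.Method = 'netsh'
        $result.Before = (netsh interface isatap show state) -join ' '
        if ($result.Before -notmatch 'disabled') {
            netsh interface isatap set state disabled | Out-Null
        }
        $result.After = (netsh interface isatap show state) -join ' '
    }

    # Any ISATAP tunnel adapter still present is a sign the change has not
    # taken effect yet. Get-NetAdapter also only exists on Windows 8+.
    if (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue) {
        $result.IsatapIfs = @(Get-NetAdapter -IncludeHidden |
            Where-Object { $_.InterfaceDescription -match 'ISATAP' } |
            Select-Object -ExpandProperty Name)
    }

    # Does the single-label name "isatap" resolve from this host? If it does,
    # any machine still in the Default state will build a tunnel to that address.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses('isatap')
        $result.IsatapResolve = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ','
    }
    catch {
        $result.IsatapResolve = 'no'
    }

    [pscustomobject]$result
}

Invoke-Command -ComputerName $Computers -ScriptBlock $ScriptBlock |
    Select-Object Computer, Method, Before, After, IsatapIfs, IsatapResolve |
    Format-Table -AutoSize
```

Run it once before a change window to see the Before column, then again afterwards; hosts that still show an adapter in IsatapIfs or a state other than Disabled are the ones to hand to the Windows admins. Disabling ISATAP on the host does not stop it from resolving isatap, so a non-empty IsatapResolve column is worth a conversation with whoever owns DNS.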
Great. Now we know how to turn off ISATAP. In Part 2 we’ll find out how we can turn it on and interact with our Cisco gear.