Teredo tunneling
Encyclopedia
In computer network
ing, Teredo is a transition technology that gives full IPv6
connectivity for IPv6-capable hosts which are on the IPv4
Internet
but which have no direct native connection to an IPv6 network. Compared to other similar protocols its distinguishing feature is that it is able to perform its function even from behind network address translation
(NAT) devices such as home routers.
Teredo operates using a platform independent tunneling protocol
designed to provide IPv6
(Internet Protocol version 6) connectivity by encapsulating
IPv6 datagram packets within IPv4 User Datagram Protocol
(UDP) packets. These datagrams can be routed on the IPv4 Internet and through NAT devices. Other Teredo nodes elsewhere called Teredo relays that have access to the IPv6 network then receive the packets, unencapsulate them, and route them on.
Teredo is designed as a last resort transition technology and is intended to be a temporary measure: in the long term, all IPv6 hosts should use native IPv6 connectivity. Teredo should therefore be disabled when IPv6 connectivity becomes available.
Teredo was developed by Christian Huitema at Microsoft
, and was standardized in the IETF as RFC 4380. Teredo server listens on UDP port 3544.
, the most common IPv6 over IPv4 tunneling protocol, requires the tunnel endpoint to have a public IPv4 address. However, many hosts are currently attached to the IPv4 Internet through one or several NAT devices, usually because of IPv4 address shortage. In such a situation, the only available public IPv4 address is assigned to the NAT device, and the 6to4 tunnel endpoint needs to be implemented on the NAT device itself. Many NAT devices currently deployed, however, cannot be upgraded to implement 6to4, for technical or economic reasons.
Teredo alleviates this problem by encapsulating IPv6 packets within UDP/IPv4 datagrams, which most NATs can forward properly. Thus, IPv6-aware hosts behind NATs can be used as Teredo tunnel endpoints even when they don't have a dedicated public IPv4 address. In effect, a host implementing Teredo can gain IPv6 connectivity with no cooperation from the local network environment.
Teredo is intended to be a temporary measure: in the long term, all IPv6 hosts should use native IPv6 connectivity. The Teredo protocol includes provisions for a sunset procedure: Teredo implementation should provide a way to stop using Teredo connectivity when IPv6 has matured and connectivity becomes available using a less brittle mechanism.
The Teredo protocol performs several functions:
Teredo client : A host which has IPv4 connectivity to the internet from behind a NAT and uses the Teredo tunneling protocol to access the IPv6 Internet. Teredo clients are assigned an IPv6 address that starts with the Teredo prefix (
Teredo server : A well-known host which is used for initial configuration of a Teredo tunnel. A Teredo server never forwards any traffic for the client (apart from IPv6 pings), and has therefore very modest bandwidth requirements (a few hundred bits per second per client at most), which allows a single server to support large numbers of clients. Additionally, a Teredo server can be implemented in a fully stateless
manner, thus using the same amount of memory regardless of how many clients it supports.
Teredo relay : The remote end of a Teredo tunnel. A Teredo relay must forward all of the data on behalf of the Teredo clients it serves, with the exception of direct Teredo client to Teredo client exchanges. Therefore, a relay requires a lot of bandwidth and can only support a limited number of simultaneous clients. Each Teredo relay serves a range of IPv6 hosts (e.g. a single campus/company, an ISP
or a whole operator network, or even the whole IPv6 Internet); it forwards traffic between any Teredo clients and any host within said range.
Teredo host-specific relay : A Teredo relay whose range of service is limited to the very host it runs on. As such, it has no particular bandwidth or routing requirements. A computer with a host-specific relay will use Teredo to communicate with Teredo clients, but it will stick to its main IPv6 connectivity provider to reach the rest of the IPv6 Internet.
which is constructed as follows (the higher order bit is numbered 0):
Teredo IPv6 addressing table
As an example, the IPv6 address 2001:0000:4136:e378:8000:63bf:3fff:fdd2 refers to a Teredo client:
Teredo IPv6 example table
Teredo servers are used by Teredo clients to autodetect the kind of NAT behind which they are located (if any), through a simplified STUN-like qualification procedure. Teredo clients also maintain a binding on their NAT toward their Teredo server, by sending a UDP packet at regular time intervals. That ensures that the server can always contact any of its clients, which is required for hole punching
to work properly.
If a Teredo relay (or another Teredo client) has to send an IPv6 packet to a Teredo client, it will first send a Teredo bubble packet to the client's Teredo server, whose IP address can be inferred from the Teredo IPv6 address of the Teredo client. The server can then forward the bubble to the client, so the Teredo client software knows that hole punching must be done toward the Teredo relay.
Teredo servers can also transmit ICMPv6 packet from Teredo clients toward the IPv6 Internet. In practice, when a Teredo client wants to contact a native IPv6 node, it must find out where the corresponding Teredo relay is (i.e. which public IPv4 and UDP port number to send encapsulated IPv6 packets to). To do that, the client crafts an ICMPv6 Echo Request (ping) toward the IPv6 node, and sends it through its configured Teredo server. The Teredo server decapsulates the ping onto the IPv6 Internet, so that the ping should eventually reach the IPv6 node. The IPv6 node should then reply with an ICMPv6 Echo Reply, as mandated by RFC 2460. This reply packet will be routed to the closest Teredo relay, which will finally try to contact the Teredo client.
Maintaining a Teredo server requires little bandwidth because they are not involved into the actual transmission and reception of IPv6 traffic packets. Also, it does not involve any access to the Internet routing protocols. The only requirements for a Teredo server are:
Public teredo servers:
In practice, network administrators can set up a private Teredo relay for their company or campus; this will provide a short path between their IPv6 network and any Teredo client. However setting up a Teredo relay on a scale beyond that of a single network requires the ability to export BGP IPv6 routes to the other autonomous systems
(AS's).
Unlike 6to4
, where the two halves of a connection can use different relays, traffic between a native IPv6 and a Teredo host will use the same Teredo relay, namely the one that is closest to the native IPv6 host network-wise. The Teredo host cannot localize a relay by itself (since it cannot send IPv6 packets by itself); if it needs to initiate a connection to a native-v6 host, it will send the first packet through the Teredo server, which sends a packet to the native-v6 host using the client's Teredo IPv6 address. The native-v6 host then responds as usual to the client's Teredo IPv6 address, which will eventually cause the packet to find a Teredo relay, which will initiate a connection to the client (possibly using the Teredo server for NAT piercing). The relay is then used for communication between the two hosts for as long as is needed. This design means that neither the Teredo server nor client needs to know the IPv4 address of any Teredo relays; a suitable one is automatically found by means of the global IPv6 routing table, since all Teredo relays advertise the network 2001:0::/32.
On March 30, 2006, Italian ISP ITGate was the first AS to start advertising a route toward 2001::/32 on the IPv6 Internet, so that RFC 4380-compliant Teredo implementations would be fully usable. As of 16 February 2007, it is not functional.
In Q1 2009, IPv6 backbone Hurricane Electric
enabled 14 Teredo relays in an anycast
implementation and advertising 2001::/32 globally. The relays were located in Seattle, Fremont, Los Angeles, Chicago, Dallas, Toronto, New York, Ashburn, Miami, London, Paris, Amsterdam, Frankfurt and Hong Kong.
It is expected that large network operators will be maintaining Teredo relays. As with 6to4, it remains however unclear how well the Teredo service will scale up if a large proportion of Internet hosts start using IPv6 through Teredo in addition to IPv4.
While Microsoft has been operating a set of Teredo servers ever since the first Teredo pseudo-tunnel for Windows XP was released, it has never provided a Teredo relay service for the IPv6 Internet as a whole.
proposed SymTeredo which enhanced the original Teredo protocol to support symmetric NATs, and the Microsoft and Miredo implementations implement certain unspecified non-standard extensions to improve support for symmetric NATs. However, connectivity between a Teredo client behind a symmetric NAT, and a Teredo client behind a port-restricted or symmetric NAT remains seemingly impossible.
Indeed, Teredo assumes that when two clients exchange encapsulated IPv6 packets, the mapped/external UDP port numbers used will be the same as those that were used to contact the Teredo server (and building the Teredo IPv6 address). Without this assumption, it would not be possible to establish a direct communication between the two clients, and a costly relay would have to be used to perform triangle routing. A Teredo implementation tries to detect the type of NAT at startup, and will refuse to operate if the NAT appears to be symmetric. (This limitation can sometimes be worked around by manually configuring a port forwarding rule on the NAT box, which requires administrative access to the device).
Teredo can only provide a single IPv6 address per tunnel endpoint. As such, it is not possible to use a single Teredo tunnel to connect multiple hosts, contrary to 6to4 and some point-to-point IPv6 tunnels.
The bandwidth available to all Teredo clients toward the IPv6 Internet is limited by the availability of Teredo relays (which are no different in that respect from 6to4 relays).
requires a public IPv4 address, but provides a large 48-bit IPv6 prefix for each tunnel endpoint, and has a lower encapsulation overhead
.
Point-to-point tunnels can be more reliable and are more accountable than Teredo, and typically provides permanent IPv6 addresses that do not depend on the IPv4 address of the tunnel endpoint. Some point-to-point tunnel broker
s additionally support UDP encapsulation to traverse NATs (for instance, the AYIYA protocol can do this). On the other hand, point-to-point tunnels normally require registration. Automated tools (for instance AICCU
) exist to make it easy to use Point-to-Point tunnels.
by assigning globally routable IPv6 addresses to network hosts behind NAT devices, which are otherwise mostly unreachable from the Internet. By doing so, Teredo potentially exposes any IPv6-enabled application with an open port to the outside. It also exposes the IPv6 stack and the Teredo tunneling software to attacks should they have any remotely exploitable vulnerability.
The Microsoft IPv6 stack has a "protection level" socket
option. This allows applications to specify whether they are willing to handle traffic coming from the Teredo tunnel, from anywhere except Teredo (the default), or only from the local Intranet
.
Teredo tunneling software will detect a fatal error and stop if outgoing IPv4 UDP traffic is blocked. Also, blocking of outgoing traffic to UDP port 3544 can interfere with Teredo activity.
. The idea was that the protocol would pierce holes through NAT devices, much like the shipworms bore tunnels through wood. Shipworms are responsible for the loss of very many wooden hulls, but Christian Huitema in the original draft noted that "the animal only survives in relatively clean and unpolluted water; its recent comeback in several Northern American harbors is a testimony to their newly retrieved cleanliness. Similarly, by piercing holes through NAT, the service would contribute to a newly retrieved transparency of the Internet."
Christian Huitema quickly changed the name to Teredo to avoid confusion with computer worm
s. Teredo navalis is the Latin name of one of the best known species of shipworm.
Computer network
A computer network, often simply referred to as a network, is a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information....
ing, Teredo is a transition technology that gives full IPv6
IPv6
Internet Protocol version 6 is a version of the Internet Protocol . It is designed to succeed the Internet Protocol version 4...
connectivity for IPv6-capable hosts which are on the IPv4
IPv4
Internet Protocol version 4 is the fourth revision in the development of the Internet Protocol and the first version of the protocol to be widely deployed. Together with IPv6, it is at the core of standards-based internetworking methods of the Internet...
Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
but which have no direct native connection to an IPv6 network. Compared to other similar protocols its distinguishing feature is that it is able to perform its function even from behind network address translation
Network address translation
In computer networking, network address translation is the process of modifying IP address information in IP packet headers while in transit across a traffic routing device....
(NAT) devices such as home routers.
Teredo operates using a platform independent tunneling protocol
Tunneling protocol
Computer networks use a tunneling protocol when one network protocol encapsulates a different payload protocol...
designed to provide IPv6
IPv6
Internet Protocol version 6 is a version of the Internet Protocol . It is designed to succeed the Internet Protocol version 4...
(Internet Protocol version 6) connectivity by encapsulating
Encapsulation (networking)
In computer networking, encapsulation is a method of designing modular communication protocols in which logically separate functions in the network are abstracted from their underlying structures by inclusion or information hiding within higher level objects....
IPv6 datagram packets within IPv4 User Datagram Protocol
User Datagram Protocol
The User Datagram Protocol is one of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol network without requiring...
(UDP) packets. These datagrams can be routed on the IPv4 Internet and through NAT devices. Other Teredo nodes elsewhere called Teredo relays that have access to the IPv6 network then receive the packets, unencapsulate them, and route them on.
Teredo is designed as a last resort transition technology and is intended to be a temporary measure: in the long term, all IPv6 hosts should use native IPv6 connectivity. Teredo should therefore be disabled when IPv6 connectivity becomes available.
Teredo was developed by Christian Huitema at Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
, and was standardized in the IETF as RFC 4380. Teredo server listens on UDP port 3544.
Purpose
6to46to4
6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network without the need to configure explicit tunnels...
, the most common IPv6 over IPv4 tunneling protocol, requires the tunnel endpoint to have a public IPv4 address. However, many hosts are currently attached to the IPv4 Internet through one or several NAT devices, usually because of IPv4 address shortage. In such a situation, the only available public IPv4 address is assigned to the NAT device, and the 6to4 tunnel endpoint needs to be implemented on the NAT device itself. Many NAT devices currently deployed, however, cannot be upgraded to implement 6to4, for technical or economic reasons.
Teredo alleviates this problem by encapsulating IPv6 packets within UDP/IPv4 datagrams, which most NATs can forward properly. Thus, IPv6-aware hosts behind NATs can be used as Teredo tunnel endpoints even when they don't have a dedicated public IPv4 address. In effect, a host implementing Teredo can gain IPv6 connectivity with no cooperation from the local network environment.
Teredo is intended to be a temporary measure: in the long term, all IPv6 hosts should use native IPv6 connectivity. The Teredo protocol includes provisions for a sunset procedure: Teredo implementation should provide a way to stop using Teredo connectivity when IPv6 has matured and connectivity becomes available using a less brittle mechanism.
Overview
- For a complete explanation, see Teredo Overview in External links.
The Teredo protocol performs several functions:
- Diagnoses UDP over IPv4 (UDPv4) connectivity and discovers the kind of NAT present (using a simplified replacement to the STUNSTUNSTUN is a standardized set of methods, including a network protocol, used in NAT traversal for applications of real-time voice, video, messaging, and other interactive IP communications....
protocol) - Assigns a globally routable unique IPv6 address to each host using it
- Encapsulates IPv6 packets inside UDPv4 datagrams for transmission over an IPv4 network (this includes NAT traversalNAT traversalNAT traversal is a general term for techniques that establish and maintain Internet protocol connections traversing network address translation gateways. Network address translation breaks end-to-end connectivity. Intercepting and modifying traffic can only be performed transparently in the...
) - Routes traffic between Teredo hosts and native (or otherwise non-Teredo) IPv6 hosts
Node types
Teredo defines several different kinds of node:Teredo client : A host which has IPv4 connectivity to the internet from behind a NAT and uses the Teredo tunneling protocol to access the IPv6 Internet. Teredo clients are assigned an IPv6 address that starts with the Teredo prefix (
2001:0::/32).Teredo server : A well-known host which is used for initial configuration of a Teredo tunnel. A Teredo server never forwards any traffic for the client (apart from IPv6 pings), and has therefore very modest bandwidth requirements (a few hundred bits per second per client at most), which allows a single server to support large numbers of clients. Additionally, a Teredo server can be implemented in a fully stateless
Stateless server
In computing, a stateless protocol is a communications protocol that treats each request as an independent transaction that is unrelated to any previous request so that the communication consists of independent pairs of requests and responses...
manner, thus using the same amount of memory regardless of how many clients it supports.
Teredo relay : The remote end of a Teredo tunnel. A Teredo relay must forward all of the data on behalf of the Teredo clients it serves, with the exception of direct Teredo client to Teredo client exchanges. Therefore, a relay requires a lot of bandwidth and can only support a limited number of simultaneous clients. Each Teredo relay serves a range of IPv6 hosts (e.g. a single campus/company, an ISP
Internet service provider
An Internet service provider is a company that provides access to the Internet. Access ISPs directly connect customers to the Internet using copper wires, wireless or fiber-optic connections. Hosting ISPs lease server space for smaller businesses and host other people servers...
or a whole operator network, or even the whole IPv6 Internet); it forwards traffic between any Teredo clients and any host within said range.
Teredo host-specific relay : A Teredo relay whose range of service is limited to the very host it runs on. As such, it has no particular bandwidth or routing requirements. A computer with a host-specific relay will use Teredo to communicate with Teredo clients, but it will stick to its main IPv6 connectivity provider to reach the rest of the IPv6 Internet.
IPv6 addressing
Each Teredo client is assigned a public IPv6 addressIPv6 address
An Internet Protocol Version 6 address is a numerical label that is used to identify a network interface of a computer or other network node participating in an IPv6-enabled computer network....
which is constructed as follows (the higher order bit is numbered 0):
- Bits 0 to 31 are set to the Teredo prefix (normally 2001:0000::/32).
- Bits 32 to 63 embed the primary IPv4 address of the Teredo server that is used.
- Bits 64 to 79 can be used to define some flags. Currently only the higher order bit is used; it is set to 1 if the Teredo client is located behind a cone NAT, 0 otherwise. For Microsoft's Windows Vista and Windows Server 2008 implementations, more bits are used. In those implementations, the format for these 16 bits is "CRAAAAUG AAAAAAAA", where "C" remains the "Cone" flag. The "R" bit is reserved for future use. The "U" bit is for the Universal/Local flag (set to 0). The "G" bit is Individual/Group flag (set to 0). The A bits are set to a 12-bit randomly generated number chosen by the Teredo client to introduce additional protection for the Teredo node against IPv6-based scanning attacks.
- Bits 80 to 95 contains the obfuscated UDP port number. This is the port number that is mapped by the NAT to the Teredo client with all bits inverted.
- Bits 96 to 127 contains the obfuscated IPv4 address. This is the public IPv4 address of the NAT with all bits inverted.
Teredo IPv6 addressing table
| Bits | 0 - 31 | 32 - 63 | 64 - 79 | 80 - 95 | 96 - 127 |
|---|---|---|---|---|---|
| Length | 32 bits | 32 bits | 16 bits | 16 bits | 32 bits |
| Description | Prefix | Teredoserver IPv4 | Flags | ObfuscatedUDP port | Client public IPv4 |
As an example, the IPv6 address 2001:0000:4136:e378:8000:63bf:3fff:fdd2 refers to a Teredo client:
- using Teredo server at address 65.54.227.120 (4136e378 in hexadecimalHexadecimalIn mathematics and computer science, hexadecimal is a positional numeral system with a radix, or base, of 16. It uses sixteen distinct symbols, most often the symbols 0–9 to represent values zero to nine, and A, B, C, D, E, F to represent values ten to fifteen...
), - located behind a cone NAT (bit 64 is set),
- using UDP mapped port 40000 on its NAT (in hexadecimal 63bf xor ffff equals 9c40, or decimal number 40000),
- whose NAT has public IPv4 address 192.0.2.45 (3ffffdd2 xor ffffffff equals c000022d, which is to say 192.0.2.45).
Teredo IPv6 example table
| Bits | 0 - 31 | 32 - 63 | 64 - 79 | 80 - 95 | 96 - 127 |
|---|---|---|---|---|---|
| Length | 32 bits | 32 bits | 16 bits | 16 bits | 32 bits |
| Description | Prefix | Teredoserver IPv4 | Flags | ObfuscatedUDP port | Client public IPv4 |
| Part | 2001:0000 | 4136:e378 | 8000 | 63bf | 3fff:fdd2 |
| Decoded | 65.54.227.120 | cone NAT | 40000 | 192.0.2.45 |
Servers
- For a list of existing Teredo servers, see the list in External links.
Teredo servers are used by Teredo clients to autodetect the kind of NAT behind which they are located (if any), through a simplified STUN-like qualification procedure. Teredo clients also maintain a binding on their NAT toward their Teredo server, by sending a UDP packet at regular time intervals. That ensures that the server can always contact any of its clients, which is required for hole punching
Hole punching
Hole punching is a computer networking technique for establishing communications between two parties in separate organizations who are both behind restrictive firewalls. Used for applications such as online gaming, P2P and VoIP, both clients establish a connection with an unrestricted third-party...
to work properly.
If a Teredo relay (or another Teredo client) has to send an IPv6 packet to a Teredo client, it will first send a Teredo bubble packet to the client's Teredo server, whose IP address can be inferred from the Teredo IPv6 address of the Teredo client. The server can then forward the bubble to the client, so the Teredo client software knows that hole punching must be done toward the Teredo relay.
Teredo servers can also transmit ICMPv6 packet from Teredo clients toward the IPv6 Internet. In practice, when a Teredo client wants to contact a native IPv6 node, it must find out where the corresponding Teredo relay is (i.e. which public IPv4 and UDP port number to send encapsulated IPv6 packets to). To do that, the client crafts an ICMPv6 Echo Request (ping) toward the IPv6 node, and sends it through its configured Teredo server. The Teredo server decapsulates the ping onto the IPv6 Internet, so that the ping should eventually reach the IPv6 node. The IPv6 node should then reply with an ICMPv6 Echo Reply, as mandated by RFC 2460. This reply packet will be routed to the closest Teredo relay, which will finally try to contact the Teredo client.
Maintaining a Teredo server requires little bandwidth because they are not involved into the actual transmission and reception of IPv6 traffic packets. Also, it does not involve any access to the Internet routing protocols. The only requirements for a Teredo server are:
- the ability to emit ICMPv6 packets with a source address belonging to the Teredo prefix
- two distinct public IPv4 addresses (although not written down in the official specification, Microsoft Windows clients expect both addresses to be consecutive); the second IPv4 address is needed for the purpose of NAT detection
Public teredo servers:
- teredo.remlab.net / teredo-debian.remlab.net (France)
- teredo.autotrans.consulintel.com (Spain)
- teredo.ipv6.microsoft.com (USA, Redmond) (default for WindowsXP/2003/Vista/2008 OS)
- teredo.ngix.ne.kr (South Korea)
- teredo.managemydedi.com (USA, Chicago)
- teredo.trex.fi (Finland)
Relays
A Teredo relay potentially requires a lot of network bandwidth. Also, it must export (advertise) a route toward the Teredo IPv6 prefix (2001:0::/32) to other IPv6 hosts. That way, the Teredo relay will receive traffic from the IPv6 hosts addressed to any Teredo client, and forward it over UDP/IPv4. Symmetrically, it will receive packets from Teredo clients addressed to native IPv6 hosts over UDP/IPv4 and inject those into the native IPv6 network.In practice, network administrators can set up a private Teredo relay for their company or campus; this will provide a short path between their IPv6 network and any Teredo client. However setting up a Teredo relay on a scale beyond that of a single network requires the ability to export BGP IPv6 routes to the other autonomous systems
Autonomous system (Internet)
Within the Internet, an Autonomous System is a collection of connected Internet Protocol routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet....
(AS's).
Unlike 6to4
6to4
6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network without the need to configure explicit tunnels...
, where the two halves of a connection can use different relays, traffic between a native IPv6 and a Teredo host will use the same Teredo relay, namely the one that is closest to the native IPv6 host network-wise. The Teredo host cannot localize a relay by itself (since it cannot send IPv6 packets by itself); if it needs to initiate a connection to a native-v6 host, it will send the first packet through the Teredo server, which sends a packet to the native-v6 host using the client's Teredo IPv6 address. The native-v6 host then responds as usual to the client's Teredo IPv6 address, which will eventually cause the packet to find a Teredo relay, which will initiate a connection to the client (possibly using the Teredo server for NAT piercing). The relay is then used for communication between the two hosts for as long as is needed. This design means that neither the Teredo server nor client needs to know the IPv4 address of any Teredo relays; a suitable one is automatically found by means of the global IPv6 routing table, since all Teredo relays advertise the network 2001:0::/32.
- For near-realtime information on Teredo and BGP, see the External links.
On March 30, 2006, Italian ISP ITGate was the first AS to start advertising a route toward 2001::/32 on the IPv6 Internet, so that RFC 4380-compliant Teredo implementations would be fully usable. As of 16 February 2007, it is not functional.
In Q1 2009, IPv6 backbone Hurricane Electric
Hurricane Electric
Hurricane Electric is a global Internet backbone , with a specific focus on IPv6. Hurricane Electric operates datacenters in the San Francisco Bay Area, primarily within the city of Fremont...
enabled 14 Teredo relays in an anycast
Anycast
Anycast is a network addressing and routing methodology in which datagrams from a single sender are routed to the topologically nearest node in a group of potential receivers all identified by the same destination address.-Addressing methodologies:...
implementation and advertising 2001::/32 globally. The relays were located in Seattle, Fremont, Los Angeles, Chicago, Dallas, Toronto, New York, Ashburn, Miami, London, Paris, Amsterdam, Frankfurt and Hong Kong.
It is expected that large network operators will be maintaining Teredo relays. As with 6to4, it remains however unclear how well the Teredo service will scale up if a large proportion of Internet hosts start using IPv6 through Teredo in addition to IPv4.
While Microsoft has been operating a set of Teredo servers ever since the first Teredo pseudo-tunnel for Windows XP was released, it has never provided a Teredo relay service for the IPv6 Internet as a whole.
Limitations
Teredo is not compatible with all NAT devices. Using the terminology of RFC 3489, full cone, restricted and port-restricted NAT devices are supported, while symmetric NATs are not. National Chiao Tung UniversityNational Chiao Tung University
National Chiao Tung University is a public university located in Hsinchu, Taiwan. It is recognized as one of the most prestigious and selective universities in Taiwan and is renowned for its research and teaching excellence in electrical engineering, computer science, engineering, management, and...
proposed SymTeredo which enhanced the original Teredo protocol to support symmetric NATs, and the Microsoft and Miredo implementations implement certain unspecified non-standard extensions to improve support for symmetric NATs. However, connectivity between a Teredo client behind a symmetric NAT, and a Teredo client behind a port-restricted or symmetric NAT remains seemingly impossible.
Indeed, Teredo assumes that when two clients exchange encapsulated IPv6 packets, the mapped/external UDP port numbers used will be the same as those that were used to contact the Teredo server (and building the Teredo IPv6 address). Without this assumption, it would not be possible to establish a direct communication between the two clients, and a costly relay would have to be used to perform triangle routing. A Teredo implementation tries to detect the type of NAT at startup, and will refuse to operate if the NAT appears to be symmetric. (This limitation can sometimes be worked around by manually configuring a port forwarding rule on the NAT box, which requires administrative access to the device).
Teredo can only provide a single IPv6 address per tunnel endpoint. As such, it is not possible to use a single Teredo tunnel to connect multiple hosts, contrary to 6to4 and some point-to-point IPv6 tunnels.
The bandwidth available to all Teredo clients toward the IPv6 Internet is limited by the availability of Teredo relays (which are no different in that respect from 6to4 relays).
Alternatives
6to46to4
6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network without the need to configure explicit tunnels...
requires a public IPv4 address, but provides a large 48-bit IPv6 prefix for each tunnel endpoint, and has a lower encapsulation overhead
Computational overhead
In computer science, overhead is generally considered any combination of excess or indirect computation time, memory, bandwidth, or other resources that are required to attain a particular goal...
.
Point-to-point tunnels can be more reliable and are more accountable than Teredo, and typically provides permanent IPv6 addresses that do not depend on the IPv4 address of the tunnel endpoint. Some point-to-point tunnel broker
Tunnel broker
In the context of computer networking, a tunnel broker is a service which provides a network tunnel. These tunnels can provide encapsulated connectivity over existing infrastructure to a new infrastructure....
s additionally support UDP encapsulation to traverse NATs (for instance, the AYIYA protocol can do this). On the other hand, point-to-point tunnels normally require registration. Automated tools (for instance AICCU
AICCU
AICCU is a popular cross-platform utility for automatically configuring an IPv6 tunnel. It is free software available under a BSD license. The utility is originally provided for the SixXS Tunnel Broker but it can also be used by a variety of other tunnel brokers.-History and development:AICCU is...
) exist to make it easy to use Point-to-Point tunnels.
Exposure
Teredo increases the attack surfaceAttack surface
The attack surface of a software environment is the code within a computer system that can be run by unauthenticated users. This includes, but is not limited to: user input fields, protocols, interfaces, and services....
by assigning globally routable IPv6 addresses to network hosts behind NAT devices, which are otherwise mostly unreachable from the Internet. By doing so, Teredo potentially exposes any IPv6-enabled application with an open port to the outside. It also exposes the IPv6 stack and the Teredo tunneling software to attacks should they have any remotely exploitable vulnerability.
The Microsoft IPv6 stack has a "protection level" socket
Berkeley sockets
The Berkeley sockets application programming interface comprises a library for developing applications in the C programming language that perform inter-process communication, most commonly for communications across a computer network....
option. This allows applications to specify whether they are willing to handle traffic coming from the Teredo tunnel, from anywhere except Teredo (the default), or only from the local Intranet
Intranet
An intranet is a computer network that uses Internet Protocol technology to securely share any part of an organization's information or network operating system within that organization. The term is used in contrast to internet, a network between organizations, and instead refers to a network...
.
Firewalling, filtering, and blocking
For a Teredo pseudo-tunnel to operate properly, outgoing UDP packets must not be filtered. Moreover, replies to these packets (i.e. "solicited traffic") must also not be filtered. This corresponds to the typical setup of a NAT and its stateful firewall functionality.Teredo tunneling software will detect a fatal error and stop if outgoing IPv4 UDP traffic is blocked. Also, blocking of outgoing traffic to UDP port 3544 can interfere with Teredo activity.
DoS via routing loops
Some new methods to create denial of service attacks via routing loops using Teredo tunnels have been uncovered recently. They are relatively easy to prevent.Implementations
Several implementations of Teredo are currently available:- Windows XP SP2 includes a client and host-specific relay (also in the Advanced Networking Pack for Service Pack 1).
- Windows Server 2003Windows Server 2003Windows Server 2003 is a server operating system produced by Microsoft, introduced on 24 April 2003. An updated version, Windows Server 2003 R2, was released to manufacturing on 6 December 2005...
has a relay and server provided under the MicrosoftMicrosoftMicrosoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
Beta program. - Windows VistaWindows VistaWindows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
and Windows 7 have built-in support for Teredo with an unspecified extension for symmetric NAT traversal. However, if there is only a link-local and teredo address present, these operating systems will not attempt to resolve ipv6 DNS AAAA records if a DNS A record is present, in which case IPv4 will be used. Therefore, typically only literal IPv6 URLs will use teredohttp://www.potaroo.net/ispcol/2011-04/teredo.html. In the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Parameters, add a DWORD value: AddrConfigControl = 0, and IPv6 will work over teredo. - MiredoMiredoMiredo is an open-source Teredo IPv6 tunneling software included in many Linux and BSD operating systems and is also available for recent versions of Mac OS X.It includes working implementations of:* a Teredo client,* a Teredo relay and* a Teredo server....
is a client, relay and server for LinuxLinuxLinux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
, *BSD and Mac OS XMac OS XMac OS X is a series of Unix-based operating systems and graphical user interfaces developed, marketed, and sold by Apple Inc. Since 2002, has been included with all new Macintosh computer systems...
, - ng_teredo is a relay and server based on netgraphNetgraphnetgraph is the graph based kernel networking subsystem of FreeBSD. Netgraph provides support for L2TP, PPTP, ATM, bluetooth using a modular set of nodes that are the graph.Netgraph has also been ported on other Operating Systems:...
for FreeBSDFreeBSDFreeBSD is a free Unix-like operating system descended from AT&T UNIX via BSD UNIX. Although for legal reasons FreeBSD cannot be called “UNIX”, as the direct descendant of BSD UNIX , FreeBSD’s internals and system APIs are UNIX-compliant...
from the LIP6LIP6The Laboratoire d'Informatique de Paris 6, or LIP6, the computer science laboratory of Pierre & Marie Curie University , is a joint research laboratory of UPMC and CNRS, the French national research organization. It was founded in January, 1997, with the fusion of three smaller laboratories:...
University and 6WIND. - NICI-Teredo is a relay for the Linux kernelLinux kernelThe Linux kernel is an operating system kernel used by the Linux family of Unix-like operating systems. It is one of the most prominent examples of free and open source software....
and a userland Teredo server, developed at the National Chiao Tung University.
Choice of the name
The initial nickname of the Teredo tunneling protocol was shipwormShipworm
Shipworms are not worms at all, but rather a group of unusual saltwater clams with very small shells, notorious for boring into wooden structures that are immersed in sea water, such as piers, docks and wooden ships...
. The idea was that the protocol would pierce holes through NAT devices, much like the shipworms bore tunnels through wood. Shipworms are responsible for the loss of very many wooden hulls, but Christian Huitema in the original draft noted that "the animal only survives in relatively clean and unpolluted water; its recent comeback in several Northern American harbors is a testimony to their newly retrieved cleanliness. Similarly, by piercing holes through NAT, the service would contribute to a newly retrieved transparency of the Internet."
Christian Huitema quickly changed the name to Teredo to avoid confusion with computer worm
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
s. Teredo navalis is the Latin name of one of the best known species of shipworm.
External links
- Teredo Overview on Microsoft TechNet
- Teredo relays: list of Teredo relays on BGPmon.net
- Current anycast Teredo BGP routes
- TEREDO-MNT: list of operators advertising the Teredo prefix via BGP
- List of Teredo servers maintained by SixXS
- Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs). RFC 4380, C. Huitema. February 2006.