Teredo - a Little Worm That Bores Holes in your Firewall

Teredo is an automated tunneling mechanism based on 6in4 for obtaining access to the IPv6 Internet from a single node in an IPv4-only network. It includes NAT Traversal, so that it can work even behind a NAT44 gateway. It is specified in RFC 4380, "Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)", February 2006.

Teredo is a variant of 6to4 tunneling. It still uses Protocol 41 6in4 tunneling way down under. It adds encapsulation over UDP datagrams and a simplified version of STUN NAT Traversal, which allows the Teredo client to work behind an RFC 1918 private address (no public address is required, as is the case with 6in4 and 6to4 tunneling). Teredo servers listen on port udp/3544, and use addresses in 2001::/32 (these facts are useful if you want to block internal nodes from using Teredo - some firewalls allow you to block all protocol 41 traffic from internal nodes).

Teredo is installed in all copies of Windows Vista and later. It is possible to disable it, but this is not a simple GUI configuration option in off-the-shelf Windows. If your Windows node is a member of a Microsoft network domain (not a workgroup), then Teredo is disabled. If your node is not a member of a Microsoft domain (even if it is a member of a Microsoft network workgroup), then Teredo is enabled.

The name teredo is the scientific term (genus) of a small animal commonly called a shipworm, a nasty little creature that bores holes in wooden ship hulls or piers, causing extensive damage. Teredo will happily bore holes in your host-based firewall, using Plug-n-play, and unless your firewall knows about NAT traversal and Teredo, and has mechanisms to block it, Teredo typically goes right through your border gateway as well. Once a connection is open, traffic can go both ways, and there is no inspection of that traffic by the host-based firewall. The 6to4 tunnel in Windows will work only if your node has a public IPv4 address (not likely these days). ISATAP requires some DNS configuration to work. But unless your node is a member of a Microsoft network domain, you may well be using IPv6 via Teredo right now and not even know it. Tunnels should only be used between the tunneled service provider and your border gateway - they should never be allowed to cross the border gateway to internal nodes, unless the gateway can inspect and control everything going through them. Unfortunately this is the way Teredo was designed to work.

I've heard a talk by a guy from Google who was involved in turning IPv6 on for YouTube. They decided to quietly enable it with no announcement to see how it worked. Their counters were set to track up to 1,000 simultaneous connections, because they couldn't imagine that many people would try connecting over IPv6 by accident. When they turned it on, their counters immediately pegged. They increased it to 10,000 then 100,000 and still they pegged. When they increased it to 1,000,000, it no longer pegged, but showed about 250,000 connections. They could not imagine how that many people discovered it was available over IPv6 (perhaps someone leaked it?). Then they noticed something interesting - almost all of the connections were from addresses in the range 2001::/32. They were from Teredo tunnels. Most of those connections were from people who probably had no idea they were using IPv6.


Analysis of IPv6 Connection Types over a Six Year Period

These statistics are from data collected by Eric Vyncke. They involve tens of thousands of connections to a site since 2008. During that time, Teredo usage (as a percentage of all IPv6 traffic) has stayed around 50%, with one peak to 60% in 2012 (probably related to IPv6 World Day). The breakdown by year and connection type is as follows (note that "native" includes 6in4, since there is no way to tell the difference).

Year   Native   Teredo   6to4    Free.fr   ISATAP
2008   21.75    35.57    21.89   18.29     2.50
2009   23.78    46.68    18.07    9.99     1.48
2010   25.53    48.37    19.80    5.70     0.60
2011   27.06    53.92    16.78    1.94     0.30
2012   24.07    60.48    14.14    1.12     0.19
2013   37.86    48.50    12.16    1.40     0.08

Native connections had been around 20-25%, but suddenly jumped to almost 40% in 2013. Teredo is remaining at about 50% (with a peak in 2012 to 60%). 6to4 has decreased from about 22% to just over 12%. Free.fr users have been declining as a percent of the total, because the others have grown a lot. 6in4 and 6rd cannot be distinguished from native. ISATAP started small and has almost vanished.


Technical Features of Teredo

Unlike 6to4 or 6in4, Teredo only allows obtaining a single "/128" IPv6 address (it can't route an entire /64 or larger block). It is designed to work from internal nodes, not a border gateway. Each internal node will build its own tunnel.

Teredo uses yet another addressing scheme. Unlike 6to4 which uses the entire 2002::/16 address block, Teredo uses only a /32 block, which is 2001:0000::/32.

Bits 0-31 contain the Teredo prefix, 2001:0000::/32.

Bits 32-63 contain the IPv4 address of the Teredo server used.

Bits 64-79 contain various flags. Currently, only the most significant bit (bit 64) is documented. If this is set to 1, the client is behind Hide-mode NAT44, otherwise the node address is public (and STUN NAT Traversal is not used). Microsoft's implementation may use additional bits, but these are not documented in the RFC.

Bits 80-95 contain the obfuscated UDP port number (the port number mapped by NAT, with all bits inverted).

Bits 96-127 contain the obfuscated IPv4 address of the node as seen by external nodes (i.e. public IPv4 address of the NAT gateway, with all bits inverted).

For example, the Teredo address 2001:0:4136:e378:8000:63bf:3fff:fdd2 is interpreted as follows:

Bits 0-31 contain the Teredo prefix, 2001:0000::/32.

Bits 32-63 contain 0x4136e378, which interpreted in dotted decimal is 65.54.227.120 (the address of a Teredo server).

Bits 64-79 contain 0x8000, so the node is behind Hide-mode NAT44.

Bits 80-95 contain 0x63bf. If you invert the bits, and display the result in decimal, this is port 40,000.

Bits 96-127 contain 0x3ffffdd2. If you invert the bits, and display in dotted decimal, this is 192.0.2.45, which is the public IPv4 address this node is behind (this is the address the user would see on whatismyipaddress.com).

The "obfuscating" (intentional garbling) of the port and address are not for security purposes - the "encryption" scheme is public knowledge and trivial to undo (just invert the bits). The reason it is done is to keep firewalls that do deep packet inspection from getting confused. They must have a low opinion of firewall designers.
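As an added example (not code from the article), the following Python decoder applies the field layout above to an address and undoes the bit inversion, and it also classifies addresses by connection type the way the statistics section earlier does (Teredo 2001::/32, 6to4 2002::/16, ISATAP, everything else counted as native). The ISATAP check uses the 0000:5efe / 0200:5efe interface identifier from RFC 5214, which the article does not spell out; the sample client list is constructed, with the two Teredo entries taken from the addresses quoted on this page.

```python
"""Decode Teredo addresses and classify IPv6 addresses by transition type.

Added example, not code from the article. Field offsets follow the layout
described in the text (RFC 4380); the ISATAP check uses the 0000:5efe /
0200:5efe interface identifier from RFC 5214.
"""
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")
CONE_FLAG = 0x8000  # the one documented flag bit (bit 64 of the address)


def decode_teredo(addr: str) -> dict:
    """Split a Teredo address into server, flags, NAT-mapped port and public client IPv4.

    Bits 0-31   Teredo prefix 2001:0000::/32
    Bits 32-63  IPv4 address of the Teredo server
    Bits 64-79  flags (only the top bit is documented)
    Bits 80-95  obfuscated UDP port (all bits inverted)
    Bits 96-127 obfuscated public IPv4 address (all bits inverted)
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    n = int(ip)                       # 128-bit integer; bit 0 is the most significant
    server = (n >> 64) & 0xFFFFFFFF
    flags = (n >> 48) & 0xFFFF
    port = (n >> 32) & 0xFFFF
    client = n & 0xFFFFFFFF
    return {
        "server": str(ipaddress.IPv4Address(server)),
        "flags": flags,
        "cone_flag": bool(flags & CONE_FLAG),
        "port": port ^ 0xFFFF,                                   # undo the obfuscation
        "client": str(ipaddress.IPv4Address(client ^ 0xFFFFFFFF)),
    }


def classify(addr: str) -> str:
    """Label an address as teredo, 6to4, isatap or native.

    As the article notes, "native" necessarily includes 6in4 and 6rd, which
    cannot be told apart from native addresses.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip in TEREDO_PREFIX:
        return "teredo"
    if ip in SIXTOFOUR_PREFIX:
        return "6to4"
    iid_high = (int(ip) >> 32) & 0xFFFFFFFF      # upper half of the interface identifier
    if iid_high in (0x00005EFE, 0x02005EFE):     # ISATAP: ::[02]00:5efe:w.x.y.z
        return "isatap"
    return "native"


def tally(addresses) -> dict:
    """Percentage breakdown by connection type, like the statistics table."""
    counts = {}
    for a in addresses:
        kind = classify(a)
        counts[kind] = counts.get(kind, 0) + 1
    total = len(addresses) or 1
    return {k: round(100.0 * v / total, 2) for k, v in counts.items()}


# Constructed sample of client addresses (not real traffic); the two Teredo
# entries are the addresses quoted in the article.
SAMPLE_CLIENTS = [
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",   # Teredo, the worked example above
    "2001:0:4137:9e76:1035:b56:83ac:c744",    # Teredo, the Windows 7 node later on
    "2002:c0a8:102::1",                       # 6to4
    "2001:db8:1:0:200:5efe:c000:22d",         # ISATAP, interface id 200:5efe + 192.0.2.45
    "2001:db8::1",                            # native (documentation prefix)
]

if __name__ == "__main__":
    for a in SAMPLE_CLIENTS:
        print(classify(a), a)
    print(decode_teredo(SAMPLE_CLIENTS[0]))
    print(tally(SAMPLE_CLIENTS))
```

Running the decoder over the worked example gives server 65.54.227.120, port 40000 and client 192.0.2.45, matching the hand decoding above; the same function run over a web server's access log is the quickest way to see how many "IPv6" visitors are really Teredo clients behind NAT44.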


Non-Microsoft Support for Teredo

There is an open source project that implements Teredo tunneling for Linux, *BSD and Mac OS X called Miredo. It can act as a client, a relay and/or a server.

There are publicly available Teredo Relay Routers (similar to the 6to4 Relay Routers) that allow any node that supports Teredo tunneling to access the IPv6 Internet.

There is a list of public Teredo services on www.bgpmon.net/teredo.php.

Hurricane Electric runs quite a few public Teredo relay routers via anycast address 2001::/32, in various US states and several other countries.

Microsoft also runs public Teredo servers.


How to Disable Teredo

You can easily disable Teredo with NetConf, or configure it to run even if your node is a member of a Microsoft domain (should you want to).

To disable Teredo on Windows, you need to change a registry entry (be careful doing this - with regedit, if you don't know what you're doing you can render your Windows node inoperable). The registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\DisabledComponents. By default that key does not exist, which is interpreted as having a value of 0 (all features enabled). If you create this key (as a DWORD), the bits of it control various IPv6 networking components. Components are enabled or disabled by setting various bits:

0x20 - if set, modify prefix policy table to prefer IPv4 over IPv6
0x10 - if set, disable IPv6 on all non-tunnel interfaces (LAN and PPP)
0x08 - if set, disable all Teredo interfaces
0x04 - if set, disable all ISATAP interfaces
0x02 - if set, disable all 6to4 interfaces
0x01 - if set, disable all IPv6 interfaces except for loopback

Microsoft provides wizards to control some of these options without using regedit, at http://support.microsoft.com/kb/929852. Note that changes to these bits take effect only after the next reboot.
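As an added example (not from the article or from Microsoft), the following Python helper composes and decodes the DisabledComponents value from the six bits listed above, so that the value you are about to write, or a value found on a machine during a review, can be checked before anyone touches the registry. Only the documented bits are modelled; any other set bit is reported as unknown rather than interpreted. The reg.exe command string it produces uses the key path from the text.

```python
"""Compose and decode the IPv6 DisabledComponents DWORD.

Added example, not from the article or from Microsoft. Only the six bits the
article documents are modelled; anything else is reported as unknown.
"""

DISABLED_COMPONENTS_BITS = {
    0x20: "prefer IPv4 over IPv6 in the prefix policy table",
    0x10: "disable IPv6 on all non-tunnel interfaces (LAN and PPP)",
    0x08: "disable all Teredo interfaces",
    0x04: "disable all ISATAP interfaces",
    0x02: "disable all 6to4 interfaces",
    0x01: "disable all IPv6 interfaces except loopback",
}
PREFER_IPV4, NO_NATIVE_IPV6, TEREDO, ISATAP, SIXTOFOUR, NO_IPV6 = (
    0x20, 0x10, 0x08, 0x04, 0x02, 0x01)
KNOWN_MASK = sum(DISABLED_COMPONENTS_BITS)          # 0x3f
REG_KEY = r"HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters"


def compose(*bits: int) -> int:
    """OR together the components to disable; the result is the DWORD to write."""
    value = 0
    for b in bits:
        if b not in DISABLED_COMPONENTS_BITS:
            raise ValueError(f"0x{b:02x} is not a documented DisabledComponents bit")
        value |= b
    return value


def decode(value) -> list:
    """List what a DisabledComponents value switches off.

    Pass None to model the default state, in which the entry does not exist
    and Windows behaves as if it were 0 (everything enabled).
    """
    value = 0 if value is None else int(value)
    effects = [desc for bit, desc in sorted(DISABLED_COMPONENTS_BITS.items()) if value & bit]
    leftover = value & ~KNOWN_MASK
    if leftover:
        effects.append(f"unknown bits 0x{leftover:x}")
    return effects


def teredo_disabled(value) -> bool:
    """True if Teredo cannot come up: its own bit, or the bit that disables every
    non-loopback IPv6 interface, is set."""
    value = 0 if value is None else int(value)
    return bool(value & (TEREDO | NO_IPV6))


def reg_add_command(value: int) -> str:
    """The reg.exe invocation that writes the value (takes effect after a reboot)."""
    return f"reg add {REG_KEY} /v DisabledComponents /t REG_DWORD /d 0x{value:02x} /f"


# The article's recommendation: switch off all three automated tunnel
# mechanisms while leaving native IPv6 on the LAN alone.
NO_AUTO_TUNNELS = compose(TEREDO, ISATAP, SIXTOFOUR)     # 0x0e

if __name__ == "__main__":
    print(hex(NO_AUTO_TUNNELS), decode(NO_AUTO_TUNNELS))
    print(reg_add_command(NO_AUTO_TUNNELS))
```

Running the module prints 0xe and the three tunnel components it disables, followed by the reg add line; feeding decode() a value read from a machine tells you at a glance whether the box is really Teredo-free or whether someone set an undocumented bit.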


Configure Teredo on Windows 7

There are a number of things you must do to make Teredo work on Windows 7 due to Microsoft's implementation.

First, change your node to IPv4 only (you may have to disable any source of Router Advertisements, or 6in4 tunnels running in your border gateway).

Make sure IPv6 is enabled on your node.

If you have disabled Teredo, enable it now (set the disabledcomponents key to 0 with regedit).

The following netsh commands require administrator privilege, so start a command prompt with "Run as Administrator".

Assuming you are running Windows 7 Professional or Ultimate, run gpedit.msc. In gpedit, navigate to Computer Configuration / Administrative Templates / Network / TCPIP Settings / IPv6 Transition Technologies.

Under this, double click Teredo Default Qualified and change setting from Not Configured to Enabled.

Force this to update by running gpupdate /force.

If you are not a member of a Microsoft network domain, enable teredo with:

netsh int ipv6 set teredo type=client

If you are a member of a Microsoft network domain, enable teredo with:

netsh int ipv6 set teredo type=enterpriseclient

By default, the DNS resolver on Windows will never resolve a domain name to IPv6 as long as the node has only a link-local address and a Teredo address. So, define a bogus static address (2002:c0a8:102::/48 will work fine - don't worry, it will never be used other than to allow DNS to work).

We also need to force it to route traffic through the Teredo interface first. Determine the interface ID of your teredo interface with "route print". In my case it was interface 15. Issue the following command (replace the XX with your teredo interface ID number):

netsh interface ipv6 add route ::/0 interface=XX

Now you should be able to use IPv6 via Teredo. First do an ipconfig /all. I got the following:

C:\Users\lhughes>ipconfig /all
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : Lawrence-PC
   Primary Dns Suffix  . . . . . . . : hughesnet.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : hughesnet.local
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 50-46-5D-6B-7A-54
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2002:c0a8:102::(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2030:9139:9cd5:ab52%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.20.2.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 172.20.0.1
   DHCPv6 IAID . . . . . . . . . . . : 240141917
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-BA-30-56-50-46-5D-6B-7A-54
   DNS Servers . . . . . . . . . . . : 172.20.0.13
                                       172.20.0.14
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.{8C29F61F-7AFF-42E2-8535-F508C29EAAFC}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:1035:b56:83ac:c744(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1035:b56:83ac:c744%15(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
 
Tunnel adapter 6TO4 Adapter:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


The automatically configured Teredo IPv6 address is 2001:0:4137:9e76:1035:b56:83ac:c744. The default gateway is fe80::1035:b56:83ac:c744.
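As an added example (not part of the article), here is a small Python parser for the ipconfig /all output format shown above. It splits the text into adapter blocks, collects the dotted "Name . . . : value" properties (including continuation lines such as the second DNS server), and pulls out the Teredo pseudo-interface's global address together with the %NN zone ID on its link-local address, which on Windows is the interface index that the netsh default-route command needs. The sample input is an excerpt of the output quoted on this page.

```python
"""Extract the Teredo pseudo-interface from `ipconfig /all` text.

Added example, not from the article. The adapter block format (unindented
"Tunnel adapter ...:" header, indented dotted property lines, extra values
on continuation lines) is the one visible in the output above.
"""
import re

SECTION_RE = re.compile(r"^(?P<name>\S[^:]*?):?\s*$")
PROPERTY_RE = re.compile(r"^\s+(?P<key>[A-Za-z0-9 /\-]+?)[ .]*: ?(?P<value>.*)$")


def parse_ipconfig(text: str) -> dict:
    """Return {section name: {property: [values]}} for every adapter block."""
    sections = {}
    current = None
    last_key = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group("name"), {})
            last_key = None
            continue
        if current is None:
            continue
        m = PROPERTY_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            current.setdefault(last_key, []).append(m.group("value").strip())
        elif line.strip() and last_key:
            current[last_key].append(line.strip())      # e.g. a second DNS server
    return sections


def strip_state(value: str) -> str:
    """Drop the trailing '(Preferred)' / '(Deprecated)' address-state marker."""
    return re.sub(r"\(.*\)$", "", value).strip()


def teredo_interface(sections: dict) -> dict:
    """Global address, link-local address and interface index of the Teredo adapter."""
    for name, props in sections.items():
        if "Teredo" not in name:
            continue
        global_addrs = [strip_state(v) for v in props.get("IPv6 Address", [])]
        link_local = [strip_state(v) for v in props.get("Link-local IPv6 Address", [])]
        index = None
        if link_local and "%" in link_local[0]:
            link_local[0], zone = link_local[0].split("%")   # fe80::...%15 -> index 15
            index = int(zone)
        return {"adapter": name,
                "address": global_addrs[0] if global_addrs else None,
                "link_local": link_local[0] if link_local else None,
                "interface_index": index}
    return {}


def default_route_command(index: int) -> str:
    """The netsh command from the procedure above, with the interface index filled in."""
    return f"netsh interface ipv6 add route ::/0 interface={index}"


# Excerpt of the ipconfig /all output quoted in the article.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Lawrence-PC
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2002:c0a8:102::(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2030:9139:9cd5:ab52%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.20.2.1(Preferred)
   DNS Servers . . . . . . . . . . . : 172.20.0.13
                                       172.20.0.14

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:1035:b56:83ac:c744(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1035:b56:83ac:c744%15(Preferred)
   Default Gateway . . . . . . . . . : ::
"""

if __name__ == "__main__":
    info = teredo_interface(parse_ipconfig(SAMPLE_IPCONFIG))
    print(info)
    print(default_route_command(info["interface_index"]))
```

On the excerpt this reports the Teredo address 2001:0:4137:9e76:1035:b56:83ac:c744 and interface index 15, the same number the text obtained from route print; the same parser, pointed at the output of every machine in an inventory, is an easy way to find nodes that have quietly acquired a Teredo address.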

Try pinging an IPv6 address literal. This should work normally:


C:\Users\lhughes>ping 2001:470:20::2
 
Pinging 2001:470:20::2 with 32 bytes of data:
Reply from 2001:470:20::2: time=619ms
Reply from 2001:470:20::2: time=213ms
Reply from 2001:470:20::2: time=214ms
Reply from 2001:470:20::2: time=212ms
 
Ping statistics for 2001:470:20::2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 212ms, Maximum = 619ms, Average = 314ms


Try pinging a domain name that has both A and AAAA records. It will resolve to IPv4. This is normal behavior for Teredo.

C:\Users\lhughes>ping www.sixscape.com
 
Pinging www.sixscape.com [184.105.238.120] with 32 bytes of data:
Reply from 184.105.238.120: bytes=32 time=186ms TTL=50
Reply from 184.105.238.120: bytes=32 time=185ms TTL=50
Reply from 184.105.238.120: bytes=32 time=180ms TTL=50
Reply from 184.105.238.120: bytes=32 time=185ms TTL=50
 
Ping statistics for 184.105.238.120:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 180ms, Maximum = 186ms, Average = 184ms


Try pinging a domain name that has only AAAA records. It will resolve to IPv6.

C:\Users\lhughes>ping www6.sixscape.com
 
Pinging www6.sixscape.com [2001:470:3d:100::120] with 32 bytes of data:
Reply from 2001:470:3d:100::120: time=582ms
Reply from 2001:470:3d:100::120: time=189ms
Reply from 2001:470:3d:100::120: time=189ms
Reply from 2001:470:3d:100::120: time=190ms
 
Ping statistics for 2001:470:3d:100::120:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 189ms, Maximum = 582ms, Average = 287ms
 

Now try surfing to www6.v6address.com. (If I surf to www.v6address.com, I get IPv4). Here's what I got:

[Screenshot: teredo1]

As you can see, the source address was the Teredo address, and it accepted the connection on the normal IPv6 global address for the site.

If I surf to www.ipv6-test.com, I get the following:

[Screenshot: teredo ipv6-test]

Note that it shows the Teredo IPv6 node address, and it defaults to IPv4 if both are available (normal Teredo behavior). It recognizes the address as Teredo, and shows my public IPv4 address (124.83.56.187) and the port used (62633). It also shows the Teredo server used (65.55.158.118). It even recognized that my public IPv4 address is from the Philippines.

Finally let's surf to www.test-ipv6.com:

[Screenshot: teredo test-ipv6]

It does show the correct IPv4 and IPv6 addresses and recognizes the IPv6 address as Teredo. It does not indicate that IPv4 is preferred or interpret the Teredo address for us. The other tests are not run for Teredo connections.


Summary

Teredo does give a node automatic access to IPv6, but for full functionality on Windows, you must defeat some of the things that Windows does, especially with DNS. If a site is dual stack, you will get IPv4. It is useful only for accessing IPv6-only sites (of which there are not a lot at this time). It is far better to just disable all three automated tunneling mechanisms on Windows Vista and later, and make your subnet native dual stack, by tunneling in an entire /64 (or larger) over 6in4 (assuming you have at least one public IPv4 address with your ISP service).

If you did the above steps to make Teredo work on your node, don't forget to reset everything to normal operation. You can disable Teredo with the following (requires administrator privilege):

netsh int ipv6 set teredo type=disabled

Note: some of the above steps were taken from the following blog. You can find more detailed information and directions for making Teredo work on other Windows platforms there.

http://esihere.wordpress.com/2012/01/19/a-step-by-step-guide-on-how-to-set-up-teredo-tunneling/