Tuesday, July 26, 2011

The Teredo Tunneling Protocol

Teredo is a tunneling protocol that provides IPv6 connectivity through Network Address Translation (NAT) devices that are not IPv6 aware. The Teredo tunneling protocol is described in IETF RFC4380. Teredo gets around the requirement of the 6to4 tunneling protocol that the tunnel endpoint be a public IPv4 address. The reality of today's IPv4 Internet is that there is a scarcity of public IPv4 addresses (the entire rationale behind IPv6), and so most hosts will be behind a NAT device.

Teredo encapsulates the IPv6 packets twice: once to encapsulate the IPv6 packet in an IPv4 packet with the IPv4 protocol field set to 41, and a second time to put the resulting IPv4 packet in the payload of an IPv4 UDP packet. This double encapsulation gets through the NAT but comes at a heavy cost in protocol overhead. In addition, the Teredo tunnel exposes the host to scanning attacks, because the Teredo tunneling adapter in effect opens a port on the host to entities outside the firewall. This port can be discovered and attacked. Thus, because of the overhead and the security concerns, Teredo is really a tunneling protocol of last resort.

Microsoft’s implementation of the Teredo protocol includes additional measures against IPv6 scanning attacks, including an option of which traffic to accept: from anywhere except the Teredo tunnel (the default), from anywhere including the Teredo tunnel, or only from the local Intranet. The default option prevents scanning of the Teredo tunnel interface. Of course, the host can initiate traffic through the tunnel.

Teredo clients use IPv6 addresses that start with the prefix 2001::/32, otherwise known as the Teredo prefix. The address is somewhat more complicated than the addressing for the other tunneling protocols. The elements of the Teredo address are the following:

» Teredo prefix (32 bits)—The first 32 bits are 2001:0000 (the 2001::/32 prefix) for all Teredo addresses, per IETF RFC4380.

» Teredo server IPv4 address (32 bits)—The IPv4 address of the Teredo Server in colon hexadecimal format.

» Flags (16 bits)—This includes a bit for the type of NAT. Microsoft uses two of the bits to set the Universal/Local flag and the Individual/Group flag for the enhanced security. The remaining bits are set to a random number to make scanning attacks more difficult.

» Obscured external port (16 bits)—This is the external UDP port that is assigned by the NAT, obscured by XORing it with FFFF.

» Obscured external address (32 bits)—This is the IPv4 external address of the NAT, but it is obscured by an XOR with FFFFFFFF.

Because of the flag randomization, the NAT's UDP port assignment, and the obscuring, the final Teredo addresses will vary considerably even for the same Teredo client.
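The obscuring described above is only an XOR with all-ones, not encryption, so anyone who sees a Teredo address (in a firewall log, a mail header, a web server log) can recover the NAT's external IPv4 address and port, and the Teredo server in use. The following Python example, added here and not taken from the book the post summarizes, decodes and rebuilds a Teredo address field by field using the layout listed above, and then runs the decoder over a few constructed log lines to pick out Teredo peers. The sample address is the one used as the worked example in RFC 4380; the flag bit positions for the Universal/Local and Individual/Group bits follow RFC 5991 and are an assumption beyond what the post states.

```python
import ipaddress
import re
import struct

# All Teredo addresses fall in 2001::/32 (RFC 4380).
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")

# Flag bits (RFC 4380 defines the cone bit; RFC 5991 defines U, G and the
# random bits used by the Microsoft client): CRAAAAUG AAAAAAAA
FLAG_CONE = 0x8000
FLAG_UNIVERSAL_LOCAL = 0x0200
FLAG_INDIVIDUAL_GROUP = 0x0100
FLAG_RANDOM_MASK = 0x3CFF  # the "A" bits a client may randomize


def is_teredo(addr_str):
    """True if the string is an IPv6 address inside the Teredo prefix."""
    try:
        return ipaddress.IPv6Address(addr_str) in TEREDO_PREFIX
    except ValueError:
        return False


def parse_teredo(addr_str):
    """Split a Teredo address into prefix, server, flags, port and NAT address.

    The external port and address are stored XORed with all-ones, so XORing
    them again with FFFF / FFFFFFFF recovers the real values.
    """
    addr = ipaddress.IPv6Address(addr_str)
    if addr not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    # 16 bytes, network byte order: 32-bit prefix, 32-bit server,
    # 16-bit flags, 16-bit obscured port, 32-bit obscured address.
    _prefix, server, flags, obs_port, obs_addr = struct.unpack("!IIHHI", addr.packed)
    return {
        "server": str(ipaddress.IPv4Address(server)),
        "flags": flags,
        "cone_nat": bool(flags & FLAG_CONE),
        "universal_local": bool(flags & FLAG_UNIVERSAL_LOCAL),
        "individual_group": bool(flags & FLAG_INDIVIDUAL_GROUP),
        "external_port": obs_port ^ 0xFFFF,
        "external_addr": str(ipaddress.IPv4Address(obs_addr ^ 0xFFFFFFFF)),
    }


def build_teredo(server, external_addr, external_port, flags=0):
    """Inverse of parse_teredo: assemble the address from its components."""
    packed = struct.pack(
        "!IIHHI",
        0x20010000,                                   # 2001:0000 prefix
        int(ipaddress.IPv4Address(server)),
        flags & 0xFFFF,
        external_port ^ 0xFFFF,                       # obscure the port
        int(ipaddress.IPv4Address(external_addr)) ^ 0xFFFFFFFF,  # obscure the NAT address
    )
    return str(ipaddress.IPv6Address(packed))


# Constructed firewall log lines (not from any real system) for the demo.
SAMPLE_LOG = [
    "2011-07-26T10:00:00Z fw allow src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dst=2001:db8::10 proto=tcp dport=445",
    "2011-07-26T10:00:01Z fw allow src=2001:db8::25 dst=2001:db8::10 proto=tcp dport=25",
    "2011-07-26T10:00:02Z fw deny src=2002:c000:22d::1 dst=2001:db8::10 proto=tcp dport=22",
]


def find_teredo_peers(log_lines):
    """Return the decoded Teredo endpoints for every Teredo source seen in the log."""
    peers = []
    for line in log_lines:
        for token in re.split(r"[\s=]+", line):
            if is_teredo(token):
                peers.append(dict(line=line, **parse_teredo(token)))
    return peers


if __name__ == "__main__":
    # RFC 4380 example: server 65.54.227.120, cone NAT, client behind
    # 192.0.2.45 with external UDP port 40000.
    print(parse_teredo("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
    for peer in find_teredo_peers(SAMPLE_LOG):
        print(f"Teredo peer via NAT {peer['external_addr']}:{peer['external_port']}"
              f" (server {peer['server']}, cone={peer['cone_nat']})")
```

Decoding the RFC 4380 example address gives server 65.54.227.120, external address 192.0.2.45 and external port 40000, with the cone bit set; the 6to4 (2002::/16) source in the third log line is correctly ignored. Running something like `find_teredo_peers` over existing IPv6 logs is a cheap way to find out which hosts are reaching you through Teredo and which Teredo servers they depend on.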

Teredo tunneling components include the following:

» Teredo client—This is an IPv6/IPv4 device that has a Teredo tunneling adapter and communicates with other Teredo clients or IPv6 networks via a Teredo Relay. The Teredo client is typically behind a NAT.

» Teredo server—This is an IPv6/IPv4 device that is connected to both the IPv6 and IPv4 networks. The Teredo server assists with the configuration of Teredo clients.

» Teredo relay—This is an IPv6/IPv4 device that is connected to IPv6 and IPv4 networks. The Teredo relay routes between Teredo clients and IPv6 hosts in the IPv6 network.

» Teredo host-specific relay—This is an IPv6/IPv4 device that is connected to IPv6 and IPv4 networks. It can communicate with the IPv6 network, the IPv4 network, and Teredo clients without a Teredo relay. Windows Server 2008 R2, Windows Server 2008, Windows 7, and Windows Vista can all operate as Teredo clients and Teredo host-specific relays.

Windows Teredo clients send Router Solicitation messages to Teredo servers. The servers' responses to these Router Solicitation messages are used to build the Teredo address and to determine what type of NAT is in place.

Once the Teredo address has been determined, the Teredo client can then communicate with other Teredo clients. This is facilitated by the Teredo server, which brokers communications between the two Teredo clients during the initial start of communications. Following the initial setup, the two Teredo clients communicate directly.

Source of Information : Sams - Windows Server 2008 R2 Unleashed (2010)
