Hi,

Investigating my router, I suddenly noticed something weird: under the "forwarding" section, "UPnP", there are two local IPs which are using something named "Teredo". Both machines have been running Windows 7 for at least some hours.

Wikipedia says: <http://en.wikipedia.org/wiki/Teredo_tunneling>

+++································
In computer networking, Teredo is a transition technology that gives full IPv6 connectivity for IPv6-capable hosts which are on the IPv4 Internet but which have no direct native connection to an IPv6 network. Compared to other similar protocols its distinguishing feature is that it is able to perform its function even from behind network address translation (NAT) devices such as home routers.

Teredo operates using a platform independent tunneling protocol designed to provide IPv6 (Internet Protocol version 6) connectivity by encapsulating IPv6 datagram packets within IPv4 User Datagram Protocol (UDP) packets. These datagrams can be routed on the IPv4 Internet and through NAT devices. Other Teredo nodes elsewhere called Teredo relays that have access to the IPv6 network then receive the packets, unencapsulate them, and route them on.

Teredo is designed as a last resort transition technology and is intended to be a temporary measure: in the long term, all IPv6 hosts should use native IPv6 connectivity. Teredo should therefore be disabled when native IPv6 connectivity becomes available. Teredo was developed by Christian Huitema at Microsoft, and was standardized in the IETF as RFC 4380. The Teredo server listens on UDP port 3544.
································++-

So, is something in those Windows machines using IPv6 via an automatic tunnel? Apparently, yes.
<http://security.stackexchange.com/questions/10090/is-teredo-in-my-router-a-back-door>

In W7, disable from command prompt as admin with:

  netsh interface teredo set state disable

enable:

  netsh interface teredo set state enable

If something you want fails, re-enable.

<http://www.sixscape.com/joomla/sixscape/index.php/ipv6-training-certification/ipv6-forum-official-certification/ipv6-forum-network-engineer-silver/network-engineer-silver-transition-mechanisms/tunnels/teredo-a-little-worm-that-bores-holes-in-your-firewall>

Teredo - a Little Worm That Bores Holes in your Firewall

+++································
Teredo is an automated tunneling mechanism based on 6in4 for obtaining access to the IPv6 Internet from a single node in an IPv4-only network. It includes NAT Traversal, so that it can work even behind a NAT44 gateway. It is specified in RFC 4380, "Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)", February 2006.

Teredo is a variant of 6to4 tunneling. It still uses Protocol 41 6in4 tunneling way down under. It adds encapsulation over UDP datagrams and a simplified version of STUN NAT Traversal, which allows the Teredo client to work behind an RFC 1918 private address (no public address is required, as is the case with 6in4 and 6to4 tunneling). Teredo servers listen on port udp/3544, and use addresses in 2001::/32 (these facts are useful if you want to block internal nodes from using Teredo - some firewalls allow you to block all protocol 41 traffic from internal nodes).

Teredo is installed in all copies of Windows Vista and later. It is possible to disable it, but this is not a simple GUI configuration option in off-the-shelf Windows. If your Windows node is a member of a Microsoft network domain (not a workgroup), then Teredo is disabled. If your node is not a member of a Microsoft domain (even if it is a member of a Microsoft network workgroup), then Teredo is enabled.
································++-

https://www.symantec.com/avcenter/reference/Teredo_Security.pdf
The Teredo Protocol: Tunneling Past Network Security and Other Security Implications. Dr. James Hoagland, Principal Security Researcher, Symantec.

+++································
Teredo creates an open-ended tunnel through the NAT to the client. Teredo is designed as an IPv6 tunneling mechanism for end nodes behind a NAT. It works without the cooperation of any non-Teredo components. Additionally, since it is a new mechanism, pre-existing network-based security controls (for example, firewalls and IPSs) on the client's network do not see through the tunnel to apply the controls to the traffic being tunneled. One could therefore say that Teredo is evading those controls, which has to be a concern for those who set them up, since those controls are supposed to adequately regulate all traffic. In addition, it might be difficult to monitor or block Teredo traffic, as discussed in "Teredo mitigation" section.

If network controls are bypassed due to the use of IPv6 via Teredo, the burden of controls shifts to the Teredo client host. Since the host may not have full control over all the nodes on the network, security administrators sometimes prefer to implement security controls on the network. In addition, having both network controls and host controls provides defense in depth, a basic security principle.
································++-

<http://technet.microsoft.com/en-us/library/bb457011.aspx>

+++································
Teredo Overview
Published: January 01, 2003 | Updated: January 15, 2007

Abstract

Teredo is an IPv6 transition technology that provides address assignment and host-to-host automatic tunneling for unicast IPv6 traffic when IPv6/IPv4 hosts are located behind one or multiple IPv4 network address translators (NATs). To traverse IPv4 NATs, IPv6 packets are sent as IPv4-based User Datagram Protocol (UDP) messages. This article provides an overview of Teredo, including Teredo addresses and packet structures, and detailed explanations of how communication is initiated between Teredo clients, Teredo host-specific relays, and IPv6-only hosts using the IPv4 Internet, the IPv6 Internet, Teredo servers, and Teredo relays.
································++-

I'm unsure what the implications are for the rest of my local network, using Linux.

For the moment, I have disabled UPnP in the router, and will disable Teredo in Windows immediately. Then I have to find out if I can disable Teredo in my router without closing out UPnP completely - which I don't remember why I enabled. Something required it, I think, or was simply easier (perhaps the mule).

--
Cheers
Carlos E. R.
(from 12.3 x86_64 "Dartmouth" at Telcontar)
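The TechNet overview quoted above mentions "Teredo addresses and packet structures" without showing them, and the sixscape text gives only the 2001::/32 prefix. The following is an added example (not code from the thread or from any of the cited pages) that decodes a Teredo address into the fields RFC 4380 section 4 defines: the Teredo server's IPv4, the cone-NAT flag, and the client's NAT-mapped public IPv4 and UDP port, both stored XORed with all-ones. The sample address is the one used in the Wikipedia article cited above; the function and class names are my own.

```python
"""Decode and build Teredo addresses (RFC 4380, section 4).

Added example, not code from the thread; the sample address is the one the
Wikipedia article cited above uses.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Teredo addresses live in 2001:0000::/32 (written 2001::/32 in the sixscape text).
TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")
CONE_FLAG = 0x8000  # bit set when the client believes it is behind a cone NAT


@dataclass(frozen=True)
class TeredoAddress:
    server: str          # IPv4 of the Teredo server that qualified the client
    cone_nat: bool
    external_ip: str     # client's public IPv4 as seen by the server (the NAT mapping)
    external_port: int   # UDP port the NAT mapped for the client


def decode_teredo(text: str) -> Optional[TeredoAddress]:
    """Return the components of a Teredo address, or None if it is not one."""
    ip = ipaddress.IPv6Address(text)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed                                  # 16 bytes, network order
    server = ipaddress.IPv4Address(raw[4:8])         # bits 32..63
    flags = int.from_bytes(raw[8:10], "big")         # bits 64..79
    # Mapped port and IPv4 are stored XORed with all-ones so a NAT that rewrites
    # payloads does not accidentally translate them.
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)
    return TeredoAddress(str(server), bool(flags & CONE_FLAG), str(client), port)


def encode_teredo(server: str, cone_nat: bool, external_ip: str, external_port: int) -> str:
    """Inverse of decode_teredo: the address a client derives after qualification."""
    flags = CONE_FLAG if cone_nat else 0
    raw = (TEREDO_PREFIX.network_address.packed[:4]
           + ipaddress.IPv4Address(server).packed
           + flags.to_bytes(2, "big")
           + (external_port ^ 0xFFFF).to_bytes(2, "big")
           + (int(ipaddress.IPv4Address(external_ip)) ^ 0xFFFFFFFF).to_bytes(4, "big"))
    return str(ipaddress.IPv6Address(raw))


def teredo_hosts(addresses):
    """Filter IPv6 addresses (e.g. pulled from a firewall log) down to the Teredo ones."""
    found = {}
    for addr in addresses:
        decoded = decode_teredo(addr)
        if decoded is not None:
            found[addr] = decoded
    return found


if __name__ == "__main__":
    sample = "2001:0:4136:e378:8000:63bf:3fff:fdd2"  # address from the Wikipedia article
    print(decode_teredo(sample))
    print(encode_teredo("65.54.227.120", True, "192.0.2.45", 40000))
```

Two things worth noticing when you run it: a Teredo address embeds the host's public IPv4 and the UDP port the NAT opened for it, so any log that records such an address has recorded the NAT mapping too; and only the cone bit of the flags field is meaningful here, since Windows fills the remaining flag bits with random values (RFC 5991), which is why the decoder masks with CONE_FLAG rather than comparing the whole field.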
Carlos E. R. wrote:
----
One of the first things I disabled, as I noted it went right through my FW stuff to MS. I knew I didn't know enough about ipv6 to come up with a reasonable security policy, and it was too much work for any benefit, so it's been disabled since.

Due to that tech, many computers have been using IPV6, but at the expense of routing it through IPV4 -- creating overhead, slowdowns and latency.

That was one of the reasons it's been recommended to try IPV4 before IPV6 connectivity, as most people's IPV6 was a 'sham', created by tunnels and was really just adding overhead.

UPNP works w/o ipv6... at least on my home net. Haven't found any real use for it yet, but it seems to be there.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2014-04-17 02:26, Linda Walsh wrote:
Carlos E. R. wrote: ---- One of the first things I disabled, as I noted it went right through my FW stuff to MS. I knew I didn't know enough about ipv6 to come up with a reasonable security policy, and it was too much work for any benefit, so it's been disabled since.
Due to that tech, many computers have been using IPV6, but at the expense of routing it through IPV4 -- creating overhead, slowdowns and latency.
That was one of the reasons it's been recommended to try IPV4 before IPV6 connectivity, as most people's IPV6 was a 'sham', created by tunnels and was really just adding overhead.
UPNP works w/o ipv6... at least on my home net.. haven't found any real use for it yet, but it seems to be there.
It really does not matter if it uses IPv6 or 4. This Teredo thing is in fact used, apparently, by some M$ programs to phone home, out of the control of firewalls and filters, without anybody seeing it. Something about "microsoft user experience or happiness" ... I forget the exact wording.

It is a tunnel, that pipes IPv6 inside, through NAT. As any such thing it needs collaboration from a known server on the outside to set it up, and this one belongs to Microsoft.

Of course, any other program might set up any other type of tunnel without asking or control. It could be used by malware.

Apparently, it does not affect anything else in the network. I did not find, yet, anything in Linux related to "teredo". I think that a Linux based firewall will not even be aware of it.

I noticed because there was a section on the UPnP on my firewall, that directly and permanently connected anything incoming on a certain outside port to a specific machine inside. Two machines, actually, and one had been powered down for days - but the tunnel in the router-firewall was still active. Maybe a bug in the router firmware, or the timeout was defined so long. No way to know.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
Le 17/04/2014 12:28, Carlos E. R. a écrit :
It really does not matter if it uses IPv6 or 4. This Teredo thing is in fact used, apparently, by some M$ programs to phone home, out of the control of firewalls and filters,
isn't that a gamer's thing? Gamers use such things to discuss between players

jdd
--
http://www.dodin.org
On 2014-04-17 12:32, jdd wrote:
Le 17/04/2014 12:28, Carlos E. R. a écrit :
It really does not matter if it uses IPv6 or 4. This Teredo thing is in fact used, apparently, by some M$ programs to phone home, out of the control of firewalls and filters,
isn't that a gamer's thing? Gamers use such things to discuss between players
I don't have any games in my Windows systems. I keep a very strict control of what I install on them.

But yes, of course, any application that needs to set up channels between different computers would like to use IPv6 because there is no NAT. You can address any machine in the world, even inside a local network.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
jdd wrote:
isn't that a gamer's thing? Gamers use such things to discuss between players
It's just a method of tunnelling IPv6 over IPv4. Other methods are 6to4, 6rd, 6in4. I believe Teredo uses UDP, but the others can use UDP or IP protocol 41, depending on whether NAT is in the way.
Carlos E. R. wrote:
It really does not matter if it uses IPv6 or 4. This Teredo thing is in fact used, apparently, by some M$ programs to phone home, out of the control of firewalls and filters, without anybody seeing it. Something about "microsoft user experience or happiness" ... I forget the exact wording.
It may be used by anything on the client end that wants to talk an IPv6 host. A client application will not be aware it is using teredo, 6rd or some third mechanism.
It is a tunnel, that pipes IPv6 inside, through NAT. As any such thing it needs collaboration from a known server on the outside to set it up, and this one belongs to Microsoft.
There are many such servers, not just one. There are also several Teredo relays.
Apparently, it does not affect anything else in the network. I did not find, yet, anything in Linux related to "teredo". I think that a Linux based firewall will not even be aware of it.
You could block outbound destination port 3544.

--
Per Jessen, Zürich (10.5°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 2014-04-17 12:55, Per Jessen wrote:
Carlos E. R. wrote:
It may be used by anything on the client end that wants to talk an IPv6 host. A client application will not be aware it is using teredo, 6rd or some third mechanism.
Might be useful...
It is a tunnel, that pipes IPv6 inside, through NAT. As any such thing it needs collaboration from a known server on the outside to set it up, and this one belongs to Microsoft.
There are many such servers, not just one. There are also several Teredo relays.
Apparently, it does not affect anything else in the network. I did not find, yet, anything in Linux related to "teredo". I think that a Linux based firewall will not even be aware of it.
You could block outbound destination port 3544.
I just blocked on the router "LAN" firewall port 3544. There is no description, so I don't know in what direction it blocks. There is another set of rules to block IPs, LAN or WAN, any direction you wish, tcp, udp, or all, within a time frame or not. However... you can not specify which ports!

Ah, ok, found it. Just the Windows machine has port 3544 blocked. Direction unclear.

Thanks for the hint :-)

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
Apparently, it does not affect anything else in the network. I did not find, yet, anything in Linux related to "teredo". I think that a Linux based firewall will not even be aware of it.
IIRC, there is Linux support for Teredo.
On 2014-04-17 14:27, James Knott wrote:
Carlos E. R. wrote:
Apparently, it does not affect anything else in the network. I did not find, yet, anything in Linux related to "teredo". I think that a Linux based firewall will not even be aware of it.
IIRC, there is Linux support for Teredo.
Apropos teredo found nothing, nor locate. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
On 2014-04-17 14:27, James Knott wrote:
Carlos E. R. wrote:
Apparently, it does not affect anything else in the network. I did not find, yet, anything in Linux related to "teredo". I think that a Linux based firewall will not even be aware of it.
IIRC, there is Linux support for Teredo.
Apropos teredo found nothing, nor locate.
Google: http://www.remlab.net/miredo/

--
Per Jessen, Zürich (13.4°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 2014-04-17 15:10, Per Jessen wrote:
Carlos E. R. wrote:
IIRC, there is Linux support for Teredo.
Apropos teredo found nothing, nor locate.
Google:
Curious! -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Per Jessen wrote:
Apropos teredo found nothing, nor locate. Google:
One thing about Teredo, 6to4 and 6rd is that your IPv6 address is dependent on your IPv4 address. So, if you use DHCP for your IPv4 address, you may find your IPv6 address changes. With 6in4, this doesn't happen, as the IPv6 address is independent of the IPv4 address. I have a /56 subnet (2^72 addresses or about a trillion times the entire IPv4 address space) and those addresses are static. I haven't used all those addresses yet. ;-)
Linda Walsh wrote:
One of the first things I disabled, as I noted it went right through my FW stuff to MS. I knew I didn't know enough about ipv6 to come up with a reasonable security policy, and it was too much work for any benefit, so it's been disabled since.
Firewall filters are the same as with IPv4. In fact, when set up for protocol, the same filter works for both IPv4 & IPv6, unless specifically configured otherwise. Filtering on addresses will be the same, but with the appropriate addresses. Also, Windows systems require IPv6 to be enabled if Home Group networking is used. It works only via IPv6.
Due to that tech, many computers have been using IPV6, but at the expense of routing it through IPV4 -- creating overhead, slowdowns and latency.
It only goes via IPv4 as far as the tunnel end point and over the IPv6 network the rest of the way. With 6in4 tunnelling, an IPv4 header is tacked on the IPv6 packet. This makes routing over the IPv4 network just as efficient as native IPv4. Tunnelling is supported on many routers these days. I do it in my Linux firewall/router.
On 2014-04-17 14:26, James Knott wrote:
Firewall filters are the same as with IPv4. In fact, when set up for protocol, the same filter works for both IPv4 & IPv6, unless specifically configured otherwise. Filtering on addresses will be the same, but with the appropriate addresses. Also, Windows systems require IPv6 to be enabled if Home Group networking is used. It works only via IPv6.
Well... I suppose I only need "Home Group networking" at home, not outside. They can talk IPv6 directly, the router is IPv6 capable. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
Well... I suppose I only need "Home Group networking" at home, not outside. They can talk IPv6 directly, the router is IPv6 capable.
Actually, HG networks won't make it past a router. It uses the link local addresses that start with FE80. Every IPv6 device has a link local address. You need a different IPv6 address to get past a router. The public unicast addresses will pass through a router, as will unique local addresses, which are similar in function to the RFC 1918 addresses in IPv4.
Carlos E. R. wrote:
It still uses Protocol 41 6in4 tunneling way down under. It adds encapsulation over UDP datagrams and a simplified version of STUN NAT Traversal
Minor error in that article. IP protocol 41 does not use UDP. It's the protocol that attaches an IPv4 header to IPv6 for transport over an IPv4 network. If tunnelling uses UDP, it's not protocol 41. I run an IPv6 tunnel via protocol 41 and Wireshark sees it as native IPv6, even though it has the IPv4 header attached. This does not happen when UDP is used. 41 is a transport layer protocol, with its own number, just like TCP & UDP. There is another number which is used to tunnel IPv4 over IPv4 in a similar manner. You don't need extra protocol numbers in IPv6, as the next header function is used instead.
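Per Jessen's suggestion earlier in the thread (block outbound destination port 3544) and James Knott's point just above (protocol 41 carries the IPv6 packet directly after the IPv4 header, whereas Teredo wraps it in UDP) are what an IPv4-only firewall actually has to tell apart. The following is an added example, not code from the thread: it builds a few constructed packets (nothing captured, checksums left at zero) and classifies each one as 6in4/6to4 (IP protocol 41), Teredo (UDP with the optional RFC 4380 authentication and origin indicators stripped off), or plain traffic. All helper names are my own.

```python
"""Classify IPv4 packets as 6in4 (protocol 41), Teredo (UDP) or neither.

Added example, not from the thread.  Every packet is constructed below;
checksums are zero and nothing is sent on the wire.
"""
import ipaddress
import struct

TEREDO_PORT = 3544
TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, zero checksum) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ipv6(src: str, dst: str) -> bytes:
    """IPv6 fixed header, next header 59 (none), empty payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def origin_indication(ext_ip: str, ext_port: int) -> bytes:
    """Teredo origin indicator (RFC 4380 5.1.1): 0x0000, port and IPv4 XORed with all-ones."""
    return struct.pack("!HHI", 0, ext_port ^ 0xFFFF, int(ipaddress.IPv4Address(ext_ip)) ^ 0xFFFFFFFF)


def strip_teredo_indicators(data: bytes):
    """Remove the optional authentication (0x0001) and origin (0x0000) indicators
    a Teredo server/client may prepend; return (ipv6_bytes, origin_or_None)."""
    origin = None
    if data[:2] == b"\x00\x01":   # 0x0001, id_len, au_len, id, auth, nonce(8), confirmation(1)
        id_len, au_len = data[2], data[3]
        data = data[13 + id_len + au_len:]
    if data[:2] == b"\x00\x00":   # 8-byte origin indicator
        port = struct.unpack("!H", data[2:4])[0] ^ 0xFFFF
        ip = ipaddress.IPv4Address(struct.unpack("!I", data[4:8])[0] ^ 0xFFFFFFFF)
        origin, data = (str(ip), port), data[8:]
    return data, origin


def looks_like_ipv6(data: bytes) -> bool:
    return (len(data) >= 40 and data[0] >> 4 == 6
            and struct.unpack("!H", data[4:6])[0] + 40 == len(data))


def classify(frame: bytes, inspect_all_udp: bool = False) -> dict:
    """What an IPv4 firewall needs to know about one packet.  By default only
    UDP on port 3544 is examined (the port-based rule from the thread); with
    inspect_all_udp=True every UDP payload is checked for an IPv6 packet whose
    source or destination is a Teredo address, which also catches relay traffic."""
    ihl = (frame[0] & 0x0F) * 4
    proto = frame[9]
    payload = frame[ihl:]
    origin, on_port = None, False
    if proto == 41:                                     # 6in4 / 6to4: IPv6 follows IPv4 directly
        kind, inner = "6in4", payload
    elif proto == 17:
        sport, dport = struct.unpack("!HH", payload[:4])
        on_port = TEREDO_PORT in (sport, dport)
        if not on_port and not inspect_all_udp:
            return {"kind": "udp", "tunnelled": False}
        kind = "teredo"
        inner, origin = strip_teredo_indicators(payload[8:])
    else:
        return {"kind": "ip-proto-%d" % proto, "tunnelled": False}
    if not looks_like_ipv6(inner):
        return {"kind": "udp" if kind == "teredo" else kind, "tunnelled": False}
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    teredo_inside = src in TEREDO_PREFIX or dst in TEREDO_PREFIX
    if kind == "teredo" and not on_port and not teredo_inside:
        return {"kind": "udp", "tunnelled": False}      # off-port UDP only counts with a Teredo address inside
    return {"kind": kind, "tunnelled": True, "inner_src": str(src), "inner_dst": str(dst),
            "teredo_inside": teredo_inside, "origin": origin}


def sample_frames() -> dict:
    """Constructed packets, one of each kind a home firewall might see."""
    client_v6 = "2001:0:4136:e378:8000:63bf:3fff:fdd2"          # Teredo address of 192.0.2.45:40000
    auth = b"\x00\x01\x00\x00" + bytes(8) + b"\x00"             # auth indicator with empty id/auth
    return {
        "6in4": build_ipv4(41, "203.0.113.5", "192.88.99.1",     # 2002:cb00:7105:: is 6to4 for 203.0.113.5
                           build_ipv6("2002:cb00:7105::1", "2001:db8::1")),
        "teredo_rs": build_ipv4(17, "192.0.2.45", "65.54.227.120",  # client -> server, port 3544
                                build_udp(40000, TEREDO_PORT, auth + build_ipv6("fe80::ffff:ffff:fffe", "ff02::2"))),
        "teredo_ra": build_ipv4(17, "65.54.227.120", "192.0.2.45",  # server -> client with origin indicator
                                build_udp(TEREDO_PORT, 40000, origin_indication("192.0.2.45", 40000)
                                          + build_ipv6("fe80::1", "fe80::ffff:ffff:fffe"))),
        "relay_data": build_ipv4(17, "198.51.100.7", "192.0.2.45",  # relay -> client, not on port 3544
                                 build_udp(5000, 40000, build_ipv6("2001:db8::1", client_v6))),
        "plain_dns": build_ipv4(17, "192.0.2.45", "192.0.2.1", build_udp(5353, 53, bytes(12))),
    }


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        print(name, classify(frame), classify(frame, inspect_all_udp=True))
```

The relay_data case is the caveat to the port-3544 rule: blocking UDP 3544 stops a client from qualifying with a Teredo server, so a fresh client never gets an address, but relay-to-client data flows between the NAT-mapped port and whatever port the relay uses, so a port-only rule does not see it. Checking the inner IPv6 for a 2001:0::/32 address (the inspect_all_udp path) does; so does disabling the client with netsh as the first message describes.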