Teredo
IPv6 transition mechanisms | |
---|---|
4in6 | Tunneling from IPv4 to IPv6 |
6in4 | Tunneling from IPv6 to IPv4 |
6over4 | Transport of IPv6 data packets between dual-stack nodes over an IPv4 network |
6to4 | Transport of IPv6 data packets over an IPv4 network (obsolete) |
AYIYA | Anything In Anything |
Dual stack | Network nodes with IPv4 and IPv6 in parallel operation |
Dual-Stack Lite (DS-Lite) | Like dual stack, but with global IPv6 and carrier NAT IPv4 |
6rd | IPv6 rapid deployment |
ISATAP | Intra-Site Automatic Tunnel Addressing Protocol (deprecated) |
Teredo | Encapsulation of IPv6 packets in IPv4 UDP packets |
NAT64 | Translation of IPv4 addresses into IPv6 addresses |
464XLAT | Translation from IPv4 to IPv6 to IPv4 addresses |
SIIT | Stateless IP / ICMP translation |
Teredo is an IPv6 transition mechanism. This communication protocol for data traffic with the Internet is specified in RFC 4380, Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs). Implementations exist in particular as part of Microsoft Windows (Teredo) and for Unix systems (Miredo).
The protocol defines a method for reaching the IPv6 network from behind a NAT device. IPv6 packets are encapsulated in UDP over IPv4. This is done with the help of Teredo servers.
Purpose
The scarcity of IPv4 addresses has led many companies and private users to use NAT so that several end devices can access the Internet through a single public IP address. The most widely used protocol for tunneling IPv6 directly over IPv4 (protocol 41; see also tunnel broker) requires that the client has a public IP address (which is not absolutely necessary; good routers can also handle protocol 41). Teredo makes it possible for IPv4 computers that cannot use 6to4 to use IPv6 via tunnels.
Hazards
Tunneling IPv6 in this way carries the risk that the security functions of IPv4 routers, NAT-based ones in particular, are completely undermined. The packet filters available in this scenario have no effect on the IPv4 UDP packets that Teredo generates. An analysis by Symantec, available since 2007, confirms this. Security-conscious administrators are therefore advised to block UDP port 3544, which Teredo uses, completely until suitable firewalls are available.
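The following sketch shows what an IPv4-only packet filter never looks at: the IPv6 header carried inside a Teredo UDP datagram, plus the IPv4 server and NAT mapping embedded in a Teredo address. It is an added example, not part of the original article or of any Teredo implementation; the header and address layouts follow RFC 4380, and the function names and the sample datagram (documentation addresses) are constructed for illustration.

```python
import ipaddress
import struct

# Servers listen on UDP 3544; peers and relays may use other ports,
# which is why the payload itself is inspected here.
TEREDO_PORT = 3544
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")   # Teredo prefix (RFC 4380)

def decode_teredo_address(addr):
    """Recover the IPv4 facts embedded in a Teredo IPv6 address."""
    raw = addr.packed
    port = struct.unpack("!H", raw[10:12])[0] ^ 0xFFFF      # stored inverted
    nat = bytes(b ^ 0xFF for b in raw[12:16])               # stored inverted
    return {"server": str(ipaddress.IPv4Address(raw[4:8])),
            "nat_ipv4": str(ipaddress.IPv4Address(nat)), "nat_port": port}

def inspect_udp_payload(payload):
    """Return inner IPv6 header fields of a Teredo datagram, else None."""
    off = 0
    # Optional Teredo headers may precede the IPv6 packet (RFC 4380, 5.1.1).
    while payload[off:off + 1] == b"\x00":
        kind = payload[off + 1:off + 2]
        if kind == b"\x01" and len(payload) >= off + 4:     # authentication
            off += 4 + payload[off + 2] + payload[off + 3] + 9
        elif kind == b"\x00":                               # origin indication
            off += 8
        else:
            return None
    if len(payload) < off + 40 or payload[off] >> 4 != 6:   # not IPv6
        return None
    hdr = payload[off:off + 40]
    src, dst = ipaddress.IPv6Address(hdr[8:24]), ipaddress.IPv6Address(hdr[24:40])
    info = {"src": str(src), "dst": str(dst), "next_header": hdr[6]}
    for name, ip in (("src", src), ("dst", dst)):
        if ip in TEREDO_PREFIX:
            info[name + "_teredo"] = decode_teredo_address(ip)
    return info

def build_sample():
    """Constructed sample payload: origin indication + bare IPv6 header."""
    src = ipaddress.IPv6Address("2001:0:c000:201:0:f3ff:34ff:8efe")
    dst = ipaddress.IPv6Address("2001:db8::1")
    ipv6 = struct.pack("!IHBB", 6 << 28, 0, 59, 64) + src.packed + dst.packed
    return b"\x00\x00\xf3\xff\x34\xff\x8e\xfe" + ipv6

if __name__ == "__main__":
    print(inspect_udp_payload(build_sample()))
```

Fed the UDP payloads from a capture or a sensor, the returned inner source and destination are the addresses a filter would have to evaluate to apply policy to the tunneled traffic.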
Specification
Teredo is specified in RFC 4380 (Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)). It is mainly the work of Christian Huitema, a Microsoft employee working on IPv6. The update RFC 5991 (Teredo Security Updates) appeared in September 2010, and RFC 6081 (Teredo Extensions) in January 2011.
Implementations
Microsoft Windows
- A Teredo client is included with Microsoft Windows XP and newer (it first appeared in the Advanced Networking Pack in Service Pack 1) and is enabled by default. It can be switched off with the command:
      netsh interface ipv6 set teredo disable
  It is re-enabled with:
      netsh interface ipv6 set teredo default
- Microsoft offers a Teredo server and relay in beta for Microsoft Windows Server 2003.
Linux
- Miredo is an implementation for Linux and BSDs (subject to the GNU General Public License).
- NICI-Teredo consists of a Teredo relay for the Linux kernel and a server for user space.
Alternatives
Other mechanisms that can be used to tunnel IPv6 packets into IPv4 include
- 6to4,
- ISATAP and
- Tunnel broker.
A comparison of the tunnel mechanisms can be found under IPv6#Tunnel mechanisms.
Literature
- Joseph Davies: Teredo, chapter in Understanding IPv6 (pp. 317–354). Microsoft Press, 2nd edition, Redmond 2008. (English)
References
- Dr. James Hoagland, Matt Conover, Tim Newsham, Ollie Whitehouse: Windows Vista Network Attack Surface Analysis. (PDF) March 20, 2007, p. 116, accessed on November 9, 2010 (English, size: 2.3 MB).
- Daniel Bachfeld: Vista's network functions examined carefully. In: heise online. March 14, 2007, accessed on November 9, 2010.
- RFC 4380
- http://www.remlab.net/miredo/
- http://sourceforge.net/projects/nici-teredo/
Web links
- Overview of Teredo from Microsoft
- heise online: Teredo drills IPv6 tunnels through firewalls, March 3, 2009