HackDig : Dig high-quality web security articles for hackers

Teredo Tunneling

2014-10-16 20:50


In this article we will learn about a transition technology in networking known as Teredo tunneling. There are various transition technologies already in place such as 6to4, but because of some shortcoming of the existing technologies, Teredo was developed. Teredo has some security considerations which will be covered later in this document.

What is Teredo Tunneling?

There are various tunneling methods that have been developed before Teredo such as 6to4 for IPv6 (Internet Protocol version 6) packets as payload of IPv4, but with tunneling methods like 6to4 there is a limitation that it won’t work for the IPv6 devices sitting behind a NAT. To overcome this shortcoming, the Teredo tunneling method was developed, which is used to give full IPv6 connectivity to IPv6 hosts even from behind a NAT device. Teredo operates using a platform independent tunneling protocol designed to provide IPv6 connectivity by encapsulating IPv6 datagram packets within IPv4 User Datagram Protocol (UDP) packets. These datagrams can be routed on the IPv4 Internet and through NAT devices. Other Teredo nodes elsewhere called Teredo relays that have access to the IPv6 network then receive the packets, unencapsulate them, and route them on.

Also, 6to4, the most common IPv6 over IPv4 tunneling protocol, requires the tunnel endpoint to have a public IPv4 address. However, many hosts are currently attached to the IPv4 Internet through one or several NAT devices, and in such a situation, the only available public IPv4 address is assigned to the NAT device, and the 6to4 tunnel endpoint needs to be implemented on the NAT device itself. Many NAT devices currently deployed, however, cannot be upgraded to implement 6to4, for technical or economic reasons. Teredo alleviates this problem by encapsulating IPv6 packets within UDP/IPv4 datagrams, which most NATs can forward properly. Thus, IPv6-aware hosts behind NATs can be used as Teredo tunnel endpoints even when they don’t have a dedicated public IPv4 address. In effect, a host implementing Teredo can gain IPv6 connectivity with no cooperation from the local network environment.

Teredo Node Types

Teredo defines various kinds of node types. The below list specifies them:

  • Teredo Client: Teredo client is host which has IPv4 connectivity to Internet behind a NAT device and uses Teredo tunneling to use an IPv6 segment.
  • Teredo Server: Teredo Server is used for initial configuration of a Teredo tunnel. It is a node which has IPv4 connectivity and can be used to provide IPv6 connectivity to Teredo clients.
  • Teredo Relay: Teredo Relay is an IPv6 router which is used to forward all of the data on behalf of Teredo client it serves.
  • Teredo Service Port: Teredo service port determines the port from which a Teredo client sends Teredo packets. The port is attached to one or more client IPv4 addresses.
  • Teredo Refresh Interval: This period states the time interval during which a Teredo IPv6 address is expected to remain valid in the absence of “refresh” traffic. For a client located behind a NAT, the interval depends on configuration parameters of the local NAT, or the combination of NATs in the path to the Teredo server.
  • Teredo Node Identifier: It is a 64 bit identifier comprising of a port and IPv4 address at which a client can be reached through the Teredo service, as well as a flag indicating the type of NAT through which the client accesses the IPv4 Internet.
  • Teredo Mapped Address and Mapped Port: A global IPv4 address and a UDP port that results from the translation of the IPv4 address and UDP port of a client’s Teredo service port by one or more NATs.

How does Teredo Work?

The below section describes the way in which Teredo along with its various functions together.

  • Teredo tunneling starts with Teredo clients communicating with a Yeredo server. In this initial phase, client location is determined, i.e. whether it is behind a symmetric NAT, cone or a restricted cone.
  • After the position of the client is determined, the Teredo IPv6 address embeds the address and port through which the client can receive IPv4/UDP packets encapsulating IPv6 packets.
  • After this, Teredo clients can exchange the IPv6 packets with other compatible IPv6 nodes through Teredo relays. Teredo relays advertise reachability of the Teredo prefix to a certain subset of the IPv6 Internet.
  • Then Teredo clients have to discover Teredo clients that are closed to the native IPv6 node. Here a spoofing attack is possible where a malicious node can act as a legitimate IPv6 compatible node. In order to prevent spoofing, the Teredo clients perform a relay discovery procedure by sending an ICMP echo request to the native host.
  • Message is encapsulated in UDP and sent by the client to its Teredo serve, then the server decapsulates the IPv6 message and forwards it to the intended IPv6 destination. The payload of the echo request contains a large random number. The echo reply is sent by the peer to the IPv6 address of the client, and is forwarded through standard IPv6 routing mechanisms.
  • Thus the packet will reach the relay which is closest to the TIPv6 node. For future requests, the Teredo client will discover the IPv4 address and UDP port used by the relay to send the echo reply, and will send further IPv6 packets to the peer by encapsulating them in a UDP packet sent to this IPv4 address and port. In order to prevent spoofing, the Teredo client verifies that the payload of the echo reply contains the proper random number. The Teredo server never carries actual data traffic.

Security Considerations

Teredo Tunneling comes with various security issues that should be kept in mind before it is deployed in the network.

Attack Surface

Teredo Tunneling increases the attack surface as it assigns routable IPv6 address to otherwise non-routable devices which are sitting behind a NAT device. Thus Teredo increases exposure of complete IPv6 stack and tunneling software to attacks.

UDP on Firewall

Since Teredo embeds the IPv6 inside UDP packets and then transmits them within IPv4 packets, UDP traffic must be allowed on the firewall to allow Teredo to work.

DoS on Teredo Clients

Since Teredo clients use mapped address and ports from Teredo servers, this service must be protected from malicious 3rd party servers which act as Teredo servers and send crafted malicious inputs to Teredo clients. In order to prevent spoofing, the Teredo clients perform a relay discovery procedure by sending an ICMP echo request to the native host.

Want to learn more?? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review-it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

DDoS on Teredo Relay

Since Teredo Relay acts asa relay for IPv6 packets, this service must be protected against crafted packets that can be used by attackers to hide their address and conduct a Denial of Service attack.


Source: /gnilennut-oderet/moc.etutitsnicesofni.secruoser

Read:3279 | Comments:0 | Tags:General Security feature general security

“Teredo Tunneling”0 Comments

Submit A Comment



Blog :

Verification Code:


Tag Cloud