Teredo tunneling

IPv6 transition mechanisms
Standards Track
4in6 Lightweight 4over6 6in4 6over4 DS-Lite 6rd 6to4 NAT64/DNS64 Teredo SIIT MAP
Experimental
TSP 4rd
Informational
Tunnel broker IVI TRT 464XLAT Public 4over6 ISATAP
Drafts
AYIYA dIVI
Deprecated
NAT-PT NAPT-PT
v t e

Incomputer networking,Teredois atransition technologythat gives fullIPv6connectivity for IPv6-capable hosts that are on theIPv4Internetbut have no native connection to an IPv6 network. Unlike similar protocols such as6to4,it can perform its function even from behindnetwork address translation(NAT) devices such as home routers.

Teredo operates using aplatform independenttunneling protocolthat providesIPv6(Internet Protocol version 6) connectivity byencapsulatingIPv6datagrampackets within IPv4User Datagram Protocol(UDP) packets. Teredo routes these datagrams on theIPv4 Internetand through NAT devices. Teredo nodes elsewhere on the IPv6 network (calledTeredo relays) receive the packets, un-encapsulate them, and pass them on.

Teredo is a temporary measure. In the long term, all IPv6 hosts should use native IPv6 connectivity. Teredo should be disabled when native IPv6 connectivity becomes available.Christian Huitemadeveloped Teredo atMicrosoft,and theIETFstandardized it as RFC 4380. The Teredo server listens onUDPport3544.

This sectiondoes notciteanysources.Please helpimprove this sectionbyadding citations to reliable sources.Unsourced material may be challenged andremoved.(September 2021)(Learn how and when to remove this message)

For6to4,the most common IPv6 over IPv4 tunneling protocol, requires that the tunnel endpoint have a public IPv4 address. However, many hosts currently attach to the IPv4 Internet through one or several NAT devices, usually because ofIPv4 address shortage.In such a situation, the only available public IPv4 address is assigned to the NAT device, and the 6to4 tunnel endpoint must be implemented on the NAT device itself. The problem is that many NAT devices currently deployed cannot be upgraded to implement 6to4, for technical or economic reasons.

Teredo alleviates this problem by encapsulating IPv6 packets within UDP/IPv4 datagrams, which most NATs can forward properly. Thus, IPv6-aware hosts behind NATs can serve as Teredo tunnel endpoints even when they don't have a dedicated public IPv4 address. In effect, a host that implements Teredo can gain IPv6 connectivity with no cooperation from the local network environment.

In the long term, all IPv6 hosts should use native IPv6 connectivity. The temporary Teredo protocol includes provisions for asunset procedure:Teredo implementation should provide a way to stop using Teredo connectivity when IPv6 matures and connectivity becomes available using a less brittle mechanism. As of IETF89^{[clarification needed]},Microsoft plans to deactivate their Teredo servers for Windows clients in the first half of 2014^{[needs update]}(exact date TBD), and encourage the deactivation of publicly operated Teredo relays.

The Teredo protocol performs several functions:

1. Diagnoses UDP over IPv4 (UDPv4) connectivity and discovers the kind of NAT present (using a simplified replacement to theSTUNprotocol)
2. Assigns a globally routable unique IPv6 address to each host using it
3. Encapsulates IPv6 packets inside UDPv4 datagrams for transmission over an IPv4 network (this includesNAT traversal)
4. Routes traffic between Teredo hosts and native (or otherwise non-Teredo) IPv6 hosts

Teredo defines several different kinds of nodes:^[1]

Teredo client

A host that has IPv4 connectivity to the Internet from behind a NAT and uses the Teredo tunneling protocol to access the IPv6 Internet. Teredo clients are assigned an IPv6 address that starts with the Teredo prefix (2001::/32).^[2]

Teredo server

A well-known host used for initial configuration of a Teredo tunnel. A Teredo server never forwards any traffic for the client (apart from IPv6 pings), and has therefore modest bandwidth requirements (a few hundred bits per second per client at most),^{[citation needed]}which means a single server can support many clients. Additionally, a Teredo server can be implemented in a fullystatelessmanner, thus using the same amount of memory regardless of how many clients it supports.

Teredo relay

The remote end of a Teredo tunnel. A Teredo relay must forward all of the data on behalf of the Teredo clients it serves, with the exception of direct Teredo client to Teredo client exchanges. Therefore, a relay requires a lot of bandwidth and can only support a limited number of simultaneous clients. Each Teredo relay serves a range of IPv6 hosts (e.g. a single campus or company, anISPor a whole operator network, or even the wholeIPv6 Internet); it forwards traffic between any Teredo clients and any host within said range.

Teredo host-specific relay

A Teredo relay whose range of service is limited to the very host it runs on. As such, it has no particular bandwidth or routing requirements. A computer with a host-specific relay uses Teredo to communicate with Teredo clients, but sticks to its main IPv6 connectivity provider to reach the rest of the IPv6 Internet.

Each Teredo client is assigned a publicIPv6 address,which is constructed as follows (the higher order bit is numbered 0):

• Bits 0 to 31 hold the Teredo prefix (2001::/32).
• Bits 32 to 63 embed the primary IPv4 address of the Teredo server that is used.
• Bits 64 to 79 hold some flags and other bits; the format for these 16 bits, MSB first, is "CRAAAAUG AAAAAAAA". The "C" bit was set to 1 if the Teredo client is located behind acone NAT,0 otherwise, but RFC 5991 changed it to always be 0 to avoid revealing this fact to strangers. The "R" bit is currently unassigned and should be sent as 0. The "U" and "G" bits are set to 0 to emulate the "Universal/local" and "Group/individual" bits inMAC addresses.The 12 "A" bits were 0 in the original RFC 4380 specification, but were changed to random bits chosen by the Teredo client in RFC 5991 to provide the Teredo node with additional protection against IPv6-based scanning attacks.
• Bits 80 to 95 contain theobfuscatedUDP port number. This is the port number that the NAT maps to the Teredo client, with all bits inverted.
• Bits 96 to 127 contain theobfuscatedIPv4 address. This is the public IPv4 address of the NAT with all bits inverted.

Bits	0 - 31	32 - 63	64 - 79	80 - 95	96 - 127
Length	32 bits	32 bits	16 bits	16 bits	32 bits
Description	Prefix	Teredo server IPv4	Flags	Obfuscated UDP port	Obfuscated Client public IPv4

As an example, the IPv6 address 2001:0000:4136:e378:8000:63bf:3fff:fdd2 refers to a Teredo client that:

• Uses Teredo server at address 65.54.227.120 (4136e378 inhexadecimal)
• Is behind a cone NAT and client is not fully compliant with RFC 5991 (bit 64 is set)
• Is probably (99.98%) not compliant with RFC 5991 (the 12 random bits are all 0, which happens less than 0.025% of the time)
• Uses UDP mapped port 40000 on its NAT (in hexadecimalnot63bf equals 9c40, or decimal number 40000)
• Has a NAT public IPv4 address of 192.0.2.45 (not 3ffffdd2 equals c000022d, which is to say, 192.0.2.45)

Bits	0 - 31	32 - 63	64 - 79	80 - 95	96 - 127
Length	32 bits	32 bits	16 bits	16 bits	32 bits
Description	Prefix	Teredo server IPv4	Flags	Obfuscated UDP port	Obfuscated Client public IPv4
Part	2001:0000	4136:e378	8000	63bf	3fff:fdd2
Decoded		65.54.227.120	cone NAT	40000	192.0.2.45

Teredo clients use Teredo servers to autodetect the kind of NAT they are behind (if any), through a simplified STUN-likequalification procedure.Teredo clients also maintain a binding on their NAT toward their Teredo server by sending a UDP packet at regular intervals. That ensures that the server can always contact any of its clients—which is required forNAT hole punchingto work properly.

If a Teredo relay (or another Teredo client) must send an IPv6 packet to a Teredo client, it first sends aTeredo bubblepacket to the client's Teredo server, whose IP address it infers from the Teredo IPv6 address of the Teredo client. The server then forwards thebubbleto the client, so the Teredo client software knows it must do hole punching toward the Teredo relay.

Teredo servers can also transmit ICMPv6 packet from Teredo clients toward the IPv6 Internet. In practice, when a Teredo client wants to contact a native IPv6 node, it must locate the corresponding Teredo relay,i.e.,to which public IPv4 and UDP port number to send encapsulated IPv6 packets. To do that, the client crafts an ICMPv6 Echo Request (ping) toward the IPv6 node, and sends it through its configured Teredo server. The Teredo server de-capsulates the ping onto the IPv6 Internet, so that the ping should eventually reach the IPv6 node. The IPv6 node should then reply with an ICMPv6 Echo Reply, as mandated by RFC 2460. This reply packet is routed to theclosestTeredo relay, which — finally — tries to contact the Teredo client.

Maintaining a Teredo server requires little bandwidth, because they are not involved in actual transmission and reception of IPv6 traffic packets. Also, it does not involve any access to the Internet routing protocols. The only requirements for a Teredo server are:

• The ability to emit ICMPv6 packets with a source address belonging to the Teredo prefix
• Two distinct public IPv4 addresses. Though not written down in the official specification, Microsoft Windows clients expect both addresses to be consecutive — the second IPv4 address is for NAT detection

Public Teredo servers:

• teredo.trex.fi (Finland)

Former public Teredo servers:

• teredo.remlab.net / teredo-debian.remlab.net (Germany), now redirects to teredo.trex.fi^[3]

A Teredo relay potentially requires much network bandwidth. Also, it must export (advertise) a route toward the Teredo IPv6 prefix (2001::/32) to other IPv6 hosts. That way, the Teredo relay receives traffic from the IPv6 hosts addressed to any Teredo client, and forwards it over UDP/IPv4. Symmetrically, it receives packets from Teredo clients addressed to native IPv6 hosts over UDP/IPv4 and injects those into the native IPv6 network.

In practice, network administrators can set up a private Teredo relay for their company or campus. This provides a short path between their IPv6 network and any Teredo client. However, setting up a Teredo relay on a scale beyond that of a single network requires the ability to exportBGPIPv6 routes to the otherautonomous systems(AS's).

Unlike6to4,where the two halves of a connection can use different relays, traffic between a native IPv6 host and a Teredo client uses the same Teredo relay, namely the one closest to the native IPv6 host network-wise. The Teredo client cannot localize a relay by itself (since it cannot send IPv6 packets by itself). If it needs to initiate a connection to a native IPv6 host, it sends the first packet through the Teredo server, which sends a packet to the native IPv6 host using the client's Teredo IPv6 address. The native IPv6 host then responds as usual to the client's Teredo IPv6 address, which eventually causes the packet to find a Teredo relay, which initiates a connection to the client (possibly using the Teredo server forNAT piercing). The Teredo Client and native IPv6 host then use the relay for communication as long as they need to. This design means that neither the Teredo server nor client needs to know the IPv4 address of any Teredo relays. They find a suitable one automatically via the global IPv6 routing table, since all Teredo relays advertise the network 2001::/32.

On March 30, 2006, Italian ISP ITGate^[4]was the first AS to start advertising a route toward 2001::/32 on the IPv6 Internet, so that RFC 4380-compliant Teredo implementations would be fully usable. As of 16 February 2007, it is no longer functional.

In Q1 2009, IPv6 backboneHurricane Electricenabled 14 Teredo relays^[5]in ananycastimplementation and advertising 2001::/32 globally. The relays were located inSeattle,Fremont,Los Angeles,Chicago,Dallas,Toronto,New York,Ashburn,Miami,London,Paris,Amsterdam,Frankfurt,andHong Kong.

It is expected that large network operators will maintain Teredo relays. As with 6to4, it remains unclear how well the Teredo service will scale up if a large proportion of Internet hosts start using IPv6 through Teredo in addition to IPv4. While Microsoft has operated a set of Teredo servers since they released the first Teredo pseudo-tunnel for Windows XP, they have never provided a Teredo relay service for the IPv6 Internet as a whole.

Teredo is not compatible with all NAT devices. Using the terminology of RFC 3489, it supports full cone, restricted, and port-restrictedNATdevices, but does not supportsymmetric NATs.The Shipworm specification^[6]original that led to the final Teredo protocol also supported symmetric NATs, but dropped that due to security concerns.

People at theNational Chiao Tung Universityin Taiwan later proposed SymTeredo,^[7]which enhanced the original Teredo protocol to support symmetric NATs, and the Microsoft and Miredo implementations implement certain unspecified non-standard extensions to improve support for symmetric NATs. However, connectivity between a Teredo client behind a symmetric NAT, and a Teredo client behind a port-restricted or symmetric NAT remains seemingly impossible.^{[citation needed]}

Indeed, Teredo assumes that when two clients exchange encapsulated IPv6 packets, the mapped/external UDP port numbers used will be the same as those that were used to contact the Teredo server (and building the Teredo IPv6 address). Without this assumption, it would not be possible to establish a direct communication between the two clients, and a costly relay would have to be used to performtriangle routing.A Teredo implementation tries to detect the type of NAT at startup, and will refuse to operate if the NAT appears to be symmetric. (This limitation can sometimes be worked around by manually configuring a port forwarding rule on the NAT box, which requires administrative access to the device).

Teredo can only provide a single IPv6 address per tunnel endpoint. As such, it is not possible to use a single Teredo tunnel to connect multiple hosts, unlike 6to4 and some point-to-point IPv6 tunnels. The bandwidth available to all Teredo clients toward the IPv6 Internet is limited by the availability of Teredo relays, which are no different than 6to4 relays in that respect.

6to4requires a public IPv4 address, but provides a large 48-bit IPv6 prefix for each tunnel endpoint, and has a lower encapsulationoverhead.Point-to-pointtunnels can be more reliable and are more accountable than Teredo, and typically provide permanent IPv6 addresses that do not depend on the IPv4 address of the tunnel endpoint. Some point-to-pointtunnel brokersalso support UDP encapsulation to traverse NATs (for instance, theAYIYAprotocol can do this). On the other hand, point-to-point tunnels normally require registration. Automated tools (for instanceAICCU) make it easy to use Point-to-Point tunnels.

Teredo increases theattack surfaceby assigning globally routable IPv6 addresses to network hosts behind NAT devices, which would otherwise be unreachable from the Internet. By doing so, Teredo potentially exposes any IPv6-enabled application with an open port to the outside. Teredo tunnel encapsulation can also cause the contents of the IPv6 data traffic to become invisible to packet inspection software, facilitating the spread of malware.^[8]Finally, Teredo exposes the IPv6 stack and the tunneling software to attacks should they have any remotely exploitable vulnerability.

In order to reduce the attack surface, the Microsoft IPv6 stack has a "protection level"socketoption. This allows applications to specify from which sources they are willing to accept IPv6 traffic: from the Teredo tunnel, from anywhere except Teredo (the default), or only from the localintranet.

The Teredo protocol also encapsulates detailed information about the tunnel's endpoint in its data packets. This information can help potential attackers by increasing the feasibility of an attack, and/or by reducing the effort required.^[9]

For a Teredo pseudo-tunnel to operate properly, outgoing UDP packets to port 3544 must be unfiltered. Moreover, replies to these packets (i.e., "solicited traffic" ) must also be unfiltered. This corresponds to the typical setup of a NAT and its stateful firewall functionality. Teredo tunneling software reports a fatal error and stops if outgoing IPv4 UDP traffic is blocked.

In 2010, new methods to create denial of service attacks via routing loops that use Teredo tunnels were uncovered. They are relatively easy to prevent.^[10]

Microsoft Windowsas of Windows 10, version 1803 and later disable Teredo by default. If needed, this transitional technology can be enabled via aCLIcommand orGroup Policy.^[11]

Several implementations of Teredo are currently available:

• Windows XP SP2includes a client andhost-specificrelay (also in the Advanced Networking Pack for Service Pack 1).
• Windows Server 2003has a relay and server provided under theMicrosoftBeta program.
• Windows VistaandWindows 7have built-in support for Teredo with an unspecified extension for symmetric NAT traversal. However, if only a link-local and Teredo address are present, these operating systems don't try to resolve IPv6 DNS AAAA records if a DNS A record is present, in which case they use IPv4. Therefore, only literal IPv6 URLs typically use Teredo.^[12]This behavior can be modified in theregistry.
• Windows 10version 1803 and later disable Teredo by default. If needed, this transitional technology can be enabled via aCLIcommand orGroup Policy.^[11]
• Miredois a client, relay, and server forLinux,*BSD,andMac OS X,
• ng_teredo is a relay and server based onnetgraphforFreeBSDfrom theLIP6University and 6WIND.^{[13][citation needed]}
• NICI-Teredo is a relay for theLinux kerneland a userland Teredo server, developed at the National Chiao Tung University.^{[14][citation needed]}

The initial nickname of the Teredo tunneling protocol wasShipworm.The idea was that the protocol would pierce through NAT devices, much as theshipworm(a kind of marine wood-boring clam) bores tunnels through wood. Shipworms have been responsible for the loss of many wooden hulls. Christian Huitema, in the original draft, noted that the shipworm "only survives in relatively clean and unpolluted water; its recent comeback in several Northern American harbors is a testimony to their newly retrieved cleanliness. The Shipworm service should, in turn, contributes [sic] to a newly retrieved transparency of the Internet. "^[15]

To avoid confusion withcomputer worms,^[16]Huitema later changed the protocol's name fromShipwormtoTeredo,after thegenusname of the shipwormTeredo navalis.^[16]

• Teredo Overviewon Microsoft TechNet
• Current anycast Teredo BGP routes
• Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs).RFC 4380, C. Huitema. February 2006.
• JavaScript Teredo-IP address calculator