Grant Holliday

So you’ve installed Windows Vista and you’ve run ‘ipconfig /all’ from the command prompt. You might have noticed a few extra interfaces, but not really understand what they are. You trust Microsoft to be secure-by-default, so you forget about them.

If your brain works anything like mine, the word ‘Teredo’ will stand out as a keyword to search on and you’ll eventually get to these two articles:

• http://en.wikipedia.org/wiki/Teredo_tunneling
• http://www.microsoft.com/technet/network/ipv6/teredo.mspx

Teredo is a networking protocol designed by Microsoft that allows clients on an IPv4 network behind a NAT router to access the IPv6 Internet.

IPv4 Network Address Translation (NAT)

First an explanation of how most home users, small offices and increasingly more business access the Internet. Because the IPv4 address space is running out, NAT has taken off as a mechanism for multiple clients sharing the same Internet connection and public IP address.

In this diagram, the NAT router uses a single IPv4 public IP address and ‘translates’ it to a private IP address for the client. The way it does this is by watching all the traffic that the client is sending out to the Internet.

e.g. A web request to microsoft.com would look like this to the NAT router:

Source IP: 192.168.0.50

Source port: 1024

Destination IP: 207.46.192.254

Destination port: 80

But obviously, when microsoft.com receives this request and tries to send a response back - it won’t know how to connect to 192.168.0.50, because this is a private IP address.

What NAT does is changes the Source IP/Port before sending the request off and keeps the request in a ‘translation table’. So the request becomes:

Source IP: 203.219.21.70

Source port: 60101

Destination IP: 207.46.192.254

Destination port: 80

Then when microsoft.com receives this modified request, it sends a response back to the NAT router. The NAT router then looks in it’s translation table and sees that it IS expecting a response back. It modifies the destination IP and port and passes it back to the client:

Source IP: 207.46.192.254

Source port: 80

Destination IP: 192.168.0.50

Destination port: 1024

Teredo

Teredo is enabled by default in Windows Vista.

Teredo is an IPv6 transition technology that allows automatic IPv6 tunneling between hosts that are located across one or more IPv4 NATs. IPv6 traffic from Teredo hosts can flow across NATs because it is sent as an IPv4 UDP message. If the NAT supports UDP port translation, then the NAT supports Teredo. The exception is a symmetric NAT, which is described in “Types of NATs” in this article.

Teredo is designed as a last resort transition technology for IPv6 connectivity. If native IPv6, 6to4, or Intrasite Automatic Tunnel Addressing Protocol (ISATAP) connectivity is present, the host does not act as a Teredo client. As more IPv4 edge devices are upgraded to support 6to4 and IPv6 connectivity becomes ubiquitous, Teredo will be used less and less until finally it is not used at all.

The Teredo Tunneling Pseudo-Interface attempts to auto-configure itself. When it does, it gets assigned an IPv6 IP address. This address will look something like this:

2001:0:4136:e38e:14e4:2ca1:3424:eab9

This may look like just a random number, but there’s lots of extra information encoded in here.

Teredo IPv6 addresses

Teredo Prefix

The first 32bits of a Teredo address are always:

2001::/32

Teredo Server IPv4 Address

This indicates the currently configured Teredo Server.

A Teredo server is an IPv6/IPv4 node that is connected to both the IPv4 Internet and the IPv6 Internet, supports a Teredo tunneling interface over which packets are received. The general role of the Teredo server is to assist in the address configuration of Teredo client and to facilitate the initial communication between Teredo clients and other Teredo clients or between Teredo clients and IPv6-only hosts. The Teredo server listens on UDP port 3544 for Teredo traffic.

By default in Windows Vista the Teredo server is configured as teredo.ipv6.microsoft.com

Resolving this address gives us 5 possible IP addresses.

Name: teredo.ipv6.microsoft.com

Addresses: 65.54.227.136, 65.54.227.138, 65.54.227.140, 65.54.227.142, 65.54.227.144

When we convert these IP addresses to their HEX equivalent, we end up with:

65.54.227.136 = 4136:e388

65.54.227.138 = 4136:e38a

65.54.227.140 = 4136:e38c

65.54.227.142 = 4136:e38e

65.54.227.144 = 4136:e390

If you need to change your Teredo server, you can do it by opening the command prompt as an administrator and running:

netsh interf7ace ipv6 set teredo servername=teredo.server.com

Teredo Flags

The next 16 bits for are reserved for Teredo flags.

The 16 bits within the Flags field for Windows Vista and Windows Server 2008-based Teredo clients consists of the following: CRAAAAUG AAAAAAAA.

• The C bit is for the Cone flag.
• The R bit is reserved for future use.
• The U bit is for the Universal/Local flag (set to 0).
• The G bit is Individual/Group flag (set to 0).
• The A bits are set to a 12-bit randomly generated number.

By using a random number for the A bits, a malicious user that has determined the rest of the Teredo address by capturing the initial configuration exchange of packets between the Teredo client and Teredo server will have to try up to 4,096 (212) different addresses to determine a Teredo client’s address during an address scan.

In my address, the Teredo flags are: 14e4

Converting 0×14e4 to binary, we get the following:

00010100 11100100
CRAAAAUG AAAAAAAA

Which means that the ‘Cone’, ‘Universal’ and ‘Group’ flags are not set. Yay!

Obscured External Port

The next 16 bits store an obscured version of the external UDP port corresponding to all Teredo traffic for this Teredo client.

Obscuring the external port prevents NATs from translating the external port within the payload of the packets that they are forwarding.

Obscured port: 2ca1

XOR with 0xFFFF = 0xD35E

0xD35E = UDP port 54110

Obscured External Address

The last 32 bits store an obscured version of the external IPv4 address corresponding to all Teredo traffic for this Teredo client. The unobscured IP address can be obtained by XORing with 0xFFFFFFFF and then converting the decimal result to dotted-decimal notation. This tool might help.

Obscured IP: 3424:eab9

XOR with 0xFFFFFFFF = 0xCBDB1546

0xCBDB15 46 = Decimal 3420132678

Converted to dotted-decimal notation: 203.219.21.70

But how do I access the IPv6 Internet with Teredo???

To actually access the IPv6 Internet with Teredo, you need a Teredo Relay. A Teredo Relay potentially requires a lot of network bandwidth.

While Microsoft has been operating a set of Teredo servers ever since the first Teredo pseudo-tunnel for Windows XP was released, it has never provided a Teredo relay service for the IPv6 Internet as a whole.

I have tried a few Teredo servers, but none of them seem to relay. This is something that I will continue exploring. I’m going to try and set up Miredo somewhere and see what I can learn.