General security

Teredo tunneling

Security Ninja
January 12, 2019 by
Security Ninja

In this article we will learn about a transition technology in networking known as Teredo tunneling. There are various transition technologies already in place such as 6to4, but because of some shortcoming of the existing technologies, Teredo was developed. Teredo has some security considerations which will be covered later in this document.

What is Teredo tunneling?

There are various tunneling methods that have been developed before Teredo such as 6to4 for IPv6 (Internet Protocol version 6) packets as payload of IPv4, but with tunneling methods like 6to4 there is a limitation that it won't work for the IPv6 devices sitting behind a NAT. To overcome this shortcoming, the Teredo tunneling method was developed, which is used to give full IPv6 connectivity to IPv6 hosts even from behind a NAT device. Teredo operates using a platform independent tunneling protocol designed to provide IPv6 connectivity by encapsulating IPv6 datagram packets within IPv4 User Datagram Protocol (UDP) packets. These datagrams can be routed on the IPv4 Internet and through NAT devices. Other Teredo nodes elsewhere called Teredo relays that have access to the IPv6 network then receive the packets, unencapsulate them, and route them on.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Also, 6to4, the most common IPv6 over IPv4 tunneling protocol, requires the tunnel endpoint to have a public IPv4 address. However, many hosts are currently attached to the IPv4 Internet through one or several NAT devices, and in such a situation, the only available public IPv4 address is assigned to the NAT device, and the 6to4 tunnel endpoint needs to be implemented on the NAT device itself. Many NAT devices currently deployed, however, cannot be upgraded to implement 6to4, for technical or economic reasons. Teredo alleviates this problem by encapsulating IPv6 packets within UDP/IPv4 datagrams, which most NATs can forward properly. Thus, IPv6-aware hosts behind NATs can be used as Teredo tunnel endpoints even when they don't have a dedicated public IPv4 address. In effect, a host implementing Teredo can gain IPv6 connectivity with no cooperation from the local network environment.

Teredo node types

Teredo defines various kinds of node types. The below list specifies them:

  • Teredo Client: Teredo client is host which has IPv4 connectivity to Internet behind a NAT device and uses Teredo tunneling to use an IPv6 segment.
  • Teredo Server: Teredo Server is used for initial configuration of a Teredo tunnel. It is a node which has IPv4 connectivity and can be used to provide IPv6 connectivity to Teredo clients.
  • Teredo Relay: Teredo Relay is an IPv6 router which is used to forward all of the data on behalf of Teredo client it serves.
  • Teredo Service Port: Teredo service port determines the port from which a Teredo client sends Teredo packets. The port is attached to one or more client IPv4 addresses.
  • Teredo Refresh Interval: This period states the time interval during which a Teredo IPv6 address is expected to remain valid in the absence of "refresh" traffic. For a client located behind a NAT, the interval depends on configuration parameters of the local NAT, or the combination of NATs in the path to the Teredo server.
  • Teredo Node Identifier: It is a 64 bit identifier comprising of a port and IPv4 address at which a client can be reached through the Teredo service, as well as a flag indicating the type of NAT through which the client accesses the IPv4 Internet.
  • Teredo Mapped Address and Mapped Port: A global IPv4 address and a UDP port that results from the translation of the IPv4 address and UDP port of a client's Teredo service port by one or more NATs.

How does Teredo work?

The below section describes the way in which Teredo along with its various functions together.

  • Teredo tunneling starts with Teredo clients communicating with a Yeredo server. In this initial phase, client location is determined, i.e. whether it is behind a symmetric NAT, cone or a restricted cone.
  • After the position of the client is determined, the Teredo IPv6 address embeds the address and port through which the client can receive IPv4/UDP packets encapsulating IPv6 packets.
  • After this, Teredo clients can exchange the IPv6 packets with other compatible IPv6 nodes through Teredo relays. Teredo relays advertise reachability of the Teredo prefix to a certain subset of the IPv6 Internet.
  • Then Teredo clients have to discover Teredo clients that are closed to the native IPv6 node. Here a spoofing attack is possible where a malicious node can act as a legitimate IPv6 compatible node. In order to prevent spoofing, the Teredo clients perform a relay discovery procedure by sending an ICMP echo request to the native host.
  • Message is encapsulated in UDP and sent by the client to its Teredo serve, then the server decapsulates the IPv6 message and forwards it to the intended IPv6 destination. The payload of the echo request contains a large random number. The echo reply is sent by the peer to the IPv6 address of the client, and is forwarded through standard IPv6 routing mechanisms.
  • Thus the packet will reach the relay which is closest to the TIPv6 node. For future requests, the Teredo client will discover the IPv4 address and UDP port used by the relay to send the echo reply, and will send further IPv6 packets to the peer by encapsulating them in a UDP packet sent to this IPv4 address and port. In order to prevent spoofing, the Teredo client verifies that the payload of the echo reply contains the proper random number. The Teredo server never carries actual data traffic.

Security considerations

Teredo Tunneling comes with various security issues that should be kept in mind before it is deployed in the network.

Attack Surface

Teredo Tunneling increases the attack surface as it assigns routable IPv6 address to otherwise non-routable devices which are sitting behind a NAT device. Thus Teredo increases exposure of complete IPv6 stack and tunneling software to attacks.

UDP on Firewall

Since Teredo embeds the IPv6 inside UDP packets and then transmits them within IPv4 packets, UDP traffic must be allowed on the firewall to allow Teredo to work.

DoS on Teredo clients

Since Teredo clients use mapped address and ports from Teredo servers, this service must be protected from malicious 3rd party servers which act as Teredo servers and send crafted malicious inputs to Teredo clients. In order to prevent spoofing, the Teredo clients perform a relay discovery procedure by sending an ICMP echo request to the native host.

DDoS on Teredo relay

Since Teredo Relay acts asa relay for IPv6 packets, this service must be protected against crafted packets that can be used by attackers to hide their address and conduct a Denial of Service attack.

Sources

Security Ninja
Security Ninja