- Resource Center
- General security
- Teredo tunneling
General security
In this article we will learn about a transition technology in networking known as Teredo tunneling. There are various transition technologies already in place such as 6to4, but because of some shortcoming of the existing technologies, Teredo was developed. Teredo has some security considerations which will be covered later in this document.
What is Teredo tunneling?
There are various tunneling methods that have been developed before Teredo such as 6to4 for IPv6 (Internet Protocol version 6) packets as payload of IPv4, but with tunneling methods like 6to4 there is a limitation that it won't work for the IPv6 devices sitting behind a NAT. To overcome this shortcoming, the Teredo tunneling method was developed, which is used to give full IPv6 connectivity to IPv6 hosts even from behind a NAT device. Teredo operates using a platform independent tunneling protocol designed to provide IPv6 connectivity by encapsulating IPv6 datagram packets within IPv4 User Datagram Protocol (UDP) packets. These datagrams can be routed on the IPv4 Internet and through NAT devices. Other Teredo nodes elsewhere called Teredo relays that have access to the IPv6 network then receive the packets, unencapsulate them, and route them on.
FREE role-guided training plans Get 12 cybersecurity training plans — one for each of the most common roles requested by employers. Download Now
Also, 6to4, the most common IPv6 over IPv4 tunneling protocol, requires the tunnel endpoint to have a public IPv4 address. However, many hosts are currently attached to the IPv4 Internet through one or several NAT devices, and in such a situation, the only available public IPv4 address is assigned to the NAT device, and the 6to4 tunnel endpoint needs to be implemented on the NAT device itself. Many NAT devices currently deployed, however, cannot be upgraded to implement 6to4, for technical or economic reasons. Teredo alleviates this problem by encapsulating IPv6 packets within UDP/IPv4 datagrams, which most NATs can forward properly. Thus, IPv6-aware hosts behind NATs can be used as Teredo tunnel endpoints even when they don't have a dedicated public IPv4 address. In effect, a host implementing Teredo can gain IPv6 connectivity with no cooperation from the local network environment.
Teredo node types
Teredo defines various kinds of node types. The below list specifies them:
- Teredo Client: Teredo client is host which has IPv4 connectivity to Internet behind a NAT device and uses Teredo tunneling to use an IPv6 segment.
- Teredo Server: Teredo Server is used for initial configuration of a Teredo tunnel. It is a node which has IPv4 connectivity and can be used to provide IPv6 connectivity to Teredo clients.
- Teredo Relay: Teredo Relay is an IPv6 router which is used to forward all of the data on behalf of Teredo client it serves.
- Teredo Service Port: Teredo service port determines the port from which a Teredo client sends Teredo packets. The port is attached to one or more client IPv4 addresses.
- Teredo Refresh Interval: This period states the time interval during which a Teredo IPv6 address is expected to remain valid in the absence of "refresh" traffic. For a client located behind a NAT, the interval depends on configuration parameters of the local NAT, or the combination of NATs in the path to the Teredo server.
- Teredo Node Identifier: It is a 64 bit identifier comprising of a port and IPv4 address at which a client can be reached through the Teredo service, as well as a flag indicating the type of NAT through which the client accesses the IPv4 Internet.
- Teredo Mapped Address and Mapped Port: A global IPv4 address and a UDP port that results from the translation of the IPv4 address and UDP port of a client's Teredo service port by one or more NATs.
How does Teredo work?
The below section describes the way in which Teredo along with its various functions together.
- Teredo tunneling starts with Teredo clients communicating with a Yeredo server. In this initial phase, client location is determined, i.e. whether it is behind a symmetric NAT, cone or a restricted cone.
- After the position of the client is determined, the Teredo IPv6 address embeds the address and port through which the client can receive IPv4/UDP packets encapsulating IPv6 packets.
- After this, Teredo clients can exchange the IPv6 packets with other compatible IPv6 nodes through Teredo relays. Teredo relays advertise reachability of the Teredo prefix to a certain subset of the IPv6 Internet.
- Then Teredo clients have to discover Teredo clients that are closed to the native IPv6 node. Here a spoofing attack is possible where a malicious node can act as a legitimate IPv6 compatible node. In order to prevent spoofing, the Teredo clients perform a relay discovery procedure by sending an ICMP echo request to the native host.
- Message is encapsulated in UDP and sent by the client to its Teredo serve, then the server decapsulates the IPv6 message and forwards it to the intended IPv6 destination. The payload of the echo request contains a large random number. The echo reply is sent by the peer to the IPv6 address of the client, and is forwarded through standard IPv6 routing mechanisms.
- Thus the packet will reach the relay which is closest to the TIPv6 node. For future requests, the Teredo client will discover the IPv4 address and UDP port used by the relay to send the echo reply, and will send further IPv6 packets to the peer by encapsulating them in a UDP packet sent to this IPv4 address and port. In order to prevent spoofing, the Teredo client verifies that the payload of the echo reply contains the proper random number. The Teredo server never carries actual data traffic.
Security considerations
Teredo Tunneling comes with various security issues that should be kept in mind before it is deployed in the network.
Attack Surface
Teredo Tunneling increases the attack surface as it assigns routable IPv6 address to otherwise non-routable devices which are sitting behind a NAT device. Thus Teredo increases exposure of complete IPv6 stack and tunneling software to attacks.
UDP on Firewall
Since Teredo embeds the IPv6 inside UDP packets and then transmits them within IPv4 packets, UDP traffic must be allowed on the firewall to allow Teredo to work.
DoS on Teredo clients
Since Teredo clients use mapped address and ports from Teredo servers, this service must be protected from malicious 3rd party servers which act as Teredo servers and send crafted malicious inputs to Teredo clients. In order to prevent spoofing, the Teredo clients perform a relay discovery procedure by sending an ICMP echo request to the native host.
What should you learn next? From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now. Get Your Plan
DDoS on Teredo relay
Since Teredo Relay acts asa relay for IPv6 packets, this service must be protected against crafted packets that can be used by attackers to hide their address and conduct a Denial of Service attack.
Sources
Posted: January 12, 2019
Get your free cybersecurity talent development ebook and start upskilling your team.
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
Download Now
In this Series
- Teredo tunneling
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Related Bootcamps
- CompTIA CASP+ Training Boot Camp
- ISC2 CISSP® Training Boot Camp
- ISC2 CCSP® Training Boot Camp
- ISACA CISA Training Boot Camp
- ISACA CISM Training Boot Camp
- ISC2 CSSLP® Training Boot Camp
- CompTIA Cybersecurity Analyst (CySA+) Certification Course
- CompTIA Network+ Training Boot Camp
- CompTIA Security+ Training Boot Camp
- Certified Ethical Hacking Course: CEH Certification Boot Camp
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, ISC2, Cisco, Microsoft and more!
View Certifications
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
How to design effective cybersecurity policies
General security
What is attack surface management and how it makes the enterprise more secure
General security
Is a cybersecurity boot camp worth it?