Using IPv6 and Teredo
Published: December 27, 2005 | Updated: September 08, 2006
On This Page
Using IPv6 and Teredo
NATs and Packet Filtering
Requirement for Host-based Firewalls
Teredo and NATs
Summary
Using IPv6 and Teredo
Internet Protocol version 6 (IPv6) is the replacement for the Internet layer of the current TCP/IP protocol stack widely used on the Internet, known as IP version 4 (IPv4). IPv6 is the future of networking communication on the Internet, providing enhanced connectivity and security. IPv6 is supported in the following:
Microsoft® Windows® XP with Service Pack 1 (SP1) (disabled by default)
Windows XP with Service Pack 2 (SP2) (disabled by default)
Windows Server® 2003 (disabled by default)
Windows Vista™ (enabled by default)
Windows Server Code Name "Longhorn" (now in beta testing) (enabled by default)
For information about enabling IPv6 for computers running Windows XP with SP1, Windows XP with SP2, or Windows Server 2003, see IPv6 Protocol for the Windows Server 2003 Family: Frequently Asked Questions.
In Windows Vista and Windows Server "Longhorn," many operating system components now support IPv6. When both IPv4 and IPv6 are enabled, Windows prefers the use of IPv6 for applications that can use either IPv4 or IPv6.
For more information about IPv6, see the Microsoft IPv6 Web site.
Network address translators (NATs) are used to extend the life of public IPv4 addresses, sacrificing global addressing and end-to-end connectivity. Teredo is an IPv6 transition technology that allows IPv6 connectivity between IPv6/IPv4 nodes that are separated by one or more NATs, providing enhanced connectivity for all types of IPv6-enabled applications, even over today’s IPv4 networks. With Teredo, IPv6-enabled applications can successfully communicate more frequently over IPv4 networks than IPv4-only applications.
Teredo is supported in the following:
Windows XP with SP1 and the Advanced Networking Pack for Windows XP (enabled by default)
Windows XP with SP2 (enabled by default)
Windows Server 2003 with Service Pack 1 (disabled by default)
Windows Vista (enabled by default but inactive)
The Teredo component is enabled but inactive by default. In order to become active, a user must either install an application that needs to use Teredo, or configure the advanced settings on a Windows Firewall exception to use edge traversal.
Windows Server "Longhorn" (disabled by default)
The combination of IPv6 and Teredo provides enhanced connectivity for IPv6-enabled applications. When used in conjunction with a host-based, stateful, IPv6 firewall, IPv6 and Teredo does not make your computer more susceptible to attacks by malicious users or programs that use unsolicited traffic.
For more information about IPv6 and Teredo in Windows Vista and Windows Server “Longhorn,” see Changes to IPv6 in Windows Vista and Windows Server "Longhorn".
NATs and Packet Filtering
A NAT allows multiple computers that use private IPv4 addresses on a private network to share a single public IPv4 address. For more information about NATs and how they work, see the "Overview of Network Address Translators (NATs)" section of Teredo Overview. Typical home or small business broadband routers that assign IPv4 addresses to private network hosts that begin with "10", "192.168", or "172.16" through “172.31” are NATs.
A NAT provides simple packet filtering for private network hosts. A typical NAT will discard all incoming traffic from the Internet that is not locally destined and does not correspond to a NAT translation table entry. NAT translation table entries get created dynamically when private network hosts initiate traffic and eventually time out. You can also manually configure static NAT translation table entries to allow unsolicited incoming traffic (for example, when you want to allow traffic to a Web server that is located on the private network). Typical NATs only allow configuration based on opening a port, allowing all traffic addressed to that port to be forwarded to the private network. Static NAT translation table entries do not time out.
A NAT's function is similar to a simple stateful edge firewall, which will discard all traffic that is not locally destined and does not correspond to a firewall exception. Firewall exceptions are stored in an exceptions table and can be created dynamically based on traffic initiated by private hosts or you can manually add static exceptions.
For both NATs and edge firewalls, incoming traffic must match a static or dynamic table entry before it is forwarded to the private network destination. Incoming traffic can be classified as one of the following:
Solicited - Traffic that matches a dynamic table entry, which the NAT or edge firewall forwards. An example is the traffic for the contents of an Internet Web page that was requested by a private network computer user.
Wanted, unsolicited - Traffic matches a static table entry, which the NAT or edge firewall forwards. An example is the traffic to a Web server on the private network that is accessible from the Internet.
Unwanted, unsolicited - Traffic does not match a table entry, which the NAT or edge firewall discards. Examples are the traffic for network-level viruses and port scan attacks.
The main difference between NATs and stateful edge firewalls is that NATs must translate addresses and ports for the traffic that they forward. The reuse of the private address space and the address/port translation function of the NAT violate the original design of IPv4, which specified a globally unique address for each node connected to the Internet. Using globally unique addresses allows end-to-end connectivity regardless of whether the communicating node is a client, server, or peer. Although NATs reduce the stress on the public IPv4 address space, they introduce addressing issues for end-to-end traffic when a server or peer is located behind a NAT.
Requirement for Host-based Firewalls
Regardless of whether you are using a NAT or an edge firewall, you need host-based firewalling on all of your private hosts to prevent the spread of viruses or worms on your private network. Creators of viruses and worms are very aware of the packet filtering capabilities of NATs and edge firewalls. A virus or worm that relies on unsolicited incoming traffic typically cannot penetrate a NAT or edge firewall to attack the hosts of a private network. Therefore, virus and worm creators package their malicious software (malware) in the form of Trojan horses that are transmitted through file downloads, email attachments, or Web pages. In all of these cases, the Trojan horse bypasses the edge device because it is solicited traffic.
After a private host is infected, the virus or worm will then attempt to infect the other computers on the private network. Therefore, you must enable host-based stateful firewalls on all of your private intranet hosts to protect them from unsolicited incoming traffic from both the Internet and private network hosts.
Windows XP with SP2, Windows Server 2003 with Service Pack 1, Windows Vista, and Windows Server "Longhorn" include Windows Firewall, a host-based stateful firewall that supports both IPv4 and IPv6 traffic. Windows Firewall is enabled by default for Windows XP with SP2, Windows Vista, and Windows Server "Longhorn." For more information about Windows Firewall, see Manually Configuring Windows Firewall in Windows XP Service Pack 2 and Introduction to Windows Firewall with Advanced Security.
Teredo and NATs
Teredo provides enhanced connectivity for IPv6-enabled applications by providing globally unique IPv6 addressing and by allowing IPv6 traffic to traverse NATs. With Teredo, IPv6-enabled applications that require unsolicited incoming traffic and global addressing, such as peer-to-peer applications, will work over a NAT. These same types of applications, if they used IPv4 traffic, would either require manual configuration of the NAT or would not work at all without modifying the network application protocol. All types of IPv6-enabled applications can work with Teredo and require no additional modification for Teredo support. However, this article focuses on those types of applications that would not work by default with IPv4 traffic over a NAT. For detailed information about how Teredo works, see Teredo Overview.
Teredo works across NATs because Teredo clients create dynamic NAT translation table entries for their own Teredo traffic. Once these entries are created, the NAT forwards incoming Teredo traffic to the host that created the matching NAT translation table entry. The NAT will not forward Teredo traffic to computers on the private network that are not Teredo clients. Therefore, if only one computer on a private network is a Teredo client, the NAT will only forward Teredo traffic from the Internet that is for that Teredo client. Teredo does not change the behavior of NATs.
To restore end-to-end connectivity for IPv6 traffic, Teredo traffic treats the NAT as a simple IP router that is not providing a packet filtering function. To provide protection against unwanted, unsolicited, incoming, IPv6 traffic, private network hosts must use a host-based stateful firewall that supports IPv6 traffic, such as Windows Firewall, that drops all unwanted, unsolicited, incoming, IPv6 traffic.
The combination of IPv6, Teredo, and a host-based, stateful, IPv6 firewall does not affect the packet filtering function of the NAT for IPv4-based traffic and does not make your Windows-based computer more susceptible to attacks by malicious users and programs that use IPv6 traffic, rather than IPv4 traffic. When starting, a Windows-based computer using Teredo sends some Teredo traffic to automatically configure a global Teredo IPv6 address. However, no unsolicited, incoming, IPv6 traffic is allowed unless it matches a configured host-based firewall exception.
Treating the NAT as a simple IP router makes configuration of wanted, unsolicited, incoming, traffic easier. Without IPv6 and Teredo, you would have to configure the following:
An exception for the host-based firewall
A static NAT translation table entry
With IPv6 and Teredo, you no longer have to configure the static NAT translation table entry. If the IPv6-enabled application can create dynamic port or program exceptions with Windows Firewall, a user does not have to perform any configuration to allow their traffic to be forwarded by the NAT. Because most NATs only allow configuration of unsolicited incoming traffic for a port number (rather than configuring the incoming traffic for a specific port and IPv4 address), the combination of IPv6, Teredo, and Windows Firewall with program or port-based exceptions is more secure because it only allows traffic to a specific port and IPv6 address on the Teredo-enabled computer.
Summary
The combination of IPv6 and Teredo allows Windows-based hosts to use IPv6-enabled applications that require unsolicited, incoming, IPv6 traffic and global addressing over NATs. The combination of IPv6, Teredo, and a host-based, stateful, IPv6 firewall (such as Windows Firewall) simplifies the configuration of wanted, unsolicited, incoming, IPv6 traffic and protects the Teredo client from unwanted, unsolicited, incoming, IPv6 traffic. Computers running Windows Vista in which IPv6, Teredo, and Windows Firewall are all enabled by default are protected from unwanted, unsolicited, incoming, IPv6 traffic.
For more information about networking technologies in Windows Vista, see Windows Vista Networking.