Welcome to the Comodo Forum
TEREDO tunneling
Topic: TEREDO tunneling (Read 234 times)
apache255 (Guest)
TEREDO tunneling « on: December 20, 2006, 02:49:02 PM »
Anybody know something about Teredo? For a couple of days I have had a constant connection to the IP
65.54.227.120 (or 122...). This is a Microsoft IP and from what I found out
http://en.wikipedia.org/wiki/Teredo_tunneling
it's related to Teredo tunneling, some kind of new protocol from Microsoft, a new version of TCP/IP. Apparently my internet provider supports this protocol. I just don't understand why that would mean that my PC remains constantly connected to a Microsoft site. Since I've got that, Comodo Firewall shows me loads of connections between svchost.exe and my router, plus one with Microsoft.
There's also that DLL listed in Component Monitor: 6to4svc.dll. It is described as being part of a service that offers IPv6 connectivity over an IPv4 network. That seems to be related to Teredo too. According to what I read it should be deactivated by default on XP SP2. So I found the service, deactivated it, blocked the DLL in Comodo Firewall, but that changes nothing, I still have these connections. I already posted a screenshot in the forum before, here it is:
http://img175.imageshack.us/my.php?image=connectionsac4.jpg
I'll try to upload it directly here again... I've read the issue about the "full upload folder" was resolved.
« Last Edit: December 20, 2006, 03:41:06 PM by apache255 »
freshhh (Comodo Family Member)
Re: TEREDO tunneling « Reply #1 on: May 02, 2008, 09:22:31 PM »
Why Teredo blocking is important
All Windows Vista machines come with a service known as "Teredo" enabled by default. This enables you to access the IPv6 internet using IPv4. It also means that any IPv4 user can masquerade as being on IPv6 in an attempt to evade IP blockers and firewalls.
PeerGuardian fully detects these types of IPv6 users and will check them against the regular blocklist.
freshhh (Comodo Family Member)
Re: TEREDO tunneling « Reply #2 on: May 02, 2008, 09:25:53 PM »
6to4, the most common IPv6 over IPv4 tunneling protocol, requires the tunnel endpoint to have a public IPv4 address. However, many hosts are currently attached to the IPv4 Internet through one or several NAT devices, usually because of IPv4 address shortage. In such a situation, the only available public IPv4 address is assigned to the NAT device, and the 6to4 tunnel endpoint needs to be implemented on the NAT device itself. Many NAT devices currently deployed, however, cannot be upgraded to implement 6to4, for technical or economic reasons.
Teredo alleviates this problem by encapsulating IPv6 packets within UDP/IPv4 datagrams, which most NATs can forward properly. Thus, IPv6-aware hosts behind NATs can be used as Teredo tunnel endpoints even when they don't have a dedicated public IPv4 address. In effect, a host implementing Teredo can gain IPv6 connectivity with no cooperation from the local network environment.
Teredo is a temporary measure: in the long term, all IPv6 hosts should use native IPv6 connectivity. The Teredo protocol includes provisions for a sunset procedure: Teredo implementation should provide a way to stop using Teredo connectivity when IPv6 has matured and connectivity becomes available using a less brittle mechanism.
Source: http://en.wikipedia.org/wiki/Teredo_tunneling (more to read)
freshhh (Comodo Family Member)
Re: TEREDO tunneling « Reply #3 on: May 02, 2008, 09:30:05 PM »
Teredo may render your firewall useless
You most certainly know IPV4. You may have heard about IPV6. Do you know what Teredo is? No? That's bad provided you run a firewall to separate the Internet from your local network. Teredo is a mechanism that allows encapsulation of IPV6 packets into IPV4 UDP and uses relay servers to let IPV6 clients communicate by using relay servers. Symantec has a very thorough analysis of Teredo:
Currently hardly any firewalls or intrusion detection systems are able to recognise Teredo packets and they are therefore unable to filter IPv6 traffic. Rather they see UDP traffic via any ports. Teredo could become a problem, in particular because it circumvents the supposed protection offered by NAT. While, to date, private IPv4 addresses have not been routed via the internet, with IPv6 every computer is automatically assigned a unique IPv6 address, into which goes, for example, the MAC address of the network card and which is in principle accessible from the internet.
Source: http://web.luchs.at/article.php?cat=2&aid=298
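[Added example, not part of any forum post and not code from PeerGuardian or Comodo] The posts above say a filter sees Teredo only as UDP traffic and that a blocker has to map such IPv6 users back onto its regular IPv4 blocklist. The sketch below does both for one UDP payload, following the RFC 4380 layout: a heuristic check for an encapsulated IPv6 header, then decoding of the IPv4 values embedded in a Teredo address. The function names, the sample bubble packet and the blocklist are constructed for illustration; the sample address uses the 65.54.227.120 server IP from the first post.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # Teredo address prefix (RFC 4380)

def decode_teredo(addr):
    """Return the IPv4 details embedded in a Teredo address, or None."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        return None
    raw = a.packed
    return {
        "server": ipaddress.IPv4Address(raw[4:8]),
        # Mapped port and client address are stored XORed with all-ones bits.
        "port": struct.unpack("!H", raw[10:12])[0] ^ 0xFFFF,
        "client": ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16])),
    }

def inner_ipv6(udp_payload):
    """Return (src, dst) of an IPv6 packet carried in a UDP payload, or None."""
    p = udp_payload
    if len(p) >= 4 and p[:2] == b"\x00\x01":   # optional authentication header
        p = p[13 + p[2] + p[3]:]               # 4 fixed + ID + AU + 8 nonce + 1 confirm
    if len(p) >= 8 and p[:2] == b"\x00\x00":   # optional origin indication
        p = p[8:]
    if len(p) < 40 or p[0] >> 4 != 6:          # needs a full IPv6 header, version 6
        return None
    if len(p) < 40 + struct.unpack("!H", p[4:6])[0]:  # declared payload must fit
        return None
    return ipaddress.IPv6Address(p[8:24]), ipaddress.IPv6Address(p[24:40])

def blocklist_hits(udp_payload, blocklist):
    """IPv4 addresses hidden in the tunnelled packet that match an IPv4 blocklist."""
    hits = []
    for v6 in inner_ipv6(udp_payload) or ():
        info = decode_teredo(v6)
        if info and any(info["client"] in net for net in blocklist):
            hits.append(info["client"])
    return hits

# Constructed sample: a Teredo "bubble" (IPv6 header, next header 59, no payload).
SRC = ipaddress.IPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2")
DST = ipaddress.IPv6Address("2001:db8::1")             # documentation prefix, not Teredo
SAMPLE = struct.pack("!IHBB", 0x60000000, 0, 59, 255) + SRC.packed + DST.packed
BLOCKLIST = [ipaddress.IPv4Network("192.0.2.0/24")]    # constructed IPv4 blocklist

if __name__ == "__main__":
    print(decode_teredo(SRC))
    print(blocklist_hits(SAMPLE, BLOCKLIST))
```

The version-nibble test is a heuristic and can match unrelated UDP payloads, so in practice it is combined with the Teredo server port (UDP 3544) or the 2001::/32 prefix check before acting on a hit.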
freshhh (Comodo Family Member)
Re: TEREDO tunneling « Reply #4 on: May 03, 2008, 02:15:17 PM »
Mm, why the moving?
I think this is linked to Comodo Firewall's ability to handle or not handle IP6 traffic (new protocol used by Vista OS).
So, is Comodo Firewall vulnerable to IP6 masking? Should we block all UDP requests?
« Last Edit: May 03, 2008, 02:22:20 PM by freshhh »
sded (Global Moderator, Comodo's Hero)
Re: TEREDO tunneling « Reply #5 on: May 03, 2008, 02:46:39 PM »
A NAT router blocks all input connections that are not responses to outgoing traffic or a selected exception. So unless you have a program in your computer that has opened a port for Teredo traffic, it should be blocked there. With CFP3, you should either get the same block or get a popup asking you to allow or deny, depending on how you have set up the stealth port wizard. Most users have UDP in blocked, with allow only by exception. And SPI takes care of the usual responses for DNS, DHCP, ... . IPv6 is not new for Vista; it has been around for quite a while and even old firewalls like Kerio 2.1.5 worried about it and blocked it in XP and before (protocol 50). NICs for Vista do routinely allow you to select or not select support for IPv6 as part of the connection setup, a feature missing in XP. The other native support for IPV6 (routers, ISP links, ...) still seems pretty sparse. Haven't used it myself though; haven't found a reason yet. Maybe a security expert will show up and tell us more.
« Last Edit: May 03, 2008, 03:08:29 PM by sded »
CFP 3.0.22/349, Vista Ultimate 32x + SP1, Avast! 4.8
freshhh (Comodo Family Member)
Re: TEREDO tunneling « Reply #6 on: May 03, 2008, 02:55:20 PM »
Thanks for this long answer.
Well, it seems that CF does not block IPs (in a specific rule) that PG RC1 (PeerGuardian) can block, so I thought the IPv6 protocol not being very well handled by CF was the reason...