Teredo IPv6 traffic / vulnerability to IPv6 masking?

Why Teredo blocking is important

All Windows Vista machines come with a service known as “Teredo” enabled by default. This enables you to access the IPv6 internet using IPv4. It also means that any IPv4 user can masquerade as being on IPv6 in attempt to evade IP blockers and firewalls.

PeerGuardian fully detects these types of IPv6 users and will check them against the regular blocklist.

IPv6 protocol used by Vista

6to4, the most common IPv6 over IPv4 tunneling protocol, requires the tunnel endpoint to have a public IPv4 address. However, many hosts are currently attached to the IPv4 Internet through one or several NAT devices, usually because of IPv4 address shortage. In such a situation, the only available public IPv4 address is assigned to the NAT device, and the 6to4 tunnel endpoint needs to be implemented on the NAT device itself. Many NAT devices currently deployed, however, cannot be upgraded to implement 6to4, for technical or economic reasons.

Teredo alleviates this problem by encapsulating IPv6 packets within UDP/IPv4 datagrams, which most NATs can forward properly. Thus, IPv6-aware hosts behind NATs can be used as Teredo tunnel endpoints even when they don’t have a dedicated public IPv4 address. In effect, a host implementing Teredo can gain IPv6 connectivity with no cooperation from the local network environment.

Teredo is a temporary measure: in the long term, all IPv6 hosts should use native IPv6 connectivity. The Teredo protocol includes provisions for a sunset procedure: Teredo implementation should provide a way to stop using Teredo connectivity when IPv6 has matured and connectivity becomes available using a less brittle mechanism.

Source : http://en.wikipedia.org/wiki/Teredo_tunneling
(follow the link to read more)

Teredo may render your firewall useless

You most certainly know IPV4. You may have heard about IPV6. Do you know what Teredo is? No? That’s bad provided you run a firewall to seperate the Internet from your local network. Teredo is a mechanism that allows encapsulation of IPV6 packets into IPV4 UDP and uses relay servers to let IPV6 clients communicate by using relay servers. Symantec has a very thorough analysis of Teredo:

Currently hardly any firewalls or intrusion detection systems are able to recognise Teredo packets and they are therefore unable to filter IPv6 traffic. Rather they see UDP traffic via any ports. Teredo could become a problem, in particular because it circumvents the supposed protection offered by NAT. While, to date, private IPv4 addresses have not been routed via the internet, with IPv6 every computer is automatically assigned a unique IPv6 address, into which goes, for example, the MAC address of the network card and which is in principle accessible from the internet.

Source : http://web.luchs.at/article.php?cat=2&aid=298

A serious problem. Almost a month ago… Hmmm… Comodo people are taking care about? Is CFP v3 able to “understand and see” the whole possibilities of Teredo? Do we still are in need of PG2?

I have faith that Egemen in all his wisdom will attend to the firewall proper.

Right now i see a lot of focus on Defense+, most people discussing D+, so i really don’t have a clue. It’s keylogger this, safe files that.

Still waiting for comments from Comodo team…

any news?

btw this is not only for vista… ive xp and ive enabled ipv6 protocol…

So, that appears to mean that if you have the Stealth ports wizard on stealth mode (block all IP inbound) it will block potential IPv6 packets as UDP IPv4 ones? If so, then there really is no issue yet.

Also, one could simply go to the network connection and uncheck IPv6 - could this be a good work around if my previous statement is false? Also, could you disable the “6TO4” and “Teredo” adapters in the device manager? Or simply unchecking IPv6 in the network connection properties should do it?

Comodo staff should respond to this,

How are you’re views on this? is Comodo in any way capable of filtering IPv6?
There are a lot of native IPv6 users in my country as more and more ISP’s are offering IPv6 connections to their subscribers.

Quote from Egemen:

Its coming… I guess the need has not been there yet… but its coming! :slight_smile: :slight_smile:

IPV6 is already supported in PCtools firewall plus. In fact, the PCTools firewall is much better than the firewall in CIS. I’m even thinking of running it alongside Defense+ while disabling the Comodo firewall. The “killer app” in CIS is the Defense+. No, No, Comodo fanboys can’t cover for the AV yet…

For example, Pctools will log every dropped packet, and the program will also log protocols I haven’t even heard of. On top of that, the “active connections” resolves all the IPs it can, and you can even look at the actual data being sent in the packets. But the HIPS functionality is very limited, and so the Defense+ wins there.

This thread was started almost ONE YEAR ago (10 months)…

And we are still waiting…


what’s up with this feature? ???

As mentioned elsewhere IPv6 support is coming, you will just have to be patient.

For now, if your concern regarding Teredo is great enough, the either create a simple Application to block the datagrams or disable Teredo entirely using netsh.

of course but i don’t think disabling teredo protocol is enough to be safe from ipv6 masking attack if the firewall is not able to manage it…

How to Disable TCP/IPv6 Teredo Tunneling in Vista

of course but i don't think disabling teredo protocol is enough to be safe from ipv6 masking attack if the firewall is not able to manage it...

CIS is perfectly capable of dealing with protocol 41, which is the 6to4 and SIT tunnelling protocol and as I said additional rules can be created to deal with teredo, assuming one hasen’t disabled it entirely.

Here’s a quote from an IPv6 security white paper.

An IPv4 firewall sees SIT and 6to4 simply as IP protocol 41 on IPv4. For an IPv6 firewall , SIT and 6to4 do not exist. Neither applies rules directly to these tunnels beyond switching protocol 41 on or off. Also, Teredo is nothing more than a UDP protocol on IPv4, and is not seen by the IPv6 stack and rule-set.

I doubt that’s verbatim, it’s just what I remember from reading it a while ago.

I’ve been blocking teredo for ages using CIS/CFP until I got tired and disabled/removed IPv6.

Internet works fine without IP6 and as such teredo service only offer unneeded attack exposure.

IMHO there is no point to leave it enabled only to have to block it using whatsoever firewall.

Those willing to test how teredo could be blocked they could add those servers to My blocked Networks Zones

teredo.remlab.net (France)
teredo.autotrans.consulintel.com (Spain)
teredo.ipv6.microsoft.com (USA, Redmon) (NCA, Korea)
debian-miredo.progsoc.org (Australia)

And additionally Edit Global Firewall rules and add a as first rule on top:

Block & LOG UDP OUT Source IP ANY Source Port Any Desination IP ANY Destination Port 3544

I am not sure what value to put in “DisabledComponents” to completely disable IPv6. The microsoft help article says to use “ffffffff” while some other places simply say to use “ff” for the hexadecimal entry.


edit: read message below - the above is unnecessary.

This thread I think is becoming a little ambiguous. I think there moderators should sticky this.

From what I have found out, even if you have IPV6 enabled, you need to be on an ISP or network that supports it. So the risk is simply not there, as far as I know. Disabling Teredo tunneling or doing registry edits is simply unnecessary because the Comodo firewall is already aware of protocol 41 packets (Teredo Tunneling) on a per application basis (like Avira uses).

So if you want to dial your ipv6 risk to zero, simply uncheck IPV6 support in your network card settings, and do nothing else because the firewall is aware of Teredo tunneling.

Hi :slight_smile:

I read about Comodo 3 problems with IPv6. what about Comodo 4?
Is it useful install it on Seven?

Thank in advance and sorry for my english.