summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc4380.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc4380.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc4380.txt')
-rw-r--r--doc/rfc/rfc4380.txt2971
1 files changed, 2971 insertions, 0 deletions
diff --git a/doc/rfc/rfc4380.txt b/doc/rfc/rfc4380.txt
new file mode 100644
index 0000000..b494a72
--- /dev/null
+++ b/doc/rfc/rfc4380.txt
@@ -0,0 +1,2971 @@
+
+
+
+
+
+
+Network Working Group C. Huitema
+Request for Comments: 4380 Microsoft
+Category: Standards Track February 2006
+
+
+ Teredo: Tunneling IPv6 over UDP
+ through Network Address Translations (NATs)
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ We propose here a service that enables nodes located behind one or
+ more IPv4 Network Address Translations (NATs) to obtain IPv6
+ connectivity by tunneling packets over UDP; we call this the Teredo
+ service. Running the service requires the help of "Teredo servers"
+ and "Teredo relays". The Teredo servers are stateless, and only have
+ to manage a small fraction of the traffic between Teredo clients; the
+ Teredo relays act as IPv6 routers between the Teredo service and the
+ "native" IPv6 Internet. The relays can also provide interoperability
+ with hosts using other transition mechanisms such as "6to4".
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 2. Definitions .....................................................4
+ 2.1. Teredo Service .............................................4
+ 2.2. Teredo Client ..............................................4
+ 2.3. Teredo Server ..............................................4
+ 2.4. Teredo Relay ...............................................4
+ 2.5. Teredo IPv6 Service Prefix .................................4
+ 2.6. Global Teredo IPv6 Service Prefix ..........................4
+ 2.7. Teredo UDP Port ............................................4
+ 2.8. Teredo Bubble ..............................................4
+ 2.9. Teredo Service Port ........................................5
+ 2.10. Teredo Server Address .....................................5
+ 2.11. Teredo Mapped Address and Teredo Mapped Port ..............5
+ 2.12. Teredo IPv6 Client Prefix .................................5
+
+
+
+Huitema Standards Track [Page 1]
+
+RFC 4380 Teredo February 2006
+
+
+ 2.13. Teredo Node Identifier ....................................5
+ 2.14. Teredo IPv6 Address .......................................5
+ 2.15. Teredo Refresh Interval ...................................5
+ 2.16. Teredo Secondary Port .....................................6
+ 2.17. Teredo IPv4 Discovery Address .............................6
+ 3. Design Goals, Requirements, and Model of Operation ..............6
+ 3.1. Hypotheses about NAT Behavior ..............................6
+ 3.2. IPv6 Provider of Last Resort ...............................8
+ 3.3. Operational Requirements ...................................9
+ 3.4. Model of Operation ........................................10
+ 4. Teredo Addresses ...............................................11
+ 5. Specification of Clients, Servers, and Relays ..................13
+ 5.1. Message Formats ...........................................13
+ 5.2. Teredo Client Specification ...............................16
+ 5.3. Teredo Server Specification ...............................31
+ 5.4. Teredo Relay Specification ................................33
+ 5.5. Implementation of Automatic Sunset ........................36
+ 6. Further Study, Use of Teredo to Implement a Tunnel Service .....37
+ 7. Security Considerations ........................................38
+ 7.1. Opening a Hole in the NAT .................................38
+ 7.2. Using the Teredo Service for a Man-in-the-Middle Attack ...39
+ 7.3. Denial of the Teredo service ..............................42
+ 7.4. Denial of Service against Non-Teredo Nodes ................43
+ 8. IAB Considerations .............................................46
+ 8.1. Problem Definition ........................................46
+ 8.2. Exit Strategy .............................................47
+ 8.3. Brittleness Introduced by Teredo ..........................48
+ 8.4. Requirements for a Long-Term Solution .....................50
+ 9. IANA Considerations ............................................50
+ 10. Acknowledgements ..............................................50
+ 11. References ....................................................51
+ 11.1. Normative References .....................................51
+ 11.2. Informative References ...................................52
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Huitema Standards Track [Page 2]
+
+RFC 4380 Teredo February 2006
+
+
+1. Introduction
+
+ Classic tunneling methods envisaged for IPv6 transition operate by
+ sending IPv6 packets as payload of IPv4 packets; the 6to4 proposal
+ [RFC3056] proposes automatic discovery in this context. A problem
+ with these methods is that they don't work when the IPv6 candidate
+ node is isolated behind a Network Address Translator (NAT) device:
+ NATs are typically not programmed to allow the transmission of
+ arbitrary payload types; even when they are, the local address cannot
+ be used in a 6to4 scheme. 6to4 will work with a NAT if the NAT and
+ 6to4 router functions are in the same box; we want to cover the
+ relatively frequent case when the NAT cannot be readily upgraded to
+ provide a 6to4 router function.
+
+ A possible way to solve the problem is to rely on a set of "tunnel
+ brokers". However, there are limits to any solution that is based on
+ such brokers: the quality of service may be limited, since the
+ traffic follows a dogleg route from the source to the broker and then
+ the destination; the broker has to provide sufficient transmission
+ capacity to relay all packets and thus suffers a high cost. For
+ these two reasons, it may be desirable to have solutions that allow
+ for "automatic tunneling", i.e., let the packets follow a direct path
+ to the destination.
+
+ The automatic tunneling requirement is indeed at odds with some of
+ the specificities of NATs. Establishing a direct path supposes that
+ the IPv6 candidate node can retrieve a "globally routable" address
+ that results from the translation of its local address by one or more
+ NATs; it also supposes that we can find a way to bypass the various
+ "per destination protections" that many NATs implement. In this
+ memo, we will explain how IPv6 candidates located behind NATs use
+ "Teredo servers" to learn their "global address" and to obtain
+ connectivity, how they exchange packets with native IPv6 hosts
+ through "Teredo relays", and how clients, servers, and relays can be
+ organized in Teredo networks.
+
+ The specification is organized as follows. Section 2 contains the
+ definition of the terms used in the memo. Section 3 presents the
+ hypotheses on NAT behavior used in the design, as well as the
+ operational requirements that the design should meet. Section 4
+ presents the IPv6 address format used by Teredo. Section 5 contains
+ the format of the messages and the specification of the protocol.
+ Section 6 presents guidelines for further work on configured tunnels
+ that would be complementary to the current approach. Section 7
+ contains a security discussion, section 8 contains a discussion of
+ the Unilateral Self Address Fixing (UNSAF) issues, and section 9
+ contains IANA considerations.
+
+
+
+
+Huitema Standards Track [Page 3]
+
+RFC 4380 Teredo February 2006
+
+
+2. Definitions
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+ This specification uses the following definitions:
+
+2.1. Teredo Service
+
+ The transmission of IPv6 packets over UDP, as defined in this memo.
+
+2.2. Teredo Client
+
+ A node that has some access to the IPv4 Internet and wants to gain
+ access to the IPv6 Internet.
+
+2.3. Teredo Server
+
+ A node that has access to the IPv4 Internet through a globally
+ routable address, and is used as a helper to provide IPv6
+ connectivity to Teredo clients.
+
+2.4. Teredo Relay
+
+ An IPv6 router that can receive traffic destined to Teredo clients
+ and forward it using the Teredo service.
+
+2.5. Teredo IPv6 Service Prefix
+
+ An IPv6 addressing prefix that is used to construct the IPv6 address
+ of Teredo clients.
+
+2.6. Global Teredo IPv6 Service Prefix
+
+ An IPv6 addressing prefix whose value is 2001:0000:/32.
+
+2.7. Teredo UDP Port
+
+ The UDP port number at which Teredo servers are waiting for packets.
+ The value of this port is 3544.
+
+2.8. Teredo Bubble
+
+ A Teredo bubble is a minimal IPv6 packet, made of an IPv6 header and
+ a null payload. The payload type is set to 59, No Next Header, as
+ per [RFC2460]. The Teredo clients and relays may send bubbles in
+ order to create a mapping in a NAT.
+
+
+
+Huitema Standards Track [Page 4]
+
+RFC 4380 Teredo February 2006
+
+
+2.9. Teredo Service Port
+
+ The port from which the Teredo client sends Teredo packets. This
+ port is attached to one of the client's IPv4 addresses. The IPv4
+ address may or may not be globally routable, as the client may be
+ located behind one or more NAT.
+
+2.10. Teredo Server Address
+
+ The IPv4 address of the Teredo server selected by a particular
+ client.
+
+2.11. Teredo Mapped Address and Teredo Mapped Port
+
+ A global IPv4 address and a UDP port that results from the
+ translation of the IPv4 address and UDP port of a client's Teredo
+ service port by one or more NATs. The client learns these values
+ through the Teredo protocol described in this memo.
+
+2.12. Teredo IPv6 Client Prefix
+
+ A global scope IPv6 prefix composed of the Teredo IPv6 service prefix
+ and the Teredo server address.
+
+2.13. Teredo Node Identifier
+
+ A 64-bit identifier that contains the UDP port and IPv4 address at
+ which a client can be reached through the Teredo service, as well as
+ a flag indicating the type of NAT through which the client accesses
+ the IPv4 Internet.
+
+2.14. Teredo IPv6 Address
+
+ A Teredo IPv6 address obtained by combining a Teredo IPv6 client
+ prefix and a Teredo node identifier.
+
+2.15. Teredo Refresh Interval
+
+ The interval during which a Teredo IPv6 address is expected to remain
+ valid in the absence of "refresh" traffic. For a client located
+ behind a NAT, the interval depends on configuration parameters of the
+ local NAT, or the combination of NATs in the path to the Teredo
+ server. By default, clients assume an interval value of 30 seconds;
+ a longer value may be determined by local tests, as described in
+ section 5.
+
+
+
+
+
+
+Huitema Standards Track [Page 5]
+
+RFC 4380 Teredo February 2006
+
+
+2.16. Teredo Secondary Port
+
+ A UDP port used to send or receive packets in order to determine the
+ appropriate value of the refresh interval, but not used to carry any
+ Teredo traffic.
+
+2.17. Teredo IPv4 Discovery Address
+
+ An IPv4 multicast address used to discover other Teredo clients on
+ the same IPv4 subnet. The value of this address is 224.0.0.253.
+
+3. Design Goals, Requirements, and Model of Operation
+
+ The proposed solution transports IPv6 packets as the payload of UDP
+ packets. This is based on the observation that TCP and UDP are the
+ only protocols guaranteed to cross the majority of NAT devices.
+ Tunneling packets over TCP would be possible, but would result in a
+ poor quality of service; encapsulation over UDP is a better choice.
+
+ The design of our solution is based on a set of hypotheses and
+ observations on the behavior of NATs, our desire to provide an "IPv6
+ provider of last resort", and a list of operational requirements. It
+ results in a model of operation in which the Teredo service is
+ enabled by a set of servers and relays.
+
+3.1. Hypotheses about NAT Behavior
+
+ NAT devices typically incorporate some support for UDP, in order to
+ enable users in the natted domain to use UDP-based applications. The
+ NAT will typically allocate a "mapping" when it sees a UDP packet
+ coming through for which there is not yet an existing mapping. The
+ handling of UDP "sessions" by NAT devices differs by two important
+ parameters, the type and the duration of the mappings.
+
+ The type of mappings is analyzed in [RFC3489], which distinguishes
+ between "cone NAT", "restricted cone NAT", "port restricted cone NAT"
+ and "symmetric NAT". The Teredo solution ensures connectivity for
+ clients located behind cone NATs, restricted cone NATs, or port-
+ restricted cone NATs.
+
+ Transmission of regular IPv6 packets only takes place after an
+ exchange of "bubbles" between the parties. This exchange would often
+ fail for clients behind symmetric NAT, because their peer cannot
+ predict the UDP port number that the NAT expects.
+
+ Clients located behind a symmetric NAT will only be able to use
+ Teredo if they can somehow program the NAT and reserve a Teredo
+ service port for each client, for example, using the DMZ functions of
+
+
+
+Huitema Standards Track [Page 6]
+
+RFC 4380 Teredo February 2006
+
+
+ the NAT. This is obviously an onerous requirement, at odds with the
+ design goal of an automatic solution. However, measurement campaigns
+ and studies of documentations have shown that, at least in simple
+ "unmanaged" networks, symmetric NATs are a small minority; moreover,
+ it seems that new NAT models or firmware upgrades avoid the
+ "symmetric" design.
+
+ Investigations on the performance of [RFC3489] have shown the
+ relative frequency of a particular NAT design, which we might call
+ "port conserving". In this design, the NAT tries to keep the same
+ port number inside and outside, unless the "outside" port number is
+ already in use for another mapping with the same host. Port
+ conserving NAT appear as "cone" or "restricted cone NAT" most of the
+ time, but they will behave as "symmetric NAT" when multiple internal
+ hosts use the same port number to communicate to the same server.
+
+ The Teredo design minimizes the risk of encountering the "symmetric"
+ behavior by asking multiple hosts located behind the same NAT to use
+ different Teredo service ports.
+
+ Other investigation in the behavior of NAT also outlined the
+ "probabilistic rewrite" behavior. Some brands of NAT will examine
+ all packets for "embedded addresses", IP addresses, and port numbers
+ present in application payloads. They will systematically replace
+ 32-bit values that match a local address by the corresponding mapped
+ address. The Teredo specification includes an "obfuscation"
+ procedure in order to avoid this behavior.
+
+ Regardless of their types, UDP mappings are not kept forever. The
+ typical algorithm is to remove the mapping if no traffic is observed
+ on the specified port for a "lifetime" period. The Teredo client
+ that wants to maintain a mapping open in the NAT will have to send
+ some "keep alive" traffic before the lifetime expires. For that, it
+ needs an estimate of the "lifetime" parameter used in the NAT. We
+ observed that the implementation of lifetime control can vary in
+ several ways.
+
+ Most NATs implement a "minimum lifetime", which is set as a parameter
+ of the implementation. Our observations of various boxes showed that
+ this parameter can vary between about 45 seconds and several minutes.
+
+ In many NATs, mappings can be kept for a duration that exceeds this
+ minimum, even in the absence of traffic. We suspect that many
+ implementation perform "garbage collection" of unused mappings on
+ special events, e.g., when the overall number of mappings exceeds
+ some limit.
+
+
+
+
+
+Huitema Standards Track [Page 7]
+
+RFC 4380 Teredo February 2006
+
+
+ In some cases, e.g., NATs that manage Integrated Services Digital
+ Network (ISDN) or dial-up connections, the mappings will be released
+ when the connection is released, i.e., when no traffic is observed on
+ the connection for a period of a few minutes.
+
+ Any algorithm used to estimate the lifetime of mapping will have to
+ be robust against these variations.
+
+ In some cases, clients are located behind multiple NAT. The Teredo
+ procedures will ensure communications between clients between
+ multiple NATs and clients "on the other side" of these NATs. They
+ will also ensure communication when clients are located in a single
+ subnet behind the same NAT.
+
+ The procedures do not make any hypothesis about the type of IPv4
+ address used behind a NAT, and in particular do not assume that these
+ are private addresses defined in [RFC1918].
+
+3.2. IPv6 Provider of Last Resort
+
+ Teredo is designed to provide an "IPv6 access of last resort" to
+ nodes that need IPv6 connectivity but cannot use any of the other
+ IPv6 transition schemes. This design objective has several
+ consequences on when to use Teredo, how to program clients, and what
+ to expect of servers. Another consequence is that we expect to see a
+ point in time at which the Teredo technology ceases to be used.
+
+3.2.1. When to Use Teredo
+
+ Teredo is designed to robustly enable IPv6 traffic through NATs, and
+ the price of robustness is a reasonable amount of overhead, due to
+ UDP encapsulation and transmission of bubbles. Nodes that want to
+ connect to the IPv6 Internet SHOULD only use the Teredo service as a
+ "last resort" option: they SHOULD prefer using direct IPv6
+ connectivity if it is locally available, if it is provided by a 6to4
+ router co-located with the local NAT, or if it is provided by a
+ configured tunnel service; and they SHOULD prefer using the less
+ onerous 6to4 encapsulation if they can use a global IPv4 address.
+
+3.2.2. Autonomous Deployment
+
+ In an IPv6-enabled network, the IPv6 service is configured
+ automatically, by using mechanisms such as IPv6 Stateless Address
+ Autoconfiguration [RFC2462] and Neighbor Discovery [RFC2461]. A
+ design objective is to configure the Teredo service as automatically
+ as possible. In practice, however, it is required that the client
+ learn the IPv4 address of a server that is willing to serve the
+ client; some servers may also require some form of access control.
+
+
+
+Huitema Standards Track [Page 8]
+
+RFC 4380 Teredo February 2006
+
+
+3.2.3. Minimal Load on Servers
+
+ During the peak of the transition, there will be a requirement to
+ deploy Teredo servers supporting a large number of Teredo clients.
+ Minimizing the load on the server is a good way to facilitate this
+ deployment. To achieve this goal, servers should be as stateless as
+ possible, and they should also not be required to carry any more
+ traffic than necessary. To achieve this objective, we require only
+ that servers enable the packet exchange between clients, but we don't
+ require servers to carry the actual data packets: these packets will
+ have to be exchanged directly between the Teredo clients, or through
+ a destination-selected relay for exchanges between Teredo clients and
+ other IPv6 clients.
+
+3.2.4. Automatic Sunset
+
+ Teredo is meant as a short-term solution to the specific problem of
+ providing IPv6 service to nodes located behind a NAT. The problem is
+ expected to be resolved over time by transforming the "IPv4 NAT" into
+ an "IPv6 router". This can be done in one of two ways: upgrading
+ the NAT to provide 6to4 functions or upgrading the Internet
+ connection used by the NAT to a native IPv6 service, and then adding
+ IPv6 router functionality in the NAT. In either case, the former NAT
+ can present itself as an IPv6 router to the systems behind it. These
+ systems will start receiving the "router advertisements"; they will
+ notice that they have IPv6 connectivity and will stop using Teredo.
+
+3.3. Operational Requirements
+
+3.3.1. Robustness Requirement
+
+ The Teredo service is designed primarily for robustness: packets are
+ carried over UDP in order to cross as many NAT implementations as
+ possible. The servers are designed to be stateless, which means that
+ they can easily be replicated. We expect indeed to find many such
+ servers replicated at multiple Internet locations.
+
+3.3.2. Minimal Support Cost
+
+ The service requires the support of Teredo servers and Teredo relays.
+ In order to facilitate the deployment of these servers and relays,
+ the Teredo procedures are designed to minimize the amount of
+ coordination required between servers and relays.
+
+ Meeting this objective implies that the Teredo addresses will
+ incorporate the IPv4 address and UDP port through which a Teredo
+ client can be reached. This creates an implicit limit on the
+
+
+
+
+Huitema Standards Track [Page 9]
+
+RFC 4380 Teredo February 2006
+
+
+ stability of the Teredo addresses, which can only remain valid as
+ long as the underlying IPv4 address and UDP port remain valid.
+
+3.3.3. Protection against Denial of Service Attacks
+
+ The Teredo clients obtain mapped addresses and ports from the Teredo
+ servers. The service must be protected against denial of service
+ attacks in which a third party spoofs a Teredo server and sends
+ improper information to the client.
+
+3.3.4. Protection against Distributed Denial of Service Attacks
+
+ Teredo relays will act as a relay for IPv6 packets. Improperly
+ designed packet relays can be used by denial of service attackers to
+ hide their address, making the attack untraceable. The Teredo
+ service must include adequate protection against such misuse.
+
+3.3.5. Compatibility with Ingress Filtering
+
+ Routers may perform ingress filtering by checking that the source
+ address of the packets received on a given interface is "legitimate",
+ i.e., belongs to network prefixes from which traffic is expected at a
+ network interface. Ingress filtering is a recommended practice, as
+ it thwarts the use of forged source IP addresses by malfeasant
+ hackers, notably to cover their tracks during denial of service
+ attacks. The Teredo specification must not force networks to disable
+ ingress filtering.
+
+3.4. Model of Operation
+
+ The operation of Teredo involves four types of nodes: Teredo clients,
+ Teredo servers, Teredo relays, and "plain" IPv6 nodes.
+
+ Teredo clients start operation by interacting with a Teredo server,
+ performing a "qualification procedure". During this procedure, the
+ client will discover whether it is behind a cone, restricted cone, or
+ symmetric NAT. If the client is not located behind a symmetric NAT,
+ the procedure will be successful and the client will configure a
+ "Teredo address".
+
+ The Teredo IPv6 address embeds the "mapped address and port" through
+ which the client can receive IPv4/UDP packets encapsulating IPv6
+ packets. If the client is not located behind a cone NAT,
+ transmission of regular IPv6 packets must be preceded by an exchange
+ of "bubbles" that will install a mapping in the NAT. This document
+ specifies how the bubbles can be exchanged between Teredo clients in
+ order to enable transmission along a direct path.
+
+
+
+
+Huitema Standards Track [Page 10]
+
+RFC 4380 Teredo February 2006
+
+
+ Teredo clients can exchange IPv6 packets with plain IPv6 nodes (e.g.,
+ native nodes or 6to4 nodes) through Teredo relays. Teredo relays
+ advertise reachability of the Teredo prefix to a certain subset of
+ the IPv6 Internet: a relay set up by an ISP will typically serve only
+ the IPv6 customers of this ISP; a relay set-up for a site will only
+ serve the IPv6 hosts of this site. Dual-stack hosts may implement a
+ "local relay", allowing them to communicate directly with Teredo
+ hosts by sending IPv6 packets over UDP and IPv4 without having to
+ advertise a Teredo IPv6 address.
+
+ Teredo clients have to discover the relay that is closest to each
+ native IPv6 or 6to4 peer. They have to perform this discovery for
+ each native IPv6 or 6to4 peer with which they communicate. In order
+ to prevent spoofing, the Teredo clients perform a relay discovery
+ procedure by sending an ICMP echo request to the native host. This
+ message is a regularly formatted IPv6 ICMP packet, which is
+ encapsulated in UDP and sent by the client to its Teredo server; the
+ server decapsulates the IPv6 message and forwards it to the intended
+ IPv6 destination. The payload of the echo request contains a large
+ random number. The echo reply is sent by the peer to the IPv6
+ address of the client, and is forwarded through standard IPv6 routing
+ mechanisms. It will naturally reach the Teredo relay closest to the
+ native or 6to4 peer, and will be forwarded by this relay using the
+ Teredo mechanisms. The Teredo client will discover the IPv4 address
+ and UDP port used by the relay to send the echo reply, and will send
+ further IPv6 packets to the peer by encapsulating them in UDP packets
+ sent to this IPv4 address and port. In order to prevent spoofing,
+ the Teredo client verifies that the payload of the echo reply
+ contains the proper random number.
+
+ The procedures are designed so that the Teredo server only
+ participates in the qualification procedure and in the exchange of
+ bubbles and ICMP echo requests. The Teredo server never carries
+ actual data traffic. There are two rationales for this design:
+ reduce the load on the server in order to enable scaling, and avoid
+ privacy issues that could occur if a Teredo server kept copies of the
+ client's data packets.
+
+4. Teredo Addresses
+
+ The Teredo addresses are composed of 5 components:
+
+ +-------------+-------------+-------+------+-------------+
+ | Prefix | Server IPv4 | Flags | Port | Client IPv4 |
+ +-------------+-------------+-------+------+-------------+
+
+ - Prefix: the 32-bit Teredo service prefix.
+ - Server IPv4: the IPv4 address of a Teredo server.
+
+
+
+Huitema Standards Track [Page 11]
+
+RFC 4380 Teredo February 2006
+
+
+ - Flags: a set of 16 bits that document type of address and NAT.
+ - Port: the obfuscated "mapped UDP port" of the Teredo service at
+ the client.
+ - Client IPv4: the obfuscated "mapped IPv4 address" of the client.
+
+ In this format, both the "mapped UDP port" and "mapped IPv4 address"
+ of the client are obfuscated. Each bit in the address and port
+ number is reversed; this can be done by an exclusive OR of the 16-bit
+ port number with the hexadecimal value 0xFFFF, and an exclusive OR of
+ the 32-bit address with the hexadecimal value 0xFFFFFFFF.
+
+ The IPv6 addressing rules specify that "for all unicast addresses,
+ except those that start with binary value 000, Interface IDs are
+ required to be 64 bits long and to be constructed in Modified EUI-64
+ format". This dictates the encoding of the flags, 16 intermediate
+ bits that should correspond to valid values of the most significant
+ 16 bits of a Modified EUI-64 ID:
+
+ 0 0 0 1
+ |0 7 8 5
+ +----+----+----+----+
+ |Czzz|zzUG|zzzz|zzzz|
+ +----+----+----+----+
+
+ In this format:
+
+ - The bits "UG" should be set to the value "00", indicating a non-
+ global unicast identifier;
+ - The bit "C" (cone) should be set to 1 if the client believes it is
+ behind a cone NAT, to 0 otherwise; these values determine
+ different server behavior during the qualification procedure, as
+ specified in Section 5.2.1, as well as different bubble processing
+ by clients and relays.
+ - The bits indicated with "z" must be set to zero and ignored on
+ receipt.
+
+ Thus, there are two currently specified values of the Flags field:
+ "0x0000" (all null) if the cone bit is set to 0, and "0x8000" if the
+ cone bit is set to 1. (Further versions of this specification may
+ assign new values to the reserved bits.)
+
+ In some cases, Teredo nodes use link-local addresses. These
+ addresses contain a link-local prefix (FE80::/64) and a 64-bit
+ identifier, constructed using the same format as presented above. A
+ difference between link-local addresses and global addresses is that
+ the identifiers used in global addresses MUST include a global scope
+ unicast IPv4 address, while the identifiers used in link-local
+ addresses MAY include a private IPv4 address.
+
+
+
+Huitema Standards Track [Page 12]
+
+RFC 4380 Teredo February 2006
+
+
+5. Specification of Clients, Servers, and Relays
+
+ The Teredo service is realized by having clients interact with Teredo
+ servers through the Teredo service protocol. The clients will also
+ receive IPv6 packets through Teredo relays. The client behavior is
+ specified in Section 5.2.
+
+ The Teredo server is designed to be stateless. It waits for Teredo
+ requests and for IPv6 packets on the Teredo UDP port; it processes
+ the requests by sending a response to the appropriate address and
+ port; it forwards some Teredo IPv6 packets to the appropriate IPv4
+ address and UDP port, or to native IPv6 peers of Teredo clients. The
+ precise behavior of the server is specified in Section 5.3.
+
+ The Teredo relay advertises reachability of the Teredo service prefix
+ over IPv6. The scope of advertisement may be the entire Internet or
+ a smaller subset such as an ISP network or an IPv6 site; it may even
+ be as small as a single host in the case of "local relays". The
+ relay forwards Teredo IPv6 packets to the appropriate IPv4 address
+ and UDP port. The relay behavior is specified in Section 5.4.
+
+ Teredo clients, servers, and relays must implement the sunset
+ procedure defined in Section 5.5.
+
+5.1. Message Formats
+
+5.1.1. Teredo IPv6 Packet Encapsulation
+
+ Teredo IPv6 packets are transmitted as UDP packets [RFC768] within
+ IPv4 [RFC791]. The source and destination IP addresses and UDP ports
+ take values that are specified in this section. Packets can come in
+ one of two formats, simple encapsulation and encapsulation with
+ origin indication.
+
+ When simple encapsulation is used, the packet will have a simple
+ format, in which the IPv6 packet is carried as the payload of a UDP
+ datagram:
+
+ +------+-----+-------------+
+ | IPv4 | UDP | IPv6 packet |
+ +------+-----+-------------+
+
+ When relaying some packets received from third parties, the server
+ may insert an origin indication in the first bytes of the UDP
+ payload:
+
+
+
+
+
+
+Huitema Standards Track [Page 13]
+
+RFC 4380 Teredo February 2006
+
+
+ +------+-----+-------------------+-------------+
+ | IPv4 | UDP | Origin indication | IPv6 packet |
+ +------+-----+-------------------+-------------+
+
+ The origin indication encapsulation is an 8-octet element, with the
+ following content:
+
+ +--------+--------+-----------------+
+ | 0x00 | 0x00 | Origin port # |
+ +--------+--------+-----------------+
+ | Origin IPv4 address |
+ +-----------------------------------+
+
+ The first two octets of the origin indication are set to a null
+ value; this is used to discriminate between the simple encapsulation,
+ in which the first 4 bits of the packet contain the indication of the
+ IPv6 protocol, and the origin indication.
+
+ The following 16 bits contain the obfuscated value of the port number
+ from which the packet was received, in network byte order. The next
+ 32 bits contain the obfuscated IPv4 address from which the packet was
+ received, in network byte order. In this format, both the original
+ "IPv4 address" and "UDP port" of the client are obfuscated. Each bit
+ in the address and port number is reversed; this can be done by an
+ exclusive OR of the 16-bit port number with the hexadecimal value
+ 0xFFFF, and an exclusive OR of the 32-bit address with the
+ hexadecimal value 0xFFFFFFFF.
+
+ For example, if the original UDP port number was 337 (hexadecimal
+ 0151) and original IPv4 address was 1.2.3.4 (hexadecimal 01020304),
+ the origin indication would contain the value "0000FEAEFEFDFCFB".
+
+ When exchanging Router Solicitation (RS) and Router Advertisement
+ (RA) messages between a client and its server, the packets may
+ include an authentication parameter:
+
+ +------+-----+----------------+-------------+
+ | IPv4 | UDP | Authentication | IPv6 packet |
+ +------+-----+----------------+-------------+
+
+ The authentication encapsulation is a variable-length element,
+ containing a client identifier, an authentication value, a nonce
+ value, and a confirmation byte.
+
+
+
+
+
+
+
+
+Huitema Standards Track [Page 14]
+
+RFC 4380 Teredo February 2006
+
+
+ +--------+--------+--------+--------+
+ | 0x00 | 0x01 | ID-len | AU-len |
+ +--------+--------+--------+--------+
+ | Client identifier (ID-len |
+ +-----------------+-----------------+
+ | octets) | Authentication |
+ +-----------------+--------+--------+
+ | value (AU-len octets) | Nonce |
+ +--------------------------+--------+
+ | value (8 octets) |
+ +--------------------------+--------+
+ | | Conf. |
+ +--------------------------+--------+
+
+ The first octet of the authentication encapsulation is set to a null
+ value, and the second octet is set to the value 1; this enables
+ differentiation from IPv6 packets and from origin information
+ indication encapsulation. The third octet indicates the length in
+ bytes of the client identifier; the fourth octet indicates the length
+ in bytes of the authentication value. The computation of the
+ authentication value is specified in Section 5.2.2. The
+ authentication value is followed by an 8-octet nonce, and by a
+ confirmation byte.
+
+ Both ID-len and AU-len can be set to null values if the server does
+ not require an explicit authentication of the client.
+
+ Authentication and origin indication encapsulations may sometimes be
+ combined, for example, in the RA responses sent by the server. In
+ this case, the authentication encapsulation MUST be the first element
+ in the UDP payload:
+
+ +------+-----+----------------+--------+-------------+
+ | IPv4 | UDP | Authentication | Origin | IPv6 packet |
+ +------+-----+----------------+--------+-------------+
+
+5.1.2. Maximum Transmission Unit
+
+ Since Teredo uses UDP as an underlying transport, a Teredo Maximum
+ Transmission Unit (MTU) could potentially be as large as the payload
+ of the largest valid UDP datagram (65507 bytes). However, since
+ Teredo packets can travel on unpredictable paths over the Internet,
+ it is best to contain this MTU to a small size, in order to minimize
+ the effect of IPv4 packet fragmentation and reassembly. The default
+ link MTU assumed by a host, and the link MTU supplied by a Teredo
+ server during router advertisement SHOULD normally be set to the
+ minimum IPv6 MTU size of 1280 bytes [RFC2460].
+
+
+
+
+Huitema Standards Track [Page 15]
+
+RFC 4380 Teredo February 2006
+
+
+ Teredo implementations SHOULD NOT set the Don't Fragment (DF) bit of
+ the encapsulating IPv4 header.
+
+5.2. Teredo Client Specification
+
+ Before using the Teredo service, the client must be configured with:
+
+ - the IPv4 address of a server.
+ - a secondary IPv4 address of that server.
+
+ If secure discovery is required, the client must also be configured
+ with:
+
+ - a client identifier,
+ - a secret value, shared with the server,
+ - an authentication algorithm, shared with the server.
+
+ A Teredo client expects to exchange IPv6 packets through a UDP port,
+ the Teredo service port. To avoid problems when operating behind a
+ "port conserving" NAT, different clients operating behind the same
+ NAT should use different service port numbers. This can be achieved
+ through explicit configuration or, in the absence of configuration,
+ by picking the service port number at random.
+
+ The client will maintain the following variables that reflect the
+ state of the Teredo service:
+
+ - Teredo connectivity status,
+ - Mapped address and port number associated with the Teredo service
+ port,
+ - Teredo IPv6 prefix associated with the Teredo service port,
+ - Teredo IPv6 address or addresses derived from the prefix,
+ - Link local address,
+ - Date and time of the last interaction with the Teredo server,
+ - Teredo Refresh Interval,
+ - Randomized Refresh Interval,
+ - List of recent Teredo peers.
+
+ Before sending any packets, the client must perform the Teredo
+ qualification procedure, which determines the Teredo connectivity
+ status, the mapped address and port number, and the Teredo IPv6
+ prefix. It should then perform the cone NAT determination procedure,
+ which determines the cone NAT status and may alter the value of the
+ prefix. If the qualification is successful, the client may use the
+ Teredo service port to transmit and receive IPv6 packets, according
+ to the transmission and reception procedures. These procedures use
+ the "list of recent peers". For each peer, the list contains:
+
+
+
+
+Huitema Standards Track [Page 16]
+
+RFC 4380 Teredo February 2006
+
+
+ - The IPv6 address of the peer,
+ - The mapped IPv4 address and mapped UDP port of the peer,
+ - The status of the mapped address, i.e., trusted or not,
+ - The value of the last nonce sent to the peer,
+ - The date and time of the last reception from the peer,
+ - The date and time of the last transmission to the peer,
+ - The number of bubbles transmitted to the peer.
+
+ The list of peers is used to enable the transmission of IPv6 packets
+ by using a "direct path" for the IPv6 packets. The list of peers
+ could grow over time. Clients should implement a list management
+ strategy, for example, deleting the least recently used entries.
+ Clients should make sure that the list has a sufficient size, to
+ avoid unnecessary exchanges of bubbles.
+
+ The client must regularly perform the maintenance procedure in order
+ to guarantee that the Teredo service port remains usable. The need
+ to use this procedure or not depends on the delay since the last
+ interaction with the Teredo server. The refresh procedure takes as a
+ parameter the "Teredo refresh interval". This parameter is initially
+ set to 30 seconds; it can be updated as a result of the optional
+ "interval determination procedure". The randomized refresh interval
+ is set to a value randomly chosen between 75% and 100% of the refresh
+ interval.
+
+ In order to avoid triangle routing for stations that are located
+ behind the same NAT, the Teredo clients MAY use the optional local
+ client discovery procedure defined in Section 5.2.8. Using this
+ procedure will also enhance connectivity when the NAT cannot do
+ "hairpin" routing, i.e., cannot redirect a packet sent from one
+ internal host to the mapped address and port of another internal
+ host.
+
+5.2.1. Qualification Procedure
+
+ The purposes of the qualification procedure are to establish the
+ status of the local IPv4 connection and to determine the Teredo IPv6
+ client prefix of the local Teredo interface. The procedure starts
+ when the service is in the "initial" state, and it results in a
+ "qualified" state if successful, and in an "off-line" state if
+ unsuccessful.
+
+
+
+
+
+
+
+
+
+
+Huitema Standards Track [Page 17]
+
+RFC 4380 Teredo February 2006
+
+
+ /---------\
+ | Initial |
+ \---------/
+ |
+ +----+----------+
+ | Set ConeBit=1 |
+ +----+----------+
+ |
+ +<-------------------------------------------+
+ | |
+ +----+----+ |
+ | Start |<------+ |
+ +----+----+ | +----------+----+
+ | | | Set ConeBit=0 |
+ v | +----------+----+
+ /---------\ Timer | N ^
+ |Starting |-------+ attempts /----------------\Yes|
+ \---------/----------------->| ConeBit == 1 ? |---+
+ | Response \----------------/
+ | | No
+ V V
+ /---------------\ Yes /----------\
+ | ConeBit == 1? |-----+ | Off line |
+ \---------------/ | \----------/
+ No | v
+ | /----------\
+ | | Cone NAT |
+ +-----+-----+ \----------/
+ | New Server|
+ +-----+-----+
+ |
+ +----+----+
+ | Start |<------+
+ +----+----+ |
+ | |
+ v |
+ /---------\ Timer |
+ |Starting |-------+ N attempts /----------\
+ \---------/------------------->| Off line |
+ | Response \----------/
+ |
+ V
+
+
+
+
+
+
+
+
+
+Huitema Standards Track [Page 18]
+
+RFC 4380 Teredo February 2006
+
+
+ /------------\ No /---------------\
+ | Same port? |-------->| Symmetric NAT |
+ \------------/ \---------------/
+ | Yes
+ V
+ /----------------------\
+ | Restricted Cone NAT |
+ \----------------------/
+
+ Initially, the Teredo connectivity status is set to "Initial".
+
+ When the interface is initialized, the system first performs the
+ "start action" by sending a Router Solicitation message, as defined
+ in [RFC2461]. The client picks a link-local address and uses it as
+ the IPv6 source of the message; the cone bit in the address is set to
+ 1 (see Section 4 for the address format); the IPv6 destination of the
+ RS is the all-routers multicast address; the packet will be sent over
+ UDP from the service port to the Teredo server's IPv4 address and
+ Teredo UDP port. The connectivity status moves then to "Starting".
+
+ In the starting state, the client waits for a router advertisement
+ from the Teredo server. If no response comes within a time-out T,
+ the client should repeat the start action, by resending the Router
+ Solicitation message. If no response has arrived after N
+ repetitions, the client concludes that it is not behind a cone NAT.
+ It sets the cone bit to 0, and repeats the procedure. If after N
+ other timer expirations and retransmissions there is still no
+ response, the client concludes that it cannot use UDP, and that the
+ Teredo service is not available; the status is set to "Off-line". In
+ accordance with [RFC2461], the default time-out value is set to T=4
+ seconds, and the maximum number of repetitions is set to N=3.
+
+ If a response arrives, the client checks that the response contains
+ an origin indication and a valid router advertisement as defined in
+ [RFC2461], that the IPv6 destination address is equal to the link-
+ local address used in the router solicitation, and that the router
+ advertisement contains exactly one advertised Prefix Information
+ option. This prefix should be a valid Teredo IPv6 server prefix: the
+ first 32 bits should contain the global Teredo IPv6 service prefix,
+ and the next 32 bits should contain the server's IPv4 address. If
+ this is the case, the client learns the Teredo mapped address and
+ Teredo mapped port from the origin indication. The IPv6 source
+ address of the Router Advertisement is a link-local server address of
+ the Teredo server. (Responses that are not valid advertisements are
+ simply discarded.)
+
+
+
+
+
+
+Huitema Standards Track [Page 19]
+
+RFC 4380 Teredo February 2006
+
+
+ If the client has received an RA with the cone bit in the IPv6
+ destination address set to 1, it is behind a cone NAT and is fully
+ qualified. If the RA is received with the cone bit set to 0, the
+ client does not know whether the local NAT is restricted or
+ symmetric. The client selects the secondary IPv4 server address, and
+ repeats the procedure, the cone bit remaining to the value zero. If
+ the client does not receive a response, it detects that the service
+ is not usable. If the client receives a response, it compares the
+ mapped address and mapped port in this second response to the first
+ received values. If the values are different, the client detects a
+ symmetric NAT: it cannot use the Teredo service. If the values are
+ the same, the client detects a port-restricted or restricted cone
+ NAT: the client is qualified to use the service. (Teredo operates
+ the same way for restricted and port-restricted NAT.)
+
+ If the client is qualified, it builds a Teredo IPv6 address using the
+ Teredo IPv6 server prefix learned from the RA and the obfuscated
+ values of the UDP port and IPv4 address learned from the origin
+ indication. The cone bit should be set to the value used to receive
+ the RA, i.e., 1 if the client is behind a cone NAT, 0 otherwise. The
+ client can start using the Teredo service.
+
+5.2.2. Secure Qualification
+
+ The client may be required to perform secured qualification. The
+ client will perform exactly the algorithm described in Section 5.2.1,
+ but it will incorporate an authentication encapsulation in the UDP
+ packet carrying the router solicitation message, and it will verify
+ the presence of a valid authentication parameter in the UDP message
+ that carries the router advertisement provided by the sender.
+
+ In these packets, the nonce value is chosen by the client, and is
+ repeated in the response from the server; the client identifier is a
+ value with which the client was configured.
+
+ A first level of protection is provided by just checking that the
+ value of the nonce in the response matches the value initially sent
+ by the client. If they don't match, the packet MUST be discarded.
+ If no other protection is used, the authentication payload does not
+ contain any identifier or authentication field; the ID-len and AU-len
+ fields are set to a null value. When stronger protection is
+ required, the authentication payload contains the identifier and
+ location fields, as explained in the following paragraphs.
+
+ The confirmation byte is set to 0 by the client. A null value
+ returned by the server indicates that the client's key is still
+ valid; a non-null value indicates that the client should obtain a new
+ key.
+
+
+
+Huitema Standards Track [Page 20]
+
+RFC 4380 Teredo February 2006
+
+
+ When stronger authentication is provided, the client and the server
+ are provisioned with a client identifier, a shared secret, and the
+ identification of an authentication algorithm. Before transmission,
+ the authentication value is computed according to the specified
+ algorithm; on reception, the same algorithm is used to compute a
+ target value from the content of the receive packet. The receiver
+ deems the authentication successful if the two values match. If they
+ don't, the packet MUST be discarded.
+
+ To maximize interoperability, this specification defines a default
+ algorithm in which the authentication value is computed according the
+ HMAC specification [RFC2104] and the SHA1 function [FIPS-180].
+ Clients and servers may agree to use HMAC combined with a different
+ function, or to use a different algorithm altogether, such as for
+ example AES-XCBC-MAC-96 [RFC3566].
+
+ The default authentication algorithm is based on the HMAC algorithm
+ according to the following specifications:
+
+ - the hash function shall be the SHA1 function [FIPS-180].
+ - the secret value shall be the shared secret with which the client
+ was configured.
+
+ The clear text to be protected includes:
+
+ - the nonce value,
+ - the confirmation byte,
+ - the origin indication encapsulation, if it is present,
+ - the IPv6 packet.
+
+ The HMAC procedure is applied to the concatenation of these four
+ components, without any additional padding.
+
+5.2.3. Packet Reception
+
+ The Teredo client receives packets over the Teredo interface. The
+ role of the packet reception procedure, besides receiving packets, is
+ to maintain the date and time of the last interaction with the Teredo
+ server and the "list of recent peers".
+
+ When a UDP packet is received over the Teredo service port, the
+ Teredo client checks that it is encoded according to the packet
+ encoding rules defined in Section 5.1.1, and that it contains either
+ a valid IPv6 packet or the combination of a valid origin indication
+ encapsulation and a valid IPv6 packet, possibly protected by a valid
+ authentication encapsulation. If this is not the case, the packet is
+ silently discarded.
+
+
+
+
+Huitema Standards Track [Page 21]
+
+RFC 4380 Teredo February 2006
+
+
+ An IPv6 packet is deemed valid if it conforms to [RFC2460]: the
+ protocol identifier should indicate an IPv6 packet and the payload
+ length should be consistent with the length of the UDP datagram in
+ which the packet is encapsulated. In addition, the client should
+ check that the IPv6 destination address correspond to its own Teredo
+ address.
+
+ Then, the Teredo client examines the IPv4 source address and UDP port
+ number from which the packet is received. If these values match the
+ IPv4 address of the server and the Teredo port, the client updates
+ the "date and time of the last interaction with the Teredo server" to
+ the current date and time; if an origin indication is present, the
+ client should perform the "direct IPv6 connectivity test" described
+ in Section 5.2.9.
+
+ If the IPv4 source address and UDP port number are different from the
+ IPv4 address of the server and the Teredo port, the client examines
+ the IPv6 source address of the packet:
+
+ 1) If there is an entry for the source IPv6 address in the list of
+ peers whose status is trusted, the client compares the mapped IPv4
+ address and mapped port in the entry with the source IPv4 address and
+ source port of the packet. If the values match, the packet is
+ accepted; the date and time of the last reception from the peer is
+ updated.
+
+ 2) If there is an entry for the source IPv6 address in the list of
+ peers whose status is not trusted, the client checks whether the
+ packet is an ICMPv6 echo reply. If this is the case, and if the
+ ICMPv6 data of the reply matches the nonce stored in the peer entry,
+ the packet should be accepted; the status of the entry should be
+ changed to "trusted", the mapped IPv4 and mapped port in the entry
+ should be set to the source IPv4 address and source port from which
+ the packet was received, and the date and time of the last reception
+ from the peer should be updated. Any packet queued for this IPv6
+ peer (as specified in Section 5.2.4) should be de-queued and
+ forwarded to the newly learned IPv4 address and UDP port.
+
+ 3) If the source IPv6 address is a Teredo address, the client
+ compares the mapped IPv4 address and mapped port in the source
+ address with the source IPv4 address and source port of the packet.
+ If the values match, the client MUST create a peer entry for the IPv6
+ source address in the list of peers; it should update the entry if
+ one already existed; the mapped IPv4 address and mapped port in the
+ entry should be set to the value from which the packet was received,
+ and the status should be set to "trusted". If a new entry is
+ created, the last transmission date is set to 30 seconds before the
+ current date, and the number of bubbles to zero. If the packet is a
+
+
+
+Huitema Standards Track [Page 22]
+
+RFC 4380 Teredo February 2006
+
+
+ bubble, it should be discarded after this processing; otherwise, the
+ packet should be accepted. In all cases, the client must de-queue
+ and forward any packet queued for that destination.
+
+ 4) If the IPv4 destination address through which the packet was
+ received is the Teredo IPv4 Discovery Address, the source address is
+ a valid Teredo address, and the destination address is the "all nodes
+ on link" multicast address, the packet should be treated as a local
+ discovery bubble. If no local entry already existed for the source
+ address, a new one is created, but its status is set to "not
+ trusted". The client SHOULD reply with a unicast Teredo bubble, sent
+ to the source IPv4 address and source port of the local discovery
+ bubble; the IPv6 source address of the bubble will be set to local
+ Teredo IPv6 address; the IPv6 destination address of the bubble
+ should be set to the IPv6 source address of the local discovery
+ bubble. (Clients that do not implement the optional local discovery
+ procedure will not process local discovery bubbles.)
+
+ 5) If the source IPv6 address is a Teredo address, and the mapped
+ IPv4 address and mapped port in the source address do not match the
+ source IPv4 address and source port of the packet, the client checks
+ whether there is an existing "local" entry for that IPv6 address. If
+ there is such an entry, and if the local IPv4 address and local port
+ indicated in that entry match the source IPv4 address and source
+
+ port of the packet, the client updates the "local" entry, whose
+ status should be set to "trusted". If the packet is a bubble, it
+ should be discarded after this processing; otherwise, the packet
+ should be accepted. In all cases, the client must de-queue and
+ forward any packet queued for that destination.
+
+ 6) In the other cases, the packet may be accepted, but the client
+ should be conscious that the source address may be spoofed; before
+ processing the packet, the client should perform the "direct IPv6
+ connectivity test" described in Section 5.2.9.
+
+ Whatever the IPv4 source address and UDP source port, the client that
+ receives an IPv6 packet MAY send a Teredo bubble towards that target,
+ as specified in Section 5.2.6.
+
+5.2.4. Packet Transmission
+
+ When a Teredo client has to transmit a packet over a Teredo
+ interface, it examines the destination IPv6 address. The client
+ checks first if there is an entry for this IPv6 address in the list
+ of recent Teredo peers, and if the entry is still valid: an entry
+ associated with a local peer is valid if the last reception date and
+ time associated with that list entry is less that 30 seconds from the
+
+
+
+Huitema Standards Track [Page 23]
+
+RFC 4380 Teredo February 2006
+
+
+ current time; an entry associated with a non-local peer is valid if
+ the last reception date and time associated with that list entry is
+ less that 30 seconds from the current time. (Local peer entries can
+ only be present if the client uses the local discovery procedure
+ discussed in Section 5.2.8.)
+
+ The client then performs the following:
+
+ 1) If there is an entry for that IPv6 address in the list of peers,
+ and if the status of the entry is set to "trusted", the IPv6 packet
+ should be sent over UDP to the IPv4 address and UDP port specified in
+ the entry. The client updates the date of last transmission in the
+ peer entry.
+
+ 2) If the destination is not a Teredo IPv6 address, the packet is
+ queued, and the client performs the "direct IPv6 connectivity test"
+ described in Section 5.2.9. The packet will be de-queued and
+ forwarded if this procedure completes successfully. If the direct
+ IPv6 connectivity test fails to complete within a 2-second time-out,
+ it should be repeated up to 3 times.
+
+ 3) If the destination is the Teredo IPv6 address of a local peer
+ (i.e., a Teredo address from which a local discovery bubble has been
+ received in the last 600 seconds), the packet is queued. The client
+ sends a unicast Teredo bubble to the local IPv4 address and local
+ port specified in the entry, and a local Teredo bubble to the Teredo
+ IPv4 discovery address.
+
+ 4) If the destination is a Teredo IPv6 address in which the cone bit
+ is set to 1, the packet is sent over UDP to the mapped IPv4 address
+ and mapped UDP port extracted from that IPv6 address.
+
+ 5) If the destination is a Teredo IPv6 address in which the cone bit
+ is set to 0, the packet is queued. If the client is not located
+ behind a cone NAT, it sends a direct bubble to the Teredo
+ destination, i.e., to the mapped IP address and mapped port of the
+ destination. In all cases, the client sends an indirect bubble to
+ the Teredo destination, sending it over UDP to the server address and
+ to the Teredo port. The packet will be de-queued and forwarded when
+ the client receives a bubble or another packet directly from this
+ Teredo peer. If no bubble is received within a 2-second time-out,
+ the bubble transmission should be repeated up to 3 times.
+
+ In cases 4 and 5, before sending a packet over UDP, the client MUST
+ check that the IPv4 destination address is in the format of a global
+ unicast address; if this is not the case, the packet MUST be silently
+
+
+
+
+
+Huitema Standards Track [Page 24]
+
+RFC 4380 Teredo February 2006
+
+
+ discarded. (Note that a packet can legitimately be sent to a non-
+ global unicast address in case 1, as a result of the local discovery
+ procedure.)
+
+ The global unicast address check is designed to thwart a number of
+ possible attacks in which an attacker tries to use a Teredo host to
+ attack either a single local IPv4 target or a set of such targets.
+ For the purpose of this specification, and IPv4 address is deemed to
+ be a global unicast address if it does not belong to or match:
+
+ - the "local" subnet 0.0.0.0/8,
+ - the "loopback" subnet 127.0.0.0/8,
+ - the local addressing ranges 10.0.0.0/8,
+ - the local addressing ranges 172.16.0.0/12,
+ - the local addressing ranges 192.168.0.0/16,
+ - the link local block 169.254.0.0/16,
+ - the block reserved for 6to4 anycast addresses 192.88.99.0/24,
+ - the multicast address block 224.0.0.0/4,
+ - the "limited broadcast" destination address 255.255.255.255,
+ - the directed broadcast addresses corresponding to the subnets to
+ which the host is attached.
+
+ A list of special-use IPv4 addresses is provided in [RFC3330].
+
+ For reliability reasons, clients MAY decide to ignore the value of
+ the cone bit in the flag, skip the "case 4" test and always perform
+ the "case 5", i.e., treat all Teredo peers as if they were located
+ behind non-cone NAT. This will result in some increase in traffic,
+ but may avoid reliability issues if the determination of the NAT
+ status was for some reason erroneous. For the same reason, clients
+ MAY also decide to always send a direct bubble in case 5, even if
+ they do not believe that they are located behind a non-cone NAT.
+
+5.2.5. Maintenance
+
+ The Teredo client must ensure that the mappings that it uses remain
+ valid. It does so by checking that packets are regularly received
+ from the Teredo server.
+
+ At regular intervals, the client MUST check the "date and time of the
+ last interaction with the Teredo server" to ensure that at least one
+ packet has been received in the last Randomized Teredo Refresh
+ Interval. If this is not the case, the client SHOULD send a router
+ solicitation message to the server, as specified in Section 5.2.1;
+ the client should use the same value of the cone bit that resulted in
+ the reception of an RA during the qualification procedure.
+
+
+
+
+
+Huitema Standards Track [Page 25]
+
+RFC 4380 Teredo February 2006
+
+
+ When the router advertisement is received, the client SHOULD check
+ its validity as specified in Section 5.2.1; invalid advertisements
+ are silently discarded. If the advertisement is valid, the client
+ MUST check that the mapped address and port correspond to the current
+ Teredo address. If this is not the case, the mapping has changed;
+ the client must mark the old address as invalid and start using the
+ new address.
+
+5.2.6. Sending Teredo Bubbles
+
+ The Teredo client may have to send a bubble towards another Teredo
+ client, either after a packet reception or after a transmission
+ attempt, as explained in Sections 5.2.3 and 5.2.4. There are two
+ kinds of bubbles: direct bubbles, which are sent directly to the
+ mapped IPv4 address and mapped UDP port of the peer, and indirect
+ bubbles, which are sent through the Teredo server of the peer.
+
+ When a Teredo client attempts to send a direct bubble, it extracts
+ the mapped IPv4 address and mapped UDP port from the Teredo IPv6
+ address of the target. It then checks whether there is already an
+ entry for this IPv6 address in the current list of peers. If there
+ is no entry, the client MUST create a new list entry for the address,
+ setting the last reception date and the last transmission date to 30
+ seconds before the current date, and the number of bubbles to zero.
+
+ When a Teredo client attempts to send an indirect bubble, it extracts
+ the Teredo server IPv4 address from the Teredo prefix of the IPv6
+ address of the target (different clients may be using different
+ servers); the bubble will be sent to that IPv4 address and the Teredo
+ UDP port.
+
+ Bubbles may be lost in transit, and it is reasonable to enhance the
+ reliability of the Teredo service by allowing multiple transmissions;
+ however, bubbles will also be lost systematically in certain NAT
+ configurations. In order to strike a balance between reliability and
+ unnecessary retransmissions, we specify the following:
+
+ - The client MUST NOT send a bubble if the last transmission date
+ and time is less than 2 seconds before the current date and time;
+
+ - The client MUST NOT send a bubble if it has already sent 4 bubbles
+ to the peer in the last 300 seconds without receiving a direct
+ response.
+
+ In the other cases, the client MAY proceed with the transmission of
+ the bubble. When transmitting the bubble, the client MUST update the
+ last transmission date and time to that peer, and must also increment
+ the number of transmitted bubbles.
+
+
+
+Huitema Standards Track [Page 26]
+
+RFC 4380 Teredo February 2006
+
+
+5.2.7. Optional Refresh Interval Determination Procedure
+
+ In addition to the regular client resources described in the
+ beginning of this section, the refresh interval determination
+ procedure uses an additional UDP port, the Teredo secondary port, and
+ the following variables:
+
+ - Teredo secondary connectivity status,
+ - Mapped address and port number of the Teredo secondary port,
+ - Teredo secondary IPv6 prefix associated with the secondary port,
+ - Teredo secondary IPv6 address derived from this prefix,
+ - Date and time of the last interaction on the secondary port,
+ - Maximum Teredo Refresh Interval.
+ - Candidate Teredo Refresh Interval.
+
+ The secondary connectivity status, mapped address and prefix are
+ determined by running the qualification procedure on the secondary
+ port. When the client uses the interval determination procedure, the
+ qualification procedure MUST be run for the secondary port
+ immediately after running it on the service port. If the secondary
+ qualification fails, the interval determination procedure will not be
+ used, and the interval value will remain to the default value, 30
+ seconds. If the secondary qualification succeeds, the maximum
+ refresh interval is set to 120 seconds, and the candidate Teredo
+ refresh interval is set to 60 seconds, i.e., twice the Teredo refresh
+ interval. The procedure is then performed at regular intervals,
+ until it concludes:
+
+ 1) wait until the candidate refresh interval is elapsed after the
+ last interaction on the secondary port.
+
+ 2) send a Teredo bubble to the Teredo secondary IPv6 address, through
+ the service port.
+
+ 3) wait for reception of the bubble on the secondary port. If a
+ timer of 2 seconds elapses without reception, repeat step 2 at
+ most three times. If there is still no reception, the candidate
+ has failed; if there is a reception, the candidate has succeeded.
+
+ 4) if the candidate has succeeded, set the Teredo refresh interval to
+ the candidate value, and set a new candidate value to the minimum
+ of twice the new refresh interval, or the average of the refresh
+ interval and the maximum refresh interval.
+
+
+
+
+
+
+
+
+Huitema Standards Track [Page 27]
+
+RFC 4380 Teredo February 2006
+
+
+ 5) if the candidate has failed, set the maximum refresh interval to
+ the candidate value. If the current refresh interval is larger
+ than or equal to 75% of the maximum, the determination procedure
+ has concluded; otherwise, set a new candidate value to the average
+ of the refresh interval and the maximum refresh interval.
+
+ 6) if the procedure has not concluded, perform the maintenance
+ procedure on the secondary port, which will reset the date and
+ time of the last interaction on the secondary port, and may result
+ in the allocation of a new Teredo secondary IPv6 address; this
+ would not affect the values of the refresh interval, candidate
+ interval, or maximum refresh interval.
+
+ The secondary port MUST NOT be used for any other purpose than the
+ interval determination procedure. It should be closed when the
+ procedure ends.
+
+5.2.8. Optional Local Client Discovery Procedure
+
+ It is desirable to enable direct communication between Teredo clients
+ that are located behind the same NAT, without forcing a systematic
+ relay through a Teredo server. It is hard to design a general
+ solution to this problem, but we can design a partial solution when
+ the Teredo clients are connected through IPv4 to the same link.
+
+ A Teredo client who wishes to enable local discovery SHOULD join the
+ IPv4 multicast group identified by Teredo IPv4 Discovery Address.
+ The client SHOULD wait for discovery bubbles to be received on the
+ Teredo IPv4 Discovery Address. The client SHOULD send local
+ discovery bubbles to the Teredo IPv4 Discovery Address at random
+ intervals, uniformly distributed between 200 and 300 seconds. A
+ local Teredo bubble has the following characteristics:
+
+ - IPv4 source address: the IPv4 address of the sender
+
+ - IPv4 destination address: the Teredo IPv4 Discovery Address
+
+ - IPv4 ttl: 1
+
+ - UDP source port: the Teredo service port of the sender
+
+ - UDP destination port: the Teredo UDP port
+
+ - UDP payload: a minimal IPv6 packet, as follows
+
+ - IPv6 source: the global Teredo IPv6 address of the sender
+
+ - IPv6 destination: the all-nodes on-link multicast address
+
+
+
+Huitema Standards Track [Page 28]
+
+RFC 4380 Teredo February 2006
+
+
+ - IPv6 payload type: 59 (No Next Header, as per [RFC2460])
+
+ - IPv6 payload length: 0
+
+ - IPv6 hop limit: 1
+
+ The local discovery procedure carries a denial of service risk, as
+ malevolent nodes could send fake bubbles to unsuspecting parties, and
+ thus capture the traffic originating from these parties. The risk is
+ mitigated by the filtering rules described in Section 5.2.5, and also
+ by "link only" multicast scope of the Teredo IPv4 Discovery Address,
+ which implies that packets sent to this address will not be forwarded
+ across routers.
+
+ To benefit from the "link only multicast" protection, the clients
+ should silently discard all local discovery bubbles that are received
+ over a unicast address. To further mitigate the denial of service
+ risk, the client MUST silently discard all local discovery bubbles
+ whose IPv6 source address is not a well-formed Teredo IPv6 address,
+ or whose IPv4 source address does not belong to the local IPv4
+ subnet; the client MAY decide to silently discard all local discovery
+ bubbles whose Teredo IPv6 address do not include the same mapped IPv4
+ address as its own.
+
+ If the bubble is accepted, the client checks whether there is an
+ entry in the list of recent peers that correspond to the mapped IPv4
+ address and mapped UDP port associated with the source IPv6 address
+ of the bubble. If there is such an entry, the client MUST update the
+ local peer address and local peer port parameters to reflect the IPv4
+ source address and UDP source port of the bubble. If there is no
+ entry, the client MUST create one, setting the local peer address and
+ local peer port parameters to reflect the IPv4 source address and UDP
+ source port of the bubble, the last reception date to the current
+ date and time, the last transmission date to 30 seconds before the
+ current date, and the number of bubbles to zero. The state of the
+ entry is set to "not trusted".
+
+ Upon reception of a discovery bubble, clients reply with a unicast
+ bubble as specified in Section 5.2.3.
+
+5.2.9. Direct IPv6 Connectivity Test
+
+ The Teredo procedures are designed to enable direct connections
+ between a Teredo host and a Teredo relay. Teredo hosts located
+ behind a cone NAT will receive packets directly from relays; other
+ Teredo hosts will learn the original addresses and UDP ports of third
+ parties through the local Teredo server. In all of these cases,
+ there is a risk that the IPv6 address of the source will be spoofed
+
+
+
+Huitema Standards Track [Page 29]
+
+RFC 4380 Teredo February 2006
+
+
+ by a malevolent party. Teredo hosts must make two decisions, whether
+ to accept the packet for local processing and whether to transmit
+ further packets to the IPv6 address through the newly
+
+ learned IPv4 address and UDP port. The basic rule is that the hosts
+ should be generous in what they accept and careful in what they send.
+ Refusing to accept packets due to spoofing concerns would compromise
+ connectivity and should only be done when there is a near certainty
+ that the source address is spoofed. On the other hand, sending
+ packets to the wrong address should be avoided.
+
+ When the client wants to send a packet to a native IPv6 node or a
+ 6to4 node, it should check whether a valid peer entry already exists
+ for the IPv6 address of the destination. If this is not the case,
+ the client will pick a random number (a nonce) and format an ICMPv6
+ Echo Request message whose source is the local Teredo address, whose
+ destination is the address of the IPv6 node, and whose Data field is
+ set to the nonce. (It is recommended to use a random number at least
+ 64 bits long.) The nonce value and the date at which the packet was
+ sent will be documented in a provisional peer entry for the IPV6
+ destination. The ICMPv6 packet will then be sent encapsulated in a
+ UDP packet destined to the Teredo server IPv4 address and to the
+ Teredo port. The rules of Section 5.2.3 specify how the reply to
+ this packet will be processed.
+
+5.2.10. Working around symmetric NAT
+
+ The client procedures are designed to enable IPv6 connectivity
+ through the most common types of NAT, which are commonly called "cone
+ NAT" and "restricted cone NAT" [RFC3489]. Some NATs employ a
+ different design; they are often called "symmetric NAT". The
+ qualification algorithm in Section 5.2.1 will not succeed when the
+ local NAT is a symmetric NAT.
+
+ In many cases, it is possible to work around the limitations of these
+ NATs by explicitly reserving a UDP port for Teredo service on a
+ client, using a function often called "DMZ" in the NAT's manual.
+ This port will become the "service port" used by the Teredo hosts.
+ The implementers of Teredo functions in hosts must make sure that the
+ value of the service port can be explicitly provisioned, so that the
+ user can provision the same value in the host and in the NAT.
+
+ The reservation procedure guarantees that the port mapping will
+ remain the same for all destinations. After the explicit
+ reservation, the qualification algorithm in Section 5.2.1 will
+ succeed, and the Teredo client will behave as if behind a "cone NAT".
+
+
+
+
+
+Huitema Standards Track [Page 30]
+
+RFC 4380 Teredo February 2006
+
+
+ When different clients use Teredo behind a single symmetric NAT, each
+ of these clients must reserve and use a different service port.
+
+5.3. Teredo Server Specification
+
+ The Teredo server is designed to be stateless. The Teredo server
+ waits for incoming UDP packets at the Teredo Port, using the IPv4
+ address that has been selected for the service. In addition, the
+ server is able to receive and transmit some packets using a different
+ IPv4 address and a different port number.
+
+ The Teredo server acts as an IPv6 router. As such, it will receive
+ Router Solicitation messages, to which it will respond with Router
+ Advertisement messages as explained in Section 5.3.2. It may also
+ receive other packets, for example, ICMPv6 messages and Teredo
+ bubbles, which are processed according to the IPv6 specification.
+
+ By default, the routing functions of the Teredo server are limited.
+ Teredo servers are expected to relay Teredo bubbles, ICMPv6 Echo
+ requests, and ICMPv6 Echo replies, but they are not expected to relay
+ other types of IPv6 packets. Operators may, however, decide to
+ combine the functions of "Teredo server" and "Teredo relay", as
+ explained in Section 5.4.
+
+5.3.1. Processing of Teredo IPv6 Packets
+
+ Before processing the packet, the Teredo server MUST check the
+ validity of the encapsulated IPv6 source address, the IPv4 source
+ address, and the UDP source port:
+
+ 1) If the UDP content is not a well-formed Teredo IPv6 packet, as
+ defined in Section 5.1.1, the packet MUST be silently discarded.
+
+ 2) If the UDP packet is not a Teredo bubble or an ICMPv6 message, it
+ SHOULD be discarded. (The packet may be processed if the Teredo
+ server also operates as a Teredo relay, as explained in Section 5.4.)
+
+ 3) If the IPv4 source address is not in the format of a global
+ unicast address, the packet MUST be silently discarded (see Section
+ 5.2.4 for a definition of global unicast addresses).
+
+ 4) If the IPv6 source address is an IPv6 link-local address, the
+ IPv6 destination address is the link-local scope all routers
+ multicast address (FF02::2), and the packet contains an ICMPv6 Router
+ Solicitation message, the packet MUST be accepted. It MUST be
+ discarded if the server requires secure qualification and the
+ authentication encapsulation is absent or verification fails.
+
+
+
+
+Huitema Standards Track [Page 31]
+
+RFC 4380 Teredo February 2006
+
+
+ 5) If the IPv6 source address is a Teredo IPv6 address, and if the
+ IPv4 address and UDP port embedded in that address match the IPv4
+ source address and UDP source port, the packet SHOULD be accepted.
+
+ 6) If the IPv6 source address is not a Teredo IPv6 address, and if
+ the IPv6 destination address is a Teredo address allocated through
+ this server, the packet SHOULD be accepted.
+
+ 7) In all other cases, the packet MUST be silently discarded.
+
+ The Teredo server will then check the IPv6 destination address of the
+ encapsulated IPv6 packet:
+
+ If the IPv6 destination address is the link-local scope all routers
+ multicast address (FF02::2), or the link-local address of the server,
+ the Teredo server processes the packet; it may have to process Router
+ Solicitation messages and ICMPv6 Echo Request messages.
+
+ If the destination IPv6 address is not a global scope IPv6 address,
+ the packet MUST NOT be forwarded.
+
+ If the destination address is not a Teredo IPv6 address, the packet
+ should be relayed to the IPv6 Internet using regular IPv6 routing.
+
+ If the IPv6 destination address is a valid Teredo IPv6 address as
+ defined in Section 2.13, the Teredo Server MUST check that the IPv4
+ address derived from this IPv6 address is in the format of a global
+ unicast address; if this is not the case, the packet MUST be silently
+ discarded.
+
+ If the address is valid, the Teredo server encapsulates the IPv6
+ packet in a new UDP datagram, in which the following parameters are
+ set:
+
+ - The destination IPv4 address is derived from the IPv6 destination.
+
+ - The source IPv4 address is the Teredo server IPv4 address.
+
+ - The destination UDP port is derived from the IPv6 destination.
+
+ - The source UDP port is set to the Teredo UDP Port.
+
+ If the destination IPv6 address is a Teredo client whose address is
+ serviced by this specific server, the server should insert an origin
+ indication in the first bytes of the UDP payload, as specified in
+ Section 5.1.1. (To verify that the client is served by this server,
+ the server compares bits 32-63 of the client's Teredo IPv6 address to
+ the server's IPv4 address.)
+
+
+
+Huitema Standards Track [Page 32]
+
+RFC 4380 Teredo February 2006
+
+
+5.3.2. Processing of Router Solicitations
+
+ When the Teredo server receives a Router Solicitation message (RS,
+ [RFC2461]), it retains the IPv4 address and UDP port from which the
+ solicitation was received; these become the Teredo mapped address and
+ Teredo mapped port of the client. The router uses these values to
+ compose the origin indication encapsulation that will be sent with
+ the response to the solicitation.
+
+ The Teredo server responds to the router solicitation by sending a
+ Router Advertisement message [RFC2461]. The router advertisement
+ MUST advertise the Teredo IPv6 prefix composed from the service
+
+ prefix and the server's IPv4 address. The IPv6 source address should
+ be set to a Teredo link-local server address associated to the local
+ interface; this address is derived from the IPv4 address of the
+ server and from the Teredo port, as specified in Section 4; the cone
+ bit is set to 1. The IPv6 destination address is set to the IPv6
+ source address of the RS. The Router Advertisement message must be
+ sent over UDP to the Teredo mapped address and Teredo mapped port of
+ the client; the IPv4 source address and UDP source port should be set
+ to the server's IPv4 address and Teredo Port. If the cone bit of the
+ client's IPv6 address is set to 1, the RA must be sent from a
+ different IPv4 source address than the server address over which the
+ RS was received; if the cone bit is set to zero, the response must be
+ sent back from the same address.
+
+ Before sending the packet, the Teredo server MUST check that the IPv4
+ destination address is in the format of a global unicast address; if
+ this is not the case, the packet MUST be silently discarded (see
+ Section 5.2.4 for a definition of global unicast addresses).
+
+ If secure qualification is required, the server MUST insert a valid
+ authentication parameter in the UDP packet carrying the router
+ advertisement. The client identifier and the nonce value used in the
+ authentication parameter MUST be the same identifier and nonce as
+ received in the router solicitation. The confirmation byte MUST be
+ set to zero if the client identifier is still valid, and a non-null
+ value otherwise; the authentication value SHOULD be computed using
+ the secret that corresponds to the client identifier.
+
+5.4. Teredo Relay Specification
+
+ Teredo relays are IPv6 routers that advertise reachability of the
+ Teredo service IPv6 prefix through the IPv6 routing protocols. (A
+ minimal Teredo relay may serve just a local host, and would not
+ advertise the prefix beyond this host.) Teredo relays will receive
+ IPv6 packets bound to Teredo clients. Teredo relays should be able
+
+
+
+Huitema Standards Track [Page 33]
+
+RFC 4380 Teredo February 2006
+
+
+ to receive packets sent over IPv4 and UDP by Teredo clients; they may
+ apply filtering rules, e.g., only accept packets from Teredo clients
+ if they have previously sent traffic to these Teredo clients.
+
+ The receiving and sending rules used by Teredo relays are very
+ similar to those of Teredo clients. Teredo relays must use a Teredo
+ service port to transmit packets to Teredo clients; they must
+ maintain a "list of peers", identical to the list of peers maintained
+ by Teredo clients.
+
+5.4.1. Transmission by Relays to Teredo Clients
+
+ When a Teredo relay has to transmit a packet to a Teredo client, it
+ examines the destination IPv6 address. By definition, the Teredo
+ relays will only send over UDP IPv6 packets whose IPv6 destination
+ address is a valid Teredo IPv6 address.
+
+ Before processing these packets, the Teredo Relay MUST check that the
+ IPv4 destination address embedded in the Teredo IPv6 address is in
+ the format of a global unicast address; if this is not the case, the
+ packet MUST be silently discarded (see Section 5.2.4 for a definition
+ of global unicast addresses).
+
+ The relay then checks if there is an entry for this IPv6 address in
+ the list of recent Teredo peers, and if the entry is still valid.
+ The relay then performs the following:
+
+ 1) If there is an entry for that IPv6 address in the list of peers,
+ and if the status of the entry is set to "trusted", the IPv6 packet
+ should be sent over UDP to the mapped IPv4 address and mapped UDP
+ port of the entry. The relay updates the date of last transmission
+ in the peer entry.
+
+ 2) If there is no trusted entry in the list of peers, and if the
+ destination is a Teredo IPv6 address in which the cone bit is set to
+ 1, the packet is sent over UDP to the mapped IPv4 address and mapped
+ UDP port extracted from that IPv6 address.
+
+ 3) If there is no trusted entry in the list of peers, and if the
+ destination is a Teredo IPv6 address in which the cone bit is set to
+ 0, the Teredo relay creates a bubble whose source address is set to a
+ local IPv6 address, and whose destination address is set to the
+ Teredo IPv6 address of the packet's destination. The bubble is sent
+ to the server address corresponding to the Teredo destination. The
+ entry becomes trusted when a bubble or another packet is received
+ from this IPv6 address; if no such packet is received before a time-
+ out of 2 seconds, the Teredo relay may repeat the bubble, up to three
+ times. If the relay fails to receive a bubble after these
+
+
+
+Huitema Standards Track [Page 34]
+
+RFC 4380 Teredo February 2006
+
+
+ repetitions, the entry is removed from the list of peers. The relay
+ MAY queue packets bound to untrusted entries; the queued packets
+ SHOULD be de-queued and forwarded when the entry becomes trusted;
+ they SHOULD be deleted if the entry is deleted. To avoid denial of
+ service attacks, the relays SHOULD limit the number of packets in
+ such queues.
+
+ In cases 2 and 3, the Teredo relay should create a peer entry for the
+ IPv6 address; the entry status is marked as trusted in case 2 (cone
+ NAT) and not trusted in case 3. In case 3, if the Teredo relay
+ happens to be located behind a non-cone NAT, it should also send a
+ bubble directly to the mapped IPv4 address and mapped port number of
+ the Teredo destination. This will "open the path" for the return
+ bubble from the Teredo client.
+
+ For reliability reasons, relays MAY decide to ignore the value of the
+ cone bit in the flag, and always perform the "case 3", i.e., treat
+ all Teredo peers as if they were located behind a non-cone NAT. This
+ will result in some increase in traffic, but may avoid
+
+ reliability issues if the determination of the NAT status was for
+ some reason erroneous. For the same reason, relays MAY also decide
+ to always send a direct bubble to the mapped IPv4 address and mapped
+ port number of the Teredo destination, even if they do not believe
+ that they are located behind a non-cone NAT.
+
+5.4.2. Reception from Teredo Clients
+
+ The Teredo relay may receive packets from Teredo clients; the packets
+ should normally only be sent by clients to which the relay previously
+ transmitted packets, i.e., clients whose IPv6 address is present in
+ the list of peers. Relays, like clients, use the packet reception
+ procedure to maintain the date and time of the last interaction with
+ the Teredo server and the "list of recent peers".
+
+ When a UDP packet is received over the Teredo service port, the
+ Teredo relay checks that it contains a valid IPv6 packet as specified
+ in [RFC2460]. If this is not the case, the packet is silently
+ discarded.
+
+ Then, the Teredo relay examines whether the IPv6 source address is a
+ valid Teredo address, and if the mapped IPv4 address and mapped port
+ match the IPv4 source address and port number from which the packet
+ is received. If this is not the case, the packet is silently
+ discarded.
+
+ The Teredo relay then examines whether there is an entry for the IPv6
+ source address in the list of recent peers. If this is not the case,
+
+
+
+Huitema Standards Track [Page 35]
+
+RFC 4380 Teredo February 2006
+
+
+ the packet may be silently discarded. If this is the case, the entry
+ status is set to "trusted"; the relay updates the "date and time of
+ the last interaction" to the current date and time.
+
+ Finally, the relay examines the destination IPv6 address. If the
+ destination belongs to a range of IPv6 addresses served by the relay,
+ the packet SHOULD be accepted and forwarded to the destination. In
+ the other cases, the packet SHOULD be silently discarded.
+
+5.4.3. Difference between Teredo Relays and Teredo Servers
+
+ Because Teredo servers can relay Teredo packets over IPv6, all Teredo
+ servers must be capable of behaving as Teredo relays. There is,
+ however, no requirement that Teredo relays behave as Teredo servers.
+
+ The dual role of server and relays implies an additional complexity
+ for the programming of servers: the processing of incoming packets
+ should be a combination of the server processing rules defined in
+ Section 5.3.1, and the relay processing rules defined in Section
+ 5.4.2. (Section 5.3 only specifies the rules implemented by a pure
+ server, not a combination relay+server.)
+
+5.5. Implementation of Automatic Sunset
+
+ Teredo is designed as an interim transition mechanism, and it is
+ important that it should not be used any longer than necessary. The
+ "sunset" procedure will be implemented by Teredo clients, servers,
+ and relays, as specified in this section.
+
+ The Teredo-capable nodes MUST NOT behave as Teredo clients if they
+ already have IPv6 connectivity through any other means, such as
+ native IPv6 connectivity. In particular, nodes that have a global
+ IPv4 address SHOULD obtain connectivity through the 6to4 service
+ rather than through the Teredo service. The classic reason why a
+ node that does not need connectivity would still enable the Teredo
+ service is to guarantee good performance when interacting with Teredo
+ clients; however, a Teredo-capable node that has IPv4 connectivity
+ and that has obtained IPv6 connectivity outside the Teredo service
+ MAY decide to behave as a Teredo relay, and still obtain good
+ performance when interacting with Teredo clients.
+
+ The Teredo servers are expected to participate in the sunset
+ procedure by announcing a date at which they will stop providing the
+ service. This date depends on the availability of alternative
+ solutions to their clients, such as "dual-mode" gateways that behave
+ simultaneously as IPv4 NATs and IPv6 routers. Most Teredo servers
+ will not be expected to operate more than a few years. Teredo relays
+ are expected to have the same life span as Teredo servers.
+
+
+
+Huitema Standards Track [Page 36]
+
+RFC 4380 Teredo February 2006
+
+
+6. Further Study, Use of Teredo to Implement a Tunnel Service
+
+ Teredo defines a NAT traversal solution that can be provided using
+ very little resource at the server. Ongoing IETF discussions have
+ outlined the need for both a solution like Teredo and a more
+ controlled NAT traversal solution, using configured tunnels to a
+ service provider [RFC3904]. This section provides a tentative
+ analysis of how Teredo could be extended to also support a configured
+ tunnel service.
+
+ It may be possible to design a tunnel server protocol that is
+ compatible with Teredo, in the sense that the same client could be
+ used either in the Teredo service or with a tunnel service. In fact,
+ this could be done by configuring the client with:
+
+ - The IPv4 address of a Teredo server that acts as a tunnel broker
+ - A client identifier
+ - A shared secret with that server
+ - An agreed-upon authentication algorithm.
+
+ The Teredo client would use the secure qualification procedure, as
+ specified in Section 5.2.2. Instead of returning a Teredo prefix in
+ the router advertisement, the server would return a globally routable
+ IPv6 prefix; this prefix could be permanently assigned to the client,
+ which would provide the client with a stable address. The server
+ would have to keep state, i.e., memorize the association between the
+ prefix assigned to the client and the mapped IPv4 address and mapped
+ UDP port of the client.
+
+ The Teredo server would advertise reachability of the client prefix
+ to the IPv6 Internet. Any packet bound to that prefix would be
+ transmitted to the mapped IPv4 address and mapped UDP port of the
+ client.
+
+ The Teredo client, when it receives the prefix, would notice that
+ this prefix is a global IPv6 prefix, not in the form of a Teredo
+ prefix. The client would at that point recognize that it should
+ operate in tunnel mode. A client that operates in tunnel mode would
+ execute a much simpler transmission procedure: it would forward any
+ packet sent to the Teredo interface to the IPv4 address and Teredo
+ UDP port of the server.
+
+ The Teredo client would have to perform the maintenance procedure
+ described in Section 5.2.5. The server would receive the router
+ solicitation, and could notice a possible change of mapped IPv4
+ address and mapped UDP port that could result from the
+ reconfiguration of the mappings inside the NAT. The server should
+ continue advertising the same IPv6 prefix to the client, and should
+
+
+
+Huitema Standards Track [Page 37]
+
+RFC 4380 Teredo February 2006
+
+
+ update the mapped IPv4 address and mapped UDP port associated to this
+ prefix, if necessary.
+
+ There is as yet no consensus that a tunnel-mode extension to Teredo
+ should be developed. This section is only intended to provide
+ suggestions to the future developers of such services. Many details
+ would probably have to be worked out before a tunnel-mode extension
+ would be agreed upon.
+
+7. Security Considerations
+
+ The main objective of Teredo is to provide nodes located behind a NAT
+ with a globally routable IPv6 address. The Teredo nodes can use IP
+ security (IPsec) services such as Internet Key Exchange (IKE),
+ Authentication Header (AH), or Encapsulation Security Payload (ESP)
+ [RFC4306, RFC4302, RFC4303], without the configuration restrictions
+ still present in "Negotiation of NAT-Traversal in the IKE" [RFC3947].
+ As such, we can argue that the service has a positive effect on
+ network security. However, the security analysis must also envisage
+ the negative effects of the Teredo services, which we can group in
+ four categories: security risks of directly connecting a node to the
+ IPv6 Internet, spoofing of Teredo servers to enable a man-in-the-
+ middle attack, potential attacks aimed at denying the Teredo service
+ to a Teredo client, and denial of service attacks against non-Teredo
+ participating nodes that would be enabled by the Teredo service.
+
+ In the following, we review in detail these four types of issues, and
+ we present mitigating strategies for each of them.
+
+7.1. Opening a Hole in the NAT
+
+ The very purpose of the Teredo service is to make a machine reachable
+ through IPv6. By definition, the machine using the service will give
+ up whatever firewall service was available in the NAT box, however
+ limited this service may be [RFC2993]. The services that listen to
+ the Teredo IPv6 address will become the potential target of attacks
+ from the entire IPv6 Internet. This may sound scary, but there are
+ three mitigating factors.
+
+ The first mitigating factor is the possibility to restrict some
+ services to only accept traffic from local neighbors, e.g., using
+ link-local addresses. Teredo does not support communication using
+ link-local addresses. This implies that link-local services will not
+ be accessed through Teredo, and will be restricted to whatever other
+ IPv6 connectivity may be available, e.g., direct traffic with
+ neighbors on the local link, behind the NAT.
+
+
+
+
+
+Huitema Standards Track [Page 38]
+
+RFC 4380 Teredo February 2006
+
+
+ The second mitigating factor is the possible use of a "local
+ firewall" solution, i.e., a piece of software that performs locally
+ the kind of inspection and filtering that is otherwise performed in a
+ perimeter firewall. Using such software is recommended.
+
+ The third mitigating factor is the availability of IP security
+ (IPsec) services such as IKE, AH, or ESP [RFC4306, RFC4302, RFC4303].
+ Using these services in conjunction with Teredo is a good policy, as
+ it will protect the client from possible attacks in intermediate
+ servers such as the NAT, the Teredo server, or the Teredo relay.
+ (However, these services can be used only if the parties in the
+ communication can negotiate a key, which requires agreeing on some
+ credentials; this is known to be a hard problem.)
+
+7.2. Using the Teredo Service for a Man-in-the-Middle Attack
+
+ The goal of the Teredo service is to provide hosts located behind a
+ NAT with a globally reachable IPv6 address. There is a possible
+ class of attacks against this service in which an attacker somehow
+ intercepts the router solicitation, responds with a spoofed router
+ advertisement, and provides a Teredo client with an incorrect
+ address. The attacker may have one of two objectives: it may try to
+ deny service to the Teredo client by providing it with an address
+ that is in fact unreachable, or it may try to insert itself as a
+ relay for all client communications, effectively enabling a variety
+ of "man-in-the-middle" attack.
+
+7.2.1. Attacker Spoofing the Teredo Server
+
+ The simple nonce verification procedure described in Section 5.2.2
+ provides a first level of protection against attacks in which a third
+ party tries to spoof the server. In practice, the nonce procedure
+ can be defeated only if the attacker is "on path".
+
+ If client and server share a secret and agree on an authentication
+ algorithm, the secure qualification procedure described in Section
+ 5.2.2 provides further protection. To defeat this protection, the
+ attacker could try to obtain a copy of the secret shared between
+ client and server. The most likely way to obtain the shared secret
+ is to listen to the traffic and mount an offline dictionary attack;
+ to protect against this attack, the secret shared between client and
+ server should contain sufficient entropy. (This probably requires
+ some automated procedure for provisioning the shared secret and the
+ algorithm.)
+
+ If the shared secret contains sufficient entropy, the attacker would
+ have to defeat the one-way function used to compute the
+ authentication value. This specification suggests a default
+
+
+
+Huitema Standards Track [Page 39]
+
+RFC 4380 Teredo February 2006
+
+
+ algorithm combining HMAC and MD5. If the protection afforded by MD5
+ was not deemed sufficient, clients and servers can agree to use a
+ different algorithm, e.g., SHA1.
+
+ Another way to defeat the protection afforded by the authentication
+ procedure is to mount a complex attack, as follows:
+
+ 1) Client prepares router solicitation, including authentication
+ encapsulation.
+
+ 2) Attacker intercepts the solicitation, and somehow manages to
+ prevent it from reaching the server, for example, by mounting a
+ short-duration DoS attack against the server.
+
+ 3) Attacker replaces the source IPv4 address and source UDP port of
+ the request by one of its own addresses and port, and forwards the
+ modified request to the server.
+
+ 4) Server dutifully notes the IPv4 address from which the packet is
+ received, verifies that the Authentication encapsulation is correct,
+ prepares a router advertisement, signs it, and sends it back to the
+ incoming address, i.e., the attacker.
+
+ 5) Attacker receives the advertisement, takes note of the mapping,
+ replaces the IPv4 address and UDP port by the original values in the
+ intercepted message, and sends the response to the client.
+
+ 6) Client receives the advertisement, notes that the authentication
+ header is present and is correct, and uses the proposed prefix and
+ the mapped addresses in the origin indication encapsulation.
+
+ The root cause of the problem is that the NAT is, in itself, a man-
+ in-the-middle attack. The Authentication encapsulation covers the
+ encapsulated IPv6 packet, but does not cover the encapsulating IPv4
+ header and UDP header. It is very hard to devise an effective
+ authentication scheme, since the attacker does not do anything else
+ than what the NAT legally does!
+
+ However, there are several mitigating factors that lead us to avoid
+ worrying too much about this attack. In practice, the gain from the
+ attack is either to deny service to the client or to obtain a "man-
+ in-the-middle" position. However, in order to mount the attack, the
+ attacker must be able to suppress traffic originating from the
+ client, i.e., have denial of service capability; the attacker must
+ also be able to observe the traffic exchanged between client and
+ inject its own traffic in the mix, i.e., have man-in-the-middle
+ capacity. In summary, the attack is very hard to mount, and the gain
+ for the attacker in terms of "elevation of privilege" is minimal.
+
+
+
+Huitema Standards Track [Page 40]
+
+RFC 4380 Teredo February 2006
+
+
+ A similar attack is described in detail in the security section of
+ [RFC3489].
+
+7.2.2. Attacker Spoofing a Teredo Relay
+
+ An attacker may try to use Teredo either to pass itself for another
+ IPv6 host or to place itself as a man-in-the-middle between a Teredo
+ host and a native IPv6 host. The attacker will mount such attacks by
+ spoofing a Teredo relay, i.e., by convincing the Teredo host that
+ packets bound to the native IPv6 host should be relayed to the IPv4
+ address of the attacker.
+
+ The possibility of the attack derives from the lack of any
+ algorithmic relation between the IPv4 address of a relay and the
+ native IPv6 addresses served by these relay. A Teredo host cannot
+ decide just by looking at the encapsulating IPv4 and UDP header
+ whether or not a relay is legitimate. If a Teredo host decided to
+ simply trust the incoming traffic, it would easily fall prey to a
+ relay-spoofing attack.
+
+ The attack is mitigated by the "direct IPv6 connectivity test"
+ specified in Section 5.2.9. The test specifies a relay discovery
+ procedure secured by a nonce. The nonce is transmitted from the
+ Teredo host to the destination through Teredo server, which the
+ client normally trusts. The response arrives through the "natural"
+ relay, i.e., the relay closest to the IPv6 destination. Sending
+ traffic to this relay will place it out of reach of attackers that
+ are not on the direct path between the Teredo host and its IPv6 peer.
+
+ End-to-end security protections are required to defend against
+ spoofing attacks if the attacker is on the direct path between the
+ Teredo host and its peer.
+
+7.2.3. End-to-End Security
+
+ The most effective line of defense of a Teredo client is probably not
+ to try to secure the Teredo service itself: even if the mapping can
+ be securely obtained, the attacker would still be able to listen to
+ the traffic and send spoofed packets. Rather, the Teredo client
+ should realize that, because it is located behind a NAT, it is in a
+
+ situation of vulnerability; it should systematically try to encrypt
+ its IPv6 traffic, using IPsec. Even if the IPv4 and UDP headers are
+ vulnerable, the use of IPsec will effectively prevent spoofing and
+ listening of the IPv6 packets by third parties. By providing each
+ client with a global IPv6 address, Teredo enables the use of IPsec
+
+
+
+
+
+Huitema Standards Track [Page 41]
+
+RFC 4380 Teredo February 2006
+
+
+ without the configuration restrictions still present in "Negotiation
+ of NAT-Traversal in the IKE" [RFC3947] and ultimately enhances the
+ security of these clients.
+
+7.3. Denial of the Teredo service
+
+ Our analysis outlines five ways to attack the Teredo service. There
+ are countermeasures for each of these attacks.
+
+7.3.1. Denial of Service by a Rogue Relay
+
+ An attack can be mounted on the IPv6 side of the service by setting
+ up a rogue relay and letting that relay advertise a route to the
+ Teredo IPv6 prefix. This is an attack against IPv6 routing, which
+ can also be mitigated by the same kind of procedures used to
+ eliminate spurious route advertisements. Dual-stack nodes that
+ implement "host local" Teredo relays are impervious to this attack.
+
+7.3.2. Denial of Service by Server Spoofing
+
+ In Section 7.2, we discussed the use of spoofed router advertisements
+ to insert an attacker in the middle of a Teredo conversation. The
+ spoofed router advertisements can also be used to provision a client
+ with an incorrect address, pointing to either a non-existing IPv4
+ address or the IPv4 address of a third party.
+
+ The Teredo client will detect the attack when it fails to receive
+ traffic through the newly acquired IPv6 address. The attack can be
+ mitigated by using the authentication encapsulation.
+
+7.3.3. Denial of Service by Exceeding the Number of Peers
+
+ A Teredo client manages a cache of recently used peers, which makes
+ it stateful. It is possible to mount an attack against the client by
+ provoking it to respond to packets that appear to come from a large
+ number of Teredo peers, thus trashing the cache and effectively
+ denying the use of direct communication between peers. The effect
+ will last only as long as the attack is sustained.
+
+7.3.4. Attacks against the Local Discovery Procedure
+
+ There is a possible denial of service attack against the local peer
+ discovery procedure, if attackers can manage to send spoofed local
+ discovery bubbles to a Teredo client. The checks described in
+ Section 5.2.8 mitigate this attack. Clients who are more interested
+ in security than in performance could decide to disable the local
+ discovery procedure; however, if local discovery is disabled, traffic
+ between local nodes will end up being relayed through a server
+
+
+
+Huitema Standards Track [Page 42]
+
+RFC 4380 Teredo February 2006
+
+
+ external to the local network, which has questionable security
+ implications.
+
+7.3.5. Attacking the Teredo Servers and Relays
+
+ It is possible to mount a brute force denial of service attack
+ against the Teredo servers by sending them a very large number of
+ packets. This attack will have to be brute force, since the servers
+ are stateless, and can be designed to process all the packets that
+ are sent on their access line.
+
+ The brute force attack against the Teredo servers is mitigated if
+ clients are ready to "failover" to another server. Bringing down the
+ servers will, however, force the clients that change servers to
+ renumber their Teredo address.
+
+ It is also possible to mount a brute force attack against a Teredo
+ relay. This attack is mitigated if the relay under attack stops
+ announcing the reachability of the Teredo service prefix to the IPv6
+ network: the traffic will be picked up by the next relay.
+
+ An attack similar to that described in Section 7.3.2 can be mounted
+ against a relay. An IPv6 host can send IPv6 packets to a large
+ number of Teredo destinations, forcing the relay to establish state
+ for each of these destinations. Teredo relays can obtain some
+ protection by limiting the range of IPv6 clients that they serve, and
+ by limiting the amount of state used for "new" peers.
+
+7.4. Denial of Service against Non-Teredo Nodes
+
+ There is a widely expressed concern that transition mechanisms such
+ as Teredo can be used to mount denial of service attacks, by
+ injecting traffic at locations where it is not expected. These
+ attacks fall in three categories: using the Teredo servers as a
+ reflector in a denial of service attack, using the Teredo server to
+ carry a denial of service attack against IPv6 nodes, and using the
+ Teredo relays to carry a denial of service attack against IPv4 nodes.
+ The analysis of these attacks follows. A common mitigating factor in
+ all cases is the "regularity" of the Teredo traffic, which contains
+ highly specific patterns such as the Teredo UDP port, or the Teredo
+ IPv6 prefix. In case of attacks, these patterns can be used to
+ quickly install filters and remove the offending traffic.
+
+ We should also note that none of the listed possibilities offer any
+ noticeable amplification.
+
+
+
+
+
+
+Huitema Standards Track [Page 43]
+
+RFC 4380 Teredo February 2006
+
+
+7.4.1. Laundering DoS attacks from IPv4 to IPv4
+
+ An attacker can use the Teredo servers as reflectors in a denial of
+ service attack aimed at an IPv4 target. The attacker can do this in
+ one of two ways. The first way is to construct a Router Solicitation
+
+ message and post it to a Teredo server, using as IPv4 source address
+ the spoofed address of the target; the Teredo server will then send a
+ Router advertisement message to the target. The second way is to
+ construct a Teredo IPv6 address using the Teredo prefix, the address
+ of a selected server, the IPv4 of the target, and an arbitrary UDP
+ port, and to then send packets bound to that address to the selected
+ Teredo server.
+
+ Reflector attacks are discussed in [REFLECT], which outlines various
+ mitigating techniques against such attacks. One of these mitigations
+ is to observe that "the traffic generated by the reflectors [has]
+ sufficient regularity and semantics that it can be filtered out near
+ the victim without the filtering itself constituting a denial-of-
+ service to the victim ('collateral damage')". The traffic reflected
+ by the Teredo servers meets this condition: it is clearly
+ recognizable, since it originates from the Teredo UDP port; it can be
+ filtered out safely if the target itself is not a Teredo user. In
+ addition, the packets relayed by servers will carry an Origin
+ indication encapsulation, which will help determine the source of the
+ attack.
+
+7.4.2. DoS Attacks from IPv4 to IPv6
+
+ An attacker may use the Teredo servers to launch a denial of service
+ attack against an arbitrary IPv6 destination. The attacker will
+ build an IPv6 packet bound for the target and will send that packet
+ to the IPv4 address and UDP port of a Teredo server, to be relayed
+ from there to the target over IPv6.
+
+ The address checks specified in Section 5.3.1 provide some protection
+ against this attack, as they ensure that the IPv6 source address will
+ be consistent with the IPv4 source address and UDP source port used
+ by the attacker: if the attacker cannot spoof the IPv4 source
+ address, the target will be able to determine the origin of the
+ attack.
+
+ The address checks ensure that the IPv6 source address of packets
+ forwarded by servers will start with the IPv6 Teredo prefix. This is
+ a mitigating factor, as sites under attack could use this to filter
+ out all packets sourced from that prefix during an attack. This will
+ result in a partial loss of service, as the target will not be able
+ to communicate with legitimate Teredo hosts that use the same prefix.
+
+
+
+Huitema Standards Track [Page 44]
+
+RFC 4380 Teredo February 2006
+
+
+ However, the communication with other IPv6 hosts will remain
+ unaffected, and the communication with Teredo hosts will be able to
+ resume when the attack has ceased.
+
+7.4.3. DoS Attacks from IPv6 to IPv4
+
+ An attacker with IPv6 connectivity may use the Teredo relays to
+ launch a denial of service attack against an arbitrary IPv4
+ destination. The attacker will compose a Teredo IPv6 address using
+ the Teredo prefix, a "cone" flag set to 1, the IPv4 address of the
+ target, and an arbitrary UDP port.
+
+ In the simplest variation of this attack, the attacker sends IPv6
+ packets to the Teredo destination using regular IPv6 routing. The
+ packets are picked by the nearest relay, which will forward them to
+ the IPv4 address of the target. In a more elaborate variant, the
+ attacker tricks a Teredo into sending packets to the target, either
+ by sending a first packet with a spoofed IPv6 address and letting the
+ Teredo host reply or by publishing a spoofed IPv6 address in a name
+ service.
+
+ There are three types of IPv4 addresses that an attacker may embed in
+ the spoofed Teredo address. It may embed a multicast or broadcast
+ address, an local unicast address, or a global unicast address.
+
+ With multicast or broadcast addresses, the attacker can use the
+ multiplying effect of multicast routing. By sending a single packet,
+ it can affect a large number of hosts, in a way reminiscent of the
+ "smurf" attack.
+
+ By using local addresses, the attacker can reach hosts that are not
+ normally reachable from the Internet, for example, hosts connected to
+ the a Teredo relay by a private subnet. This creates an exposure
+ for, at a minimum, a denial of service attack against these otherwise
+ protected hosts. This is similar to attack variants using source
+ routing to breach a perimeter.
+
+ The address checks specified in Section 5.2.4, 5.3.1, and 5.4.1
+ verify that packets are relayed only to a global IPv4 address. They
+ are designed to eliminate the possibility of using broadcast,
+ multicast or local addresses in denial of service or other attacks.
+ In what follows, we will only consider attacks targeting globally
+ reachable unicast addresses.
+
+
+
+
+
+
+
+
+Huitema Standards Track [Page 45]
+
+RFC 4380 Teredo February 2006
+
+
+ The attacks can be targeted at arbitrary UDP ports, such as, for
+ example, the DNS port of a server. The UDP payload must be a well-
+ formed IPv6 packet, and is thus unlikely to be accepted by any well-
+ written UDP service; in most case, the only effect of the attack will
+ be to overload the target with random traffic.
+
+ A special case occurs if the attack is directed to an echo service.
+ The service will echo the packets. Since the echo service sees the
+ request coming from the IPv4 address of the relay, the echo replies
+ will be sent back to the same relay. According to the rules
+ specified in Section 5.4, these packets will be discarded by the
+ Teredo relay. This is not a very efficient attack against the Teredo
+ relays -- establishing a legitimate session with an actual Teredo
+ host would create more traffic.
+
+ The IPv6 packets sent to the target contain the IPv6 address used by
+ the attacker. If ingress filtering is used in the IPv6 network, this
+
+ address will be hard to spoof. If ingress filtering is not used, the
+ attacker can be traced if the IPv6 routers use a mechanism similar to
+ ICMP Traceback. The ICMP messages will normally be collected by the
+ same relays that forward the traffic from the attacker; the relays
+ can use these messages to identify the source of an ongoing attack.
+ The details of this solution will have to be developed in further
+ research.
+
+8. IAB Considerations
+
+ The IAB has studied the problem of "Unilateral Self Address Fixing"
+ (UNSAF), which is the general process by which a client attempts to
+ determine its address in another realm on the other side of a NAT
+ through a collaborative protocol reflection mechanism [RFC3424].
+ Teredo is an example of a protocol that performs this type of
+ function. The IAB has mandated that any protocols developed for this
+ purpose document a specific set of considerations. This section
+ meets those requirements.
+
+8.1. Problem Definition
+
+ From [RFC3424], any UNSAF proposal must provide a precise definition
+ of a specific, limited-scope problem that is to be solved with the
+ UNSAF proposal. A short-term fix should not be generalized to solve
+ other problems; this is why "short term fixes usually aren't".
+
+ The specific problem being solved by Teredo is the provision of IPv6
+ connectivity for hosts that cannot obtain IPv6 connectivity natively
+ and cannot make use of 6to4 because of the presence of a NAT between
+ them and the 6to4 relays.
+
+
+
+Huitema Standards Track [Page 46]
+
+RFC 4380 Teredo February 2006
+
+
+8.2. Exit Strategy
+
+ From [RFC3424], any UNSAF proposal must provide the description of an
+ exit strategy/transition plan. The better short term fixes are the
+ ones that will naturally see less and less use as the appropriate
+ technology is deployed.
+
+ Teredo comes with its own built-in exit strategy: as soon as a client
+ obtains IPv6 connectivity by other means, either 6to4 or native IPv6,
+ it can cease using the Teredo service. In particular, we expect that
+ the next generation of home routers will provide an IPv6 service in
+ complement to the current IPv4 NAT service, e.g., by relaying
+ connectivity obtained from the ISP, or by using a configured or
+ automatic tunnel service.
+
+ As long as Teredo is used, there will be a need to support Teredo
+ relays so that the remaining Teredo hosts can communicate with native
+ IPv6 hosts. As Teredo usage declines, the traffic load on the relays
+ will decline. Over time, managers will observe a reduced traffic
+ load on their relays and will turn them off, effectively increasing
+ the pressure on the remaining Teredo hosts to upgrade to another form
+ of connectivity.
+
+ The exit strategy is facilitated by the nature of Teredo, which
+ provides an IP-level solution. IPv6-aware applications do not have
+ to be updated to use or not use Teredo. The absence of impact on the
+ applications makes it easier to migrate out of Teredo: network
+ connectivity suffices.
+
+ There would appear to be reasons why a Teredo implementation might
+ decide to continue usage of the Teredo service even if it already has
+ obtained connectivity by some other means, for example:
+
+ 1. When a client is dual homed, and it wishes to improve the service
+ when communicating with other Teredo hosts that are "nearby" on the
+ IPv4 network. If the client only used its native IPv6 service, the
+ Teredo hosts would be reached only through the relay. By maintaining
+ Teredo, the Teredo hosts can be reached by direct transmission over
+ IPv4.
+
+ 2. If, for some reason, the Teredo link is providing the client with
+ better service than the native IPv6 link, in terms of bandwidth,
+ packet loss, etc.
+
+ The design of Teredo mitigates the dual-homing reason. A host that
+ wishes to communicate with Teredo peers can implement a "host-based
+ relay", which is effectively an unnumbered Teredo interface. As
+ such, the dual-homed host will obtain Teredo connectivity with those
+
+
+
+Huitema Standards Track [Page 47]
+
+RFC 4380 Teredo February 2006
+
+
+ hosts that must use Teredo, but will not inadvertently encourage
+ other dual-homed hosts to keep using the Teredo service.
+
+ The bubbles and the UDP encapsulation used by Teredo introduce a
+ significant overhead. It would take exceptional circumstances for
+ native technologies to provide a lesser service than Teredo. These
+ exceptional circumstances, or other unforeseen reasons, may induce
+ hosts to keep using the Teredo service despite the availability of
+ native IPv6 connectivity. However, these circumstances are likely to
+ be rare and transient. Moreover, if the primary reason to use Teredo
+ fades away, one can expect that Teredo relays will be progressively
+ turned off and that the quality of the Teredo service will
+ progressively degrade, reducing the motivation to use the Teredo
+ service.
+
+8.3. Brittleness Introduced by Teredo
+
+ From [RFC3424], any UNSAF proposal must provide a discussion of
+ specific issues that may render systems more "brittle". For example,
+ approaches that involve using data at multiple network layers create
+ more dependencies, increase debugging challenges, and make it harder
+ to transition.
+
+ Teredo introduces brittleness into the system in several ways: the
+ discovery process assumes a certain classification of devices based
+ on their treatment of UDP; the mappings need to be continuously
+ refreshed; and addressing structure may cause some hosts located
+ behind a common NAT to be unreachable from each other.
+
+ There are many similarities between these points and those introduced
+ by Simple Traversal of the UDP Protocol through NAT (STUN) [RFC3489];
+ however, Teredo is probably somewhat less brittle than STUN. The
+ reason is that all Teredo packets are sent from the local IPv4 Teredo
+ service port, including discovery, bubbles, and actual encapsulated
+ packets. This is different from STUN, where NAT type detection and
+ binding allocation use different local ports (ephemeral, in both
+ cases).
+
+ Teredo assumes a certain classification of devices based on their
+ treatment of UDP (e.g., cone, protected cone and symmetric). There
+ could be devices that would not fit into one of these molds, and
+ hence would be improperly classified by Teredo.
+
+ The bindings allocated from the NAT need to be continuously
+ refreshed. Since the timeouts for these bindings are very
+ implementation specific, the refresh interval cannot easily be
+
+
+
+
+
+Huitema Standards Track [Page 48]
+
+RFC 4380 Teredo February 2006
+
+
+ determined. When the binding is not being actively used to receive
+ traffic, but to wait for an incoming message, the binding refresh
+ will needlessly consume network bandwidth.
+
+ The use of the Teredo server as an additional network element
+ introduces another point of potential security attack. These attacks
+ are largely prevented by the security measures provided by Teredo,
+ but not entirely.
+
+ The use of the Teredo server as an additional network element
+ introduces another point of failure. If the client cannot locate a
+ Teredo server, or if the server should be unavailable due to failure,
+ the Teredo client will not be able to obtain IPv6 connectivity.
+
+ The communication with non-Teredo hosts relies on the availability of
+ Teredo relays. The Teredo design assumes that there are multiple
+ Teredo relays; the Teredo service will discover the relay closest to
+ the non-Teredo peer. If that relay becomes unavailable, or is
+ misbehaving, communication between the Teredo hosts and the peers
+ close to that relay will fail. This reliability issue is somewhat
+ mitigated by the possibility to deploy many relays, arbitrarily close
+ from the native IPv6 hosts that require connectivity with Teredo
+ peers.
+
+ Teredo imposes some restrictions on the network topologies for proper
+ operation. In particular, if the same NAT is on the path between two
+ clients and the Teredo server, these clients will only be able to
+ interoperate if they are connected to the same link, or if the common
+ NAT is capable of "hairpinning", i.e., "looping" packets sent by one
+ client to another.
+
+ There are also additional points of brittleness that are worth
+ mentioning:
+
+ - Teredo service will not work through NATs of the symmetric variety.
+
+ - Teredo service depends on the Teredo server running on a network
+ that is a common ancestor to all Teredo clients; typically, this is
+ the public Internet. If the Teredo server is itself behind a NAT,
+ Teredo service will not work to certain peers.
+
+ - Teredo introduces jitter into the IPv6 service it provides, due to
+ the queuing of packets while bubble exchanges take place. This
+ jitter can negatively impact applications, particularly latency
+ sensitive ones, such as Voice over IP (VoIP).
+
+
+
+
+
+
+Huitema Standards Track [Page 49]
+
+RFC 4380 Teredo February 2006
+
+
+8.4. Requirements for a Long-Term Solution
+
+ From [RFC3424], any UNSAF proposal must identify requirements for
+ longer-term, sound technical solutions -- contribute to the process
+ of finding the right longer-term solution.
+
+ Our experience with Teredo has led to the following requirements for
+ a long-term solution to the NAT problem: the devices that implement
+ the IPv4 NAT services should in the future also become IPv6 routers.
+
+9. IANA Considerations
+
+ This memo documents a request to IANA to allocate a 32-bit Teredo
+ IPv6 service prefix, as specified in Section 2.6, and a Teredo IPv4
+ multicast address, as specified in Section 2.17.
+
+10. Acknowledgements
+
+ Many of the ideas in this memo are the result of discussions between
+ the author and Microsoft colleagues, notably Brian Zill, John Miller,
+ Mohit Talwar, Joseph Davies, and Rick Rashid. Several encapsulation
+ details are inspired from earlier work by Keith Moore. The example
+ in Section 5.1 and a number of security precautions were suggested by
+ Pekka Savola. The local discovery procedure was suggested by Richard
+ Draves and Dave Thaler. The document was reviewed by members of the
+ NGTRANS and V6OPS working groups, including Brian Carpenter, Cyndi
+ Jung, Keith Moore, Thomas Narten, Anssi Porttikivi, Pekka Savola, Eng
+ Soo Guan, and Eiffel Wu. Eric Klein, Karen Nielsen, Francis Dupont,
+ Markku Ala-Vannesluoma, Henrik Levkowetz, and Jonathan Rosenberg
+ provided detailed reviews during the IETF last call.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Huitema Standards Track [Page 50]
+
+RFC 4380 Teredo February 2006
+
+
+11. References
+
+11.1. Normative References
+
+ [RFC768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
+ August 1980.
+
+ [RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791, September
+ 1981.
+
+ [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
+ and E. Lear, "Address Allocation for Private Internets",
+ BCP 5, RFC 1918, February 1996.
+
+ [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
+ Hashing for Message Authentication", RFC 2104, February
+ 1997.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
+ (IPv6) Specification", RFC 2460, December 1998.
+
+ [RFC2461] Narten, T., Nordmark, E., and W. Simpson, "Neighbor
+ Discovery for IP Version 6 (IPv6)", RFC 2461, December
+ 1998.
+
+ [RFC2462] Thomson, S. and T. Narten, "IPv6 Stateless Address
+ Autoconfiguration", RFC 2462, December 1998.
+
+ [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains
+ via IPv4 Clouds", RFC 3056, February 2001.
+
+ [RFC3424] Daigle, L. and IAB, "IAB Considerations for UNilateral
+ Self-Address Fixing (UNSAF) Across Network Address
+ Translation", RFC 3424, November 2002.
+
+ [RFC3566] Frankel, S. and H. Herbert, "The AES-XCBC-MAC-96 Algorithm
+ and Its Use With IPsec", RFC 3566, September 2003.
+
+ [FIPS-180] "Secure Hash Standard", Computer Systems Laboratory,
+ National Institute of Standards and Technology, U.S.
+ Department Of Commerce, May 1993.
+
+
+
+
+
+
+
+Huitema Standards Track [Page 51]
+
+RFC 4380 Teredo February 2006
+
+
+11.2. Informative References
+
+ [RFC2993] Hain, T., "Architectural Implications of NAT", RFC 2993,
+ November 2000.
+
+ [RFC3330] IANA, "Special-Use IPv4 Addresses", RFC 3330, September
+ 2002.
+
+ [RFC3489] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy.
+ "STUN - Simple Traversal of User Datagram Protocol (UDP)
+ Through Network Address Translators (NATs)", RFC 3489,
+ March 2003.
+
+ [RFC3904] Huitema, C., Austein, R., Satapati, S., and R. van der
+ Pol, "Evaluation of IPv6 Transition Mechanisms for
+ Unmanaged Networks", RFC 3904, September 2004.
+
+ [RFC3947] Kivinen, T., Swander, B., Huttunen, A., and V. Volpe,
+ "Negotiation of NAT-Traversal in the IKE", RFC 3947,
+ January 2005.
+
+ [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December
+ 2005.
+
+ [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
+ 4303, December 2005.
+
+ [RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC
+ 4306, December 2005.
+
+ [REFLECT] V. Paxson, "An analysis of using reflectors for
+ distributed denial of service attacks", Computer
+ Communication Review, ACM SIGCOMM, Volume 31, Number 3,
+ July 2001, pp 38-47.
+
+Author's Address
+
+ Christian Huitema
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052-6399
+
+ EMail: huitema@microsoft.com
+
+
+
+
+
+
+
+
+Huitema Standards Track [Page 52]
+
+RFC 4380 Teredo February 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Huitema Standards Track [Page 53]
+