In the previous two parts I talked about Teredo in general and also about NAT & Teredo. In this post I hope to talk more about how Teredo works.
Teredo Clients
Microsoft has made available Teredo servers on the Internet. These are reachable at win8.ipv6.microsoft.com and teredo.ipv6.microsoft.com, and Windows clients have this address already set as their Teredo server.
If the Teredo server address is not reachable, the client is in an offline state:
```
C:\>netsh interface teredo show state
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port             : unspecified
State                   : offline
Error                   : failed to resolve server name
```
If the Teredo server address is reachable, the client is in a dormant state. As the name indicates this is a state in which the Teredo client is not active, but when required it can contact the server and auto-configure an IPv6 address and send/ receive packets.
```
C:\>netsh interface teredo show state
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port             : unspecified
State                   : dormant
```
Send some IPv6 traffic and the state automatically changes to qualified. (Note how the first ping reply took a lot more time than the rest as the Teredo interface was being configured. Sometimes the first reply can time out too.)
```
C:\>ping -6 gw01.rakhesh.com

Pinging gw01.rakhesh.com [2dcc:7c4e:3651:52::254] with 32 bytes of data:
Reply from 2dcc:7c4e:3651:52::254: time=2146ms
Reply from 2dcc:7c4e:3651:52::254: time=1ms
Reply from 2dcc:7c4e:3651:52::254: time=3ms
Reply from 2dcc:7c4e:3651:52::254: time=2ms

Ping statistics for 2dcc:7c4e:3651:52::254:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2146ms, Average = 538ms

C:\>netsh interface teredo show state
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port             : unspecified
State                   : qualified
Client Type             : teredo client
Network                 : unmanaged
NAT                     : restricted
NAT Special Behaviour   : UPNP: No, PortPreserving: Yes
Local Mapping           : 192.168.20.200:52643
External NAT Mapping    : 17.23.51.201:52643
```
Now the Teredo state also shows the type of NAT the client is behind and also the local and external mappings.
Another thing to note in the output above is the “Network” which is currently set to “unmanaged”. Since Teredo allows a client to be reached across a firewall/ NAT and this is something an organisation might not want for its managed machines, the Teredo client tries to accommodate that: before initializing itself it checks whether the computer is on a managed network. If the computer is domain joined and on a network where its domain controllers are reachable – i.e. within an organisation – the Teredo client detects that it’s on a managed network and disables itself.
```
C:\>netsh interface teredo show state
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : win8.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port             : unspecified
State                   : offline
Error                   : client is in a managed network
```
This setting can be changed to set the Teredo client as qualified even in a managed network. This can be done via GPOs, PowerShell, or netsh. The netsh command for this is:

```
C:\>netsh interface teredo set state enterpriseclient
```
This command must be run as an administrator. When a Teredo client is in a managed network and qualified, it is known as an Enterprise Client. Hence the name.
It is also possible to configure clients with a manually specified Teredo server. This can be done via PowerShell …
```
PS> Set-NetTeredoConfiguration -ServerName 17.23.52.250
```
… or netsh …

```
C:\>netsh interface teredo set state servername=17.23.52.250
```
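For anyone auditing machines for Teredo, here is a small parser for the `show state` output covering the states and the manual server setting described above. It is an added example, not part of the original post; the function names and the sample text are constructed, and the `Network : managed` value for an enterprise client is an assumption (the post only shows `unmanaged`).

```python
import re

# Default servers named in this post; anything else was set by hand or by policy.
DEFAULT_SERVERS = {"win8.ipv6.microsoft.com", "teredo.ipv6.microsoft.com"}
# "Key : Value" lines; keys are letters and spaces, values may contain colons.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s+(.*\S)\s*$")

def parse_state(text):
    """Turn 'netsh interface teredo show state' output into a dict of fields."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def assess(text):
    """Return (state, findings) for one host's captured output."""
    f = parse_state(text)
    state = f.get("state", "unknown").lower()
    findings = []
    server = f.get("server name", "").rstrip(".").lower()
    if server and server not in DEFAULT_SERVERS:
        findings.append("non-default Teredo server: " + server)
    if state == "qualified":
        mapping = f.get("external nat mapping", "unknown")
        findings.append("tunnel active, external mapping " + mapping)
        # Assumption: an enterprise client reports "Network : managed".
        if f.get("network", "").lower() == "managed":
            findings.append("qualified on a managed network (enterprise client override)")
    elif state == "dormant":
        findings.append("tunnel can come up on first IPv6 traffic")
    elif f.get("error", "").lower() == "client is in a managed network":
        findings.append("disabled by managed-network detection")
    return state, findings

# Constructed sample modelled on the output shown in this post.
SAMPLE = """\
Type                    : client
Server Name             : 17.23.52.250
State                   : qualified
Network                 : managed
External NAT Mapping    : 17.23.51.201:52643
"""

if __name__ == "__main__":
    state, findings = assess(SAMPLE)
    print(state)
    for item in findings:
        print(" -", item)
```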
Teredo Servers
Setting up your own Windows Teredo Server is easy. Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012, and later can function as a Teredo server.
Here’s how I enable one of these as a Teredo server:
```
PS> Set-NetTeredoConfiguration -Type Server
```
And that’s it really! The computer is now working as a Teredo server.
```
C:\>netsh interface teredo show state
Teredo Parameters
---------------------------------------------
Type                    : server
Virtual Server Ip       : 0.0.0.0
Client Refresh Interval : 30 seconds
State                   : online

Server Packets Received : 0
Success                 : 0 (Bubble 0, Echo 0, RS1 0 RS2 0)
Failure                 : 0 (Hdr 0, Src 0, Dest 0, Auth 0)

Relay Packets Received  : 0
Success                 : 0 (Bubble 0, Data 0)
Failure                 : 0 (Hdr 0, Src 0, Dest 0)

Relay Packets Sent      : 9
Success                 : 0 (Bubble 0, Data 0)
Failure                 : 9 (Hdr 0, Src 9, Dest 0)

Packets Received in the last 30 seconds:
Bubble 0, Echo 0, RS1 0, RS2 0
6to4 source address 0, native IPv6 source address 0
6to4 destination address 0, native IPv6 destination address 0

Estimated Bandwidth consumed in the last 30 seconds (in BPS):
Bubble 0, Echo 0, Primary 0, Secondary 0
6to4 source address 0, native IPv6 source address 0
6to4 destination address 0, native IPv6 destination address 0
```
Running the above command again shows updated stats.
One thing to keep in mind is that even a computer functioning as a Teredo server must be set up with a Teredo server. If the pre-configured Teredo server (e.g. win8.ipv6.microsoft.com) is unreachable, the Teredo interface will be disabled and the computer will not work as a Teredo server. The Teredo state will show as offline even though this computer itself is a server.
```
C:\> netsh interface teredo show state
Teredo Parameters
---------------------------------------------
Type                    : server
Virtual Server Ip       : 0.0.0.0
Client Refresh Interval : 30 seconds
State                   : offline
Error                   : general system failure
Error Code              : 11002
```
To fix this, set this computer as its own Teredo server.
```
C:\>netsh interface teredo set state servername=17.23.52.250
```
Teredo Relays
Previously I wrote about how a Teredo relay sends packets to a Teredo client. How do clients know which Teredo relay to use though? So far we haven’t set a Teredo relay anywhere in our client and server configuration, so where does it enter the picture?
While Teredo servers are specific to a client – i.e. the client is assigned a Teredo server and each client uses only one Teredo server – Teredo relays are specific to the remote end and a particular client will use different relays for different destinations. Here’s how the process works:
- When a Teredo client needs to contact a remote IPv6 host, it first sends an ICMPv6 packet to the remote host.
- Since it doesn’t know how to contact this host, and this is an initial setup connection, the client sends this packet to the Teredo server as a UDP message in IPv4.
- The Teredo server receives this message, decapsulates the IPv6 packet, and sends it on the IPv6 network. Note: this IPv6 packet has the destination address set as the IPv6 address of the remote host, and source address set as the Teredo IPv6 address of the Teredo client.
- Now for the fun part! The IPv6 packet reaches the destination host, the host creates a reply IPv6 packet with itself as the source and the Teredo client IPv6 address as the destination. This packet is sent on the IPv6 network. On the IPv6 network are many Teredo relays, all of them advertising the 2001::/32 prefix. The packet will reach the relay nearest to the destination host, which will then send it to the Teredo client. Once the Teredo client receives the ICMPv6 reply, it knows which relay was used and thus knows the IPv4 address of the relay closest to the destination.
- The Teredo client then sends the actual IPv6 packet as a UDP message in an IPv4 packet to this Teredo relay. And since hole punching is done for this relay address, further packets to and from this relay can travel through.
Similarly when an IPv6 host has a packet for a Teredo client, the packet makes its way to the relay closest to that host. The relay then checks whether it already has a communication set up with the client, in which case it sends the packet over via IPv4. If there’s no on-going communication, or it’s been a while, the relay goes through the hole punching process again and sends the packet.
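A relay can find the client at all because the client's Teredo address under 2001::/32 carries its server's IPv4 address and its external NAT mapping, with the port and address stored bit-inverted (RFC 4380). The following is an added example, not part of the original post; the function names are mine, and the sample address is constructed from the server and mapping values shown earlier with the flags set to 0.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")

def encode_teredo(server, ext_ip, ext_port, flags=0):
    """Build a client's Teredo address: prefix, server, flags, ~port, ~external IP."""
    if not 0 <= ext_port <= 0xFFFF:
        raise ValueError("port out of range")
    srv = int(ipaddress.IPv4Address(server))
    cli = int(ipaddress.IPv4Address(ext_ip)) ^ 0xFFFFFFFF  # stored inverted
    port = ext_port ^ 0xFFFF                               # stored inverted
    raw = (0x20010000 << 96) | (srv << 64) | ((flags & 0xFFFF) << 48) | (port << 32) | cli
    return str(ipaddress.IPv6Address(raw))

def decode_teredo(addr):
    """Recover server and external mapping from a Teredo address, else None."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None  # native, 6to4 or other IPv6 address
    raw = int(ip)
    flags = (raw >> 48) & 0xFFFF
    return {
        "server": str(ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)),
        "flags": flags,
        "cone_nat": bool(flags & 0x8000),  # top flag bit is the cone bit
        "external_ip": str(ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
        "external_port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,
    }

# Constructed sample: server 17.23.52.250, external mapping 17.23.51.201:52643.
SAMPLE_ADDR = encode_teredo("17.23.52.250", "17.23.51.201", 52643)

if __name__ == "__main__":
    print(SAMPLE_ADDR)
    print(decode_teredo(SAMPLE_ADDR))
    print(decode_teredo("2dcc:7c4e:3651:52::254"))  # not a Teredo address
```

Run against IPv6 addresses seen in firewall or proxy logs, `decode_teredo` shows which Teredo server a host registered with and the public IPv4 address and port its tunnel traffic uses.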
Similar to the Teredo server, Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012, and later can function as a Teredo relay. Setting up one of these as a Teredo relay is quite straight-forward. All one has to do is:
- Ensure the Teredo interface is ready – i.e. the relay can reach a Teredo server and the interface is not offline.
- Enable forwarding on the Teredo interface. Enable forwarding on the interface(s) to the IPv6 network.
- Publish a route for the 2001::/32 prefix.
- Enable IPv6 router advertisements on the IPv6 network so other routers pick up the published route.
And that’s it! Here are the commands:
```
C:\>netsh interface teredo set state servername=17.23.52.250
Ok.

C:\>netsh interface ipv6 set interface INET-52.23.1 forwarding=enabled
Ok.

C:\>netsh interface ipv6 set interface "Teredo Tunneling Pseudo-Interface" forwarding=enabled
Ok.

C:\>netsh interface ipv6 set route 2001::/32 "Teredo Tunneling Pseudo-Interface" publish=yes
Ok.

C:\>netsh interface ipv6 set interface INET-52.23.1 advertise=enabled
Ok.
```
That’s all for now!