Teredo Tunneling
Teredo is a transition technology that allows a computer or node located behind a IPv6-unaware network address translation (NAT) device to use IPv6 connectivity to communicate with other computers that use IPv6. Teredo tunneling technology defines a way of encapsulating IPv6 packets within IPv4 UDP datagrams that can be routed through NAT devices and on the IPv4 internet. IPv6 and Teredo is installed and enabled by default in Windows Vista, and users cannot uninstall them.
Users can turn off IPv6 support in Vista. Teredo client in Windows Vista is enabled but inactive by default, but it will activate automatically when required or firewall settings allow an application to use Toredo. When activated, the Teredo client must initially obtain information such as the type of NAT that the client is behind by connecting to one or more Teredo servers. To determine the IPv4 addresses of Teredo servers, the client may send a DNS query to resolve the name teredo.ipv6.microsoft.com. To prevent Teredo related DNS query, or for those who doesn’t use Teredo or IPv6, users can disable or control Teredo in Windows Vista by using the following methods. Microsoft confirms that it is usually workable to disable Teredo, because other technologies can be used instead, for example, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP).
Security considerations
Exposure
Teredo increases the attack surface by assigning globally routable IPv6 addresses to network hosts behind NAT devices, which are otherwise mostly unreachable from the Internet. By doing so, Teredo potentially exposes any IPv6-enabled application with an open port to the outside. It also exposes the IPv6 stack and the Teredo tunneling software to attacks should they have any remotely exploitable vulnerability.
The Microsoft IPv6 stack has a "protection level" socket option. This allows applications to specify whether they are willing to handle traffic coming from the Teredo tunnel, from anywhere except Teredo (the default), or only from the local Intranet.
Firewalling
For a Teredo (pseudo-)tunnel to operate properly, outgoing UDP packets must not be filtered. Moreover, replies to these packets (i.e. "solicited traffic") must also not be filtered. This corresponds to the typical setup of a NAT and its stateful firewall functionality.
Blocking
Teredo tunneling software will detect a fatal error and stop if outgoing IPv4 UDP traffic is blocked.
Turn Off Teredo by Using the Netsh Command
1. Open elevated command prompt by clicking on Start, click All Programs, click Accessories, right-click Command Prompt, and click Run as Administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. At the command prompt, type the following lines (press ENTER after each line):
netsh
interface
teredo
3. At the netsh interface teredo command prompt, type:
set state disabled
Note: The last 2 commands can be combined into the following single command to disable Teredo:
netsh interface teredo set state disabled
----------------------------------------------------------------------------
Turn Off Teredo by Specifying a Registry Setting
1. Run Registry Editor by typing the following text in Start Search and then press Enter:
regedit
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. Navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
3. Right-click “Parameters”, select “New” in the contextual menu, then select “DWORD Value”, and then type the following name for the new value (type the name exactly as shown, including capitalization):
DisabledComponents
4. Double-click “DisabledComponents”, select Hexadecimal, and then in Value data, type:
5. Click OK.
6. Restart the computer.
----------------------------------------------------------------------------
Turn Off Teredo by Using Graphical User Interface
1. Click Start, then Control Panel.
2. Click on “System and Maintenance” link.
3. Click on “Device Manager”.
Click Continue on UAC prompt.
4. In device manager, click the “View” menu and select (tick) “Show hidden devices”.
5. Expand the “Network Adapters” tree.
6. Right click on “Teredo Tunneling Pseudo-Interface” and select “Disable”.
7. Right click on “6to4 Adapter” and select “Disable”.
Hope you enjoy
References
wikipedia - Teredo Tunneling
My Digital Life - Turning Off Teredo Tunneling on Vista
Teredo is a transition technology that allows a computer or node located behind a IPv6-unaware network address translation (NAT) device to use IPv6 connectivity to communicate with other computers that use IPv6. Teredo tunneling technology defines a way of encapsulating IPv6 packets within IPv4 UDP datagrams that can be routed through NAT devices and on the IPv4 internet. IPv6 and Teredo is installed and enabled by default in Windows Vista, and users cannot uninstall them.
Users can turn off IPv6 support in Vista. Teredo client in Windows Vista is enabled but inactive by default, but it will activate automatically when required or firewall settings allow an application to use Toredo. When activated, the Teredo client must initially obtain information such as the type of NAT that the client is behind by connecting to one or more Teredo servers. To determine the IPv4 addresses of Teredo servers, the client may send a DNS query to resolve the name teredo.ipv6.microsoft.com. To prevent Teredo related DNS query, or for those who doesn’t use Teredo or IPv6, users can disable or control Teredo in Windows Vista by using the following methods. Microsoft confirms that it is usually workable to disable Teredo, because other technologies can be used instead, for example, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP).
Security considerations
Exposure
Teredo increases the attack surface by assigning globally routable IPv6 addresses to network hosts behind NAT devices, which are otherwise mostly unreachable from the Internet. By doing so, Teredo potentially exposes any IPv6-enabled application with an open port to the outside. It also exposes the IPv6 stack and the Teredo tunneling software to attacks should they have any remotely exploitable vulnerability.
The Microsoft IPv6 stack has a "protection level" socket option. This allows applications to specify whether they are willing to handle traffic coming from the Teredo tunnel, from anywhere except Teredo (the default), or only from the local Intranet.
Firewalling
For a Teredo (pseudo-)tunnel to operate properly, outgoing UDP packets must not be filtered. Moreover, replies to these packets (i.e. "solicited traffic") must also not be filtered. This corresponds to the typical setup of a NAT and its stateful firewall functionality.
Blocking
Teredo tunneling software will detect a fatal error and stop if outgoing IPv4 UDP traffic is blocked.
Turn Off Teredo by Using the Netsh Command
1. Open elevated command prompt by clicking on Start, click All Programs, click Accessories, right-click Command Prompt, and click Run as Administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. At the command prompt, type the following lines (press ENTER after each line):
netsh
interface
teredo
3. At the netsh interface teredo command prompt, type:
set state disabled
Note: The last 2 commands can be combined into the following single command to disable Teredo:
netsh interface teredo set state disabled
----------------------------------------------------------------------------
Turn Off Teredo by Specifying a Registry Setting
1. Run Registry Editor by typing the following text in Start Search and then press Enter:
regedit
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. Navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
3. Right-click “Parameters”, select “New” in the contextual menu, then select “DWORD Value”, and then type the following name for the new value (type the name exactly as shown, including capitalization):
DisabledComponents
4. Double-click “DisabledComponents”, select Hexadecimal, and then in Value data, type:
5. Click OK.
6. Restart the computer.
----------------------------------------------------------------------------
Turn Off Teredo by Using Graphical User Interface
1. Click Start, then Control Panel.
2. Click on “System and Maintenance” link.
3. Click on “Device Manager”.
Click Continue on UAC prompt.
4. In device manager, click the “View” menu and select (tick) “Show hidden devices”.
5. Expand the “Network Adapters” tree.
6. Right click on “Teredo Tunneling Pseudo-Interface” and select “Disable”.
7. Right click on “6to4 Adapter” and select “Disable”.
Hope you enjoy
References
wikipedia - Teredo Tunneling
My Digital Life - Turning Off Teredo Tunneling on Vista
