Teredo Tunneling Pseudo-Interface - what is it? The Teredo Tunneling pseudo-interface allows data exchange over the Internet. This makes it possible to access IPv6 on your computer, even if the hardware only supports IPv4. If the service is running, it can communicate continuously with Microsoft Teredo servers. However, this message does not slow down your Internet connection or your computer. On some Windows PCs, the service starts by default.
Deactivating a Teredo Tunneling Pseudo-Interface Device
Although the pseudo-interface is not used by most users, it does not interfere with the regular operation of the PC, therefore, deactivating this mode is not mandatory.
The function shutdown algorithm looks like this:
- Open the control panel and select the "Network and Sharing Center" section in the "Network and Internet" section.
- Click “Change adapter settings” on the left and open “Properties” by right-clicking the LAN adapter.
- Disable the option “Internet Protocol 6 (TCP / IPV6)” and close the window using the “OK” button.
Teredo Tunneling Pseudo-Interface - what is it? Definition
The interface provides a logical path connecting the software to a physical network port, such as Ethernet or Wi-Fi.
"Pseudo-interface" - what is it? The Teredo Tunneling Pseudo Interface provides a similar logical path, but encapsulates traffic within another packet structure prior to port delivery. This method is called tunneling. The technology is owned by Microsoft.
Teredo Tunneling Pseudo Interface - what is it? The interface that the software uses to access the tunnel to connect to IPv6 on the network with IPv4 only.
Security questions
Teredo increases the possibility of a hacker attack by assigning globally routable IPv6 addresses to network nodes behind NAT devices that would otherwise be unavailable on the Internet. In doing so, Teredo potentially provides any IPv6-enabled open-port application. Encapsulating Teredo tunnels can also cause IPv6 data traffic content to become invisible to packet inspection software, which will facilitate the spread of malware. Finally, Teredo provides an IPv6 stack and tunneling software for attacks if they have any remotely accessible vulnerability.
To reduce the likelihood of an attack, the Microsoft IPv6 stack has a “security level” socket option. This allows applications to indicate from which sources they are ready to accept IPv6 traffic: from the tunnel, from anywhere except Teredo (by default), or only from the local intranet.
The protocol also encapsulates detailed tunnel endpoint information in its data packets. This information can help a potential attacking threat, increasing the possibility of an attack or reducing the required effort.
Firewall, filtering and blocking
In order to install the Teredo Tunneling Pseudo Interface, and for the protocol to work correctly, outgoing UDP packets must be unfiltered. This corresponds to a typical NAT setup and its functionality. Tunneling software detects a fatal Teredo Tunneling Pseudo-Interface error and stops if outgoing IPv4 UDP traffic is blocked. In addition, blocking outgoing traffic to UDP port 3544 can affect protocol activity.
DoS through routing loops
In 2010, new methods were discovered for creating denial of service attacks using route loops that use the Teredo Tunneling Pseudo Interface tunnels, which are easy to update for optimal performance.
Current versions of Microsoft Windows allow the use of transitional IPv6 technologies, including Teredo with IPv6 support by default. If this is not required, the protocol can be disabled using the CLI command, editing the registry, or using Group Policy.
Implementations
Currently, several Teredo implementations are available:
- Windows XP Service Pack 2 (SP2) includes relaying the client and a specific host (also in the extended network package for Service Pack 1).
- Windows Server 2003 has relays and a server provided as part of the Microsoft Beta program.
- Windows Vista and Windows 7 have native support with undefined extensions for symmetric NAT traversal. If only local links and address are present, these operating systems do not try to resolve IPAA DNS AAAA records, if there is a DNS A record, then they use IPv4. Thus, only literal IPv6 URLs typically use Teredo. This behavior can be changed in the registry.
- Miredo is a client, relay, and server for Linux, BSD, and Mac OS X.
- Ng_teredo is a relay and server based on Netgraph for FreeBSD from LIP6 and 6WIND.
- NICI-Teredo is a repeater for the Linux kernel and a Teredo user server developed at Chiao Tung National University.
Limitations
Teredo is not compatible with all NAT devices. Using RFC 3489 terminology, it supports all coded and port-limited NAT devices, but not symmetrical. Shipwor's original specification also supported symmetric NATs, but stopped deploying them in devices due to security concerns.
Scientists from Chiao Tung National University in Taiwan later proposed SymTeredo technology, which improved the original protocol to support NAT, while Microsoft and Miredo implementations produce some custom extensions to improve support for symmetric ones. However, communication between the Teredo client behind symmetric NAT and the Teredo user over the limited port is still not possible.
Alternatives
6to4 requires a public IPv4 address, but it provides a large 48-bit IPv6 prefix for each endpoint of the tunnel and has lower encapsulation overhead. Point tunnels can be more reliable and accountable than Teredo, they usually provide constant IPv6 addresses that are independent of the IPv4 address of the tunnel endpoint. Some tunnel brokers also support UDP encapsulation for NAT (for example, the AYIYA protocol can do this). Point-to-point tunnels, on the other hand, usually require registration. Automated tools (such as AICCU) simplify their use.