
Mailing List Archive: nsp: ipv6

teredo traffic on 6to4 relay ?

 

 



MarkPace.Balzan at melitaplc

May 3, 2012, 4:02 AM

Post #1 of 7 (1032 views)
Permalink
teredo traffic on 6to4 relay ?

Hi list,


I recently set up a private 6to4 relay (well aware that 6to4 is on the way out...). It seems to work fine for 6to4 traffic, but I am totally stumped as to why I'm also seeing what looks like Teredo traffic on this box.


Below is a sample from v6 netflow taken from the box (there are many such flows in 2001:0::/32 both src and dst)

2001:0:5EF5:79FB:1C10:3591:A734:9CCF Tu64 2001:0:5EF5:79FD:402:263A:BBD9:CCD9 Fa2/0 0x06 0xC5E6 0xC314 1


Any insight would be nice, if any of you have seen this before :)

Box is running Cisco IOS 12.4; Tu64 is the 6to4 tunnel with anycast IP 192.88.99.1 used for 6to4. F2/0 leads out to the v6 native internet.



Cheers

Mark


md at Linux

May 3, 2012, 4:22 AM

Post #2 of 7 (984 views)
Permalink
Re: teredo traffic on 6to4 relay ? [In reply to]

On May 03, Mark Pace Balzan <MarkPace.Balzan [at] melitaplc> wrote:

> I recently set up a private 6to4 relay (well aware that 6to4 is on the way out...). It seems to work fine for 6to4 traffic, but I am totally stumped as to why I'm also seeing what looks like Teredo traffic on this box.

BitTorrent.

--
ciao,
Marco


jeroen at unfix

May 3, 2012, 4:27 AM

Post #3 of 7 (970 views)
Permalink
Re: teredo traffic on 6to4 relay ? [In reply to]

On 2012-05-03 13:22 , Marco d'Itri wrote:
> On May 03, Mark Pace Balzan <MarkPace.Balzan [at] melitaplc> wrote:
>
>> I recently set up a private 6to4 relay (well aware that 6to4 is on the way out...). It seems to work fine for 6to4 traffic, but I am totally stumped as to why I'm also seeing what looks like Teredo traffic on this box.
> BitTorrent.

While the assumption of BT is generally correct, the source and the dest
are both Teredo; as such it should not go over his box in the first place.

But, as we do not know if he has a default route or anything else on it,
it is hard to tell why his box is even forwarding these packets.

I do hope that proper RPF checks are in place...

Greets,
Jeroen


MarkPace.Balzan at melitaplc

May 4, 2012, 6:19 AM

Post #4 of 7 (970 views)
Permalink
Re: teredo traffic on 6to4 relay ? [In reply to]

Marco - thanks, it's possibly BitTorrent, but as Jeroen points out both src and dst are 2001:0 (Teredo)

Jeroen - yes RPF is of course critical, but I'm also interested in why this is happening at all...


> But, as we do not know if he has a default route or anything else on it
> it is hard to tell why his box is even forwarding these packets.

v6 default on the relay points out to the v6 internet and purpose in life of this box is just 6to4 :)

Performing a packet trace on packets (v4 and v6) incoming into the relay box shows that said Teredo packets (i.e. 2001:0 in both src and dst) have v4 source address belonging to v4 unicast users on my network and v4 destination being 192.88.99.1, which is the 6to4 anycast IP.

Therefore IPv4 routing is working fine and v4 packets are being delivered to their correct destination. I suspect that the client originating the packet is somehow sending Teredo-encapsulated traffic to 192.88.99.1 - a bug on the client stack perhaps? Note I don't have access to the client platform.

Additionally, the 6to4 relay seems to be decapsulating the packet and forwarding it on its way to the v6 internet even if it's totally Teredo inside and not 6to4!



Cheers

Mark


MarkPace.Balzan at melitaplc

May 4, 2012, 6:22 AM

Post #5 of 7 (978 views)
Permalink
RE: teredo traffic on 6to4 relay ? [In reply to]

Apologies if this started a separate thread.... must unsubscribe from the digest and get live traffic


-----Original Message-----
From: Mark Pace Balzan
Sent: 04 May 2012 15:19
To: ipv6-ops [at] lists
Subject: Re: teredo traffic on 6to4 relay ?


Marco - thanks, it's possibly BitTorrent, but as Jeroen points out both src and dst are 2001:0 (Teredo)

Jeroen - yes RPF is of course critical, but I'm also interested in why this is happening at all...


> But, as we do not know if he has a default route or anything else on
> it it is hard to tell why his box is even forwarding these packets.

v6 default on the relay points out to the v6 internet and purpose in life of this box is just 6to4 :)

Performing a packet trace on packets (v4 and v6) incoming into the relay box shows that said Teredo packets (i.e. 2001:0 in both src and dst) have v4 source address belonging to v4 unicast users on my network and v4 destination being 192.88.99.1, which is the 6to4 anycast IP.

Therefore IPv4 routing is working fine and v4 packets are being delivered to their correct destination. I suspect that the client originating the packet is somehow sending Teredo-encapsulated traffic to 192.88.99.1 - a bug on the client stack perhaps? Note I don't have access to the client platform.

Additionally, the 6to4 relay seems to be decapsulating the packet and forwarding it on its way to the v6 internet even if it's totally Teredo inside and not 6to4!



Cheers

Mark


jeroen at unfix

May 4, 2012, 7:11 AM

Post #6 of 7 (967 views)
Permalink
Re: teredo traffic on 6to4 relay ? [In reply to]

On 2012-05-04 15:19 , Mark Pace Balzan wrote:
>
> Marco - thanks, it's possibly BitTorrent, but as Jeroen points out
> both src and dst are 2001:0 (Teredo)
>
> Jeroen - yes RPF is of course critical, but I'm also interested in why
> this is happening at all...

Obviously you are not applying proper RPF for your traffic otherwise...

>
>> But, as we do not know if he has a default route or anything else
>> on it it is hard to tell why his box is even forwarding these
>> packets.
>
> v6 default on the relay points out to the v6 internet and purpose in
> life of this box is just 6to4 :)
>
> Performing a packet trace on packets (v4 and v6) incoming into the
> relay box shows that said Teredo packets (i.e. 2001:0 in both src and
> dst) have v4 source address belonging to v4 unicast users on my
> network and v4 destination being 192.88.99.1, which is the 6to4
> anycast IP.

6to4 tunnels are just proto-41 tunnels, with one difference, they should
only handle packets where a source address on the tunnel side is 6to4
(thus 2002::/16). Clearly you are accepting proto-41 traffic with any
kind of source address, otherwise this could not be happening.

Greets,
Jeroen
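
The source check described in the message above, as an added example that is not part of the original thread: a relay-side validator that accepts a proto-41 packet only when the inner IPv6 source is in 2002::/16. It goes one step beyond the thread by also requiring the IPv4 address embedded in the 6to4 source to match the outer IPv4 source, as RFC 3964 recommends. The function names and the outer IPv4 addresses are constructed for illustration; the Teredo addresses are the ones from the flow in the first post.

```python
import ipaddress
import struct

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")

def build_proto41(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed sample: IPv4 header (proto 41, checksum left 0) + bare IPv6 header."""
    v6 = struct.pack("!IHBB", 6 << 28, 0, 59, 64)  # version 6, no payload, next header 59
    v6 += ipaddress.ip_address(inner_src).packed + ipaddress.ip_address(inner_dst).packed
    v4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6), 0, 0, 64, 41, 0)
    v4 += ipaddress.ip_address(outer_src).packed + ipaddress.ip_address(outer_dst).packed
    return v4 + v6

def check_decap(packet):
    """Return (accept, reason) for a packet arriving on the relay's IPv4 side."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False, "not IPv4"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 41:
        return False, "not proto-41"
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return False, "truncated or non-IPv6 payload"
    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner_src in TEREDO:  # reported separately so it stands out in logs
        return False, "inner source is Teredo (2001:0::/32)"
    if inner_src not in SIX_TO_FOUR:
        return False, "inner source outside 2002::/16"
    # A 6to4 address is 2002:V4ADDR::/48; V4ADDR must be the tunnel endpoint.
    embedded = ipaddress.IPv4Address(inner_src.packed[2:6])
    if embedded != outer_src:
        return False, "embedded V4ADDR does not match outer IPv4 source"
    return True, "valid 6to4"

if __name__ == "__main__":
    relay = "192.88.99.1"
    samples = [  # constructed packets; 198.51.100.7 stands in for a customer host
        ("198.51.100.7", "2001:0:5EF5:79FB:1C10:3591:A734:9CCF"),
        ("198.51.100.7", "2002:c633:6407::1"),
        ("198.51.100.7", "2002:c000:0201::1"),
    ]
    for v4_src, v6_src in samples:
        pkt = build_proto41(v4_src, relay, v6_src, "2001:db8::1")
        print(v4_src, v6_src, check_decap(pkt))
```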


MarkPace.Balzan at melitaplc

May 4, 2012, 11:43 AM

Post #7 of 7 (974 views)
Permalink
RE: teredo traffic on 6to4 relay ? [In reply to]

> 6to4 tunnels are just proto-41 tunnels, with one difference, they should only handle packets where a source address on the tunnel side is 6to4 (thus 2002::/16). Clearly you are accepting proto-41 traffic with any kind of source address, otherwise this could not be happening.

Indeed, but the point I'm raising here is not about the correct use of RPF or other security/filtering mechanisms, but to see if anyone has seen this type of behaviour before, to understand out of interest what is happening.
