Friday, February 12, 2010

Follow up from last night's EBCUG - IPv6 and Teredo

At last night's EBCUG meeting there was a very lively debate regarding Microsoft and Teredo and what the OSes are and are not doing by default with Teredo. To clear up some of the items, I wanted to provide some links and information.

First, Microsoft has some pretty good write-ups on IPv6 and on Teredo specifically, covering what they have implemented. As you can see on the Teredo page, they specifically outline when IPv6 and Teredo are enabled by default and when they are not. The Teredo write-up is quite extensive and goes over all the methods for NAT traversal. You can also find a good transitions document from Microsoft regarding all the IPv6 transition technologies. To clear up what is and is not on by default, the document says the following:
"Teredo support is included and is disabled by default. Teredo support is included with Windows Server 2008, Windows Server 2003 Service Pack 1 and later, Windows XP with SP2 and later, and Windows XP with SP1 and the Advanced Networking Pack for Windows XP, and is disabled by default. Teredo support is also included with Windows Vista and is enabled but inactive by default."

For those with Windows XP SP2 who are concerned about running Teredo, the Windows Firewall does protect against unsolicited incoming IPv6 traffic, just as it does for IPv4. To set up Teredo on Windows XP SP2 you need to install IPv6 with the netsh interface ipv6 install command and then enable Teredo with the netsh interface ipv6 set teredo client command. But by default Teredo is not enabled on XP.

For Windows Vista and 7 (and Windows Server 2008 and 2008R2) it is possible to disable IPv6 (not uninstall it) by using the instructions at this KB article.

If you are running Windows Vista, 7 or Server 2008, then switch to PowerShell commands. To see what Teredo is doing, run netsh interface teredo show state under PowerShell, which should produce output something like:
PS C:\> netsh interface teredo show state
Teredo Parameters
---------------------------------------------
Type : client
Server Name : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port : unspecified
State : offline
Error : client is in a managed network

You can also use the netsh interface ipv6 show teredo PowerShell command to see the same information.

If you want to set the state for Teredo, you can run netsh interface teredo set state disabled to turn off Teredo. The command's parameters are:
PS C:\> netsh interface teredo set state ?

Usage: set state [[type]=disabled|client|enterpriseclient|server|default]
[[servername=]||default]
[[refreshinterval=]|default]
[[clientport=]|default]
[[servervirtualip=]|default]

Parameters:

Tag Value
type - One of the following values:
disabled: Disable the Teredo service.
client: Enable the Teredo client.
enterpriseclient: Skip managed network detection.
server: Enable the Teredo server.
default: default state is client.
servername - Name or IPv4 address of the Teredo server.
refreshinterval - Client refresh interval (in seconds).
clientport - Client's UDP port (otherwise chosen by system).
servervirtualip - IPv4 address of the server virtual ip.
Not applicable if running as teredo client.

Remarks: Sets Teredo state.
A 'default' argument to a parameter sets it to the system default.
The 'type=server' option only works on server skus.

Examples:

set state disable
set state client teredo.ipv6.microsoft.com 60 34567

For a lot more details about the netsh commands check out this Technet Library entry.
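
To check this on more than one machine without reading the output by eye, the show state output can be parsed and classified by the type and state fields described above. The PowerShell below is an added example, not part of the original post or any Microsoft tooling; the function names ConvertFrom-TeredoState and Get-TeredoVerdict are hypothetical, and it assumes English-language netsh output.

```powershell
# Added example. Function names are hypothetical; assumes English netsh output
# (field labels differ on localized Windows builds).

function ConvertFrom-TeredoState {
    # Not marked Mandatory, so the blank lines netsh prints bind without error.
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Fields look like "Server Name : teredo.ipv6.microsoft.com."
        # Match up to the first colon only, so values containing ':' survive.
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    New-Object PSObject -Property $fields
}

function Get-TeredoVerdict {
    param($State)
    $type   = "$($State.Type)".ToLower()
    $status = "$($State.State)".ToLower()
    if (-not $type) {
        'UNKNOWN: no Type field parsed (localized or unexpected output)'
    } elseif ($type -eq 'disabled') {
        'OK: Teredo is disabled'
    } elseif ($type -eq 'enterpriseclient') {
        'REVIEW: enterpriseclient skips managed network detection'
    } elseif ($status -eq 'offline') {
        "INFO: enabled but offline ($($State.Error))"
    } else {
        "REVIEW: Teredo type '$type' is in state '$status'"
    }
}

# Constructed sample: the show state output quoted earlier in this post.
$sample = @'
Teredo Parameters
---------------------------------------------
Type : client
Server Name : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port : unspecified
State : offline
Error : client is in a managed network
'@ -split "`r?`n"

Get-TeredoVerdict -State (ConvertFrom-TeredoState -Lines $sample)
# On a live host: ConvertFrom-TeredoState -Lines (netsh interface teredo show state)
```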

It is true that the default Teredo servername parameter is set to teredo.ipv6.microsoft.com, which is actually a CNAME that points to teredo.ipv6.microsoft.com.nsatc.net., which in turn resolves to 65.55.158.80. If you are truly concerned about any hosts on your network building out Teredo services to Microsoft without your knowledge, simply block traffic to that IP address. You can also optionally poison the DNS name in your local name servers.

For IT professionals running AD, you can set up a GPO to disable Teredo, though I believe by default Teredo will stay in a disabled state if it sees that your machine is domain joined.

Hope that helps clear things up and provides some resources on Teredo. It was a great meeting and very interesting talking to everyone about IPv6 and what is happening with it.
- Ed
