
Chapter 14 Teredo


Restricted NATs: A NAT in which the NAT translation table entry stores a mapping between an internal address and port number and an external address and port number, for either specific source addresses or a specific source address and port numbers. An inbound packet that matches the NAT translation table entry for the external destination address and port number from an unknown external address or port number is silently discarded.

Symmetric NATs: A NAT that maps the same internal address and port number to different external addresses and ports, depending on the external destination address (for outbound traffic).

Teredo works well over cone and restricted NATs. Teredo in Windows Server 2008 and Windows Vista can work between Teredo clients if only one Teredo client is behind one or more symmetric NATs. For example, Teredo in Windows Server 2008 and Windows Vista will work if one of the peers is behind a symmetric NAT and the other is behind a cone or restricted NAT.

Teredo in Windows XP SP2, Windows XP SP1 with the Advanced Networking Pack for Windows XP, and Windows Server 2003 Service Pack 1 cannot work over symmetric NATs.
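The two NAT definitions above can be modeled as a small translation table to show why an address learned through a Teredo server stays usable behind a restricted NAT but not behind a symmetric one. This is an added example, not code from the book or from Windows; the class, function names, and all addresses are constructed, and the restricted NAT is modeled in its address-and-port variant.

```python
from itertools import count

class Nat:
    """Toy NAT translation table; a constructed model, not Windows or Teredo code."""

    def __init__(self, kind, public_ip="203.0.113.1"):
        if kind not in ("restricted", "symmetric"):
            raise ValueError(kind)
        self.kind = kind
        self.public_ip = public_ip
        self._next_port = count(40000)
        self.mappings = {}   # mapping key -> external port
        self.entries = {}    # external port -> (internal endpoint, permitted remotes)

    def outbound(self, src, dst):
        """Translate an outbound packet; return the external (ip, port) dst sees."""
        # A symmetric NAT keys the mapping on the destination as well as the source.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.mappings:
            port = next(self._next_port)
            self.mappings[key] = port
            self.entries[port] = (src, set())
        port = self.mappings[key]
        self.entries[port][1].add(dst)   # this remote endpoint may now reply
        return (self.public_ip, port)

    def inbound(self, remote, ext_port):
        """Return the internal endpoint, or None when the packet is silently discarded."""
        entry = self.entries.get(ext_port)
        if entry is None or remote not in entry[1]:
            return None
        return entry[0]

def peer_reachability(kind):
    """Can a peer reach the client on the address the Teredo server observed?"""
    nat = Nat(kind)
    client = ("192.168.1.10", 51000)       # constructed addresses throughout
    server = ("198.51.100.5", 3544)
    peer = ("198.51.100.77", 40123)
    learned = nat.outbound(client, server)     # mapping the server observes
    before = nat.inbound(peer, learned[1])     # unsolicited packet from the peer
    nat.outbound(client, peer)                 # client sends to the peer first
    after = nat.inbound(peer, learned[1])      # peer uses the server-learned port
    return before, after
```

Behind the restricted NAT the peer is discarded until the client has sent to it and is then delivered on the same external port; behind the symmetric NAT the client's packet to the peer leaves from a different external port, so the server-learned port never admits the peer.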

Teredo Components

The Teredo infrastructure consists of the following components:

Teredo clients

Teredo servers

Teredo relays

Teredo host-specific relays

Figure 14-1 shows the components of a Teredo infrastructure.

The following sections describe these components in detail.

Teredo Client

A Teredo client is an IPv6/IPv4 node that supports a Teredo tunneling interface through which packets are tunneled to either other Teredo clients or nodes on the IPv6 Internet (via a Teredo relay or Teredo host-specific relay). A Teredo client communicates with a Teredo server to obtain an address prefix from which a Teredo-based IPv6 address is configured or to help initiate communication with other Teredo clients or hosts on the IPv6 Internet.

Windows Server 2008, Windows Vista, Windows XP SP2, Windows XP SP1 with the Advanced Networking Pack for Windows XP, and Windows Server 2003 with Service Pack 1 include a Teredo client.

322 Understanding IPv6, Second Edition

Figure 14-1 Components of the Teredo infrastructure
(Figure not reproduced. Labels: Teredo Client, NAT, Teredo Server, Teredo Relay, Teredo Host-Specific Relay, IPv4 Internet, IPv6 Internet, IPv6-Only Host, IPv6 over IPv4 Traffic, IPv6 or IPv6 over IPv4 Traffic, IPv6 Traffic.)

Teredo Server

A Teredo server is an IPv6/IPv4 node that is connected to both the IPv4 Internet and the IPv6 Internet, and it supports a Teredo tunneling interface over which packets are received. The general role of the Teredo server is to assist in the address configuration of Teredo clients and to facilitate the initial communication between Teredo clients and other Teredo clients or between Teredo clients and IPv6-only hosts. The Teredo server listens on UDP port 3544 for Teredo traffic.

For more information about the role of the Teredo server in facilitating initial communication, see the “Teredo Processes” section later in this chapter.

Windows Server 2008, Windows Vista, Windows XP SP2, Windows XP SP1 with the Advanced Networking Pack for Windows XP, and Windows Server 2003 with Service Pack 1 do not include Teredo server functionality. To facilitate communication between Windows-based Teredo client computers, Microsoft has deployed Teredo servers on the IPv4 Internet.


Teredo Relay

A Teredo relay is an IPv6/IPv4 router that can forward packets between Teredo clients on the IPv4 Internet (using a Teredo tunneling interface) and IPv6-only hosts on the IPv6 Internet. In some cases, the Teredo relay interacts with a Teredo server to help it facilitate initial communication between Teredo clients and IPv6-only hosts. The Teredo relay listens on UDP port 3544 for Teredo traffic.

For more information about the role of the Teredo relay in facilitating initial and ongoing communication between Teredo clients and IPv6-only hosts, see the “Teredo Processes” section later in this chapter.

Windows Server 2008, Windows Vista, Windows XP SP2, Windows XP SP1 with the Advanced Networking Pack for Windows XP, and Windows Server 2003 with Service Pack 1 do not include Teredo relay functionality. Microsoft does not plan to deploy any Teredo relays on the IPv4 Internet. Individual Internet service providers (ISPs) could deploy their own Teredo relays. The Windows-based Teredo client will work with a Teredo relay when sending traffic to an IPv6-only host on the IPv6 Internet. Teredo relays are not needed for communication between Teredo clients or between Teredo clients and Teredo host-specific relays.

Teredo Host-Specific Relay

Communication between Teredo clients and IPv6 hosts that are configured with a global address must go through a Teredo relay. This is required for IPv6-only hosts connected to the IPv6 Internet. However, when the IPv6 host is IPv6-capable and IPv4-capable and connected to both the IPv4 Internet and IPv6 Internet, communication should occur between the Teredo client and the IPv6 host over the IPv4 Internet, rather than having to traverse the IPv6 Internet and go through a Teredo relay.

A Teredo host-specific relay is an IPv6/IPv4 node that has an interface and connectivity to both the IPv4 Internet and the IPv6 Internet and can communicate directly with Teredo clients over the IPv4 Internet, without the need for an intermediate Teredo relay. The connectivity to the IPv4 Internet can be through a public IPv4 address or through a private IPv4 address and a neighboring NAT. The connectivity to the IPv6 Internet can be through a direct connection to the IPv6 Internet or through an IPv6 transition technology such as 6to4, where IPv6 packets are tunneled across the IPv4 Internet. The Teredo host-specific relay listens on UDP port 3544 for Teredo traffic.

Windows Server 2008, Windows Vista, Windows XP SP2, Windows XP SP1 with the Advanced Networking Pack for Windows XP, and Windows Server 2003 with Service Pack 1 include Teredo host-specific relay functionality, which is automatically enabled if the computer has a global address assigned. A global address can be assigned from a received Router Advertisement message from a native IPv6 router, an ISATAP router, or a 6to4 router. A global address can also be assigned when the computer configures itself as a 6to4 host/router.


Teredo host-specific relay functionality allows Teredo clients to efficiently communicate with Teredo-capable hosts that use 6to4, a non-6to4 global prefix, or ISATAP within organizations that use a global prefix for their addresses.

The Teredo Client and Host-Specific Relay in Windows

When enabled, the Teredo client in Windows Server 2008 and Windows Vista is in either a dormant or qualified state. In the dormant state, the Teredo client has an address, but this address is the previous Teredo address used by the Teredo client and might not be valid.

In the dormant state, the Teredo client does not communicate with a Teredo server to automatically configure a current address or send periodic packets to maintain the NAT mapping for incoming Teredo traffic and verify that the current address is valid. In the qualified state, the Teredo client initiates address configuration and sends periodic packets to a Teredo server. By default, the Teredo client sends a packet to a Teredo server every 30 seconds. You can specify the interval between periodic packets with the netsh interface teredo set state refreshinterval=Seconds command.

The Teredo client is normally in the dormant state. When an IPv6-capable application uses the Teredo tunneling interface for sending or receiving traffic, the Teredo client switches to the qualified state. If the Teredo tunneling interface is not used after one hour and there are no applications listening on the Teredo interface, the Teredo client switches back to the dormant state. The Teredo client uses dormant and qualified states to reduce unnecessary network traffic. The Teredo client performs Teredo address configuration and sends periodic packets to a Teredo server only when an IPv6 application is using the Teredo tunneling interface.
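Because a qualified Teredo client sends a packet to its server on UDP port 3544 at a fixed interval (30 seconds by default), perimeter flow records can show which internal hosts are holding a Teredo tunnel open. The following is an added example, not code from the book; the record format, function name, and all addresses are constructed, and the interval is a parameter because it can be changed with refreshinterval.

```python
from collections import defaultdict
from statistics import median

TEREDO_PORT = 3544  # UDP port the chapter gives for Teredo servers and relays

# Constructed flow records: epoch-seconds src_ip src_port dst_ip dst_port proto
SAMPLE = """\
1000 10.0.0.21 51000 198.51.100.5 3544 udp
1030 10.0.0.21 51000 198.51.100.5 3544 udp
1061 10.0.0.21 51000 198.51.100.5 3544 udp
1089 10.0.0.21 51000 198.51.100.5 3544 udp
1005 10.0.0.34 52000 198.51.100.5 3544 udp
1900 10.0.0.34 52000 198.51.100.5 3544 udp
1010 10.0.0.40 53000 192.0.2.9 53 udp
1040 10.0.0.40 53000 192.0.2.9 3544 tcp
"""

def classify_teredo(records, interval=30, tolerance=5, min_packets=3):
    """Label each (internal host, server) pair sending to UDP 3544.

    'periodic' means the packet spacing matches the refresh interval of a
    client in the qualified state; 'sporadic' means Teredo traffic was seen
    but too little, or too irregular, to match the refresh pattern.
    """
    seen = defaultdict(list)
    for line in records.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records
        ts, src, _sport, dst, dport, proto = fields
        if proto.lower() == "udp" and int(dport) == TEREDO_PORT:
            seen[(src, dst)].append(int(ts))
    result = {}
    for pair, times in seen.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # The length check runs first, so median() never sees an empty list.
        periodic = (len(times) >= min_packets
                    and abs(median(gaps) - interval) <= tolerance)
        result[pair] = {"packets": len(times),
                        "pattern": "periodic" if periodic else "sporadic"}
    return result
```

On the constructed sample, 10.0.0.21 is reported as periodic, 10.0.0.34 as sporadic, and 10.0.0.40 is not reported because neither of its flows is UDP to port 3544.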

Table 14-1 lists whether the Teredo client and Teredo host-specific relay are enabled or disabled for the dormant and qualified states based on the IPv4 and IPv6 address configuration of the computer.

Table 14-1 Teredo Client and Host-Specific Relay

| Computer Configuration | Teredo Client | Teredo Host-Specific Relay |
|---|---|---|
| Public IPv4 addresses only | Enabled for both dormant and qualified states | Enabled only for the qualified state |
| Private IPv4 addresses only | Enabled | Disabled |
| Private IPv4 addresses and 6to4 connectivity via a 6to4 router | Enabled for both dormant and qualified states | Enabled only for the qualified state |
| Global IPv6 addresses only | Disabled | Disabled |
| Private IPv4 addresses and global IPv6 addresses | Enabled for both dormant and qualified states | Enabled only for the qualified state |
| Public IPv4 addresses and global IPv6 addresses | Enabled for both dormant and qualified states | Enabled only for the qualified state |
