
Understanding IPv6, Second Edition

Chapter 14 Teredo

To configure the initial state of the Teredo client, use the netsh interface teredo set state type=disabled|client|enterpriseclient|default command. The Teredo client state types are the following:

disabled The Teredo client and host-specific relay are disabled.

client The Teredo component will detect whether the computer is connected to a managed network, that is, a network that contains Active Directory Domain Services domain controllers of the domain to which the computer belongs. If the computer is connected to a managed network, the Teredo client is disabled. This prevents the Teredo client from tunneling IPv6 traffic through the organization's network firewalls. If the computer is not connected to a managed network, the Teredo client is enabled.

enterpriseclient The Teredo component skips the managed-network detection and enables the Teredo client unconditionally. This option enables the Teredo client even on a managed network and must be set by a user with administrator-level access to the computer.

default Sets the client state to its default option (client).

By default, the Teredo client is disabled when the computer is on a managed network.

To enable the Teredo client on a managed network, use the netsh interface teredo set state type=enterpriseclient command.

By default, the Teredo client uses a dynamically assigned UDP port for incoming Teredo traffic. To configure the Teredo client to use a specific UDP port, use the netsh interface teredo set state clientport=PortNumber command.

Note For computers running Windows XP with SP2, Windows XP with Service Pack 1 with the Advanced Networking Pack for Windows XP, or Windows Server 2003 with Service Pack 1, you use netsh interface ipv6 set teredo commands to configure the Teredo client.

Teredo Addresses

Teredo addresses have the format shown in Figure 14-2.

Teredo Prefix (32 bits) | Teredo Server IPv4 Address (32 bits) | Flags (16 bits) | Obscured External Port (16 bits) | Obscured External Address (32 bits)

Figure 14-2 Teredo address format

A Teredo address consists of the following:

Teredo prefix The first 32 bits are for the Teredo prefix, which is the same for all Teredo addresses. The Teredo prefix defined in RFC 4380 is 2001::/32 and is the prefix used by Teredo in Windows Server 2008 and Windows Vista. Windows XP and Windows Server 2003 initially used the 3FFE:831F::/32 Teredo prefix. Computers running Windows XP or Windows Server 2003 will use the 2001::/32 Teredo prefix when updated with Microsoft Security Bulletin MS06-064.

Teredo server IPv4 address The next 32 bits contain the IPv4 public address of the Teredo server that helped configure this Teredo address. For more information, see the “Initial Configuration for Teredo Clients” section later in this chapter.

Flags The next 16 bits are reserved for Teredo flags. RFC 4380 defines the high-order bit as the Cone flag. The Cone flag is set when a Teredo client is behind a cone NAT. Whether the NAT connected to the Internet is a cone NAT is determined during the Teredo client's initial configuration. For more information, see the "Initial Configuration for Teredo Clients" section later in this chapter. RFC 4380 defines the entire Flags field as C00000UG 00000000. Because the Flags field is part of the Interface ID field, the U bit is the Universal/Local flag (set to 0) and the G bit is the Individual/Group flag (set to 0). This is the use of the Flags field for Windows XP and Windows Server 2003–based Teredo clients.

Windows Server 2008 and Windows Vista–based Teredo clients always set the Cone flag to 1 and use otherwise unused bits within the Flags field to provide a level of protection from address scans by malicious users. For Windows Server 2008 and Windows Vista–based Teredo clients, the 16 bits within the Flags field consist of the following: CRAAAAUG AAAAAAAA. The R bit is reserved for future use (set to 0). The A bits are set to a 12-bit randomly generated number. Because of the random A bits, a malicious user who has determined the rest of the Teredo address by capturing the initial configuration exchange of packets between the Teredo client and Teredo server must still try up to 4096 (2^12) different addresses to find the Teredo client's address during an address scan.

Obscured external port The next 16 bits store an obscured version of the external UDP port corresponding to all Teredo traffic for this Teredo client. When the Teredo client sends its initial packet to a Teredo server, the source UDP port of the packet is mapped by the NAT to a different, external UDP port. The Teredo client maintains this port mapping so that it remains in the NAT’s translation table. Therefore, all Teredo traffic for the host uses the same external, mapped UDP port. The external UDP port is determined by the Teredo server from the source UDP port of the incoming initial packet sent by the Teredo client and sent back to the Teredo client.

The external port is obscured by XORing the external port with 0xFFFF. For example, the obscured version of the external port 5000 in hexadecimal format is EC77 (5000 = 0x1388, 0x1388 XOR 0xFFFF = 0xEC77). Some NATs attempt to translate the external port number to the internal port number when the external port number appears within the payload. Obscuring the external port number prevents these types of NATs from rewriting the external port embedded in the Teredo address.


Obscured external address The last 32 bits store an obscured version of the external IPv4 address corresponding to all Teredo traffic for this Teredo client. Just like the external port, when the Teredo client sends its initial packet to a Teredo server, the source IPv4 address of the packet is mapped by the NAT to a different, external (public) address. The Teredo client maintains this address mapping so that it remains in the NAT’s translation table. Therefore, all Teredo traffic for the host uses the same external, mapped, public IPv4 address. The external IPv4 address is determined by the Teredo server from the source IPv4 address of the incoming initial packet sent by the Teredo client and sent back to the Teredo client.

The external address is obscured by XORing the external address with 0xFFFFFFFF. For example, the obscured version of the public IPv4 address 131.107.0.1 in colon hexadecimal format is 7C94:FFFE (131.107.0.1 = 0x836B0001, 0x836B0001 XOR 0xFFFFFFFF = 0x7C94FFFE). Some NATs attempt to translate the external address to the internal address when the external address appears within the payload. Obscuring the external address prevents these types of NATs from rewriting the external address embedded in the Teredo address.

Figure 14-3 shows an example Teredo configuration with two Teredo clients; one Teredo client is located behind a cone NAT (Teredo Client A), and one is located behind a restricted NAT (Teredo Client B).

Teredo Server: 206.73.118.1 (on the IPv4 Internet)

Teredo Relay: between the IPv4 Internet and the IPv6 Internet

Teredo Client A: behind a cone NAT; external address 157.60.0.1, UDP port 4096; Teredo address 2001::CE49:7601:A866:EFFF:62C3:FFFE

Teredo Client B: behind a restricted NAT; external address 131.107.0.1, UDP port 8192; Teredo address 2001::CE49:7601:2CAD:DFFF:7C94:FFFE

Teredo Address: 2001::ServerAddr:Flags:ObscExtPort:ObscExtAddr

Figure 14-3 Teredo addressing example


Teredo Client A uses the following to construct its Teredo address:

Its Teredo server is at the public IPv4 address of 206.73.118.1.

It is behind a cone NAT.

The external address and port for its Teredo traffic are 157.60.0.1, UDP port 4096.

Therefore, using the Teredo address format of 2001::ServerAddr:Flags:ObscExtPort:ObscExtAddr, Teredo Client A derives the address 2001::CE49:7601:A866:EFFF:62C3:FFFE. This is based on the following:

2001::/32 is the Teredo prefix.

CE49:7601 is the colon hexadecimal version of 206.73.118.1.

A866 is the Flags field in which the Cone flag is set to 1 (indicating that Teredo Client A is located behind a cone NAT); the R, U, and G flags are set to 0; and the remaining 12 bits are set to a random sequence (101001100110) to help prevent external address scans. For a Windows XP–based Teredo client without Microsoft Security Bulletin MS06-064 installed, the Flags field would be set to 0x8000.

EFFF is the obscured version of UDP port 4096.

62C3:FFFE is the obscured version of the public IPv4 address 157.60.0.1.

Teredo Client B uses the following to construct its Teredo address:

Its Teredo server is at the public IPv4 address of 206.73.118.1.

It is behind a restricted NAT.

The external address and port for its Teredo traffic are 131.107.0.1, UDP port 8192.

Therefore, Teredo Client B derives the address 2001::CE49:7601:2CAD:DFFF:7C94:FFFE. This is based on the following:

2001::/32 is the Teredo prefix.

CE49:7601 is the colon hexadecimal version of 206.73.118.1.

2CAD is the Flags field in which the Cone flag is set to 0 (indicating that Teredo Client B is located behind a restricted NAT); the R, U, and G flags are set to 0; and the remaining 12 bits are set to a random sequence (101110101101) to help prevent external address scans. For a Windows XP–based Teredo client without Microsoft Security Bulletin MS06-064 installed, the Flags field would be set to 0x0.

DFFF is the obscured version of UDP port 8192.

7C94:FFFE is the obscured version of the public IPv4 address 131.107.0.1.
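The address layout described above (prefix, server address, CRAAAAUG AAAAAAAA flags, XOR-obscured port and address) and the two worked examples for Teredo Client A and Teredo Client B can be checked mechanically. The following Python script is an added example, not code from the book or from Windows: it builds a Teredo address from its components, parses one back into its components, and enumerates the 4096 candidate addresses an attacker is left with once the random A bits are the only unknown. The book does not say which random source Windows uses for the A bits; the script assumes a cryptographic one (secrets.randbits) and takes an explicit value when reproducing the book's examples.

```python
"""Build, parse and enumerate Teredo addresses in the RFC 4380 format.

Layout (16 bytes, big-endian):
  prefix 2001::/32 (32) | server IPv4 (32) | flags (16) | port ^ 0xFFFF (16) | addr ^ 0xFFFFFFFF (32)
Flags layout used by Windows Vista / Server 2008: CRAAAAUG AAAAAAAA
  C = cone flag, R = reserved (0), U/G = universal/local and individual/group bits (0),
  A = 12 random bits (all zero for pre-MS06-064 Windows XP / Server 2003 clients).
"""
import ipaddress
import secrets
import struct

TEREDO_PREFIX = 0x20010000  # the first 32 bits of 2001::/32


def obscure_port(port):
    """Obscure the external UDP port so NAT ALGs do not rewrite it inside the address."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("UDP port out of range")
    return port ^ 0xFFFF


def obscure_addr(addr):
    """Obscure the external IPv4 address (as a 32-bit integer) the same way."""
    return int(ipaddress.IPv4Address(addr)) ^ 0xFFFFFFFF


def build_flags(cone, random_bits=None):
    """Assemble the 16-bit Flags field as CRAAAAUG AAAAAAAA.

    random_bits=None draws 12 fresh random bits (assumption: a CSPRNG is used);
    random_bits=0 yields the older C000 0000 0000 0000 layout (0x8000 or 0x0).
    """
    if random_bits is None:
        random_bits = secrets.randbits(12)
    if not 0 <= random_bits < 4096:
        raise ValueError("random_bits must fit in 12 bits")
    high4 = (random_bits >> 8) & 0xF  # the AAAA nibble between R and U
    low8 = random_bits & 0xFF         # the trailing AAAAAAAA byte
    return (int(cone) << 15) | (high4 << 10) | low8


def build_teredo_address(server, cone, ext_addr, ext_port, random_bits=None):
    """Return the Teredo address (ipaddress.IPv6Address) for these components."""
    packed = struct.pack(
        ">IIHHI",
        TEREDO_PREFIX,
        int(ipaddress.IPv4Address(server)),
        build_flags(cone, random_bits),
        obscure_port(ext_port),
        obscure_addr(ext_addr),
    )
    return ipaddress.IPv6Address(packed)


def parse_teredo_address(addr):
    """Split a Teredo address into server, cone flag, random bits, external port/address."""
    prefix, server, flags, oport, oaddr = struct.unpack(
        ">IIHHI", ipaddress.IPv6Address(addr).packed
    )
    if prefix != TEREDO_PREFIX:
        raise ValueError("%s is not inside the Teredo prefix 2001::/32" % addr)
    return {
        "server": str(ipaddress.IPv4Address(server)),
        "cone": bool(flags >> 15),
        "random_bits": (((flags >> 10) & 0xF) << 8) | (flags & 0xFF),
        "external_port": oport ^ 0xFFFF,
        "external_addr": str(ipaddress.IPv4Address(oaddr ^ 0xFFFFFFFF)),
    }


def scan_candidates(server, cone, ext_addr, ext_port):
    """Every address a scanner must try when only the 12 A bits are unknown (4096 of them)."""
    return [build_teredo_address(server, cone, ext_addr, ext_port, r) for r in range(4096)]


if __name__ == "__main__":
    # The two addresses from Figure 14-3, decoded back into their components.
    for example in ("2001::CE49:7601:A866:EFFF:62C3:FFFE",
                    "2001::CE49:7601:2CAD:DFFF:7C94:FFFE"):
        print(example, parse_teredo_address(example))
    # A freshly randomized address for Client A's parameters, and the scan space it sits in.
    fresh = build_teredo_address("206.73.118.1", True, "157.60.0.1", 4096)
    print(fresh, "is one of", len(scan_candidates("206.73.118.1", True, "157.60.0.1", 4096)))
```

The parser deliberately rejects anything outside 2001::/32; the older 3FFE:831F::/32 prefix would need a second constant if you must handle pre-MS06-064 clients. Note also that the 12-bit scan space only helps against a blind scanner: anyone who observed the client's Router Solicitation exchange with the server already knows everything but those bits, which is exactly the 4096-address case that scan_candidates enumerates.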

Teredo addresses are assigned only to Teredo clients. Teredo servers, Teredo relays, and Teredo host-specific relays are not assigned a Teredo address.
