Teredo and Protection from Unsolicited Incoming IPv6 Traffic
As described in Using IPv6 and Teredo, IPv6 traffic that is tunneled with Teredo is not subject to the IPv4 packet filtering function of typical NATs. Although this might sound like Teredo is bypassing the NAT and allowing potentially malicious IPv6 traffic on private networks, consider the following:
- Teredo does not change the behavior of NATs. Teredo clients create dynamic NAT translation table entries for their own Teredo traffic. The NAT forwards incoming Teredo traffic to the host that created the matching NAT translation table entry. The NAT will not forward Teredo traffic to computers on the private network that are not Teredo clients.
- Teredo clients that use a host-based, stateful firewall that supports IPv6 traffic, such as Windows Firewall, are protected from unsolicited, unwanted, incoming IPv6 traffic. Windows Firewall is enabled by default for Windows XP with SP2, Windows Vista, and Windows Server "Longhorn."
The combination of IPv6, Teredo, and a host-based, stateful, IPv6 firewall does not affect the packet filtering function of the NAT for IPv4-based traffic and does not make your Windows-based computer more susceptible to attacks by malicious users and programs that use IPv6 traffic, rather than IPv4 traffic.
Currently, Teredo only attempts to qualify an address when a listening application has the Edge Traversal flag set in its firewall rule, or when an application is attempting to connect out using Teredo. There is a registry setting, Default Qualified, which causes Teredo to always attempt address qualification regardless of the two prior conditions. The Edge Traversal flag in the firewall must still be set for a listening application to receive Teredo traffic; even without this flag, Default Qualified still makes the Teredo client attempt to qualify an address. Again, because the firewall still has settings that allow or deny Teredo traffic to each application, this is not a security flaw.
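The practical consequence of the two sections above is that the only programs that can receive unsolicited IPv6 traffic over Teredo are those listening behind an enabled inbound firewall rule whose edge traversal policy is not Block. The following audit script is an added example, not part of the original article; it assumes a Windows 8 / Windows Server 2012 or later host with the NetworkTransition and NetSecurity PowerShell modules (the older systems named above use the equivalent netsh commands instead), run from an elevated session. It reports the Teredo type, the Default Qualified setting, the current Teredo state, and every enabled inbound allow rule that permits edge traversal, so a defender can see exactly which listening applications are reachable through the tunnel.

```powershell
# Added audit example (not the article's own code). Assumes the NetworkTransition
# and NetSecurity modules (Windows 8 / Server 2012 and later), elevated session.

function Get-TeredoConfigurationSummary {
    # Type is Default, Client, EnterpriseClient, Server or Disabled.
    # DefaultQualified reflects the "Default Qualified" setting discussed above.
    $cfg = Get-NetTeredoConfiguration
    [pscustomobject]@{
        Type             = $cfg.Type
        ServerName       = $cfg.ServerName
        DefaultQualified = $cfg.DefaultQualified
    }
}

function Get-TeredoStateSummary {
    # State is Offline, Probe, Qualified or Dormant; Qualified means the
    # client currently holds a usable Teredo address.
    Get-NetTeredoState | Format-List
}

function Get-EdgeTraversalRule {
    # Enabled inbound allow rules whose edge traversal policy is not Block.
    # Allow, DeferToApp and DeferToUser all permit a listening program to
    # receive unsolicited IPv6 traffic over Teredo (DeferToApp / DeferToUser
    # only once the application or user has opted in).
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { $_.EdgeTraversalPolicy -ne 'Block' }

    foreach ($rule in $rules) {
        $app  = $rule | Get-NetFirewallApplicationFilter
        $port = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name          = $rule.DisplayName
            Profile       = $rule.Profile
            EdgeTraversal = $rule.EdgeTraversalPolicy
            Program       = $app.Program
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
        }
    }
}

'=== Teredo configuration ==='
Get-TeredoConfigurationSummary | Format-List

'=== Teredo state ==='
Get-TeredoStateSummary

'=== Inbound rules permitting edge traversal ==='
$edge = Get-EdgeTraversalRule
if ($edge) { $edge | Format-Table -AutoSize } else { 'None: no listening application is reachable over Teredo.' }
```

If the last section is empty, the host matches the article's baseline: the Teredo client may qualify an address, but no inbound IPv6 packet arriving through the tunnel reaches a listening program. Each rule that does appear is a deliberate exception and should be traceable to an application that needs it; the Teredo type of Disabled, or a Windows Firewall rule blocking the Teredo interface, is the broader control where no application on the host needs the tunnel at all.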