RE: Xbox Live and Teredo

2018-01-03 Thread Darrin Veit via NANOG
Small clarification:

"- Teredo prefers UDP port 3074 vs. UDP port 3544"

On Xbox One, the Teredo client is bound to UDP 3074 as the default and 
communicates to the Teredo servers on the standard Teredo port, UDP 3544. If 
UPnP is in play and an Xbox console attempts to port map UDP 3074 and receives 
a mapping conflict error from the gateway, the console will fall back to a 
pseudo-random port in the ephemeral range. We also introduced an update last 
year where customers could also manually configure the console to use a 
non-3074 port in case UPnP wasn't enabled on the local network and multiple 
consoles are present.

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Joe Klein
Sent: Tuesday, January 2, 2018 4:13 PM
To: Mark Andrews 
Cc: NANOG list 
Subject: Re: Xbox Live and Teredo

Are you aware:

- Microsoft's justification for Teredo is to support P2P during the transition 
to IPv6 dominant networks.

- Xbox 360: Console
  - IPv4 preferred and requires the Microsoft "custom STUN and security 
implementation."

- Xbox One: Console
  - IPv6 preferred - Native IPv6+IPSec
 - Requires unsolicited inbound IPSec and IKEv2
 - "Disables firewall capabilities if one exists" - UPNP+...

- IPv4 preferred or no IPv6 = [IPv6+IPSec]+Teredo
 - Teredo is only necessary for Xbox Live party chat and multiplayer

  - Within the tunnel, it requires unsolicited inbound IPSec and IKEv2
 - UDP long port mapping refresh intervals (60 seconds+) to avoid losing 
connections to xbox peers
 - Uses UPNP to "Disables firewall capabilities if one exists"
 - If NAT exists, here is the most successful strategy, left to right:
   -  Open to the Internet > Address Restricted > Port Restricted > 
Symmetric > UDP Block
- Teredo prefers UDP port 3074 vs. UDP port 3544

- XBOX - Windows 10
   - Teredo is only necessary for Xbox Live party chat and multiplayer
   - Most common error: “Teredo is unable to qualify”

https://support.xbox.com/en-US/xbox-on-windows/social/troubleshoot-party-chat
  - If a third party firewall is installed, good chance it is blocking teredo 
outbound ports or the Windows10 teredo is disabled.

Hope this helps... And don't ask about the security --- It's "good enough for 
home users" :(




Joe Klein

"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1) PGP 
Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

On Tue, Jan 2, 2018 at 6:19 PM, Mark Andrews  wrote:

> Time to buy a Xbox for the NOC so you can trouble shoot.  All puns 
> intended.
>
> Mark
>
> > On 3 Jan 2018, at 10:15 am, Justin Wilson  wrote:
> >
> > These are all Xbox one clients.  We don’t hand out IPv6 on this
> > network yet, so I made sure to disable any sort of IPV6 on the
> > interfaces just to be sure because I figured Teredo is tied to v6.
> > The only thing we have not done yet is disable any IPV6 stuff on the
> > customer routers.  Everyone has been getting link local addresses for
> > the longest time.   We just disabled ipv6 totally on the interfaces
> > just to be safe.
> >
> >
> > Justin Wilson
> > j...@mtin.net
> >
> > www.mtin.net
> > www.midwest-ix.com
> >
> >> On Jan 2, 2018, at 6:06 PM, Chris Adams  wrote:
> >>
> >> Once upon a time, Mark Andrews  said:
> >>> Given that you have IPv6 I would be looking at why the XBOXs are
> >>> attempting Teredo at all.  I would expect them to use the IPv6
> >>> addresses that you are assigning your customers.
> >>
> >> The OP didn't say what type of Xbox.  IIRC the Xbox 360 does not 
> >> support IPv6, while the Xbox One does (but neither would explain the 
> >> Teredo).
> >> --
> >> Chris Adams 
> >>
> >
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
>
>


Re: Xbox Live and Teredo

2018-01-03 Thread Tore Anderson
* Martin List-Petersen 

> Your best bet: set up a Teredo gateway and facilitate these Xboxes as 
> long as you don't give them native IPv6.

This is unlikely to help, as the XB1 doesn't use Teredo relays at all.

The XB1 uses Teredo to facilitate direct p2p communication between IPv4
consoles only. Essentially it is used as an IPv4 NAT traversal mechanism.

Its Teredo implementation does not allow communication between IPv4 and
IPv6 peers. This is the only communication pattern which would normally
require a third-party Teredo relay. This unfortunately also means that
provisioning IPv6 is also unlikely to help, unless you're in a position
to provision it to both peers.

See: https://www.ietf.org/proceedings/88/slides/slides-88-v6ops-0.pdf

Personally I'd start out by verifying the connectivity to and
functionality of Microsoft's Teredo servers, which are used for NAT
address discovery and port mapping during tunnel setup (unlike Teredo
relays, Teredo servers aren't part of the Teredo «forwarding plane»).

Tore
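
An added example, not part of the original thread: when checking Teredo server functionality as suggested above, the Teredo IPv6 address a client qualifies with can be decoded to see the external IPv4 address and UDP port the server observed. The field layout is the one defined in RFC 4380; the function names are hypothetical and the sample addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # RFC 4380 service prefix
XBOX_DEFAULT_PORT = 3074  # default Xbox One Teredo client port (from the thread)

# Constructed samples using documentation addresses, not captured traffic.
SAMPLE_DEFAULT = "2001:0:c000:201:0:f3fd:39cc:9bf8"
SAMPLE_FALLBACK = "2001:0:c000:201:8000:63bf:39cc:9bf8"


@dataclass
class TeredoMapping:
    server: ipaddress.IPv4Address       # Teredo server that qualified the client
    cone: bool                          # cone-NAT flag, top bit of the flags field
    mapped_port: int                    # external UDP port the server observed
    mapped_addr: ipaddress.IPv4Address  # external IPv4 address the server observed


def decode_teredo(text: str) -> TeredoMapping:
    """Split a Teredo IPv6 address into the fields defined by RFC 4380."""
    addr = ipaddress.IPv6Address(text)
    if addr not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    raw = addr.packed
    flags = int.from_bytes(raw[8:10], "big")
    # Port and client address are stored with every bit inverted.
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF
    return TeredoMapping(
        server=ipaddress.IPv4Address(raw[4:8]),
        cone=bool(flags & 0x8000),
        mapped_port=port,
        mapped_addr=ipaddress.IPv4Address(client),
    )


def triage(text: str, assigned_ip: str) -> list[str]:
    """Compare the server-observed mapping with what the ISP provisioned."""
    m = decode_teredo(text)
    notes = []
    if m.mapped_addr != ipaddress.IPv4Address(assigned_ip):
        notes.append(f"address translated: server saw {m.mapped_addr}")
    if m.mapped_port != XBOX_DEFAULT_PORT:
        notes.append(f"port {m.mapped_port} is not the 3074 default")
    return notes


if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT, SAMPLE_FALLBACK):
        print(decode_teredo(sample), triage(sample, "198.51.100.7"))
```

An empty result from `triage` means the server saw the customer's provisioned address and the default port; any note points at translation or port remapping somewhere between the console and the Teredo server.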


Re: Xbox Live and Teredo

2018-01-02 Thread Joe Klein
While you are at it, you might want to configure a STUN and ICE server, to
address streaming UDP.

Joe Klein

"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

On Tue, Jan 2, 2018 at 10:19 PM, Martin List-Petersen 
wrote:

> On 02/01/18 23:15, Justin Wilson wrote:
>
>> These are all Xbox one clients.  We don’t hand out IPv6 on this network
>> yet, so I made sure to disable any sort of IPV6 on the interfaces just to
>> be sure because I figured Teredo is tied to v6.  The only thing we have not
>> done yet is disable any IPV6 stuff on the customer routers.  Everyone has
>> been getting link local addresses for the longest time.   We just disabled
>> ipv6 totally on the interfaces just to be safe.
>>
>
>
> Disabling anything IPv6 is counter productive. The way things are going is
> IPv6 and has been for many years.
>
> Now ... what could happen is that you've got a misconfigured Teredo
> gateway upstream.
>
> Disabling IPv6 on customer routers etc won't solve your problem. IPv6 is
> here to stay.
>
> Your best bet: set up a Teredo gateway and facilitate these Xboxes as
> long as you don't give them native IPv6.
>
> Just my 2c.
>
> Kind regards,
> Martin List-Petersen
> --
> Airwire Ltd. - Ag Nascadh Pobail an Iarthair
> http://www.airwire.ie
> Phone: 091-865 968
> Registered Office: Moy, Kinvara, Co. Galway, 091-865 968 - Registered in
> Ireland No. 508961
>


Re: Xbox Live and Teredo

2018-01-02 Thread Martin List-Petersen

On 02/01/18 23:15, Justin Wilson wrote:

> These are all Xbox one clients.  We don’t hand out IPv6 on this network yet, so 
> I made sure to disable any sort of IPV6 on the interfaces just to be sure 
> because I figured Teredo is tied to v6.  The only thing we have not done yet is 
> disable any IPV6 stuff on the customer routers.  Everyone has been getting link 
> local addresses for the longest time.   We just disabled ipv6 totally on the 
> interfaces just to be safe.



Disabling anything IPv6 is counter productive. The way things are going 
is IPv6 and has been for many years.


Now ... what could happen is that you've got a misconfigured Teredo 
gateway upstream.


Disabling IPv6 on customer routers etc won't solve your problem. IPv6 is 
here to stay.


Your best bet: set up a Teredo gateway and facilitate these Xboxes as 
long as you don't give them native IPv6.


Just my 2c.

Kind regards,
Martin List-Petersen
--
Airwire Ltd. - Ag Nascadh Pobail an Iarthair
http://www.airwire.ie
Phone: 091-865 968
Registered Office: Moy, Kinvara, Co. Galway, 091-865 968 - Registered in 
Ireland No. 508961


Re: Xbox Live and Teredo

2018-01-02 Thread Joe Klein
Are you aware:

- Microsoft's justification for Teredo is to support P2P during the
transition to IPv6 dominant networks.

- Xbox 360: Console
  - IPv4 preferred and requires the Microsoft "custom STUN and security
implementation."

- Xbox One: Console
  - IPv6 preferred - Native IPv6+IPSec
 - Requires unsolicited inbound IPSec and IKEv2
 - "Disables firewall capabilities if one exists" - UPNP+...

- IPv4 preferred or no IPv6 = [IPv6+IPSec]+Teredo
 - Teredo is only necessary for Xbox Live party chat and multiplayer

  - Within the tunnel, it requires unsolicited inbound IPSec and IKEv2
 - UDP long port mapping refresh intervals (60 seconds+) to avoid
losing connections to xbox peers
 - Uses UPNP to "Disables firewall capabilities if one exists"
 - If NAT exists, here is the most successful strategy, left to right:
   -  Open to the Internet > Address Restricted > Port Restricted >
Symmetric > UDP Block
- Teredo prefers UDP port 3074 vs. UDP port 3544

- XBOX - Windows 10
   - Teredo is only necessary for Xbox Live party chat and multiplayer
   - Most common error: “Teredo is unable to qualify”

https://support.xbox.com/en-US/xbox-on-windows/social/troubleshoot-party-chat
  - If a third party firewall is installed, good chance it is blocking
teredo outbound ports or the Windows10 teredo is disabled.

Hope this helps... And don't ask about the security --- It's "good enough
for home users" :(




Joe Klein

"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

On Tue, Jan 2, 2018 at 6:19 PM, Mark Andrews  wrote:

> Time to buy a Xbox for the NOC so you can trouble shoot.  All puns
> intended.
>
> Mark
>
> > On 3 Jan 2018, at 10:15 am, Justin Wilson  wrote:
> >
> > These are all Xbox one clients.  We don’t hand out IPv6 on this network
> > yet, so I made sure to disable any sort of IPV6 on the interfaces just to
> > be sure because I figured Teredo is tied to v6.  The only thing we have not
> > done yet is disable any IPV6 stuff on the customer routers.  Everyone has
> > been getting link local addresses for the longest time.   We just disabled
> > ipv6 totally on the interfaces just to be safe.
> >
> >
> > Justin Wilson
> > j...@mtin.net
> >
> > www.mtin.net
> > www.midwest-ix.com
> >
> >> On Jan 2, 2018, at 6:06 PM, Chris Adams  wrote:
> >>
> >> Once upon a time, Mark Andrews  said:
> >>> Given that you have IPv6 I would be looking at why the XBOXs are
> >>> attempting Teredo at all.  I would expect them to use the IPv6 addresses
> >>> that you are assigning your customers.
> >>
> >> The OP didn't say what type of Xbox.  IIRC the Xbox 360 does not support
> >> IPv6, while the Xbox One does (but neither would explain the Teredo).
> >> --
> >> Chris Adams 
> >>
> >
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
>
>


RE: Xbox Live and Teredo

2018-01-02 Thread Darrin Veit via NANOG
Hey, Justin. I'll ping you offline to take a closer look. For others on the 
list, Xbox One uses Teredo for IPv4 P2P NAT traversal for multiplayer and chat. 
If the consoles are unable to communicate with Teredo servers to generate a 
Teredo IPv6 address and detect the NAT type that is present, that can cause 
issues joining multiplayer games and Party Chat sessions.

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Justin Wilson
Sent: Tuesday, January 2, 2018 3:15 PM
To: NANOG list 
Subject: Re: Xbox Live and Teredo

These are all Xbox one clients.  We don’t hand out IPv6 on this network yet, so 
I made sure to disable any sort of IPV6 on the interfaces just to be sure 
because I figured Teredo is tied to v6.  The only thing we have not done yet is 
disable any IPV6 stuff on the customer routers.  Everyone has been getting link 
local addresses for the longest time.   We just disabled ipv6 totally on the 
interfaces just to be safe.


Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com

> On Jan 2, 2018, at 6:06 PM, Chris Adams  wrote:
> 
> Once upon a time, Mark Andrews  said:
>> Given that you have IPv6 I would be looking at why the XBOXs are attempting 
>> Teredo at all.  I would expect them to use the IPv6 addresses that you are 
>> assigning your customers.
> 
> The OP didn't say what type of Xbox.  IIRC the Xbox 360 does not 
> support IPv6, while the Xbox One does (but neither would explain the Teredo).
> --
> Chris Adams 
> 



Re: Xbox Live and Teredo

2018-01-02 Thread Mark Andrews
Time to buy a Xbox for the NOC so you can trouble shoot.  All puns intended.

Mark

> On 3 Jan 2018, at 10:15 am, Justin Wilson  wrote:
> 
> These are all Xbox one clients.  We don’t hand out IPv6 on this network yet, 
> so I made sure to disable any sort of IPV6 on the interfaces just to be sure 
> because I figured Teredo is tied to v6.  The only thing we have not done yet 
> is disable any IPV6 stuff on the customer routers.  Everyone has been getting 
> link local addresses for the longest time.   We just disabled ipv6 totally on 
> the interfaces just to be safe.
> 
> 
> Justin Wilson
> j...@mtin.net
> 
> www.mtin.net
> www.midwest-ix.com
> 
>> On Jan 2, 2018, at 6:06 PM, Chris Adams  wrote:
>> 
>> Once upon a time, Mark Andrews  said:
>>> Given that you have IPv6 I would be looking at why the XBOXs are attempting 
>>> Teredo at all.  I would expect them to use the IPv6 addresses that you are 
>>> assigning your customers.
>> 
>> The OP didn't say what type of Xbox.  IIRC the Xbox 360 does not support
>> IPv6, while the Xbox One does (but neither would explain the Teredo).
>> -- 
>> Chris Adams 
>> 
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: Xbox Live and Teredo

2018-01-02 Thread Justin Wilson
These are all Xbox one clients.  We don’t hand out IPv6 on this network yet, so 
I made sure to disable any sort of IPV6 on the interfaces just to be sure 
because I figured Teredo is tied to v6.  The only thing we have not done yet is 
disable any IPV6 stuff on the customer routers.  Everyone has been getting link 
local addresses for the longest time.   We just disabled ipv6 totally on the 
interfaces just to be safe.


Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com

> On Jan 2, 2018, at 6:06 PM, Chris Adams  wrote:
> 
> Once upon a time, Mark Andrews  said:
>> Given that you have IPv6 I would be looking at why the XBOXs are attempting 
>> Teredo at all.  I would expect them to use the IPv6 addresses that you are 
>> assigning your customers.
> 
> The OP didn't say what type of Xbox.  IIRC the Xbox 360 does not support
> IPv6, while the Xbox One does (but neither would explain the Teredo).
> -- 
> Chris Adams 
> 



Re: Xbox Live and Teredo

2018-01-02 Thread Chris Adams
Once upon a time, Mark Andrews  said:
> Given that you have IPv6 I would be looking at why the XBOXs are attempting 
> Teredo at all.  I would expect them to use the IPv6 addresses that you are 
> assigning your customers.

The OP didn't say what type of Xbox.  IIRC the Xbox 360 does not support
IPv6, while the Xbox One does (but neither would explain the Teredo).
-- 
Chris Adams 


Re: Xbox Live and Teredo

2018-01-02 Thread Mark Andrews
Given that you have IPv6 I would be looking at why the XBOXs are attempting 
Teredo at all.  I would expect them to use the IPv6 addresses that you are 
assigning your customers.

Mark

> On 3 Jan 2018, at 9:25 am, Justin Wilson  wrote:
> 
> Figured the collective here might have an answer.  All of a sudden a network 
> I manage started getting complaints from XBOX live users are getting error 
> messages about “Can’t get Teredo IP address” on their consoles.  Is anyone 
> else seeing this wide spread?  The Microsoft support default answer is “Your 
> ISP is blocking ports” when I can do an nmap on each of these customers and 
> all of the xbox live ports are open.  As an FYI these are not netted 
> customers, but have true publics.
> 
> We have tried disabling IPV6 on their interfaces and that does not seem to 
> have helped.  We have had some customers power cycle everything in their home 
> (CPE, router, xbox) and still no go.
> 
> Anyone else running into this? Does Microsoft have a higher level support for 
> talking with ISPs at all?
> 
> 
> Justin Wilson
> j...@mtin.net
> 
> www.mtin.net
> www.midwest-ix.com
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org