Hi, I've been sniffing some Teredo traffic in our Teredo relay and I saw similar packets. See below my comments in-line.
Regards Miguel > -----Mensaje original----- > De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] En > nombre de Pekka Savola > Enviado el: lunes, 06 de agosto de 2007 14:38 > Para: users@ipv6.org > Asunto: [IPv6 Users] Teredo client brokenness: link-local > destination ? > > Hello all, > > After setting up a teredo relay, I've noticed some weird > packets going by, which may or may not be an indication of > buggy client implementation. > > Observation 1: > > 15:16:23.784565 IP6 (hlim 21, next-header: unknown (59), > length: 0) 2001:0:4136:e38c:0:d134:ac48:xxxx > > 2002:c950:bbbb::cccc:dddd: no next header > > All of these packets are "empty" (no next header), and all of > them have hop limit = 21. But nothing really wrong > (protocol-wise) with these, just a little bit oddness. > I've saw such packets. They are bubbles and they are used for keeping alive the Teredo client's NAT once the Teredo client is communicating to other IPv6 host. > Observation 2: > > Similar packet, but with hop-limit=255 and destined to a > link-local address. This seems to be an indication of > brokenness, as I fail to see how sending a link-local packet > to a teredo relay could ever work. > > It seems that Teredo clients try to do this repeatedly, > always with the same fe80::foo address. During a half-hour > period, I saw the following slightly obfuscated attempts (the > first number is the number of attempts) > > 15 2001:0:4136:e38e:47c:f227:7c94:xxxx > fe80::1c9e:9aad:zzzz:vvvv > 12 2001:0:53aa:64c:0:f226:2bcd:xxxx > fe80::20eb:4661:zzzz:vvvv > 11 2001:0:4136:e38c:2807:1ce1:b841:xxxx > fe80::e0e0:f185:zzzz:vvvv > 10 2001:0:4136:e390:30b5:177a:bb89:xxxx > fe80::a413:8b01:zzzz:vvvv > 10 2001:0:4136:e38a:14e2:f227:7c94:xxxx > fe80::fc31:b43b:zzzz:vvvv > 9 2001:0:4136:e38e:18d7:1f64:352d:xxxx > fe80::44c4:29c7:zzzz:vvvv > 9 2001:0:4136:e38c:1856:126f:ad51:xxxx > fe80::80c2:3487:zzzz:vvvv > 9 2001:0:4136:e38a:455:3c63:b880:xxxx > fe80::847:b9a3:zzzz:vvvv > 8 2001:0:4136:e38c:83b:aac:ae35:xxxx > fe80::400:ba47:zzzz:vvvv > 8 2001:0:4136:e38c:1438:ea53:b351:xxxx > fe80::20bb:5f9d:zzzz:vvvv > 8 2001:0:4136:e38a:3468:38b9:ba74:xxxx > fe80::ccb8:98e5:zzzz:vvvv > 7 2001:0:4136:e390:cf1:1172:bd48:xxxx > fe80::c03e:cd52:zzzz:vvvv > 7 2001:0:4136:e390:1077:1728:b39c:xxxx > fe80::e472:4cc0:zzzz:vvvv > 7 2001:0:4136:e38e:1822:f227:7c94:xxxx > fe80::6839:32c6:zzzz:vvvv > 7 2001:0:4136:e388:8b3:1a9a:a531:xxxx > fe80::c026:c2e9:zzzz:vvvv > 7 2001:0:4136:e388:88a:fbfc:b73e:xxxx > fe80::8014:371:zzzz:vvvv > 6 2001:0:4136:e390:36:e03:b8ac:xxxx > fe80::3057:c540:zzzz:vvvv > 6 2001:0:4136:e390:28d7:290:b3e9:xxxx > fe80::542c:770b:zzzz:vvvv > 6 2001:0:4136:e38e:1877:3b99:b487:xxxx > fe80::907c:b9e9:zzzz:vvvv > 6 2001:0:4136:e38c:8000:d824:aaad:xxxx > fe80::4c11:52a7:zzzz:vvvv > 6 2001:0:4136:e38c:1ce9:3cf6:e78c:xxxx > fe80::c06d:e576:zzzz:vvvv > 6 2001:0:4136:e38c:1cb2:f227:7c94:xxxx > fe80::4cea:313d:zzzz:vvvv > 6 2001:0:4136:e38a:6c:3892:b396:xxxx > fe80::f094:7d58:zzzz:vvvv > 6 2001:0:4136:e38a:1ce0:169f:e732:xxxx > fe80::fc56:a649:zzzz:vvvv > 6 2001:0:4136:e38a:14b5:2b0:ae3a:xxxx > fe80::3826:a264:zzzz:vvvv > 6 2001:0:4136:e388:80b:3a70:3390:xxxx > fe80::5008:1656:zzzz:vvvv > 6 2001:0:4136:e388:14c8:e67e:b39c:xxxx > > fe80::cc8c:71d5:zzzz:vvvv ... and some number of fewer attempts.. > > What's going on? I'd say that Teredo client code should > filter out packets with a link-local address as destination at egress. > I've also saw similar packets but the link local address used is different. It's always fe80::8000:5445:5245:444F. As curiosity, the corresponding ASCII characters of the last part of the link-local ID field is: 54 45 52 45 44 4F ==> TEREDO Those packets are also bubbles. They are used for open the (restricted) Teredo client's NAT and then starting the communication between the Teredo client and the IPv6 (no Teredo) destination. I guess that the link local address in the bubble may depend on the teredo client/relay implementation. In my view there are no bugs, just it's the usual behavior of Teredo protocol. > -- > Pekka Savola "You each name yourselves king, yet the > Netcore Oy kingdom bleeds." > Systems. Networks. Security. -- George R.R. Martin: A Clash > of Kings _______________________________________________ > Users mailing list > Users@ipv6.org > https://lists.ipv6.org/mailman/listinfo/users > ********************************************** The IPv6 Portal: http://www.ipv6tf.org Bye 6Bone. Hi, IPv6 ! http://www.ipv6day.org This electronic message contains information which may be privileged or confidential. The information is intended to be for the use of the individual(s) named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, including attached files, is prohibited. _______________________________________________ Users mailing list Users@ipv6.org https://lists.ipv6.org/mailman/listinfo/users