Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

IPv6 Focus Month: IPv6 Encapsulation - Protocol 41

Published: 2013-03-09
Last Updated: 2013-03-11 23:55:35 UTC
by Guy Bruneau (Version: 1)
1 comment(s)

Packet Tunneling IPv6 over IPv4 protocol 41 (Teredo or 6to4) is nothing new. It was first introduce in RFC 2473 in December 1998 and has been in use since ~2002. Depending of the age of your home router, it may already have some form of IPv6 support. As an example, the Linksys WRT610N router version 1.0 has a hidden page http://router/System.asp that adds support for protocol 41 and this support is listed as Vista Premium.

To check if your router is allowing protocol 41 to flow freely in and out of your home network, you can run a sniffer against the external IP of your router looking for that protocol. You can use either tcpdump or Wireshark to verify. Using tcpdump, you can issues the following command:


tcpdump -ns 0 -i eth1 proto 41

19:11:47.447246 IP XX.245.121.230 > ZZ.246.188.99: IP6 2001:0:5ef5:79fb:2ce5:306e:8dd6:7711 > 2002:63f6:bc63:0:6975:9942:470:7a02: ICMP6, echo request, seq 14021, length 12
19:11:49.470610 IP XX.245.121.238 > ZZ.246.188.99: IP6 2001:0:5ef5:79fb:2ce5:306e:8dd6:7711 > 2002:63f6:bc63:0:6975:9942:470:7a02: ICMP6, echo request, seq 21435, length 12
19:12:59.648790 IP YYY.228.192.53 > ZZ.246.188.99: IP6 2002:d3e4:c035::d3e4:c035.54377 > 2002:63f6:bc63:0:6975:9942:470:7a02.52538: Flags [S], seq 588108466, win 8192, options [mss 1220,nop,wscale 8,nop,nop,sackOK], length 0
19:13:02.653077 IP YYY.228.192.53 > ZZ.246.188.99: IP6 2002:d3e4:c035::d3e4:c035.54377 > 2002:63f6:bc63:0:6975:9942:470:7a02.52538: Flags [S], seq 588108466, win 8192, options [mss 1220,nop,wscale 8,nop,nop,sackOK], length 0
19:13:08.647639 IP YYY.228.192.53 > ZZ.246.188.99: IP6 2002:d3e4:c035::d3e4:c035.54377 > 2002:63f6:bc63:0:6975:9942:470:7a02.52538: Flags [S], seq 588108466, win 8192, options [mss 1220,nop,nop,sackOK], length 0
19:17:57.403065 IP ZZ.246.188.99 > 192.88.99.1: IP6 2002:63f6:bc63:0:580:ed30:dc11:1d1b.51050 > 2607:f0d0:3001:62:1::52.80: Flags [S], seq 2581307596, win 8192, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
19:17:57.443256 IP 192.88.99.1 > ZZ.246.188.99: IP6 2607:f0d0:3001:62:1::52.80 > 2002:63f6:bc63:0:580:ed30:dc11:1d1b.51050: Flags [S.], seq 4094422909, ack 2581307597, win 5760, options [mss 1440,nop,nop,sackOK,nop,wscale 9], length 0
19:17:57.445276 IP ZZ.246.188.99 > 192.88.99.1: IP6 2002:63f6:bc63:0:580:ed30:dc11:1d1b.51050 > 2607:f0d0:3001:62:1::52.80: Flags [.], ack 1, win 258, length 0
 

Even if you are not setup for IPv6, there may be a lot of interesting data flowing your way. For example, from my router I can see ICMP6 echo requests, TCP traffic attempting to connect to strange ports and of course my own outbound 6to4 traffic. The last 3 traces are a 3-way handshake associated with web traffic connecting to the Wireshark website via IPv6 6to4 tunnel. Note that IP 192.88.188.99 is listed as a 6TO4-RELAY-ANYCAST-IANA-RESERVED address.

If your home router supports some form of IPv6, native, Teredo or 6to4 and would like to share that information, post it via our contact page.

[1] http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml
[2] http://tools.ietf.org/html/rfc2473
[3] http://www.cert.org/blogs/certcc/2009/08/managing_ipv6_part_i.html
[4] https://isc.sans.edu/ipinfo.html?ip=192.88.99.1

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

1 comment(s)
Diary Archives