Mailing List Archive

Teredo sunset - did it happen?
All,

ISTR that Teredo was going to be sunset, Microsoft having tested
removing the DNS name "teredo.ipv6.microsoft.com".

(Ignoring the Xbox One stuff here - just the windows desktop
server/relay stuff)

However, my Windows 7 machine is still resolving that name and forming a
Teredo address, and setting an IPv6 default route via that tunnel - I
can see Teredo-encap'd router-solicit and router-advert messages being
sent and received.

No traffic flows however - the Teredo "direct connect" tests are all
failing (no reply to the ICMPv6 echo). So I've got a broken IPv6 tunnel :o/

Any ideas what's going on? Microsoft, anyone care to comment?

Cheers,
Phil
Re: Teredo sunset - did it happen?
On 2014-11-17 16:06, Phil Mayers wrote:
> All,
>
> ISTR that Teredo was going to be sunset, Microsoft having tested
> removing the DNS name "teredo.ipv6.microsoft.com".
>
> (Ignoring the Xbox One stuff here - just the windows desktop
> server/relay stuff)
>
> However, my Windows 7 machine is still resolving that name and forming a
> Teredo address, and setting an IPv6 default route via that tunnel - I
> can see Teredo-encap'd router-solicit and router-advert messages being
> sent and received.

Did you update your Windows edition to the latest service
pack/fixes/updates?

> No traffic flows however - the Teredo "direct connect" tests are all
> failing (no reply to the ICMPv6 echo). So I've got a broken IPv6 tunnel :o/

You likely are picking a broken relay or something in your network is
breaking it on purpose.

But like 6to4, as that stuff is anycasted, bit hard to determine where
what breaks.

Why are you attempting to bother with Teredo? There are a lot of much
better and more importantly more reliable alternatives.

As you are in *.ac.uk JANET has been providing native IPv6 to their
network for a decade already. Hence, what is the problem you are trying
to solve?

> Any ideas what's going on? Microsoft, anyone care to comment?

Does anybody care about it? :)

Teredo connections are depreffed by all getaddrinfo-alike
implementations, thus you won't use it for connections anyway.

Greets,
Jeroen
Re: Teredo sunset - did it happen?
On 17/11/2014 15:59, Jeroen Massar wrote:

> Did you update your Windows edition to the latest service
> pack/fixes/updates?

It's a completely stock Win 7 SP1 machine, which patches itself
according to Microsoft default behaviour. I don't even notice it
patching usually, but I think once a week?

>
>> No traffic flows however - the Teredo "direct connect" tests are all
>> failing (no reply to the ICMPv6 echo). So I've got a broken IPv6 tunnel :o/
>
> You likely are picking a broken relay or something in your network is
> breaking it on purpose.
>
> But like 6to4, as that stuff is anycasted, bit hard to determine where
> what breaks.
>
> Why are you attempting to bother with Teredo? There are a lot of much
> better and more importantly more reliable alternatives.

You have failed to understand my question, almost completely ;o)

I don't want to use Teredo. I want Microsoft to sunset it, as they said
they were going to, by removing the "teredo.ipv6.microsoft.com" DNS name
or otherwise stopping it.

This hasn't happened. I'm asking if anyone knows why and observing what
I see.

> As you are in *.ac.uk JANET has been providing native IPv6 to their
> network for a decade already. Hence, what is the problem you are trying
> to solve?

Well, the meta-problem here is apparently making myself understood :o/

The actual problem is I'd like to unblock the Teredo port so that the
XBox One platform Teredo - which is not normal Teredo, and is basically
used for IPv4 peers in place of NAT traversal - can work.

Before I unblock that port, I'd like to be sure that it won't cause our
unmanaged windows clients to change behaviour, so I'd like Microsoft to
disable it as per their plan.

See the list archives for more info on the XB1 stuff, or this link:

http://www.ietf.org/proceedings/88/slides/slides-88-v6ops-0.pdf


>> Any ideas what's going on? Microsoft, anyone care to comment?
>
> Does anybody care about it? :)
>
> Teredo connections are depreffed by all getaddrinfo-alike
> implementations, thus you won't use it for connections anyway

You won't use it *for connections which use DNS to resolve peers*. For
other stuff - for example, BitTorrent which has peer discovery based on
non-DNS methods - you'll definitely see Teredo traffic in some cases.

BitTorrent and other filesharing are actually a major concern for us. I
definitely don't want hundreds of student PCs to suddenly start doing
BitTorrent over Teredo...
Re: Teredo sunset - did it happen?
On 2014-11-17 17:08, Phil Mayers wrote:
> On 17/11/2014 15:59, Jeroen Massar wrote:
>
>> Did you update your Windows edition to the latest service
>> pack/fixes/updates?
>
> It's a completely stock Win 7 SP1 machine, which patches itself
> according to Microsoft default behaviour. I don't even notice it
> patching usually, but I think once a week?
>
>>
>>> No traffic flows however - the Teredo "direct connect" tests are all
>>> failing (no reply to the ICMPv6 echo). So I've got a broken IPv6
>>> tunnel :o/
>>
>> You likely are picking a broken relay or something in your network is
>> breaking it on purpose.
>>
>> But like 6to4, as that stuff is anycasted, bit hard to determine where
>> what breaks.
>>
>> Why are you attempting to bother with Teredo? There are a lot of much
>> better and more importantly more reliable alternatives.
>
> You have failed to understand my question, almost completely ;o)
>
> I don't want to use Teredo. I want Microsoft to sunset it, as they said
> they were going to, by removing the "teredo.ipv6.microsoft.com" DNS name
> or otherwise stopping it.
>
> This hasn't happened. I'm asking if anyone knows why and observing what
> I see.

That is just normal Teredo brokenness.


As for when that label goes away, maybe check:

http://www.ietf.org/proceedings/87/slides/slides-87-v6ops-5.pdf

which also has:
8<-----------
Next step is to set the date teredo.ipv6.microsoft.com will shut down
• Send feedback to teredo@microsoft.com
------------->8

>> As you are in *.ac.uk JANET has been providing native IPv6 to their
>> network for a decade already. Hence, what is the problem you are trying
>> to solve?
>
> Well, the meta-problem here is apparently making myself understood :o/
>
> The actual problem is I'd like to unblock the Teredo port so that the
> XBox One platform Teredo - which is not normal Teredo, and is basically
> used for IPv4 peers in place of NAT traversal - can work.

What are you trying to achieve by blocking that port?

> Before I unblock that port, I'd like to be sure that it won't cause our
> unmanaged windows clients to change behaviour, so I'd like Microsoft to
> disable it as per their plan.

Those clients will have other kinds of VPN tools too that you won't like.

But if you are that worried about those:
- either spoof the DNS label for teredo.ipv6.microsoft.com to NXDOMAIN
- or route the address it maps to normally to /dev/null.

That won't break Xbox One as that does not use the same one.

> See the list archives for more info on the XB1 stuff, or this link:
>
> http://www.ietf.org/proceedings/88/slides/slides-88-v6ops-0.pdf

I am well aware of the Xbox One usage and also about the fact that even
though PS4 is FreeBSD based it does not do IPv6... silly for a product
launched in 2013. But they could bolt it on later, the base has support
for it.

>>> Any ideas what's going on? Microsoft, anyone care to comment?
>>
>> Does anybody care about it? :)
>>
>> Teredo connections are depreffed by all getaddrinfo-alike
>> implementations, thus you won't use it for connections anyway
>
> You won't use it *for connections which use DNS to resolve peers*. For
> other stuff - for example, BitTorrent which has peer discovery based on
> non-DNS methods - you'll definitely see Teredo traffic in some cases.
>
> BitTorrent and other filesharing are actually a major concern for us. I
> definitely don't want hundreds of student PCs to suddenly start doing
> BitTorrent over Teredo...

You won't stop them from doing BitTorrent, they will find other ways to
do that.

You also won't be easily able to differentiate those clients from Xbox
Ones trying to do updates.

Also, wasn't your Teredo broken? :)

Greets,
Jeroen
Re: Teredo sunset - did it happen?
On 17/11/2014 16:23, Jeroen Massar wrote:

> What are you trying to achieve by blocking that port?

I honestly don't know why you want to talk about other things, but I've
no interest in discussing them with you.
Re: Teredo sunset - did it happen?
On 2014-11-17 17:38, Phil Mayers wrote:
> On 17/11/2014 16:23, Jeroen Massar wrote:
>
>> What are you trying to achieve by blocking that port?
>
> I honestly don't know why you want to talk about other things, but I've
> no interest in discussing them with you.

Then don't make statements that you are blocking them...

Greets,
Jeroen
Re: Teredo sunset - did it happen?
On 17/11/2014 16:40, Jeroen Massar wrote:
> On 2014-11-17 17:38, Phil Mayers wrote:
>> On 17/11/2014 16:23, Jeroen Massar wrote:
>>
>>> What are you trying to achieve by blocking that port?
>>
>> I honestly don't know why you want to talk about other things, but I've
>> no interest in discussing them with you.
>
> Then don't make statements that you are blocking them...

In the interests of the principle of charity - I am trying hard to
assume good motives on your part - let me try again...

===

We've historically blocked Teredo, for probably erroneous reasons. I'd
like to unblock it, to specifically let XBox One consoles use their new
Teredo stuff.

At the same time, I'd like to avoid even the possibility of triggering a
behaviour change on Microsoft Windows clients. I had thought Teredo was
sunsetted, but examination of my Windows 7 PC suggests it is not,
although it is broken.

To inform my decision about unblocking it, I'd like to ask a few questions.

Does anyone know why Teredo has not been sunsetted yet?

Does anyone know when Teredo will be sunsetted?

Does anyone know of a safe way to block Teredo from Microsoft Windows
clients, but leave Teredo from XBox One unaffected? Jeroen, your
suggestion of blocking the DNS name is a good one. Anyone any other
ideas I should also consider.

===

Hopefully this is specific enough...
RE: Teredo sunset - did it happen?
Why not just disable teredo at the command line?

netsh int ipv6 set teredo disabled


Re: Teredo sunset - did it happen?
Presumably because the clients are "unmanaged"?

On Mon, Nov 17, 2014, 09:02 Carl Holzhauer <cholzhauer@sscorp.com> wrote:

> Why not just disable teredo at the command line?
>
> netsh int ipv6 set teredo disabled
Re: Teredo sunset - did it happen?
On 11/17/2014 7:06 AM, Phil Mayers wrote:
> All,
>
> ISTR that Teredo was going to be sunset, Microsoft having tested
> removing the DNS name "teredo.ipv6.microsoft.com".
>
> (Ignoring the Xbox One stuff here - just the windows desktop
> server/relay stuff)
>
> However, my Windows 7 machine is still resolving that name and forming a
> Teredo address, and setting an IPv6 default route via that tunnel - I
> can see Teredo-encap'd router-solicit and router-advert messages being
> sent and received.
>
> No traffic flows however - the Teredo "direct connect" tests are all
> failing (no reply to the ICMPv6 echo). So I've got a broken IPv6 tunnel :o/
>
> Any ideas what's going on? Microsoft, anyone care to comment?

Microsoft released a Windows Update for the prefix policy table. The
update dropped Teredo's precedence to lower than IPv4.
Re: Teredo sunset - did it happen?
On 17/11/2014 17:43, Darren Pilgrim wrote:

>> Any ideas what's going on? Microsoft, anyone care to comment?
>
> Microsoft released a Windows Update for the prefix policy table. The
> update dropped Teredo's precedence to lower than IPv4.

Just to be clear - are you suggesting they did this instead of
sunsetting Teredo altogether?

In any case, I was always under the impression this was the day-one
experience - Teredo would only be used to talk to another Teredo DNS
name or an IPv6-only name in the absence of native IPv6. Am I mistaken?
Re: Teredo sunset - did it happen?
On 18/11/2014 07:12, Phil Mayers wrote:
> On 17/11/2014 17:43, Darren Pilgrim wrote:
>
>>> Any ideas what's going on? Microsoft, anyone care to comment?
>>
>> Microsoft released a Windows Update for the prefix policy table. The
>> update dropped Teredo's precedence to lower than IPv4.
>
> Just to be clear - are you suggesting they did this instead of
> sunsetting Teredo altogether?
>
> In any case, I was always under the impression this was the day-one
> experience - Teredo would only be used to talk to another Teredo DNS
> name or an IPv6-only name in the absence of native IPv6. Am I mistaken?

I think that was always the intention, but unmanaged tunnels are
liable to behave undesirably. From what Dave Thaler said during
the discussion at the IETF last week on deprecating 6to4, MS
clearly sees Teredo for Xbox-to-Xbox as operational and Teredo
for regular client/server use as undesirable, same as you do.
Dave therefore wanted no change to the RFC 6724 default policy
table, which I assume is exactly what Windows now ships.

Then, even if the Teredo interface comes up, since
::ffff:0:0/96 has higher precedence than 2001::/32, Teredo will
not be tried unless there is no IPv4 address at all for the
target host.

But if the client has the old RFC 3483 policy table,
::ffff:0:0/96 has the lowest precedence so Teredo would win over
IPv4, which is a Bad Thing. There isn't much to be done about
that unless the user has netsh skills.

Brian
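
The precedence argument in the message above, worked through as an added example (not code from the thread or from Windows). It applies only the label-match and precedence rules of destination address selection to the default policy tables printed in RFC 3484 and RFC 6724; the addresses are constructed sample values and the function names are this example's own.

```python
import ipaddress

# Default policy tables as (prefix, precedence, label), copied from the RFCs.
RFC3484 = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("2002::/16", 30, 2),
    ("::/96", 20, 3),
    ("::ffff:0:0/96", 10, 4),
]
RFC6724 = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),      # Teredo
    ("fc00::/7", 3, 13),
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]

def as_v6(addr):
    """Return an IPv6Address; IPv4 is represented as ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address((0xFFFF << 32) | int(ip))
    return ip

def lookup(table, addr):
    """Longest-prefix match in the policy table -> (precedence, label)."""
    ip = as_v6(addr)
    best = None
    for prefix, precedence, label in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, precedence, label)
    return best[1], best[2]   # ::/0 always matches, so best is never None

def order_destinations(table, candidates):
    """Sort (destination, source) pairs, most preferred destination first.

    Simplification (assumption of this example): only "prefer matching
    label" and "prefer higher precedence" are applied, in that order.
    """
    def key(pair):
        dst, src = pair
        d_prec, d_label = lookup(table, dst)
        _, s_label = lookup(table, src)
        return (d_label != s_label, -d_prec)
    return [dst for dst, _ in sorted(candidates, key=key)]

# Constructed sample: a host whose only IPv6 address is a Teredo one,
# connecting to a dual-stack name (one AAAA record, one A record).
TEREDO_SRC = "2001:0:4136:e378:8000:63bf:3fff:fdd2"
IPV4_SRC = "192.0.2.10"
CANDIDATES = [
    ("2001:db8::7", TEREDO_SRC),   # reached through the Teredo tunnel
    ("198.51.100.7", IPV4_SRC),    # reached over plain IPv4
]

if __name__ == "__main__":
    for name, table in (("RFC 3484", RFC3484), ("RFC 6724", RFC6724)):
        print(name, "->", order_destinations(table, CANDIDATES))
```

Running `netsh interface ipv6 show prefixpolicies` on a client shows which table it actually has.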
Re: Teredo sunset - did it happen?
I said:

> But if the client has the old RFC 3483 policy table,
> ::ffff:0:0/96 has the lowest precedence so Teredo would win over
> IPv4, which is a Bad Thing. There isn't much to be done about
> that unless the user has netsh skills.

s/3483/3484/

Brian

RE: Teredo sunset - did it happen?
We (Microsoft) have a standing plan to deactivate our public Teredo servers, which would essentially deactivate the default Teredo functionality in the Windows user base. We had thought to do that next year, but delayed for various reasons - one being that the pain/noise around its default activation on Windows devices has abated considerably over time.

The deactivation of our public Teredo service is not the same thing as "sunsetting Teredo" or deprecating the protocol entirely. It will still be used by the Xbox Live gaming stack and we strongly desire for network operators to continue to treat Teredo as a legitimate NAT traversal and IPv6 transition technology. Other uses of Teredo beyond gaming are being considered.


Re: Teredo sunset - did it happen?
On 17 November 2014 17:22:37 GMT+00:00, Michael Chang <thenewme91@gmail.com> wrote:
>Presumably because the clients are "unmanaged"?

Correct. It's already disabled by group policy on our managed base.
Re: Teredo sunset - did it happen?
On 18/11/14 00:25, Christopher Palmer wrote:

> The deactivation of our public Teredo service is not the same thing
> as "sunsetting Teredo" or deprecating the protocol entirely. It will

Sorry, that's my sloppy language then. I am indeed referring to shutting
down the public Teredo service used for the default Windows user base.