IPv6 at home, Part 1: Overview, Teredo

[Edit 2010-02-25 - adding some forward links to the other parts of this series. Rewrote parts - no more mention of how slow Teredo is (it's not), and some updated comments to reflect the state of ipv6 in 2010]

This blog post is part of a series on ipv6. In this part, I provide an overview of ipv6 and look at Teredo, the technology built into Windows Vista/7; in part 2, I look at AYIYA tunnels through aiccu, using sixxs net as a tunnel broker. Part 2.5 is a collection of useful ipv6 tidbits, and part 3 gets back to the original plan: Exploring ipv6 connectivity options – in this case, the tunnel offered by gogonet.

NB: The tunnel described in part 3 is a lot easier to set up than Teredo. It was never my intent to advocate the use of Teredo as the prevalent way to connect a machine to IPv6. I started with it in this series precisely because I thought it would be the least comfortable option. In hindsight, I should probably have started with the easy button.

Part 4 describes Hurricane Electric 6in4 tunnels, and part 4.1 shows how to set one up on a Juniper ScreenOS device. [JunOS tunnels, as opposed to ScreenOS tunnels, are shaky at this point, they work in 10.3r1, but not in 10.2r3 or 10.4r1. I may describe them when this situation has settled down a bit]

For a corporate environment, I take a look at ipv6 renumbering. If you are planning to deploy ipv6 in your network, you need to think about this.

Overview

I’ve been running IPv6 at home since January 2008. When I took the plunge, I did so mainly to learn about the technology in preparation of it being adopted in the field. Factors that made me finally take this step in January 2008, as opposed to pondering it since January 2001, were:

  • The government mandate to deploy IPv6 in federal networks, while weak, will undoubtedly bring IPv6 adoption into some enterprises. When this happens, I want to be ready, and I want my team to be ready, so we can capitalize on our knowledge and can claim to have been running IPv6 since early 2008.
  • We’re deploying Juniper SSG-5 firewalls at our techies’ homes, and these little boxes do now support IPv6 with the release of software version 6.0.0. I could have been running IPv6 using a software client, but that would have done little to prepare me for seeing it deployed in an environment I will actually encounter – namely, hardware firewalls and routers.
  • Four of the Internet DNS root servers are now reachable through IPv6. For the first time ever, this would allow a connection between IPv6 hosts that relies purely on IPv6. This is less a technical concern than a measure of where we are with IPv6: The root servers were the last “you can’t DO IPv6 without IPv4 first” holdout, and that’s gone now. When the root servers, who are very conservative, move, it’s time for mere mortals to test the waters, too.

Since most folk won’t have IPv6-capable hardware firewalls at home, I will talk about host – specifically, PC – based solutions to connect to IPv6 sites to start out with.

All right, starting with: What is IPv6, and why do I care? At its core, IPv6 is simply “more address space”. The “old way” of addressing, called IPv4, with its 32-bit address space, is running out of space to use, even with the use of NAT. Predictions claim we may run out of space as early as 2012, though I would not be surprised to see us “hang on” a little longer. IPv6 in contrast has a 128-bit address space, which is ridiculously huge.

This has some implications:

  • IPv6 will rely on DNS to an even greater degree than IPv4. Let me take the example of go6.net. Its IPv6 address is 2001:5c0:0:1::6. The ‘::’ is a way of saying “multiple zeros here” in IPv6, to shorten writing it. That’s actually a fairly neat and short address, but still hard to memorize. A less ‘neat’ address may look like 2001:470:1f06:223:bd6f:6f5c:a458:2802. Good luck memorizing that one. We’ll need names, and good reverse DNS, and good DDNS.
  • Because we have so much address space now, IPv6 does away with IPv4-style subnetting. In IPv6, every subnet is a /64. That is 16 quintillion addresses, up from 4 billion in the entire IPv4 range. And that’s just for one subnet. The goal is to avoid the pain of different-sized subnets – needing to wrestle with /26, /28 and /29 – and the even greater pain of having to change subnets, say going from a /29 to a /28 because you ran out of space and have now a few machines more than you envisioned. The IPv6 /64 subnet range is envisioned to cover all devices that could possibly be hooked up to the physical medium that carries that subnet.
  • “Leaf nodes” – that is, sites that aren’t large carrier-grade – will receive a /48, which can then be carved up into individual /64s. This will allow for 65,000+ subnets per site, which will be plenty even for large corporations. A /48 is also what you might receive at home, depending on how you connect to IPv6.
  • Lots of address space also means we don’t need private addresses any more. This does away with NAT, which makes life hugely simpler for applications. VPNs become easier, and protocols that embed IP information – notoriously, all the VOIP stuff like H.323 and SIP, as well as Microsoft’s SMB file-sharing protocol – also benefit. As do P2P and game applications, BTW – no more need to configure “port forwards” for these. This also means that firewalling is a must. While NAT was never meant to be a security feature, PAT or Hide-NAT in particular, as implemented in home routers, was often touted as a “firewall” feature by vendors, because by its nature, it disallows incoming connections. There are huge application-level challenges in interop, too, and I’ll get to those.

So, how does an IPv6 host talk to an IPv4 host, or vice versa? The answer is “with difficulty”, if at all. Proposals for rewriting addressing on-the-fly are technically brittle. Particularly when it comes to those applications mentioned that embed IP addresses, like H.323 and SIP and SMB, rewriting that data stream is not very feasible, and not at all scalable. The best idea proposed so far has been to “dual-stack” IPv6-capable equipment: Any given host would have both an IPv6 address and an IPv4 address. It will talk to IPv4 hosts using IPv4, and to IPv6 hosts using IPv6. That is a workable way around those application-level interop challenges. At some point, of course, one would have to either phase out IPv4 or bite the bullet and do application-layer translation for those clients that are still IPv4-only.

For DNS, what you need to know is:

  • IPv4 records are A records, IPv6 records are AAAA records. Any given host can have one, the other, or both. go6.net has both, google.com has only IPv4, and IPv6-only hosts such as ipv6.google.com are extremely rare right now. Who in their right mind, after all, would limit content to a tiny portion of the Internet users.
  • Windows XP will always use IPv4 to query DNS servers. Even to get an AAAA record, the actual query will run over IPv4. Windows Vista can run IPv6-native and query DNS over IPv6.
  • Both Windows XP and Windows Vista will advertise their IPv6 address as a DDNS update. If you run your own DNS server at home and it is IPv6-capable, it should pick up the addresses of your IPv6 hosts.

Connecting to IPv6

Alright, so how do you connect to, say, a web server, using IPv6? Your home router does not know IPv6, and even if it does, your ISP’s router is most likely not configured for IPv6, and would not forward your IPv6 packets. Therefore, you have three ways to get to IPv6 hosts, two of which are actually going to be available for most people at this point.

  1. Native IPv6. Your ISP supplies you with IPv6 address space and does all the hard work for you. Rejoice, you are done! Just that, as of this writing, unless you live in France or near one of these ISPs, you are pretty much out of luck. Comcast and other cable providers are starting to make noises about DOCSIS 3.0, which is IPv6-capable, but that is years out. [Edit] Or rather, was years out in 2008 – Comcast is now trialing ipv6 for consumers, with rollout planned in a 2011/2012 timeframe. If you have Verizon FiOS in your area, you’ll get DOCSIS 3.0 earlier – though not necessarily with IPv6 right away. If there’s no FiOS, don’t expect DOCSIS 3.0 very soon. We need other ways of connecting – of tunneling IPv6 traffic through an IPv4 network in some way shape or form.
  2. Use a tunnel broker. This is actually going to be your best bet for connecting to IPv6, which is why, perversely, I’ll discuss it in more detail in a later post. Tunnel brokers available are SixXS , which supports both hardware (static) and software/client (heartbeat, AYIYA) tunnels and gives you a full /48; Hurricane Electric, which is more geared towards static (hardware) tunnels and gives you one /64 subnet now also offers a /48; Gogonet/Freenet6, who have their own proprietary way of traversing NAT and are really easy to set up; and Earthlink R&D, which is very specialized: You connect using a custom firmware for a Linksys WRT54G router, and get a /64. Earthlink would be a good choice if you wanted to run IPv6 on your home router, not your home PC, and you don’t have a Cisco / Juniper / what-have-you at home. I’d expect most people to go with Freenet6 or SixXS and use their software client. I’m set up with Hurricane right now, but for a client setup, I’d choose Freenet6.
    There’s also the Apple Airport Extreme, which handles IPv6 tunnels without exposing any of the nuts-and-bolts to the user. [Edit] D-Link have released a number of ipv6 capable routers, too, as have Linksys/Cisco.
  3. Use Teredo, a Microsoft-supported tunnel that is established directly from your client machine. Teredo was meant to be used only by applications that specifically request it. For this reason, a host that has Teredo enabled would only ever use Teredo to connect to IPv6-only machines. If IPv4 is an option, it will always prefer that. So, why talk about it first? Because it ships with both Windows XP SP2 and Windows Vista/7 – enabled by default in the latter two, though not enabled for “general application use” by default – and we can expect it to be used to get to IPv6-only content, as tunnel brokers, on the outside, may seem like more work to set up. [Edit] And indeed, with the release of an ipv6 capable uTorrent and HE’s provisioning of Teredo relay servers, Teredo traffic has spiked sharply.

Setting up Teredo

And here’s the breakdown of how to set up Teredo. Again, keep in mind, IPv4 will always be preferred. go6.net will show you with an IPv4 address if all you have is Teredo.

Windows XP SP2

  • Realize that Teredo in Windows XP does not support Hide NAT, aka PAT, aka many-to-1 NAT, aka what your home router does. In Teredo language, that kind of NAT is called “Symmetric NAT”, and it’s just not supported by the Teredo implementation in XP. You can still experiment some by either sticking a host onto the Internet directly, without a home router in between. If you have an additional public IP address, you could also set up a Static NAT (aka 1-to-1 NAT), which Teredo calls a “Cone NAT” (if you allow all incoming) or “Restricted Cone NAT” (if you disallow incoming connections), and which is supported. My experiments with my router’s “DMZ” setting, to see whether that will get around the issue, have been less than successful. While Teredo claimed I was behind “cone” NAT, I still had no connectivity.
  • Add the IPv6 protocol to your interface. Control Panel | Network Connections -> Right-Click “Properties” on your LAN or WiFi connection, “Install…”, “Protocol”, “Add…”, choose “Microsoft TCP/IP version 6″, hit “OK” until you’re out again.
  • Open a command line – “cmd” from Start | Run – and run “ipconfig /all”. You should now see a “link local” IPv6 address, which looks something like “fe80::214:85ff:fe2f:8f06%4″. This won’t be useful for connecting to anything “out there”, but it’ll let you know IPv6 is up and running.
  • Configure Teredo. Assuming you are in the US, the command would be “netsh interface ipv6 set teredo client teredo.ipv6.microsoft.com”. If you are elsewhere in the world, you may be able to find a closer Teredo server.
  • If you are on a Windows domain – as opposed to a home workgroup – Teredo will disable even if you configure it. You can get around that with the command “netsh interface ipv6 set teredo enterpriseclient”
  • The command to see the configured Teredo parameters is “netsh int ipv6 show teredo”, and the message indicating that a user is behind PAT and thus Teredo won’t work here is “Error : client behind symmetric NAT”
  • Use an IPv6-only host to test connectivity. If you can connect to http://ipv6.google.com/, it’s working.  Or you could “ping ipv6.google.com” from command line, which should show you an IPv6 address, and succeed.
  • A useful command to use while trying different configurations is “netsh int ipv6 renew”, which will re-negotiate the Teredo tunnel. “netsh int ipv6 show route” will show you ipv6 routes.
  • Keep in mind that Windows XP will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.
  • Lastly, there are reports that Firefox 2 on Windows XP does not handle IPv6 well. Try Firefox 3, or Internet Explorer.

Windows Vista

  • IPv6 and Teredo both are enabled by default in Windows Vista. Teredo also supports Hide-NAT aka PAT aka what your home router does. Woo, we’re done? Not so fast, young Arakin: In order to avoid IPv6 connectivity issues caused by default Teredo tunnels, Microsoft have configured DNS so that the system will never resolve any name to an IPv6 address, as long as the system only has link-local and Teredo IPv6 addresses. Teredo is meant to be used by applications that specifically request its use, and that does not include any browsers.
  • Thus, we need to hoodwink Vista. If the criteria is “has only link-local or Teredo addresses”, why, then we need to supply another address. Luckly, IPv6 maps the entire ipv4 address space, so we can use that. In reality, it doesn’t matter which address we configure, since it won’t ever be used anyway. Open up the Properties of your LAN or WiFi interface, and change it to have a static IPv6 address. Use either the converted IPv4 address you figured out using the link I gave, or use the 192.168.1.2 equivalent of 2002:c0a8:102:: with a netmask of 48. Do not configure a default gateway for this address.
  • Vista would now resolve names to IPv6 addresses, but we need to force it to route traffic through our Teredo interface first. For this, you’ll need to run a Command prompt as “Administrator”. Create a shortcut to a Command prompt on your desktop, then right-click “run as administrator”.
  • Figure out the ID of your “Teredo Tunneling Pseudo-Interface” using “route print” and looking at the “Interface List” at the top of its output. In my case, it is “14″. Then, using this ID, add a default route that forces all IPv6 traffic through Teredo: netsh interface ipv6 add route ::/0 interface=14
  • Use an IPv6-only host to test connectivity. If you can connect to http://ipv6.google.com/, it’s working.  Or you could “ping ipv6.google.com” from command line, which should show you an IPv6 address, and succeed.
  • Keep in mind that Windows Vista will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.

[Edit 2010-02-24 - added Windows 7 and Troubleshooting sections]

Windows 7 [this is the same procedure as for Vista, tested on Win7 x64]

[Edit 2010-04-09 - replaced kludgy workaround for disappearing default route with elegant workaround received through comment]

  • IPv6 and Teredo both are enabled by default in Windows 7, just as in Vista. Also as in Vista, Microsoft have configured DNS so that the system will never resolve any name to an IPv6 address, as long as the system only has link-local and Teredo IPv6 addresses.
  • Thus, we need to hoodwink Win7. As with Vista, we will provide a 6to4 address. Luckly, IPv6 maps the entire ipv4 address space, so we can use that. In reality, it doesn’t matter which address we configure, since it won’t ever be used anyway. Open up the Properties of your LAN or WiFi interface, and change it to have a static IPv6 address. Use either the converted IPv4 address you figured out using the link I gave, or use the 192.168.1.2 equivalent of 2002:c0a8:102:: with a netmask of 48. Do not configure a default gateway for this address.
  • In order for Win7 to resolve names to IPv6 addresses, we need to force it to route traffic through our Teredo interface first. For this, you’ll need to run a Command prompt as “Administrator”. Create a shortcut to a Command prompt on your desktop, then right-click “run as administrator”.
  • Figure out the ID of your “Teredo Tunneling Pseudo-Interface” using “route print” and looking at the “Interface List” at the top of its output. In my case, it is “14″. Then, using this ID, add a default route that forces all IPv6 traffic through Teredo: netsh interface ipv6 add route ::/0 interface=14
  • Use an IPv6-only host to test connectivity. Try to ping ipv6.google.com or connect to http://ipv6.google.com/.
  • Keep in mind that Win7 will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.

In my testing, Win7 would deactivate the default ipv6 route when there was no ipv6 traffic. Thanks to Sam Karim, I can present a fix for this issue: Configure Teredo to be “Default Qualified” so it will not enter into “Dormant” state.

On Windows 7 Business and better:

  • Run “gpedit.msc” from the Start Menu by typing it into the search bar or “Run” bar.
  • Navigate to Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies
  • Double click the “Teredo Default Qualified” setting, change it from “Not Configured” to “Enabled”, and click OK, then close gpedit.msc.
  • The setting should take effect rather quickly, but you can do “gpupdate /force” to force a refresh.

On Windows 7 Home Premium and Starter editions, you will need to manually create a registry key.

  • Open regedit from the Start Menu by typing it into the search bar or “Run” bar
  • Navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
  • Right-click the “Windows” Key and choose New -> Key, create a “TCPIP” Key (observe case)
  • Right-click the “TCPIP” Key and choose New -> Key, create a “v6Transition” Key (observe case)
  • Right-click the “v6Transition” Key and choose New -> String Value, create an entry called “Teredo_DefaultQualified” with a value of “Enabled” (observe case, note the underscore)

Old workaround for reference until I have fully tested the above new-and-improved methods:

Create a text file, name it “fix-ipv6.cmd” (make sure you can see file extensions!) and paste these lines into it:

  1. REM Because Win7 gets rid of ipv6 routes
    netsh interface ipv6 delete route ::/0 interface=14
    netsh interface ipv6 add route ::/0 interface=14
    REM Optionally, run a continuous ping here instead of through a task
    REM ping -t ipv6.google.com
  2. Change the ID of the interface in this text file to the ID of the Teredo interface on your system
  3. Create a task to run a continuous ping. Optionally, just un-comment the ping command in the file you just created.
    Control Panel | System and Security | Schedule tasks
    Create task (on the right)
    General pane: Give it a name, “Run whether user is logged on or not”, “Configure for: Windows 7″
    Triggers: “New”, “At Startup”, hit “OK”
    Actions: “New”, “Start a program”, enter “ping” into “Program/script” and “ipv6.google.com -t” into “Add arguments (optional)”
    Conditions: Uncheck “Start the task only if the computer is on AC power”
    Settings: Check “Run task as soon as possible after a scheduled start is missed”, “If the task fails, restart every” and uncheck “Stop the task if it runs longer than”
  4. After reboot, you’ll need to right-click your “fix-ipv6″ and “Run as administrator”

In my testing, this workaround kept the ::/0 route active. You can check using “route print -6″ – you want to see the ::/0 route in both active and persistent routes. When it is inactive, it shows up only in persistent.

If this all sounds like more trouble than it’s worth, then using a tunnel broker as described in part 3 may be the ticket for you.

Google and v6

You can add a Google-v6-savvy DNS server, such as HE’s 2001:470:20::2, to your LAN or WiFi connection, and this will give you both ipv4 and ipv6 addresses for Google. However, as Windows will always prefer ipv4 if all you have is Teredo, ipv6 won’t be used in that case. If you’d like to use ipv6 for Google/Youtube, take a look at part 3 of this series instead, and go with a tunnel broker.

Troubleshooting

  • Test ipv6 DNS lookup from command line. Note the ping fails to resolve the name, but nslookup can resolve it. This means our DNS server has the entry, but we haven’t configured Win7 yet to use v6 addresses.
    >ping ipv6.google.com
    Ping request could not find host ipv6.google.com. Please check the name and try again.
    >nslookup ipv6.google.com
    Non-authoritative answer:
    Name:    ipv6.l.google.com
    Addresses:  2001:4860:b009::93
    2001:4860:b009::63
    2001:4860:b009::67
    2001:4860:b009::69
    2001:4860:b009::68
    2001:4860:b009::6a
    Aliases:  ipv6.google.com
  • Check that the ::/0 route has been added correctly. Open netsh, navigate to interface ipv6, and enter show route. This is what you want to see:
    netsh interface ipv6>show route
    Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
    ——-  ——–  —  ————————  —  ————————
    No       Manual    256  ::/0                       14  Local Area Connection* 9
  • On my system, after changing the IPv6 address of the LAN interface, that route goes into “limbo”. Meaning show route does not show it, but route print does. In that case, you can delete and re-create it, again from netsh’s interface ipv6 context:
    delete route ::/0 “Local Area Connection* 9″
    add route ::/0 “Local Area Connection* 9″
  • show teredo is useful to see whether Teredo connectivity is there. You want to see your state as “qualified”
    netsh interface ipv6>show teredo
    Teredo Parameters
    ———————————————
    Type                    : client
    Server Name             : teredo.ipv6.microsoft.com.
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : qualified
    Client Type             : teredo client
    Network                 : unmanaged
    NAT                     : symmetric (port)
    NAT Special Behaviour   : UPNP: No, PortPreserving: No
    Local Mapping           :  —
    External NAT Mapping    : —
  • In order for DNS to resolve IPv6 addresses, the LAN/WiFi interface must have a 6to4 address without a default route, Teredo must be working, and a default route through Teredo must be configured. Miss one of those three, and you won’t be able to resolve ipv6 DNS.
About these ads

50 Responses to IPv6 at home, Part 1: Overview, Teredo

  1. Mark says:

    Very useful article. When’s part 2 coming?

    • Sam Karim says:

      Great article! I can’t wait to get on the new FIOS IPv6 trial.

      You mention a pretty complicated script for enabling Teredo “all of the time” and I’d like to share a different method for Windows 7 which is much simpler.

      Windows 7 only:
      Open the local group policy editor, “gpedit.msc” using Run.
      Navigate to Administrative Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies.
      Double click the “Teredo Default Qualified”.
      Enable the control with the radio button and choose “Enabled State” from the pull down menu (ok, that’s the only choice).
      Hit OK and close gpedit.msc.

      The setting should take effect rather quickly, but you can do “gpupdate /force” to force a refresh.

  2. yorickdowne says:

    Thank you for inquiring about part 2. It’s just been posted. I’m still not 100% done with it – the “Windows PC to route for the rest of the network” bit is missing – but it’s functional enough for one PC.

  3. GadgetDave says:

    Thanks for the walkthrough, very helpful.

    A better link for determining appropriate 6to4 ip addressing is:

    http://www.twibble.org/Articles/IPv6/6to4 Explains that anything with a 2002: prefix is a 6to4 address, and that you can convert an ipv4 adddress into hex using the following format:

    2002:aabb:ccdd:: where aa is the hex equivalent of the first byte of your ipv4 address (e.g. 192 in the address of 192.168.0.1) would make an aa of “c0″, and so on where bb is the second byte, cc is the third byte, and dd is the fourth byte.

    If you have access to a linux or *bsd shell, use this:

    printf “2002:%x%02x:%x%02x\n” 192 168 0 1

    (where 192 168 0 1 is the ip address that you want to convert)

    The dnsstuff site requires a login, and payment to function for the ipv6 utils, so is not completely useful to many.

  4. aongenae says:

    Good article to begin with IPv6,
    I now understand why go6 told me that I use IPv4 to reach their website while using teredo…On to other way when I connect to http://www.whatismyipv6.net/ wich support the two it tell me that I use IPv6…

    You don’t say that Teredo exist for Linux/Mac and it’s called Miredo (http://www.remlab.net/miredo)

    I do want to read the next part …

  5. yorickdowne says:

    Thank you for the Linux/Mac insight. I am purposefully not mentioning anything about Linux/Mac. I use Linux only as a headless server, and Mac not at all. I’m not writing these articles as quickly as I thought I would, and that’s with just XP64 and Vista64 to worry about. I’ll leave the Linux/Mac stuff to insightful folk like yourself, who are kind enough to add value in comments :).

  6. Hello, thanks for writing this how to on IPv6 and Teredo.

    I was wondering if you could help me get Teredo up and running on my system. I followed your instructions and I’m unable to ping any v6 websites. My host system is connected to the internet directly so my home router shouldn’t be an issue. FWs have been disabled to rule that out as well.

    Since I know that Teredo requires a Teredo Server and Relay, your instructions for Xp only mentioned the use of teredo.ipv6.microsoft.com as the Teredo server. What relay were you using?

    I’m also in Massachusetts, beautiful weather we’re having huh?

    Sincerely,

    Erik

  7. yorickdowne says:

    Teredo relays serve the endpoint you are trying to access, not your client, thus they are not configured on the client. A more in-depth explanation can be found at the wikis, here: http://en.wikipedia.org/wiki/Teredo_tunneling

    If the issue you are experiencing has its roots in your client machine configuration, you are likely running into an issue with the “forcing traffic through Teredo by means of a fake v6 address and a route” trick. Is “netsh int ipv6 show teredo” providing any useful information?

  8. Here is the output of show teredo:

    Teredo Parameters
    ———————————————
    Type : client
    Server Name : teredo.ipv6.microsoft.com
    Client Refresh Interval : default
    Client Port : default
    State : qualified
    Type : teredo host-specific relay
    Network : unmanaged
    NAT : restricted

    I guess my issue is that I’m not being assigned a valid v6 address.

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%4
    Default Gateway . . . . . . . . . :

    Here’s the output of show routes

    Querying active state…

    Publish Type Met Prefix Idx Gateway/Interface Name
    ——- ——– —- ———————— — ———————
    no Autoconf 10 2001::/32 4 Teredo Tunneling Pseudo-Interface
    yes Manual 1101 ::/0 3 2002:c058:6301::c058:6301
    yes Manual 1001 2002::/16 3 6to4 Tunneling Pseudo-Interface

  9. yorickdowne says:

    I would hazard a guess and say you have a NAT issue. show teredo claims you are behind “restricted” NAT, but that seems unlikely in a home environment. More likely, you are behind some sort of PAT, which Teredo calls “Symmetric NAT”. Teredo on Windows XP does not handle PAT at all.

    You don’t necessarily want to have to redesign your entire home network. My recommendation at this point would be to skip to part 2 of the series and configure an AYIYA tunnel – or go even further and look at some of the tunnel brokers mentioned there and set up a static tunnel on a router.

    The easiest way to get v6 connectivity at home that I know of, BTW, is to get an Apple Airport Extreme, which has one-click ipv6 tunnel setup built right in. I have not personally used the unit, but online reports of the ipv6 setup are favorable.

  10. So I figured out my Teredo issue and it does make sense.

    I had 6to4 enabled on my system which was giving me a valid Global unicast address for my Hamachi interface. When I disabled the 6to4 service, Teredo finally kicked in with a valid 2001::/32 unicast address for my system and now all is well.

    I also came across this and might be of help for *some* users who are still experiencing issues.

    “NOTE for Windows XP users
    Once Teredo became RFC, the old IPv6 prefix from 6BONE (3ffe:8319::/32) has been replaced by the IANA allocated one, 2001::/32. This change, together with the 6Bone phase-out on 6/6/2006, requires a modification in the old Windows XP Teredo Clients to support it. Teredo client in Windows Vista does not require such a modification.
    The modification of Windows XP Teredo clients can be done with any of the folowing two ways:
    A) Installing the Windows Update KB922819. Note that if you have installed the Peer Name Resolution Protocol (PNRP), which is available in the Windows Update KB920342, then you do not need to install the KB922819 update.
    B) Adding or altering the REG_DWORD value of the \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\GlobalParams\TeredoPrefix entry in the Windows Registry. The REG_DWORD value is interpreted as a 32 bit prefix, in network byte order. To do that just follow the following steps:
    1. Run the regedit.exe program: Start -> Run -> Write regedit.exe and then click on OK button.
    2. Browse through the registry tree to check if the
          \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\GlobalParams\TeredoPrefix
          entry exists. If don’t so, add it.
    3. Add/modify the REG_DWORD value to 0×00000120 (288).
    4. Reboot your system.
    5. Follow the configuration guides for Windows XP/ Windows 2003 below for configuring your Windows Teredo Client.
    For that modification to work it is essential that the Teredo Server advertises the new IPv6 prefix (2001:0000::/32).
    Teredo Client implementation in Windows Vista supports the new IPv6 prefix without modifications.”

    Source: http://www.ipv6tf.org/index.php?page=using/connectivity/teredo

    I hope this information helps someone out there.

    Sincerely,
    Erik

    • Susanne says:

      After having searched high and low for a tutorial how to set this up on Windows 7, finally, here is a useful and understandable (for a run-of-the-mill computer user) explanation!
      Thank you!

      I still have to run your ipv6-fix after every reboot, but still, that’s easy enough.
      Changing the setting in gpedit doesn’t seem to work here.

  11. petermoses says:

    You can check this application which uses teredo to safely access a system over internet & disables it after usage…

    http://www.lanoninternet.com

  12. Marlow says:

    Hi,

    thanks for a good article. This explained a few issues we were seeing with Vista clients and teredo.

  13. Faheem Syed says:

    Hi,
    The Explanation is great. This gave me an oppurtunity to ask one of a burning issue which I am facing for last 2 months. I need to establish a stateful DHCPv6 in a test lab to gain control over client population using predetermined scopes of IPv6 address. So far Couldnt succeed on windows platform (server 2000, 2003, 2008). Windows 7 Seems to be a good client OS but Servre OS to support DHCPv6 (stateful and to go beyond /64) is not there. Any help on this, pls. It will really be appreciated.
    Thanks.
    Faheem

  14. John Fleuren says:

    If anyone is interested. I did get it to work and its much the same as for the Vista advice here. I just interpreted some things wrong.

    Three things I did were:

    1)add address 2002:A01:104::/48 to TCP/IPV6 item of wireless network adapter via the connection properties dialog. (note this is the Wireless Adapter LAN address 10.1.1.4)

    2)Add IPV6 route to teredo with
    netsh interface ipv6 add route ::/0 “Teredo Tunneling Pseudo-Interface”

    3)Add IPV6 route to Wireless Network Connection with
    netsh interface ipv6 add route ::/0 “Wireless Network Connection”

    It works but its shaky.

    For 1) I originally used the IPV6 equivalent of my WAN IP address. I thought it didn’t matter what that address was. But it didn’t work.

    For 2) and 3) the naming convention for local adapters is changed from vista to be more descriptive. I don’t have Vista, so it took a long time to never find this Local Area Connection* xx. (Silly me)

    Finally still looking for that ipv6 renew command that has dissapeared from windows 7. I am sure there must be a simple replacement for it.

    Good luck everyone with IPV6 on windows 7.

  15. yorickdowne says:

    I’ve added a Win7 section. It is the same procedure as for Vista. You only want one ::/0 route through Teredo, definitely not two of those.

    The renew command is still there: ipconfig /release6 and ipconfig /renew6

  16. John Fleuren says:

    Very nice to see the Win7 section.

    There isn’t much internet information aimed at the casual PC user on IPV6. But the high level’over my head stuff’ does provide a fair bit of material for trial and error learning.

    I did end up eventually doing pretty much of what you prescribe in the new Win7 section (using batch files).

    The command ROUTE -p add ::/0 :: if “interface number” was usefull to set up a persistent route through the teredo interface.

    I notice that it can take some time before an IPV6 session begins to resolve Domain Names. Is this because it takes time to “seed” the connection? Would hese commands help speed things up
    “netsh p2p pnrp cloud start Global_” and
    “netsh p2p pnrp cloud synchronize seed Global_”?

  17. yorickdowne says:

    In my testing, as long as the default route is active, DNS resolution works right away. I will lose the very 1st ping, with traffic being smooth after that – not that you’d notice when you have a continuous ping going, though.

    Teredo does not tie into the p2p networking mechanism provided by Windows at all, as far as I know. Therefore, no, I don’t think those commands will make a difference.

    When you have trouble with DNS resolution, check your routing table. Is there an active ::/0 route? And does it terminate on your Teredo interface?

    The one thing that kept tripping me up in testing was that while the ::/0 route was shown as “persistent”, it wasn’t shown as active right after boot, or after a period of ipv6 idle time.

    Teredo is a pretty good mechanism. Built-in, and fast – now that HE has deployed their Teredo relays, that is. And MS meant it to be used on a per-application basis, for example by DirectAccess. Using it to give the whole system ipv6 connectivity is not “as intended” – and thus do-able, but not a streamlined process.

  18. John Fleuren says:

    Thanks so much for the informative and indeed most useful reply.

    I’ve never checked if the default route is active or not on the Teredo Interface, but will do so now.

    In case anyone wonders why I bother with IPV6 and Teredo:-
    For people like me with a low speed / limited data broadband (typical in Australia)it provides a practical and convenient way to get free access to usenet IPV6 test servers. Its a win – win for all.

  19. yorickdowne says:

    I had wondered – thank you for explaining. Out of curiosity: Are you using an Australian Teredo server, then, such as debian-miredo.progsoc.org? And what made you decide against using a tunnel broker, such as gogonet?

  20. John Fleuren says:

    I briefly looked for alternative Teredo servers but didn’t notice any Aussie ones. I ended up leaving it set to the teredo.remlab.net server. I will try the one you mentioned though.

    Re not using a tunnel broker:
    I was on Win XP using free IPV4 usenet servers, but it became difficult so I jumped on the new IPV6 servers. Teredo on Win XP was very easy to get going, and I assumed it would be even easier on Win 7. Of course it didn’t work and I got interested in finding out why it was so.

    When I got it all working there was no need for shifting to another transition method.
    (The DNS issue wasn’t a problem for me because I directly addressed the usenet servers).

  21. Bobbuck says:

    It amazes me in this day and age and with the hundreds of billions of dollars profit Microsoft makes, you can’t buy a windows 7 laptop and network it with a windows 7 PC without having a Harvard degree in computer science?

    Absolutely ridiculous!

    • yorickdowne says:

      Bobbuck, I’ll, ah, leave the Microsoft networking tech support to Microsoft. Suffice it to say that this series of articles is about bringing IPv6 (next-generation Internet addressing) into the home of early adopters. This is an article for geeks, written by a geek. As for someone who just wants a home network and some Internet, your best bet is to stick with what comes from your ISP and “out of the box” – and that’ll be an IPv4 network. Not that you need to know or care. It does, actually, “just work” in that case. Good luck!

  22. Will says:

    Hello,

    Thanks for writing this, there are surprisingly few documents online detailing the steps to get IPv6 sites running in, say, Firefox. That said, I am still having trouble connecting to an ipv6 website (ipv6.google.com) using Firefox, but am able to ping -6 it perfectly fine. I am running Windows 7 and followed the steps you described. When configuring the properties of my LAN connection I used 2002:c0a8:102:: and 48 (even though it auto-completed the subnet field with 64) and left the DNS info blank (which admittedly may be the problem). I then ran the command “netsh interface ipv6 add route ::/0 interface=13″ (mine was 13) and got the message “The object already exists.” I then did the gpedit.msc stuff, which worked fine. Finally, after all of that, I not only couldn’t connect to ipv6.google.com, but I couldn’t ping it either. Changing the LAN properties back to auto appears to bring me back to square one, allowing me to ping but not reach ipv6.google.com via web browser. Any idea of what might be the problem? Should I try disabling 6to4 in the gpedit.msc? Should I fill in the DNS fields of the LAN properties with something?

    Thanks a lot,
    Will

  23. Will says:

    I got it working!… sort of. I found some info from http://m.slickdeals.net/forums/showthread.php?t=1597859, which based most of the process off of this site. Basically, I needed to use an IPv6 address when editing my LAN properties that was based off my actual IPv4 address and not the general one used here. Still didn’t need to provide DNS either. I used the IPv6 address found from http://ip-lookup.net/conversion.php.

    The problem I’m facing now is that IPv6 connectivity via pings and browsers fails after about five minutes of non-use and can be restarted only after running the following command:
    netsh interface ipv6 add route ::/0 interface=13
    And then 5 minutes later it’s gone again.

    I thought that editing gpedit.msc to have Teredo Default Qualified enabled would fix the issue, but it has not. I also tried to enable Teredo Refresh Rate with a value of 1 second, but that didn’t work. The only way to re-enable IPv6 is to run the above command again.

    Any ideas on how to maintain IPv6 connectivity?

    Thanks,
    Will

    • yorickdowne says:

      Yeah, that’s why I had a continuous ping running for a while, to avoid that timeout. The old workaround is still in the article, if the “more elegant” method doesn’t work for you.

      I really only ever used Teredo for testing and to write the article. Day-to-day, I am running a 6in4 tunnel off my Juniper SSG to Hurricane Electric. If I didn’t have the Juniper, I’d likely use a gogonet tunnel, or a 6to4-capable router.

      I am curious what advantage Teredo has for you over gogonet, or 6to4, or 6in4. I see people using Teredo a lot, and given the fight Windows 7 puts up, I am really curious. There must be something compelling about it, or people wouldn’t use it.

      • Will says:

        The problem is that I’m behind a router with NAT that I can’t do anything about. I don’t believe it is IPv6 capable either. I’d like to use 6to4 or 6in4, but I think with my set up I can’t. That said, I have a CentOS box that’s able to use 6to4 with the same router, where I was able to just tell 6to4 what global IPv4 address (the router’s address) to use. Is there any way to set up 6to4 on Windows 7 where the machine is behind a router with NAT and (probably) no IPv6 support?

        Thanks,
        Will

  24. yorickdowne says:

    Gogonet is a lot easier to set up than Teredo, and works fine behind NAT. In hindsight, maybe I should have started with that. When I planned these blog posts, I wanted to end with what I guessed would be the easiest way to connect. Maybe I should have led with that instead.

  25. RaFi says:

    One word: AddrConfigControl
    (look it up in Google)

    This will solve your Teredo DNS problem.

    • John Fleuren says:

      I never did get DNS resolution to work very well with Teredo and Win 7. Maybe this great tip will fix that.

      Nu longer use Teredo as I now have a subscription to a IPV4 usenet server (rather than using free IPV6 test servers)

      Will try this Tip though and see if it will now reliably resolve.

  26. RaFi says:

    the prefixpolicy has also influence on DNS resolution. You can try to _remove_ prefixpolicies for 2002::/16 and 2001::/32

  27. Vladimir says:

    Better way to enable Teredo in Vista or Win7:
    netsh interface teredo set state enterpriseclient teredo.remlab.net
    (teredo.remlab.net is good choice for Europe)
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters /v AddrConfigControl /t REG_DWORD /d 0
    You may copy this commands and put to your cmd line.

  28. [...] How want to understand better teredo tunneling, try this: yorickdowne.wordpress.com http://www.pps.jussieu.fr This entry was posted in Computers and Internet and tagged IE8, IPV6. [...]

  29. robert says:

    Excellent Article

    How can I access a dual stack web site from Teredo but get to it as IPv6. I tried entering the ipv6 address in the browser [IE8] e.g. http://%5B2404:d000:100:ff00::17]/ but it still won’t work. This format does work for ipv6 only sites

    • yorickdowne says:

      There could be a number of things at play here: The site may not actually be reachable via ipv6 (that address you gave isn’t responding to ping or http), or it may be something IE-related, or Teredo-related.

      With all of the hoops to jump through to make Teredo work – from name resolution to avoiding tunnel timeout – I think it much easier to use the tunnel described in part 3, or, if an IPv6-capable router is available, a 6in4 tunnel via HE.

      Give the tunnel described in part 3 a go, which is a breeze to set up, and see how it behaves. That would at least remove Teredo-related issues from your troubleshooting.

      • robert says:

        Thank you for the reply the dual stack address I provided i.e. 2404:d000:100:ff00::17 is http://www.ipv6.govt.nz and is definately accessable as IPv6 at least according to http://ipv6-test.com/validate.php

        Meanwhile I’ll read part 3 of your article :)

      • yorickdowne says:

        That is so strange. Maybe HE doesn’t route it? I can’t ping it, and tracert times out after the first hop.

        It’s an IPv6 black hole! HE’s looking glass claims that “the address that you entered does not have a matching route entry”. Spot-testing a few routers in Europe and Asia, I get the same result. Maybe nz doesn’t advertise routes worldwide? The NZ govt’s v6 network isn’t well-connected to the “Internet v6 backbone”? It’s got to be something along those lines.

  30. robert says:

    I tried HE looking glass and can get a successful tracert to fx.net.nz [the last mile ISP] at least from their Tokoyo & Singapore nodes. http://www.ipv6.govt.nz will not respond to ping or tracert. Can you get to the site as IPv4 ?

  31. Zeke says:

    Nice work on the tutorial. I recently changed my main router from a WRT54GS v2.1 (8MB Flash) to a DIR-615 D2 (4MB) for the increased performance I need for upgrading to 30Mb or 50Mb VM broadband. In the process I had to go from the Mega build of DD-WRT to the standard one, which for whatever reason means loss of the IPv6 support via Radvd/6to4 scripting.

    Additionally I had wanted to look into a lightweight solution to allow tunnelling regardless of network infrastructure (for example when away from home) as I like having IPv6 support especially when the AAAA record resolves to a seperate server from the sometimes overloaded IPv4 equivelents. I didn’t want to sign up for a broker, especially considering the bad press around SixXS (HE fares better) so this is a good stopgap.

    As far as I can tell, ports don’t need to be opened/forwarded on the router. Upon bootup all I have to do is run the small batch file to delete and add the ::/0 route again. Assuming I haven’t added or removed a network device the Teredo interface number does not change, and even if it does a quick edit of the batch file on my modified Quick Launch/Programs menu on the Win7 startbar is quick and painless enough. All I have to do is wait for the wireless to find my preferred network, negotiate the connection, run the batch file and then open my browser.

    To get around the IPv4 preference it was necessary to reorder the prefixes using command line netsh commands. My list now resembles the following:

    50 0 ::1/128 = localhost
    40 1 ::/0 = default (IPv6 native)
    30 2 2002::/16 = 6to4 (IPv6)
    20 3 ::/96 = IPv4 compatibility
    10 4 ::ffff:0:0/96 = IPv4 compatibility
    5 5 2001::/32 = Teredo (IPv6)

    The list itself aims to future proof somewhat by having native IPv6 first, followed by Teredo and 6to4 tunnelling before falling back to regular IPv4.

    I have also employed the “default qualified” tip mentioned, although it doesn’t seem to keep IPv6 tunnelling alive. I recommend also enabling the Teredo Refresh Rate within gpedit.msc; I have mine set to 60 seconds and this seems to stop the timeout even after five minutes or so, which I believe was the exact amount of time the tunnel would fail after disuse.

    Once again, thanks for the tutorial. Although Teredo is not a flawless workaround I have managed to make it almost seamless to use with the pointers here and those elsewhere which were precipitated by this article.

  32. Zeke says:

    My apologies; the list included with my previous post is in the wrong order! Here is the correct one I use, gleaned using the “netsh interface ipv6 show prefix” command.

    50 0 ::1/128 = localhost
    40 1 ::ffff:0:0/96 = IPv4 compatibility
    30 2 ::/96 = IPv4 compatibility
    20 3 2002::/16 = 6to4 (IPv6)
    10 4 2001::/32 = Teredo (IPv6)
    5 5 ::/0 = default (IPv6 native)

    Note that this list appears to change when Teredo’s interface number does, or at least from my observations that is what occurs. As a failsave you could always use the “set prefix” subcommand to reset the list after removing and reinstating the tunnel (i.e. after bootup or when changing networks).

  33. Jim says:

    Regarding Teredo and the Symmetric NAT / Windows XP issue…

    After playing around with Windows XP SP3 and a Symmetric NAT, I did get it to work.

    First use port forwarding on the NAT (UDP 3544 to UDP 3544) then specify the same port with the parameter ClientPort=portnumber on the client as follows:

    netsh interface ipv6 set teredo client ClientPort=3544

    thats all there is to it.

  34. Jake says:

    I can ping ipv6.google.com directly (that is, ping the actual ip address), but since I am using windows 7 DNS resolution doesn’t work. So I tried the workaround posted here (set a static IP), but as soon as I set a static IP address in the network adapter settings, I get a “general failure” in ping, and all ipv6 connectivity ceases to function.

    What could be wrong?

  35. Greg says:

    On Windows 7, make a registry modification to enable DNS resolution of AAAA records.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Parameters

    Add a DWORD value “AddrConfigControl” = 0

    You should now be able to navigate to ipv6 sites such as ipv6.google.com

  36. NeneaAla says:

    I checked the route and it’s persistent, I checked teredo and it is qualified. I did everything listed but the ::/0 route STILL dies after a while.

  37. NeneaAla says:

    I am dropping this comment here for the issue I listed above, for anyone who will have this issue.

    If your ::/0 route drops from active, add a ::/1 and an 8000::/1 route instead.

    I’ve noticed that for some reason ::/0 refuses to stay active under routes, but ANY OTHER route will have no problem, so instead of adding one route with the whole IP range, add those 2 routes, each containing each half the IPs. It’s the same thing.

    • yorickdowne says:

      Clever. Though I still prefer not to use Teredo at all, it just seems it takes too many workarounds to make it do what MS didn’t mean it to do.

    • Susanne says:

      I’m probably way too late, but just in case:
      can someone please explain the above a little more?
      I don’t quite understand about adding two routes, each containing half the IPs.

  38. Thanks very much. The registry key is what did it for me and all is working.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: