SixXS::Sunset 2017-06-06

Rogue tunnels ?
[ca] Shadow Hawkins on Wednesday, 25 May 2011 08:30:27
I have a number of Linux machines, on a few of which I have set up a 6to4 tunnel, so that they are on IPv6 with 2001: prefixes. One is at home, one at work. I can send traffic from one to another, and if I look on the router, I see ip encapsulated traffic type 41 as expected. Generally, all the Linux machines have a fe80:: scope:link address, and often a fec0:: scope:site address. Many also have a 2002: scope:global address. I'm not sure where that is coming from. If I ping6 those addresses from offsite, I can see an encapsulated icmp6 packet at the router coming from 192.88.99.1 to a laptop onsite. The laptop owner does not know anything about it. I'm guessing that if I wait long enough, I'll see router advertisement packets coming from the laptop, but as I write this it's gone offline. (I was trying to test a tunnel and was confused to see traffic routed via 2001:478:235::7 (ARIN says EP-NET Almond Oil Process) when the tunnel was down.) Is there a chance this is malware ? Or just a Teredo tunnel on Windows that got active somehow ? I also see various Windows machines trying to ping6 2002:c058:6301::c058:6301: via 192.88.99.1, but get "hop limit"
Rogue tunnels ?
[ch] Jeroen Massar SixXS Staff on Wednesday, 25 May 2011 09:16:08
I have set up a 6to4 tunnel, so that they are on IPv6 with 2001: prefixes.
6to4 lives in 2002::/16, and 2001::/32 is Teredo, thus I assume that you mean that you have a static tunnel (6in4 is a reasonable term) with global unicast address space (2000::/3).
Many also have a 2002: scope:global address
That is 6to4.
coming from 192.88.99.1
That is the 6to4 anycast address, as such the closest instance of that will be used.
Or just a Teredo tunnel on Windows that got active somehow ?
It is 6to4. Windows tries to get native IPv6, if it does not have that it falls back to 6to4 or if that fails to Teredo. To disable 6to4 and Teredo issue the following in a command prompt (cmd.exe):
netsh interface ipv6 6to4 set state disabled
netsh interface teredo set state disabled
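The reply above keys on address ranges: 2002::/16 is 6to4 (with the host's public IPv4 embedded after the prefix), 2001::/32 is Teredo, and 192.88.99.1 is the 6to4 relay anycast address. The following is an added example, not code from the thread or from SixXS, that an administrator could run over a list of IPv6 addresses harvested from the LAN (neighbour tables, logs) to tell these apart and to decode the IPv4 endpoints hidden inside 6to4 and Teredo addresses. The sample address list is constructed; the range constants are the well-known allocations, and the Teredo example address is a textbook one, not something from this page.

```python
import ipaddress

# Well-known IPv6 ranges relevant to the thread (standard allocations, not page-specific):
SIXTO4 = ipaddress.ip_network("2002::/16")      # 6to4, RFC 3056
TEREDO = ipaddress.ip_network("2001::/32")      # Teredo, RFC 4380
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
SITE_LOCAL = ipaddress.ip_network("fec0::/10")  # deprecated by RFC 3879
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
SIXTO4_RELAY_ANYCAST = ipaddress.ip_address("192.88.99.1")  # RFC 3068


def classify(addr):
    """Name the address kind. The transition ranges are tested first because
    both 2002::/16 and 2001::/32 sit inside 2000::/3."""
    a = ipaddress.IPv6Address(addr)
    if a in SIXTO4:
        return "6to4"
    if a in TEREDO:
        return "teredo"
    if a in LINK_LOCAL:
        return "link-local"
    if a in SITE_LOCAL:
        return "site-local (deprecated)"
    if a in GLOBAL_UNICAST:
        return "global unicast"
    return "other"


def decode_6to4(addr):
    """IPv4 endpoint embedded in bits 16..47 of a 6to4 address, or None."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTO4:
        return None
    return str(ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF))


def sixto4_prefix(ipv4):
    """The /48 a host derives from its public IPv4 address when it enables 6to4."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Network(f"2002:{v4 >> 16:04x}:{v4 & 0xFFFF:04x}::/48"))


def decode_teredo(addr):
    """Teredo server, flags, client port and client IPv4 (RFC 4380 layout:
    port and client address are stored XORed with all-ones)."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO:
        return None
    raw = int(a)
    return {
        "server": str(ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)),
        "flags": (raw >> 48) & 0xFFFF,
        "port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def audit(addresses):
    """Turn addresses seen on the LAN into findings. 6to4 and Teredo addresses
    are flagged: they mean a host is tunnelling IPv6 over IPv4 on its own,
    outside the tunnel the administrator set up deliberately."""
    findings = []
    for addr in addresses:
        kind = classify(addr)
        entry = {"address": addr, "kind": kind, "flag": kind in ("6to4", "teredo")}
        if kind == "6to4":
            endpoint = decode_6to4(addr)
            entry["ipv4_endpoint"] = endpoint
            entry["via_relay_anycast"] = endpoint == str(SIXTO4_RELAY_ANYCAST)
        elif kind == "teredo":
            entry.update(decode_teredo(addr))
        findings.append(entry)
    return findings


# Constructed sample: one address of each kind the thread mentions, plus the
# 6to4 form of the relay anycast address and a textbook Teredo address.
SAMPLE = [
    "fe80::216:3eff:fe01:2345",
    "fec0::1",
    "2001:db8::7",
    "2002:c058:6301::c058:6301",
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Feeding the script the address the original post saw being pinged, 2002:c058:6301::c058:6301, decodes to 192.88.99.1, which is why it shows up as 6to4 traffic to the relay anycast address rather than as anything host-specific; any other 2002: address on the LAN decodes to the public IPv4 of whichever host auto-enabled 6to4.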
Rogue tunnels ?
[ca] Shadow Hawkins on Thursday, 26 May 2011 00:21:16
Yes, I have a 6in4 tunnel to a single endpoint. I found that the laptop is indeed sending ipv6 router advertisements across the LAN, and someone upstream must be advertising 192.88.99.1. Is that true, that Windows 7 will automatically try the anycast address to get a tunnel, bypassing a better-routed IPv4 path to dual-homed servers ? I presume that the router advertisement is aberrant. Do you know how that is controlled ?
Rogue tunnels ?
[ca] Shadow Hawkins on Thursday, 26 May 2011 02:31:29
Apparently this is normal for Windows, per http://programming4.us/desktop/2762.aspx I found the laptop had "share this interface" checked on the wireless card for some reason. The user did not know why.


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker