Hurricane Electric's IPv6 Tunnel Broker Forums


Author Topic: Rogue tunnels ?  (Read 4465 times)

adaviel

  • Newbie
  • Posts: 3
Rogue tunnels ?
« on: May 24, 2011, 08:10:18 PM »

Let's see if I can explain this without getting totally muddled ....

I have a number of Linux machines, on a few of which I have set up a 6in4 tunnel, so that they are on IPv6 with 2001: prefixes. One is at home, one at work. I can send traffic from one to another, and if I look on the network router, I see ip encapsulated traffic type 41 as expected.

Generally, all the Linux machines have a fe80:: scope:link address, and often a fec0:: scope:site address.
Many also have a 2002: scope:global address. I'm not sure where that is coming from. If I ping6 those addresses from home, i.e. from offsite, I can see an encapsulated icmp6 packet at the router coming from 192.88.99.1 to a laptop onsite. The laptop owner does not know anything about it. I'm guessing that if I wait long enough, I'll see router advertisement packets coming from the laptop, but as I write it's gone offline.
I was trying to test an HE tunnel and was confused to see traffic routed via 2001:478:235::7 (ARIN says EP-NET Almond Oil Process) when I thought I had disabled the tunnel.

Is there a chance this is malware? Or just a Teredo tunnel on Windows that got active somehow?

I also see various Windows machines trying to ping6 2002:c058:6301::c058:6301 via 192.88.99.1, but get "hop limit".


jimb

  • Hero Member
  • Posts: 805
Re: Rogue tunnels ?
« Reply #1 on: May 24, 2011, 08:18:28 PM »

It's 6to4.

adaviel

  • Newbie
  • Posts: 3
Re: Rogue tunnels ?
« Reply #2 on: May 25, 2011, 03:02:59 PM »

> It's 6to4.
OK, I see that now - someone upstream must be advertising 192.88.99.1.

Is this normal for Windows 7 or Macs now to try 6to4 without human intervention? They are probably going to get worse connectivity to dual-homed servers than going through IPv4, apart from the firewall-bypassing issues.

Looks like this laptop is in fact sending ip6 router advertisements around the LAN. Have to chase them down and find out why.

jimb

  • Hero Member
  • Posts: 805
Re: Rogue tunnels ?
« Reply #3 on: May 25, 2011, 04:36:23 PM »

> It's 6to4.
> OK, I see that now - someone upstream must be advertising 192.88.99.1.
>
> Is this normal for Windows 7 or Macs now to try 6to4 without human intervention? They are probably going to get worse connectivity to dual-homed servers than going through IPv4, apart from the firewall-bypassing issues.
>
> Looks like this laptop is in fact sending ip6 router advertisements around the LAN. Have to chase them down and find out why.
I'm pretty sure 6to4 is on by default on Macs and I know Teredo and I think 6to4 is on in Windows 7.

192.88.99.1 is an anycast address for 6to4 relays, so anyone running a relay is advertising that, as well as the 2002::/16 space.
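Since every 2002: address carries the IPv4 address that generated it, decoding that field is the fastest way to find out which IPv4 host or NAT is behind a mystery 6to4 address on the LAN. This is an added example, not code from the thread: the observed addresses and the site's public IPv4 (203.0.113.5) are constructed placeholders.

```python
import ipaddress

# 6to4 prefix (RFC 3056) and the 6to4 relay anycast address (RFC 3068)
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")


def embedded_ipv4(addr):
    """Return the IPv4 address embedded in a 2002::/16 address, else None."""
    ip6 = ipaddress.IPv6Address(addr)
    if ip6 not in SIX_TO_FOUR:
        return None
    # Layout is 2002:VVVV:VVVV:subnet::iid, so the IPv4 address occupies
    # bits 16..47 of the 128-bit value; shift the low 80 bits away.
    return ipaddress.IPv4Address((int(ip6) >> 80) & 0xFFFFFFFF)


def classify(addr, site_public_v4):
    """Label an observed IPv6 address by what its embedded IPv4 tells us."""
    v4 = embedded_ipv4(addr)
    site = ipaddress.IPv4Address(site_public_v4)
    if v4 is None:
        return "not-6to4"
    if v4 == RELAY_ANYCAST:
        return "6to4-relay-anycast"        # the 2002:c058:6301:: relay address
    if v4 == site:
        return "local-host-6to4"           # a host here auto-configured 6to4
    if v4.is_private:
        return "6to4-with-private-ipv4"    # built from RFC 1918 space; cannot work
    return "external-6to4"


def audit(observed, site_public_v4):
    """Map each observed address to (embedded IPv4 or None, label)."""
    return {
        a: (str(embedded_ipv4(a)) if embedded_ipv4(a) else None,
            classify(a, site_public_v4))
        for a in observed
    }


if __name__ == "__main__":
    # Constructed sample, e.g. gathered from `ip -6 addr` or a packet capture
    seen = ["2002:cb00:7105::1", "2002:c058:6301::c058:6301",
            "2002:c0a8:101::1", "2001:db8::1", "fe80::1"]
    for addr, (v4, label) in audit(seen, "203.0.113.5").items():
        print(f"{addr:28} {str(v4):16} {label}")
```

A 2002: address whose embedded IPv4 is your own public address was generated by a host on your side of the NAT, which narrows the search for the machine that is also emitting router advertisements.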

cholzhauer

  • Hero Member
  • Posts: 2714
Re: Rogue tunnels ?
« Reply #4 on: May 25, 2011, 05:31:23 PM »

6to4 is enabled by default on Windows 7. Teredo is installed, but does need to be configured if you want to use it.

adaviel

  • Newbie
  • Posts: 3
Re: Rogue tunnels ?
« Reply #5 on: May 25, 2011, 05:35:37 PM »

> 6to4 is enabled by default on Windows 7. Teredo is installed, but does need to be configured if you want to use it.

Thanks guys. I found that "share this interface" was checked on the wireless interface, so per http://programming4.us/desktop/2762.aspx the machine was sending out RAs.