Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Rogue tunnels ?

Started by adaviel, May 24, 2011, 08:10:18 PM


adaviel

Let's see if I can explain this without getting totally muddled ....

I have a number of Linux machines, on a few of which I have set up a 6in4 tunnel, so that they are on IPv6 with 2001: prefixes. One is at home, one at work. I can send traffic from one to another, and if I look on the network router, I see ip encapsulated traffic type 41 as expected.

Generally, all the Linux machines have a fe80:: scope:link address, and often a  fec0:: scope:site address.
Many also have a 2002: scope:global address. I'm not sure where that is coming from. If I ping6 those addresses from home, i.e. from offsite, I can see an encapsulated icmp6 packet at the router coming from 192.88.99.1 to a laptop onsite. The laptop owner does not know anything about it. I'm guessing that if I wait long enough, I'll see router advertisement packets coming from the laptop, but as I write it's gone offline.
I was trying to test an HE tunnel and was confused to see traffic routed via 2001:478:235::7 (ARIN says EP-NET Almond Oil Process) when I thought I had disabled the tunnel.

Is there a chance this is malware? Or just a Teredo tunnel on Windows that got active somehow?

I also see various Windows machines trying to ping6 2002:c058:6301::c058:6301 via 192.88.99.1, but get "hop limit".


jimb


adaviel

Quote from: jimb on May 24, 2011, 08:18:28 PM
It's 6to4.
OK, I see that now - someone upstream must be advertising 192.88.99.1.

Is this normal for Windows 7 or Macs now to try 6to4 without human intervention? They are probably going to get worse connectivity to dual-homed servers than going through IPv4, apart from the firewall-bypassing issues.

Looks like this laptop is in fact sending ip6 router advertisements around the LAN. Have to chase them down and find out why.

jimb

Quote from: adaviel on May 25, 2011, 03:02:59 PM
Quote from: jimb on May 24, 2011, 08:18:28 PM
It's 6to4.
OK, I see that now - someone upstream must be advertising 192.88.99.1.

Is this normal for Windows 7 or Macs now to try 6to4 without human intervention? They are probably going to get worse connectivity to dual-homed servers than going through IPv4, apart from the firewall-bypassing issues.

Looks like this laptop is in fact sending ip6 router advertisements around the LAN. Have to chase them down and find out why.
I'm pretty sure 6to4 is on by default on Macs and I know Teredo and I think 6to4 is on in Windows 7.

192.88.99.1 is an anycast address for 6to4 relays, so anyone running a relay is advertising that, as well as the 2002::/16 space.
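The 2002: addresses in the thread carry the host's public IPv4 in their second and third groups, which is how 2002:c058:6301:: maps back to the 192.88.99.1 relay anycast. The following is an added example, not code from the thread or from HE, that classifies IPv6 addresses seen on a LAN and pulls the embedded IPv4 out of 6to4 and Teredo addresses so an inventory can tell which hosts are auto-tunnelling and from which public address; the sample list is constructed apart from the 6to4 relay address and the RFC 4380 Teredo example.

```python
import ipaddress

# Constructed sample list: the 6to4 relay address from the thread plus made-up neighbours.
SAMPLE_ADDRESSES = [
    "2002:c058:6301::c058:6301",              # 6to4 form of the 192.88.99.1 relay anycast
    "2002:c000:201::1",                       # constructed: 6to4 host behind public 192.0.2.1
    "fe80::21c:c0ff:fe12:3456",               # constructed link-local
    "fec0::1",                                # deprecated site-local, as seen in the thread
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",   # Teredo example address from RFC 4380
    "2001:db8::10",                           # constructed native or configured-tunnel global
]

SIXTO4_RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")


def classify(text):
    """Return (kind, embedded IPv4 or None) for one IPv6 address string.

    A 6to4 or Teredo kind means the host is using an automatic tunnel; the
    embedded IPv4 is the public address it believes it is tunnelling from.
    """
    addr = ipaddress.IPv6Address(text)
    if addr.is_link_local:
        return ("link-local", None)
    if addr.is_site_local:
        return ("site-local (deprecated fec0::/10)", None)
    v4 = addr.sixtofour          # only set for 2002::/16; bits 16-47 hold the IPv4
    if v4 is not None:
        if v4 == SIXTO4_RELAY_ANYCAST:
            return ("6to4 relay anycast", v4)
        return ("6to4 host", v4)
    teredo = addr.teredo         # (server, client) only for 2001::/32; client is de-obfuscated
    if teredo is not None:
        return ("teredo client", teredo[1])
    return ("global (native or configured tunnel)", None)


def auto_tunnel_hosts(addresses):
    """Map each automatic-tunnel address to (kind, embedded public IPv4 as text)."""
    out = {}
    for a in addresses:
        kind, v4 = classify(a)
        if kind in ("6to4 host", "teredo client"):
            out[a] = (kind, str(v4))
    return out


if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print(f"{a:40} -> {classify(a)}")
```

Feed it the source and destination addresses from a protocol 41 capture at the router and the 6to4 hosts resolve to the site's public IPv4, which is the quickest way to confirm that a 2002: address belongs to a machine behind your own NAT rather than to an external peer.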

cholzhauer

6to4 is enabled by default on Windows 7. Teredo is installed, but does need to be configured if you want to use it.

adaviel

Quote from: cholzhauer on May 25, 2011, 05:31:23 PM
6to4 is enabled by default on Windows 7. Teredo is installed, but does need to be configured if you want to use it.

Thanks guys. I found that "share this interface" was checked on the wireless interface, so per
http://programming4.us/desktop/2762.aspx the machine was sending out RAs.