Hurricane Electric's IPv6 Tunnel Broker Forums
Topic: Rogue tunnels?

adaviel « on: May 24, 2011, 08:10:18 pm »

Let's see if I can explain this without getting totally muddled ....

I have a number of Linux machines, on a few of which I have set up a 6in4 tunnel, so that they are on IPv6 with 2001: prefixes. One is at home, one at work. I can send traffic from one to another, and if I look on the network router, I see ip encapsulated traffic type 41 as expected.

Generally, all the Linux machines have a fe80:: scope:link address, and often a fec0:: scope:site address.
Many also have a 2002: scope:global address. I'm not sure where that is coming from. If I ping6 those addresses from home, i.e. from offsite, I can see an encapsulated icmp6 packet at the router coming from 192.88.99.1 to a laptop onsite. The laptop owner does not know anything about it. I'm guessing that if I wait long enough, I'll see router advertisement packets coming from the laptop, but as I write it's gone offline.
I was trying to test an HE tunnel and was confused to see traffic routed via 2001:478:235::7 (ARIN says EP-NET Almond Oil Process) when I thought I had disabled the tunnel.

Is there a chance this is malware? Or just a Teredo tunnel on Windows that got active somehow?

I also see various Windows machines trying to ping6 2002:c058:6301::c058:6301 via 192.88.99.1, but get "hop limit".

jimb « Reply #1 on: May 24, 2011, 08:18:28 pm »

It's 6to4.
adaviel « Reply #2 on: May 25, 2011, 03:02:59 pm »

Quote from: jimb on May 24, 2011, 08:18:28 pm
It's 6to4.
OK, I see that now - someone upstream must be advertising 192.88.99.1.

Is this normal for Windows 7 or Macs now to try 6to4 without human intervention? They are probably going to get worse connectivity to dual-homed servers than going through IPv4, apart from the firewall-bypassing issues.

Looks like this laptop is in fact sending ip6 router advertisements around the LAN. Have to chase them down and find out why.
jimb « Reply #3 on: May 25, 2011, 04:36:23 pm »

Quote from: adaviel on May 25, 2011, 03:02:59 pm (Reply #2 above)
I'm pretty sure 6to4 is on by default on Macs and I know Teredo and I think 6to4 is on in Windows 7.

192.88.99.1 is an anycast address for 6to4 relays, so anyone running a relay is advertising that, as well as the 2002::/16 space.
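The two points above, that 2002::/16 addresses embed a public IPv4 address and that 192.88.99.1 is the 6to4 relay anycast, are exactly what lets you tell "rogue" transition traffic apart from a tunnel you set up on purpose. The following Python is an added example, not code from this thread or from Hurricane Electric: it decodes 6to4 (RFC 3056) and Teredo (RFC 4380) addresses, so that the 2002:c058:6301::c058:6301 target from the original post resolves back to the relay, and it runs a small check over IPv4 flow records to flag protocol-41 and UDP/3544 traffic that does not go to an endpoint you sanctioned. All sample addresses and flow records are constructed (TEST-NET and documentation prefixes); the `tunnel_flows` helper and its record format are this example's own.

```python
"""Decode 6to4/Teredo addresses and flag tunnel flows at the IPv4 border.

Added example, not code from the thread. Decoding follows RFC 3056 (6to4)
and RFC 4380 (Teredo). All sample addresses and flow records below are
constructed for the demonstration.
"""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")      # RFC 3056
TEREDO = ipaddress.IPv6Network("2001::/32")           # RFC 4380
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")       # deprecated by RFC 3879
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")  # 6to4 relay anycast, RFC 3068
TEREDO_UDP_PORT = 3544


def embedded_6to4_ipv4(addr):
    """2002:WWXX:YYZZ::/48 carries the host's public IPv4 address in bits 16..47."""
    return ipaddress.IPv4Address(addr.packed[2:6])


def teredo_details(addr):
    """2001:0:SERVER:FLAGS:PORT':CLIENT', where PORT' and CLIENT' are XORed with all-ones."""
    p = addr.packed
    return {
        "server": str(ipaddress.IPv4Address(p[4:8])),
        "cone": bool(int.from_bytes(p[8:10], "big") & 0x8000),
        "port": int.from_bytes(p[10:12], "big") ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in p[12:16]))),
    }


def classify(text):
    """Return (kind, details) for one IPv6 address string."""
    addr = ipaddress.IPv6Address(text)
    if addr.is_link_local:
        return "link-local", {}
    if addr in SITE_LOCAL:
        return "site-local", {}
    if addr in SIX_TO_FOUR:
        v4 = embedded_6to4_ipv4(addr)
        # A 6to4 address built from 192.88.99.1 is the relay itself, which is
        # what the Windows hosts in the thread were pinging.
        return "6to4", {"ipv4": str(v4), "relay_anycast": v4 == RELAY_ANYCAST}
    if addr in TEREDO:
        return "teredo", teredo_details(addr)
    return "global", {}


def tunnel_flows(flows, sanctioned_endpoints=()):
    """flows: iterable of (ip_proto, src, dst, dst_port) taken from the IPv4 router.

    Returns (src, dst, kind) for protocol-41 (6in4/6to4) and Teredo (UDP/3544)
    traffic, minus protocol-41 flows to endpoints you know about (your HE tunnel).
    """
    sanctioned = {ipaddress.IPv4Address(e) for e in sanctioned_endpoints}
    hits = []
    for proto, src, dst, dport in flows:
        dst_ip = ipaddress.IPv4Address(dst)
        if proto == 41 and dst_ip not in sanctioned:
            kind = "6to4 via relay anycast" if dst_ip == RELAY_ANYCAST else "6in4"
            hits.append((src, dst, kind))
        elif proto == 17 and dport == TEREDO_UDP_PORT:
            hits.append((src, dst, "teredo"))
    return hits


# Constructed samples: addresses as `ip -6 addr` or a packet capture might show them.
SAMPLE_ADDRESSES = [
    "fe80::21b:21ff:fe12:3456",
    "fec0::1",
    "2002:c058:6301::c058:6301",              # the target from the original post
    "2002:cb00:7107::1",                      # 6to4 prefix for 203.0.113.7 (TEST-NET-3)
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",   # the worked Teredo address from RFC 4380
    "2001:db8:1f04:1234::2",                  # documentation prefix standing in for a native address
]

# Constructed flow records: (ip_proto, src, dst, dst_port).
SAMPLE_FLOWS = [
    (41, "203.0.113.7", "192.88.99.1", None),     # host using the 6to4 relay
    (41, "203.0.113.9", "198.51.100.1", None),    # your own configured tunnel (sanctioned)
    (41, "203.0.113.9", "198.51.100.77", None),   # 6in4 to an endpoint nobody configured
    (17, "203.0.113.11", "198.51.100.5", 3544),   # Teredo
    (6, "203.0.113.11", "198.51.100.5", 443),     # ordinary HTTPS, ignored
]

if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print(a, *classify(a))
    for hit in tunnel_flows(SAMPLE_FLOWS, sanctioned_endpoints=["198.51.100.1"]):
        print("tunnel:", *hit)
```

Feeding `classify` the addresses from `ip -6 addr` on each Linux box tells you which hosts picked up a 2002: prefix (and from which public IPv4 it was derived), while `tunnel_flows` over the router's flow export shows which hosts are actually encapsulating. Once the rogue advertiser is found, the check worth keeping is the second one: block protocol 41 and UDP/3544 at the border except to your own tunnel endpoint, so a future laptop with sharing enabled cannot silently route the LAN onto IPv6.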
cholzhauer « Reply #4 on: May 25, 2011, 05:31:23 pm »

6to4 is enabled by default on Windows 7. Teredo is installed, but does need to be configured if you want to use it.
adaviel « Reply #5 on: May 25, 2011, 05:35:37 pm »

Quote from: cholzhauer on May 25, 2011, 05:31:23 pm
6to4 is enabled by default on Windows 7. Teredo is installed, but does need to be configured if you want to use it.

Thanks guys. I found that "share this interface" was checked on the wireless interface, so per
http://programming4.us/desktop/2762.aspx the machine was sending out RAs