IPv6 tunneling through IPv4 - Blockage

Unanswered Question
Nov 4th, 2009

I would like to learn from you what tools I could use in a network that provide IPv6 visibility and also completely block IPv6 from being tunneled through IPv4-only networks.

I have tested this from Linux running some internal penetration test apps, but specifically running Teredo tunneling in the local LAN, which is able to completely bypass security parameters such as Websense filtering servers and access Internet IPv6 sites; even its equivalent IPv6 address, based on its IPv4 PAT address, could be pinged from outside. It is as if the PIX firewall never existed: a wide-open door.

Blocking UDP ports 3545 and 3544 in the outbound and inbound directions seems to have done the trick in dropping IPv6 at the PIX/ASA from being tunneled out or in. Is this so? Really? Not so fast!!

None of our local systems (user PCs or servers) have the IPv6 stack enabled, as a policy; however, in reality this poses a serious threat.

For example, Teredo tunneling running on a host inside the LAN, say by a user who is a hacker, can use different UDP ports from the standard listening UDP 3545/3544 ports, and the host will still be able to tunnel IPv6 through IPv4 again. In this case I want to have a tool or a strategy that can detect this internally besides it being blocked at the firewall. I am looking at AIP for our ASAs; would this help? What other tools could I utilize to have some sort of IPv6 awareness in our LAN, without having to run IPv6, that can provide some visibility of this invisible traffic in IPv4 LANs?


Pavel Pokorny Fri, 04/26/2013 - 00:55


Did you find any solution?

I have found only an easy solution for ISATAP (blocking protocol 41), but blocking TEREDO (MIREDO) with an ASA is a problem.

Having a router, I would have no trouble with blocking (i.e. http://www.networkworld.com/community/node/47270), but on the security appliance there is no option: class-map type access-control, or class-map type stack.




James Leinweber Fri, 04/26/2013 - 12:38

There are a lot of ways of tunneling IPv6 over IPv4, so it's hard to block all of them. You can certainly get 99% of the low-hanging fruit by:

1) block protocol 41.  That takes out ISATAP, 6to4, default 6in4, and 6rd.

2) block the default Teredo server port, udp/3544.

In particular, this will stop the default tunneling behaviors by Windows Vista/7/8 clients. If you have to worry about GRE, IPSEC, and TLS as evasive measures you probably have bigger problems than just IPv6 tunneling.

Meanwhile, on the LAN side, you want to block rogue RA's and rogue DHCPv6 etc., so add some switchport ACL's or something. On our Catalyst 3570G's I use:

    ipv6 access-list v6client
      deny udp any eq 547 any eq 546
      deny icmp any any router-advertisement
      deny icmp any any redirect
      permit ipv6 any any

      ipv6 traffic-filter v6client in

on the access switchports.  I have a related v4 ACL too, of course.

-- Jim Leinweber, WI State Lab of Hygiene
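
As an added example (not code from any poster in this thread), the following sketch shows passive detection for the two cases discussed above: protocol 41 tunnels, and Teredo recognised by the IPv6 header inside the UDP payload so that it is still flagged when moved off udp/3544. The function names, labels and sample packets are constructed for illustration; the Teredo prefix and header layouts follow RFC 4380.

```python
import ipaddress, struct

TEREDO_PREFIX = bytes.fromhex("20010000")  # 2001:0000::/32, the Teredo prefix (RFC 4380)

def inner_ipv6(data):
    """Return the IPv6 packet carried in a UDP payload, or None if there is none."""
    if data[:2] == b"\x00\x01" and len(data) >= 4:    # Teredo authentication header
        data = data[4 + data[2] + data[3] + 9:]       # id/auth values, 8-byte nonce, confirmation
    if data[:2] == b"\x00\x00":                       # Teredo origin indication, 8 bytes
        data = data[8:]
    if len(data) < 40 or data[0] >> 4 != 6:
        return None
    (plen,) = struct.unpack("!H", data[4:6])
    return data if plen == len(data) - 40 else None   # IPv6 payload length must fit exactly

def classify(pkt):
    """Label one raw IPv4 packet with the IPv6 tunnel type it carries, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == 41:
        return "proto41"                              # ISATAP, 6to4, 6in4, 6rd
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if proto != 17 or frag_offset or len(pkt) < ihl + 8:
        return None                                   # not UDP, or no UDP header in this fragment
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    inner = inner_ipv6(pkt[ihl + 8:])
    if inner and TEREDO_PREFIX in (inner[8:12], inner[24:28]):
        return "teredo" if 3544 in (sport, dport) else "teredo-nonstandard-port"
    return "udp3544" if 3544 in (sport, dport) else None

# Constructed sample packets (documentation addresses, not captured traffic)
def ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + payload
def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def ipv6(src, dst, payload=b""):
    return (struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)
TEREDO_ADDR = "2001:0:c633:6414::1"     # constructed address inside 2001:0000::/32
SAMPLES = {
    "6in4": ipv4(41, ipv6("2001:db8::1", "2001:db8::2")),
    "teredo-default": ipv4(17, udp(50000, 3544, ipv6(TEREDO_ADDR, "2001:db8::2"))),
    "teredo-moved": ipv4(17, udp(50000, 40000, b"\x00\x00" + bytes(6) + ipv6("2001:db8::2", TEREDO_ADDR))),
    "dns": ipv4(17, udp(50000, 53, b"\x12\x34\x01\x00" + bytes(30))),
}

if __name__ == "__main__":
    print({name: classify(pkt) for name, pkt in SAMPLES.items()})
```

Teredo router solicitations use link-local and multicast addresses rather than the 2001:0000::/32 prefix, so on a non-default port only the data packets and bubbles carrying Teredo addresses are flagged.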

