Teredo tunneling: IPv6 over IPv4 with NAT traversal

Teredo is a tunneling protocol that provides IPv6 connectivity across IPv4 networks, including those using NAT. This article explains how it works, address format, components, uses, and limitations.

Overview

Teredo is a transition technology that allows an IPv6-capable device to communicate over an IPv4 network when native IPv6 is unavailable. Unlike simple IPv6-over-IPv4 encapsulation, Teredo was designed to operate even when the IPv4 path includes a network address translator (NAT), which would otherwise block direct IPv6-in-IPv4 traffic. Teredo encapsulates IPv6 packets inside UDP datagrams so they can traverse NATs and IPv4 firewalls that permit outbound UDP.

How Teredo works

Teredo uses three logical components: clients (the hosts wanting IPv6 connectivity), Teredo servers (publicly reachable IPv4/UDP endpoints that assist in address acquisition and NAT traversal), and Teredo relays (routers that forward traffic between native IPv6 networks and Teredo clients). A Teredo client establishes communication with a server to learn its externally visible IPv4 address and port as seen through the NAT; it then forms a Teredo IPv6 address that encodes that information and advertises it on IPv6-capable applications.

Address format and example

Teredo addresses use the IPv6 prefix 2001:0::/32. A typical Teredo IPv6 address encodes:

the Teredo prefix (2001:0::/32),
the IPv4 address of the Teredo server that assisted bootstrapping,
flags and client-specific information describing NAT type and other options,
the client's public IPv4 address and UDP port mapped through the NAT (the latter two are encoded in a reversible way).

For example, an address such as 2001:0:4136:e378:8000:63bf:3fff:fdd2 can be decomposed into those parts: the prefix, server identity, and an encoded form of the client’s IPv4 address and port. The client address and port are transformed (often by bitwise operations) so they are carried inside the IPv6 interface identifier portion.

Components and operation details

Teredo client: runs on a host and handles encapsulation/decapsulation of IPv6 in UDP/IPv4, manages server interactions, and maintains NAT mappings.
Teredo server: assists with discovery and helps create a routable Teredo address; it does not relay user traffic long-term.
Teredo relay: advertises reachability for the 2001:0::/32 prefix into the IPv6 internet and forwards packets between Teredo clients and native IPv6 hosts.

History, platform support and alternatives

Teredo originated as an IETF-defined transition mechanism to ease adoption of IPv6 where IPv4 NATs were prevalent. Implementations are available on multiple platforms: Microsoft included Teredo support in Windows (it has been present since Windows XP and enabled by default on Windows Vista and later), and open-source implementations such as Miredo provide clients for Unix-like systems. Alternatives with different trade-offs include 6to4, ISATAP, and native dual-stack deployment; some alternatives assume public IPv4 addressability and will not work behind many NATs.

Uses, limitations and security considerations

Teredo can be useful where native IPv6 is absent and applications need IPv6 reachability without manual tunneling configuration. However, it has drawbacks: added latency and overhead from encapsulation, dependence on public Teredo servers and relays, and potential complications with certain NAT types. Because Teredo opens UDP paths and may bypass local filtering policies, administrators sometimes disable it for security reasons. For long-term, robust IPv6, native or well-managed tunneling/transition solutions are generally preferred.

For protocol comparison see Protocol 41. For historical platform notes, see Windows XP and Windows Vista references.