Posted by: Dan O'Connor
If you have run a Snort-style sensor, you may have seen a Snort alert referring to a “teredo tunnel” being detected.
So what is a “teredo tunnel”?
It is a method for connecting IPv6-enabled devices over IPv4 networks, and it can even cross multiple NAT points.
This is done by encapsulating the IPv6 packets in IPv4 UDP datagrams.
I am not a fan of this; while it does have a purpose, it also increases the attack surface of the network. Also, if your IPS is not able to understand what is going on, it could be used to bypass policy and subvert your controls.
Wikipedia, as always, has a good write-up.
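To make the encapsulation concrete, here is an added example (not from the original post) of the decapsulation step a sensor needs before it can apply policy to the inner IPv6 packet. The header layout and the 2001::/32 prefix come from RFC 4380, not from this page, and the function names and sample datagram are hypothetical.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo service prefix (RFC 4380)


def strip_teredo_headers(payload: bytes) -> bytes:
    """Skip the optional authentication and origin indication headers."""
    if len(payload) >= 4 and payload[:2] == b"\x00\x01":  # authentication
        # 4 fixed bytes + ID-len + AU-len + 8-byte nonce + 1 confirmation byte
        payload = payload[13 + payload[2] + payload[3]:]
    if payload[:2] == b"\x00\x00":  # origin indication, fixed 8 bytes
        payload = payload[8:]
    return payload


def decode_teredo_address(addr: ipaddress.IPv6Address) -> dict:
    """Recover the server and the client's NAT-mapped endpoint."""
    raw = addr.packed
    port = struct.unpack("!H", raw[10:12])[0] ^ 0xFFFF  # stored XORed
    client = bytes(b ^ 0xFF for b in raw[12:16])  # stored XORed
    return {"server": str(ipaddress.IPv4Address(raw[4:8])),
            "client": str(ipaddress.IPv4Address(client)), "port": port}


def inspect_udp_payload(payload: bytes):
    """Return inner IPv6 details if the payload carries an IPv6 packet, else None."""
    inner = strip_teredo_headers(payload)
    if len(inner) < 40 or inner[0] >> 4 != 6:  # needs a full IPv6 header
        return None
    payload_len, next_header = struct.unpack("!HB", inner[4:7])
    if payload_len > len(inner) - 40:  # inner packet must fit in the datagram
        return None
    src, dst = (ipaddress.IPv6Address(inner[i:i + 16]) for i in (8, 24))
    result = {"src": str(src), "dst": str(dst), "next_header": next_header}
    for name, addr in (("src", src), ("dst", dst)):
        if addr in TEREDO_PREFIX:
            result[name + "_teredo"] = decode_teredo_address(addr)
    return result


def constructed_sample() -> bytes:
    """Constructed datagram: origin indication + bare IPv6 header (documentation IPs)."""
    server = ipaddress.IPv4Address("192.0.2.1").packed
    client = bytes(b ^ 0xFF for b in ipaddress.IPv4Address("203.0.113.5").packed)
    src = (bytes.fromhex("20010000") + server + b"\x80\x00"
           + struct.pack("!H", 40000 ^ 0xFFFF) + client)
    dst = ipaddress.IPv6Address("2001:db8::1").packed
    ipv6 = struct.pack("!IHBB", 0x60000000, 0, 59, 64) + src + dst
    return b"\x00\x00" + bytes(6) + ipv6
```

Teredo servers listen on UDP port 3544, but traffic between clients and relays can use other ports, which is why the check looks at the payload rather than the port number.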