IPv6 6to4 tunneling - PIX Firewall

Question about PIX 500 series IOS version 7.x firewall access-lists.

I work for a school district with over 8000 users. I am starting to see a pattern of staff and students using 6to4 (IPv6 to IPv4) tunneling to bypass our content filtering systems.

I am trying to find out if I can implement an access list to drop IPv4 packets with a IPv6 tunnel payload?

I have run packet captures looking for protocol 41 (IPv6) with none found. The packets are being tunneled at the PC level (Windows XP) using 6to4 and Microsoft Teredo tunneling.

Any input or ideas would be greatly appreciated!

Thanks in advance. Curtis

Reply to
NetTech

By blocking protocol 41 ...

... just like you tried to.

It's called "Teredo". And it uses UDP packets. Please read this webpage for details:

Kind regards

Reply to
Matthias Scheler

Protocol 41 is IPv6. If the packets are tunneled through IPv4, then it would not show up as protocol 41, right? It would be using protocol 6 (IPv4). The problem I am seeing is that the packets are tunneled at the client PC level. The packets are seen by the PIX firewall as IPv4 packets.

Thanks, Curtis

Reply to
ciscotech

That's IPv6 in IPv4. But there are a lot of other tunneling protocols which can be used to tunnel IPv6, e.g. GRE or IPsec.

Yes, if they use IPv6 in IPv4. If they use Teredo the IPv6 packets will be tunneled in UDP packets.

Try something better, e.g. Wireshark, to figure out what they are really using.

Kind regards

Reply to
Matthias Scheler

I used tcpdump and found that all packets were transmitted through a UDP tunnel. It depends on the 6to4 client as to which UDP ports are used. I have blocked the ports being used currently.

Thanks for the help... Curtis


Reply to
CiscoTec

In that case, it's not *6to4*. 6to4 is a very specific protocol, not a generic name for "just about anything done with IPv6 and IPv4".

UDP tunneling is Teredo.

6to4 uses IPv4 protocol 41, with a payload of IPv6, and a specific range of IPv6 addresses (2002:xxx:).

gert

Reply to
Gert Doering
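The thread ends with the distinction that matters for a firewall rule: 6to4 is IPv4 protocol 41 carrying an IPv6 packet whose source sits in 2002::/16, while Teredo wraps IPv6 in UDP (server traffic on UDP 3544, data to peers from a client port that varies per machine) with sources in 2001:0::/32. The following classifier is an added example, not code from any poster in this thread; it parses raw IPv4 packets the way a capture-analysis script on a mirror port would and labels each one. The sample packets, addresses (RFC 5737 / RFC 3849 documentation ranges) and port numbers other than 3544 are constructed for the demonstration.

```python
import ipaddress
import struct

IPPROTO_UDP = 17
IPPROTO_IPV6 = 41            # IPv4 protocol number for IPv6-in-IPv4 (6to4, manual tunnels)
TEREDO_SERVER_PORT = 3544    # UDP port Teredo clients use to qualify with their server
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")   # 6to4 address space
TEREDO_PREFIX = ipaddress.ip_network("2001:0::/32") # Teredo address space


def classify_ipv4(packet: bytes) -> str:
    """Label one raw IPv4 packet by the IPv6 tunnel it carries, if any.

    Returns one of: 'not-ipv4', '6to4', 'ipv6-in-ipv4', 'teredo', 'ipv6-in-udp', 'none'.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes (options included)
    proto = packet[9]
    payload = packet[ihl:]

    if proto == IPPROTO_IPV6:
        # Inner IPv6 fixed header is 40 bytes; source address is bytes 8..24.
        if len(payload) >= 40 and payload[0] >> 4 == 6:
            inner_src = ipaddress.IPv6Address(payload[8:24])
            return "6to4" if inner_src in SIXTO4_PREFIX else "ipv6-in-ipv4"
        return "ipv6-in-ipv4"

    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_SERVER_PORT in (sport, dport):
            return "teredo"               # client <-> Teredo server exchange
        udp_payload = payload[8:]
        # Teredo data to peers is a bare IPv6 packet inside UDP on an arbitrary port,
        # so the only stable signature is the IPv6 source falling in 2001:0::/32.
        if len(udp_payload) >= 40 and udp_payload[0] >> 4 == 6:
            inner_src = ipaddress.IPv6Address(udp_payload[8:24])
            return "teredo" if inner_src in TEREDO_PREFIX else "ipv6-in-udp"
    return "none"


# --- constructed sample packets (documentation addresses, not real hosts) ---

def ipv4_header(proto: int, payload_len: int, src="192.0.2.10", dst="198.51.100.1") -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ipv6_header(src: str, dst="2001:db8::1", payload_len=0, next_header=59) -> bytes:
    # next_header 59 = "no next header", enough for a header-only sample
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def udp_header(sport: int, dport: int, payload_len: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


SAMPLES = {
    # 6to4: protocol 41, inner source derived from the IPv4 address 192.0.2.10 (c000:020a)
    "6to4": ipv4_header(IPPROTO_IPV6, 40) + ipv6_header("2002:c000:20a::1"),
    # Teredo qualification traffic to a server on UDP 3544
    "teredo-server": ipv4_header(IPPROTO_UDP, 48)
                     + udp_header(54321, TEREDO_SERVER_PORT, 40)
                     + ipv6_header("2001:0:c000:20a::1"),
    # Teredo data to a peer: random client port, Teredo-prefixed inner source
    "teredo-peer": ipv4_header(IPPROTO_UDP, 48)
                   + udp_header(54321, 40000, 40)
                   + ipv6_header("2001:0:c000:20a:0:ffff:3fff:fdf5"),
    # Ordinary DNS query: UDP, but no IPv6 inside
    "dns": ipv4_header(IPPROTO_UDP, 20) + udp_header(50000, 53, 12) + b"\x00" * 12,
    # Ordinary TCP segment
    "tcp": ipv4_header(6, 20) + b"\x00" * 20,
}


def summarize(packets) -> dict:
    """Count packets per tunnel label; this is what a report script would emit."""
    counts = {}
    for pkt in packets:
        label = classify_ipv4(pkt)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {classify_ipv4(pkt)}")
    print(summarize(SAMPLES.values()))
```

Two practical points follow from the classifier. A protocol 41 deny rule on the PIX catches 6to4 and manual IPv6-in-IPv4, but nothing Teredo does, which is why Curtis's protocol 41 capture came up empty. For Teredo, a client must first reach a server on UDP 3544 to learn its mapped address before it can send data to any peer, so blocking outbound UDP 3544 stops new clients from qualifying without having to chase the per-client random ports Curtis ended up blocking one at a time; the 2001:0::/32 inner-source check is the signature for traffic from clients that qualified before the block went in.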
