MIREDO

Section: System Manager's Manual (8)
Updated: $Date: 2005-06-17 17:35:53 +0200 (ven, 17 jun 2005) $
 

NAME

miredo - Teredo IPv6 tunneling for Unix  

SYNOPSIS

miredo [-c config_file] [-f] [-u user] [server_name]

 

DESCRIPTION

Miredo is a Unix daemon program which implements the "Teredo: Tunneling IPv6 over UDP through NATs" Internet draft specification. It can provide either Teredo client or Teredo relay functionality.

It can be used to provide IPv6 connectivity to users behind a NAT that supports neither IPv6 nor even proto-41 forwarding. For this to work, users need to have a Teredo client running on their system.

A Teredo relay is an IPv6 router which forwards IPv6 packets between the IPv6 Internet and Teredo clients through UDP/IPv4.

A Teredo client is an IPv6-enabled host which is located behind an IPv4-only Network Address Translator (a.k.a. NAT), and encapsulates its IPv6 traffic inside UDP over IPv4 packets.

A Teredo server is a special Teredo relay which Teredo clients require in order to set up their IPv6 connectivity through Teredo. A Teredo server must have two global static subsequent IPv4 addresses. It receives packets from Teredo clients and Teredo relays on UDP port 3544.

This version of the program is designed according to draft-huitema-v6ops-teredo-05.txt, although it might not be entirely conformant to that version of the Teredo specification.

 

OPTIONS

-c config_file or --config config_file
Specify an alternate configuration file for Miredo instead of the default, /usr/local/etc/miredo.conf.

-f or --foreground
Do not detach from the console. Run the program in the foreground.

-h or --help
Display some help and exit.

-u username or --user username
Override the user that the program will run as. By default, it runs as nobody.

-V or --version
Display program version and license and exit.

server_name
This optional command argument specifies a Teredo server to use. It will override any ServerAddress directive found in the configuration file. It is ignored if RelayType is not set to "client" (see miredo.conf).

The Internet draft specification for Teredo has not yet been validated. As such it is subject to change and miredo might not work correctly with other implementations.

 

SECURITY

Miredo requires root privileges to create its IPv6 tunneling network interface and to set it up properly. Once its initialization is complete, it will setgid, chroot into an empty directory and ultimately setuid (see option -u), so as to decrease the system's exposure to potential security issues. However, if Miredo runs as a Teredo client, it needs root privileges while running, in order to change the tunneling network interface settings automatically. To prevent possible root compromise, Miredo implements privilege separation: the process that handles data from the network is not privileged.

Miredo is still beta-quality code. As such, it should not be deployed in production or security-sensitive environments. It is supposedly easy to deny service by flooding the relay with somewhat carefully crafted IPv6 packets.

Teredo connectivity throughout the IPv6 Internet seems pretty poor and unstable at the time of writing. That will hopefully improve over time.

While that is neither specific to nor dependent on Miredo, it should be noted that Teredo connectivity allows anyone behind a NAT to obtain global public IPv6 connectivity. It might break some corporate policies. If that is an issue, outgoing UDP packets with destination port 3544 should be blocked at the perimeter firewall.
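
The perimeter block recommended above only works if no earlier rule accepts the traffic first. The following added example (not part of Miredo or this manual page) walks a constructed iptables-save excerpt in rule order and reports the verdict for a new outbound UDP packet to port 3544. The function names, the sample rulesets and the choice of the FORWARD chain of the filter table are assumptions.

```python
import shlex

TEREDO_PORT = 3544  # UDP destination port named in the SECURITY section

# Constructed iptables-save excerpts (filter table only), not real captures.
BLOCKED = """*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p udp -m udp --dport 3544 -j DROP
COMMIT"""
SHADOWED = """*filter
:FORWARD DROP [0:0]
-A FORWARD -p udp -j ACCEPT
-A FORWARD -p udp -m udp --dport 3544 -j DROP
COMMIT"""

def rule_matches(tokens, port):
    """Would this rule match a NEW outbound UDP packet to `port`?
    Models only -p, --dport and --state/--ctstate; address, interface and
    negated ("!") matches are not modelled and are treated as matching."""
    opts = dict(zip(tokens, tokens[1:]))  # option -> the token following it
    if opts.get("-p", "all") not in ("udp", "17", "all"):
        return False
    state = opts.get("--state") or opts.get("--ctstate")
    if state and "NEW" not in state.split(","):
        return False  # e.g. an ESTABLISHED-only rule never sees the first packet
    if "--dport" in opts:
        lo, sep, hi = opts["--dport"].partition(":")  # "3544" or "3000:4000"
        low = int(lo or 0)
        high = int(hi or 65535) if sep else low
        return low <= port <= high
    return True

def teredo_verdict(ruleset, chain="FORWARD", port=TEREDO_PORT):
    """Return the first terminal target (ACCEPT/DROP/REJECT) that applies,
    else the chain policy. Jumps to user-defined chains are not followed."""
    policy = "ACCEPT"  # built-in chains default to ACCEPT
    for line in ruleset.splitlines():
        tokens = shlex.split(line)
        if line.startswith(f":{chain} "):
            policy = tokens[1]
        elif tokens[:2] == ["-A", chain] and "-j" in tokens:
            target = tokens[tokens.index("-j") + 1]
            if target in ("ACCEPT", "DROP", "REJECT") and rule_matches(tokens, port):
                return target
    return policy

if __name__ == "__main__":
    print(teredo_verdict(BLOCKED), teredo_verdict(SHADOWED))
```

In the second sample the DROP rule for port 3544 is present but never reached, because the broader UDP ACCEPT rule precedes it.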

 

SIGNALS

SIGHUP Force a reload of the daemon.

SIGINT, SIGTERM Shutdown the daemon.

SIGUSR1, SIGUSR2 Do nothing, might be used in future versions.

 

FILES

/usr/local/etc/miredo.conf
The default configuration file.

/usr/local/var/run/miredo.pid
The process-id file.

/usr/local/var/run/miredo/
The chroot directory.

 

SEE ALSO

miredo.conf(5), miredo-server(8), ipv6(7), route(8), ip(8)

 

AUTHOR

Remi Denis-Courmont <rdenis at simphalempin.com>

$Id: miredo.8 621 2005-06-17 15:35:53Z remi $

http://www.remlab.net/miredo/


 
