Miredo: Teredo IPv6 tunneling for Linux and BSD

Security Advisory 0702

Summary           : Teredo client information leak in IPv6 addresses
Date              : 31 May 2007
Affected versions : Miredo, all versions
Miredo-specific   : No
Impact            : None immediate
CVE ID            : CVE-2006-6265 (candidate)
ID                : MTFL-SA-0702


Teredo clients, when located behind a restricted NAT, allow remote attackers to establish an inbound connection without the guessing required to find a port mapping for a traditional restricted NAT client, by (1) using the client port number contained in the Teredo address or (2) following the bubble-to-open procedure.


An attacker can reach IPv6-based network services of any Teredo client. Another additionnal vulnerability is required for further exploitation.

It is an essential intent and design property of the Teredo protocol that Teredo clients be reachable by third parties. This vulnerability is hence considered a non-issue.

Threat mitigation

Unneeded network services should not open listening port on a host. By default, they should be protected from the outside using a host-based firewall.


Use a host-based firewall if required.


This vulnerability is considered a non-issue, and cannot be “fixed” due to the very design of the Teredo protocol.


Jim Hoagland has published this issue in his Teredo security report. It had already been known, and eventually documented by ISS over two years earlier.

Some of this page content is copied from the CVE MITRE database.


X-Force database - IPv6 Teredo
Report on Teredo security


31 May 2007
Initial detailled security advisory
29 November 2006
Report published by Jim Hoagland
28 November 2006
Private notification from Jim Hoagland
Some lost date before 27 November 2004
Report published in Internet Security Systems X-Force database.