IPv6 Teredo Parser

Parse a Teredo address (2001:0000::/32) to extract server IPv4, flags, port, and client IPv4.

About This Tool

The Teredo IPv6 Address Parser decodes Teredo addresses (2001:0000::/32 prefix) to extract embedded information including the Teredo server IPv4 address, client flags, obfuscated UDP port, and client IPv4 address. Teredo (RFC 4380) was a tunneling protocol designed to provide IPv6 connectivity to hosts behind NAT devices by encapsulating IPv6 packets in UDP/IPv4. While largely deprecated in favor of modern IPv6 connectivity, understanding Teredo remains important for security analysis, legacy network troubleshooting, and forensic investigations of older Windows systems.

How to Use

  1. Enter a Teredo IPv6 address starting with 2001:0000:: or 2001::
  2. The address can be in compressed or expanded format
  3. Click "Parse" to decode the embedded information
  4. View the extracted Teredo server IPv4 address
  5. Check the flags value (typically 0x0000 or 0x8000)
  6. See the decoded UDP port used by the client
  7. Review the extracted client IPv4 address (obfuscated in the address)
  8. Error messages appear if the address is not a valid Teredo address

Features

  • Parses Teredo IPv6 addresses (2001:0000::/32)
  • Extracts Teredo server IPv4 address from bits 32-63
  • Decodes client flags from bits 64-79
  • Reveals obfuscated UDP port (bits 80-95, XOR with 0xFFFF)
  • Extracts client IPv4 address (bits 96-127, XOR with 0xFFFFFFFF)
  • Validates 2001:0000:: prefix
  • Supports both compressed and expanded IPv6 formats
  • Clear display of all embedded components

Common Use Cases

  • Security analysis of Teredo traffic in network captures
  • Forensic investigation of Windows systems with Teredo enabled
  • Understanding client IP addresses behind Teredo tunnels
  • Debugging legacy Teredo connectivity issues
  • Analyzing historical network traffic logs
  • Learning IPv6 NAT traversal mechanisms
  • Identifying Teredo server infrastructure
  • Security research on deprecated IPv6 transition mechanisms
  • Network archaeology and legacy system analysis
  • Understanding why Teredo is disabled by default in modern systems

Technical Details

Teredo encodes multiple pieces of information within the IPv6 address itself, using obfuscation to prevent certain types of NAT interference. The address structure is carefully designed to work through NAT devices.

Teredo Address Structure (128 bits):

  • Bits 0-31: Prefix 2001:0000 (always 2001:0::/32)
  • Bits 32-63: Teredo Server IPv4 address (32 bits, plain)
  • Bits 64-79: Flags (16 bits, typically 0x0000 or 0x8000)
  • Bits 80-95: Obfuscated UDP port (XOR with 0xFFFF)
  • Bits 96-127: Obfuscated client IPv4 (XOR with 0xFFFFFFFF)

Example Parsing:

  • Teredo Address: 2001:0000:4136:e378:8000:63bf:3fff:fdd2
  • Server IPv4: 65.54.227.120 (from 4136:e378)
  • Flags: 0x8000 (cone NAT indicator)
  • UDP Port: 40000 (from 0x63bf XOR 0xFFFF = 0x9C40)
  • Client IPv4: 192.0.2.45 (from 0x3fff:fdd2 XOR 0xFFFF:FFFF)
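The decoding above, written out as a small Python parser and applied to log lines. This is an added example, not the tool's own code; the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

TEREDO_NET = ipaddress.IPv6Network("2001:0000::/32")
TOKEN = re.compile(r"[0-9A-Fa-f:]+")  # candidate IPv6 literals in free text

def parse_teredo(text):
    """Decode the fields embedded in a Teredo address (layout as listed above)."""
    addr = ipaddress.IPv6Address(text.strip())  # ValueError on malformed input
    if addr not in TEREDO_NET:
        raise ValueError(f"{addr} is not in 2001:0000::/32")
    raw = int(addr)
    server = (raw >> 64) & 0xFFFFFFFF          # bits 32-63, stored plain
    flags = (raw >> 48) & 0xFFFF               # bits 64-79
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF     # bits 80-95, XOR 0xFFFF
    client = (raw & 0xFFFFFFFF) ^ 0xFFFFFFFF   # bits 96-127, XOR 0xFFFFFFFF
    return {
        "server": str(ipaddress.IPv4Address(server)),
        "flags": flags,
        "cone_nat": bool(flags & 0x8000),
        "port": port,
        "client": str(ipaddress.IPv4Address(client)),
    }

def teredo_in_logs(lines):
    """Return (line_no, address, decoded) for every Teredo address found."""
    hits = []
    for no, line in enumerate(lines, 1):
        for tok in TOKEN.findall(line):
            if tok.count(":") < 2:      # too short to be an IPv6 literal
                continue
            try:
                hits.append((no, tok, parse_teredo(tok)))
            except ValueError:          # timestamps, non-Teredo IPv6, junk
                continue
    return hits

# Constructed sample log lines (not from a real capture).
SAMPLE_LOG = [
    "2024-05-01T12:00:01Z accept src=2001:0000:4136:e378:8000:63bf:3fff:fdd2 dport=443",
    "2024-05-01T12:00:02Z accept src=2001:db8::10 dport=443",
    "2024-05-01T12:00:03Z accept src=2001:0:4136:e378:0:63bf:3fff:fdd2 dport=22",
]

if __name__ == "__main__":
    for no, tok, fields in teredo_in_logs(SAMPLE_LOG):
        print(no, tok, fields)
```

The second sample line is ordinary IPv6 and is skipped; the third shows the same client with the cone flag cleared.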

Why Obfuscation?

The client's IPv4 address and UDP port are obfuscated (XORed with all ones) to prevent NAT devices from rewriting them; the server IPv4 address is stored in plain form:

  • Some NATs perform deep packet inspection and modify IP addresses in payloads
  • Obfuscation makes addresses unrecognizable to simple pattern matching
  • Port obfuscation prevents port-rewriting NATs from interfering

Flags Field:

  • 0x0000: Client behind restricted cone NAT or unknown
  • 0x8000: Client behind cone NAT (easier traversal)
  • Used to optimize NAT traversal strategy

How Teredo Worked:

  1. Client contacts Teredo server to obtain IPv6 prefix
  2. Server encodes client's IPv4:port in IPv6 address
  3. IPv6 packets encapsulated in UDP to IPv4 destination port 3544
  4. NAT keeps UDP mapping alive through periodic keepalives
  5. Teredo relay forwards to/from native IPv6 Internet

Why Teredo is Deprecated:

  • Security concerns: Anyone could be a relay, enabling attacks
  • Performance: Double encapsulation overhead, high latency
  • Unreliable: NAT traversal failures, firewalls blocking UDP 3544
  • Complexity: Difficult to troubleshoot and maintain
  • Better alternatives: Native IPv6, 464XLAT, NAT64 more reliable

Modern Status:

Windows Vista/7 enabled Teredo by default, but Windows 10/11 disable it by default. Most modern networks use native IPv6 or NAT64 instead. Teredo addresses in logs typically indicate legacy systems or security research scenarios.