Counting Teredo traffic...
So, what is the best way to count teredo traffic on their networks, assume I just want packet counts and nothing else. * I know that if I have netflows I can look for the 2001:0000: address marker inside packets, but this is a) resource intensive, b) assumes I have full netflows. * I can also count traffic originating from the various teredo relays/servers... but this again would require being able to mark a full flow and track things Does anyone know of a better way or at least other techniques? Kind regards -JoelW
On 22/02/2010, at 1:43 PM, Joel Wiramu Pauling wrote:
So, what is the best way to count teredo traffic on their networks, assume I just want packet counts and nothing else.
* I know that if I have netflows I can look for the 2001:0000: address marker inside packets, but this is a) resource intensive, b) assumes I have full netflows. * I can also count traffic originating from the various teredo relays/servers... but this again would require being able to mark a full flow and track things
Does anyone know of a better way or at least other techniques?
There are lots of techniques. I guess the first way to unravel this is ask why you want to count Teredo traffic? -- Nathan Ward
There are lots of techniques.
I guess the first way to unravel this is ask why you want to count Teredo traffic?
Let's assume I manage a large network, with no current native v6 to the edge but a lot of clients at my edge which will have teredo on (win7 etc). And I want to snapshot how much of my total traffic is tunneled v6. This will let me do a few things: a) Capacity plan for say a Teredo relay b) Get a feel for what might happen when I deliver v6 to the edge -JoelW
On 22/02/2010, at 2:12 PM, Joel Wiramu Pauling wrote:
There are lots of techniques.
I guess the first way to unravel this is ask why you want to count Teredo traffic?
Let's assume I manage a large network, with no current native v6 to the edge but a lot of clients at my edge which will have teredo on (win7 etc). And I want to snapshot how much of my total traffic is tunneled v6.
This will let me do a few things:
a) Capacity plan for say a Teredo relay b) Get a feel for what might happen when I deliver v6 to the edge
Actually having Teredo users on your network now will not help you plan for a Teredo relay, unless you infer that everyone with IPv6 in your network also has (and is using) Teredo, and that everyone that has Teredo will use your native IPv6. Both of these are unrealistic in your situation as a provider that does not provide CPE or mandate which OS users use and which OS options are enabled. Teredo relays are used by your native IPv6 users who want to send traffic to Teredo users (either on your network, or elsewhere). Your first stab at this, looking for 2001:0000 in packets does not work, because those bytes are going to be inside the payload of UDP over IPv4 messages. Netflow doesn't get you that sort of information - it gives you up to L4 headers only, and on a per-flow basis with some key things - it does not give you full headers for every packet. Your second stab at this, counting traffic to/from certain relays and servers also doesn't work, because you are not counting traffic between two Teredo users, which is in my estimation going to be by far the majority of Teredo traffic in your network. The only way I have found to estimate Teredo traffic on an IPv4-only network is to use netflow, and process as follows: 1) Look for messages to 3544/UDP and 3545/UDP. There should be one every 30 seconds from every active Teredo stack in your network. 2) Take note of the source IPv4 address and UDP source port of the messages captured by the above. 3) Look for messages to/from these IPv4 address and UDP port combinations. 4) Age out old combinations perhaps 5 minutes after the last time you see a 3544/UDP or 3545/UDP message. This is going to catch a large portion of the traffic - I'm not sure that this will catch Teredo traffic to/from a host behind what the Teredo RFC dubs a symmetric NAT. Initial thinking about it suggests that it will catch some. You might also want to figure out population of active Teredo stacks - just do step 1 above. -- Nathan Ward
On 22/02/2010, at 11:42 AM, Joel Wiramu Pauling wrote: b) Get a feel for what might happen when I deliver v6 to the edge Unless you've got a sad router which switches v4 and v6 packets differently, then a packet is a packet. There's no increase in traffic, just a choice of protocols. (We have IPv6 to the edge) MMC -- Matthew Moyle-Croft Internode /Agile
participants (3)
-
Joel Wiramu Pauling -
Matthew Moyle-Croft -
Nathan Ward