OIT Network Systems

OIT Filters Teredo Multicast Traffic on Wireless Networks

OIT filters Teredo Multicast traffic on the wireless networks operated by OIT.

We do so because we have found that this traffic triggers traffic spikes that degrade wireless network services provided by OIT, while at the same time being unnecessary for the network functionality OIT supports at this time.

We installed the filter in several stages between mid-September 2010 and early November 2010.

What is Teredo?

Teredo is a tunneling protocol designed to provide IPv6 connectivity to devices that are behind IPv6-unaware NATs. IPv6 is the next generation of the Internet Protocol (IP). The current version of IP is IPv4; that's the version that is in widespread use throughout the Internet.

While use of IPv6 on the Internet is expected to grow in the future, at this time it is deployed in select locations on the Internet. Few sites on the Internet require clients to speak IPv6 to reach them; such Internet sites would be unreachable to the vast majority of clients, as most clients throughout the Internet have IPv4 access to the Internet, but not IPv6 access to the Internet. Most individuals using IPv6 today are doing so to experiment with the new protocol.

While IPv6 indeed may be an important future direction for the University, OIT is not prepared at this time to provide IPv6 service to the campus network. We also do not operate a Teredo service at this time.

Why is there any Teredo traffic on the campus network?

Some popular operating systems include Teredo software. This software may be enabled by default, or may automatically enable itself when any IPv6-capable software is run on the device.

Most customers operating devices that transmit Teredo traffic on the campus network today likely do not realize their devices are transmitting this traffic. They may derive no benefit from that traffic at this time.

Teredo clients may use IP multicast to automatically locate Teredo servers and relays located on the same IP network as the client. That is, they may use IP multicast as a resource discovery protocol.

Why does OIT filter Teredo multicast traffic on the wireless networks?

Analysis of our wireless networks shows that these networks experience sporadic spikes of broadcast and multicast traffic. When these spikes are large, they can degrade or possibly disrupt service to wireless clients.

One of the triggers for the large spikes is Teredo multicast traffic. Teredo clients may use IPv4 multicast packets to locate Teredo relays or servers on the same IP subnet. Although the volume of these multicast packets is low, they trigger a large flurry of ARP Request broadcast packets among both the Teredo relays/servers and the Teredo clients. This ARP Request traffic is the broadcast traffic spike that degrades service.

To stop these traffic spikes, OIT filters the Teredo multicast traffic that triggers the spikes.

What is filtered, where is it filtered, and what is the effect?

The traffic is filtered at the campus network's core Ethernet switches; all buildings (or groups of buildings) are attached to these core switches. The filter is installed in such a way as to apply only to those networks supporting wireless services provided by OIT. This causes the filter to apply to traffic (for our wireless networks) as that traffic passes through the campus core on its way from one leg of the network to another. (In some cases, multiple buildings share a single connection to the campus core, so this filter doesn't affect traffic which remains within that group of buildings.)

The filter is also applied at the edge of the wireless services provided by OIT, so it also applies to traffic sent by a wireless client as that traffic arrives at the wireless access point or the wireless controller. This filters the traffic before it would be flooded to other clients (wireless or wired), even if those clients are on the same leg of the network, or behind the same wireless access point.

The filter discards any IPv4 traffic destined to IP address 224.0.0.253 UDP port 3544.

We do not filter Teredo multicast traffic on the campus wired networks at this time.

It is possible that customers who wish to continue using Teredo on the University's wireless networks might be able to do so, if it is possible to configure their devices in such a way as to locate a desired Teredo relay or server without using IP multicast to discover the Teredo relay/server. OIT has blocked only the Teredo multicast traffic, not all Teredo traffic.
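The match rule stated above (IPv4 destination 224.0.0.253, UDP port 3544), modeled as a packet classifier to show that unicast Teredo traffic falls outside it. This is an added example, not OIT's switch configuration; the sample addresses are constructed, and the handling of non-first fragments is an assumption of this model.

```python
import socket
import struct

TEREDO_MCAST_ADDR = "224.0.0.253"  # destination address named in the filter rule
TEREDO_UDP_PORT = 3544             # destination UDP port named in the filter rule
IPPROTO_UDP = 17


def filter_drops(packet: bytes) -> bool:
    """Return True if a raw IPv4 packet matches the rule (would be discarded)."""
    if len(packet) < 20:
        return False                       # too short for an IPv4 header
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl + 4:
        return False                       # not IPv4, or UDP ports not present
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if packet[9] != IPPROTO_UDP or frag_offset != 0:
        return False                       # assumption: only first fragments carry ports
    dst_ip = socket.inet_ntoa(packet[16:20])
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return dst_ip == TEREDO_MCAST_ADDR and dst_port == TEREDO_UDP_PORT


def build_udp_packet(src: str, dst: str, sport: int, dport: int,
                     payload: bytes = b"", options: bytes = b"") -> bytes:
    """Construct a sample IPv4/UDP packet for testing (checksums left at zero)."""
    assert len(options) % 4 == 0, "IPv4 options must be padded to 32-bit words"
    ihl_words = 5 + len(options) // 4
    total_len = ihl_words * 4 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                     0, 0, 1, IPPROTO_UDP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip + options + udp + payload


if __name__ == "__main__":
    # Constructed samples: addresses are documentation ranges, not real hosts.
    samples = {
        "Teredo multicast discovery": ("192.0.2.10", "224.0.0.253", 3544),
        "Teredo to a unicast server": ("192.0.2.10", "198.51.100.7", 3544),
        "other traffic to same group": ("192.0.2.10", "224.0.0.253", 5353),
    }
    for label, (src, dst, dport) in samples.items():
        verdict = "DROP" if filter_drops(build_udp_packet(src, dst, 50000, dport)) else "pass"
        print(f"{verdict:4}  {label}: {dst}:{dport}")
```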


A service of OIT Network Systems
The Office of Information Technology,
Princeton University
Last updated: November 9 2010