nanog mailing list archives

RE: Xbox Live and Teredo


From: Darrin Veit via NANOG <nanog () nanog org>
Date: Wed, 3 Jan 2018 19:03:57 +0000

Small clarification:

"- Teredo prefers UDP port 3074 vs. UDP port 3544"

On Xbox One, the Teredo client is bound to UDP 3074 as the default and communicates to the Teredo servers on the 
standard Teredo port, UDP 3544. If UPnP is in play and an Xbox console attempts to port map UDP 3074 and receives a 
mapping conflict error from the gateway, the console will fall back to a pseudo-random port in the ephemeral range. We 
also introduced an update last year where customers could also manually configure the console to use a non-3074 port in 
case UPnP wasn't enabled on the local network and multiple consoles are present.

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Joe Klein
Sent: Tuesday, January 2, 2018 4:13 PM
To: Mark Andrews <marka () isc org>
Cc: NANOG list <nanog () nanog org>
Subject: Re: Xbox Live and Teredo

Are you aware:

- Microsoft's justification for Teredo is to support P2P during the transition to IPv6 dominant networks.

- Xbox 360: Console
  - IPv4 preferred and requires the Microsoft "custom STUN and security implementation."

- Xbox One: Console
  - IPv6 preferred - Native IPv6+IPSec
    - Requires unsolicited inbound IPSec and IKEv2
    - "Disables firewall capabilities if one exists" - UPNP+...

- IPv4 preferred or no IPv6 = [IPv6+IPSec]+Teredo
  - Teredo is only necessary for Xbox Live party chat and multiplayer
  - Within the tunnel, it requires unsolicited inbound IPSec and IKEv2
  - UDP long port mapping refresh intervals (60 seconds+) to avoid losing connections to xbox peers
  - Uses UPNP to "Disables firewall capabilities if one exists"
  - If NAT exists, here is the most successful strategy, left to right:
    - Open to the Internet > Address Restricted > Port Restricted > Symmetric > UDP Block
  - Teredo prefers UDP port 3074 vs. UDP port 3544

- XBOX - Windows 10
   - Teredo is only necessary for Xbox Live party chat and multiplayer
   - Most common error: “Teredo is unable to qualify”

https://support.xbox.com/en-US/xbox-on-windows/social/troubleshoot-party-chat
  - If a third party firewall is installed, good chance it is blocking Teredo outbound ports or the Windows 10 Teredo is disabled.

Hope this helps... And don't ask about the security --- It's "good enough for home users" :(




Joe Klein

"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

On Tue, Jan 2, 2018 at 6:19 PM, Mark Andrews <marka () isc org> wrote:

Time to buy a Xbox for the NOC so you can trouble shoot.  All puns 
intended.

Mark

On 3 Jan 2018, at 10:15 am, Justin Wilson <lists () mtin net> wrote:

These are all Xbox one clients. We don’t hand out IPv6 on this network yet, so I made sure to disable any sort of IPV6 on the interfaces just to be sure because I figured Teredo is tied to v6. The only thing we have not done yet is disable any IPV6 stuff on the customer routers. Everyone has been getting link local addresses for the longest time. We just disabled ipv6 totally on the interfaces just to be safe.


Justin Wilson
j2sw () mtin net

www.mtin.net
www.midwest-ix.com

On Jan 2, 2018, at 6:06 PM, Chris Adams <cma () cmadams net> wrote:

Once upon a time, Mark Andrews <marka () isc org> said:
Given that you have IPv6 I would be looking at why the XBOXs are
attempting Teredo at all.  I would expect them to use the IPv6 
addresses that you are assigning your customers.

The OP didn't say what type of Xbox.  IIRC the Xbox 360 does not 
support IPv6, while the Xbox One does (but neither would explain the Teredo).
--
Chris Adams <cma () cmadams net>



--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org
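
Added example, not part of the thread or anyone's post: a Teredo address carries the NAT-mapped UDP port and public IPv4 address in obfuscated form (RFC 4380 layout), so decoding it shows whether a console kept UDP 3074 or fell back to another port as described in the first message. The function and field names and the sample addresses are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo service prefix (RFC 4380)
XBOX_DEFAULT_PORT = 3074   # default Xbox One Teredo client port, per the thread
TEREDO_SERVER_PORT = 3544  # standard Teredo server port, per the thread


class TeredoInfo(NamedTuple):
    server_ipv4: str       # Teredo server the client qualified with
    cone_nat: bool         # high flag bit: client reported a cone NAT
    mapped_port: int       # external UDP port the NAT assigned
    mapped_ipv4: str       # external IPv4 address of the NAT
    on_default_port: bool  # True if the NAT kept the 3074 mapping


def parse_teredo(addr: str) -> Optional[TeredoInfo]:
    """Decode a Teredo IPv6 address; return None if it is not in 2001::/32."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed  # 16 bytes: prefix(4) server(4) flags(2) port(2) client(4)
    server = ipaddress.IPv4Address(raw[4:8])
    flags = int.from_bytes(raw[8:10], "big")
    # Port and client address are stored XORed with all-ones so that
    # NATs which rewrite embedded addresses do not corrupt them.
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)
    return TeredoInfo(str(server), bool(flags & 0x8000), port,
                      str(client), port == XBOX_DEFAULT_PORT)


# Constructed samples using documentation IPv4 ranges (198.51.100.0/24, 192.0.2.0/24).
SAMPLES = [
    "2001:0:c633:6401:0:f3fd:3fff:fdd2",     # mapped port 3074 (default kept)
    "2001:0:c633:6401:8000:63bf:3fff:fdd2",  # mapped port 40000 (fallback port)
    "2001:db8::1",                           # not a Teredo address
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", parse_teredo(sample))
```

A mapped port other than 3074 on a network with several consoles is consistent with the UPnP conflict fallback or the manual port setting described in the first message.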


