'MIsc:' Is Teredo still relevant, or is it expected to become an attack surface?

[timcoote]

According to Google's tracker: https://bit.ly/3U1vzf5 Teredo is now 0.00% of internet traffic. I think that there's a risk of confusing people, or undermining GCHQ credibility if this isn't at least explained.

[a3957273]

Unfurled link: https://www.google.com/intl/en/ipv6/statistics.html

Looking at that link, when this function was released (6 years ago), Teredo had 0.01% global usage, so even when first created I'm doubtful a huge number of people would run into it. This is... surprising. I guess it's even more surprising that even though the draft for IPv6 came out in 1998 and we've had IPv4 exhaustion for ages now we're still only at 10% global traffic adoption!

In general CyberChef has a lot of features that can only be described as... niche. We've implemented ancient Chinese encryption methods, Numberwang and an XKCD Random Number Generator. I hope our reputation isn't being undermined because 6 years ago we wrote one line of code to detect Teredo tunnelling (if (ipv6[0] === 0x2001 && ipv6[1] === 0)) 😛 .

I think the comment about confusion is more applicable. However, I think the description is suitable to explain what it is:

Recognises all reserved ranges and parses encapsulated or tunnelled addresses including Teredo and 6to4.

It includes the fact that both Teredo and 6to4 is a 'tunnelled' address and a simple google reveals a well researched and complete Wikipedia article on what Teredo is.