Microsoft Vista's IPv6 raises new security concerns

Turn off Microsoft Vista's Teredo tunneling, IETF document recommends

Yet another problem is that network managers may not be aware that some of their hosts are using IPv6 through Vista and are now globally addressable. "Unlike what would be the case for native IPv6, some network administrators will not even be aware that their hosts are globally addressable," the authors say. They add that "it may not be efficient to find all Teredo traffic for network devices to examine."

The document lists the following additional security problems with Teredo and offers these recommendations:

  • Teredo bypasses inbound-destination-address and outbound-source-address filtering unless "extraordinary" measures are taken. In this situation, either routers or clients need to be upgraded to handle this filtering for Teredo-tunneled IPv6 addresses.
  • Teredo clients may forward IPv6 packets to another destination, thereby bypassing network-based source-routing controls. One solution is to have Teredo clients by default discard IPv6 packets that specify additional routing.
  • No mechanism exists to filter all Teredo packets efficiently or immediately. One suggestion is for network administrators to block all Teredo use.
  • There's no efficient mechanism for deep packet-inspection of Teredo traffic as there is for native IPv6 traffic. This is one reason the authors do not recommend Teredo as a transition mechanism for network administrators who want to monitor IPv6 traffic.
  • The opening created in a NAT device by Teredo can be used by network attackers. The recommendation here is to minimize Teredo use.
  • It may be easier for network attackers to guess Teredo addresses because these addresses reveal some information about the corresponding clients. The document suggests randomizing the server settings or Teredo client ports in use to alleviate this concern.
Even more alarming to the document's authors is that Teredo's original RFC 4380 specification argues that Teredo improves security for IPv6. "This misleading or inaccurate claim can be taken out of context and used to downplay Teredo security implications," the new document states.

The Hoagland/Krishnan document does not address the use of Teredo in unmanaged networks.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Carolyn Duffy Marsan

Network World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?