Teredo Security Concerns - PowerPoint PPT Presentation

Description: Inspecting contents of Teredo data packets. Increased attack surface. Guessable addresses due to structured ... Evasion by tunneling is a common problem ...

Slides: 11
Provided by: sureshk
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes

1
Teredo Security Concerns
  • draft-hoagland-v6ops-teredosecconcerns-01
  • Suresh Krishnan, Jim Hoagland

2
Classification of security concerns
  • Bypassing network security
  • Inspecting contents of Teredo data packets
  • Increased attack surface
  • Guessable addresses due to structured addressing
  • Misleading claims in RFC4380

3
Bypassing network security
  • Evasion by tunneling is a common problem
  • Firewall vendors need to add support for
    detunneling each tunneling protocol
  • Current firewalls may not be aware of the IP
    payload over UDP
  • Tunnel allows bidirectional traffic
  • Burden of filtering this traffic is shifted to
    the host
  • Bypasses ingress and egress filtering
  • Source routing past the Teredo host
  • Recommendations
  • Disable Teredo in managed networks
  • Prefer native IPv4 access to IPv6 Teredo
  • Perform ingress and egress filtering on all
    Teredo packets
  • Clients to discard source routed packets

4
Content filtering of Teredo packets
  • Easy to filter Teredo signaling packets
    (connection requests)
  • Harder to filter the contents of Teredo data
    packets
  • Algorithm for deep packet inspection is complex
  • Recommendations
  • In managed networks filter out Teredo connection
    requests
  • If the network wishes to monitor IPv6 traffic,
    discourage use of Teredo

5
Increased attack surface
  • Teredo creates NAT holes
  • Teredo NAT holes are usually open for a longer
    duration than a typical NAT hole
  • External IP address and port are visible in the
    Teredo address
  • Bubbles
  • Recommendations
  • Restrict Teredo use to when it is required and
    turn it off otherwise.

6
Guessable addresses
  • Teredo addresses are predictable
  • Teredo prefix, server, flags, client port, client
    IPv4 address
  • Cone bit divulges the posture of the NAT and
    helps the attacker infer that he/she needs a
    bubble.
  • Recommendations
  • Use random values in flags
  • Randomize Teredo service port on client
  • Deprecate cone bit

7
Misleading claim in RFC4380
  • Teredo improves security
  • It does in some ways
  • But it makes security worse in some cases
  • Recommendation
  • Remove such claims in Teredo-bis or qualify them

9
Teredo Deep Packet Inspection Algorithm
  • 1. The packet is not Teredo if it is not UDP over
    IPv4.
  • 2. Set T to the UDP payload offset.
  • 3. Set E to the end of the packet plus one.
  • 4. If E-T < 40 (the length of an IPv6 base
    header), the packet is not Teredo.
  • 5. If the octets starting at T are 0x0001 (an
    indication of authentication data), set T = T + 13
    plus the lengths of the client identifier and the
    authentication value, assuming T is the start of
    the authentication data.
  • 6. If E-T < 40, the packet is not Teredo.
  • 7. If the octets starting at T are 0x0000 (an
    indication of origin encapsulation), set T = T + 8.
  • 8. If E-T < 40, the packet is not Teredo.
  • 9. If the octets starting at T are 0x0000 or
    0x0001, loop back to step 5.
  • 10. If the most significant nibble of the octet
    at T is not 6, the packet is not Teredo.
  • 11. Assuming T is the start of an IPv6 header,
    set L to the value of the payload length field, S to
    the start of the source address, and D to the
    start of the destination address.
  • 12. If E-T != L + 40, the packet is not Teredo.
  • 13. If neither S nor D starts with 0x20010000 (the
    Teredo prefix), the packet is not Teredo.
  • 14. The packet is assumed to be Teredo, with the
    IPv6 header starting at T.

10
Address Format
  +-------------+-------------+-------+------+-------------+
  | Prefix      | Server IPv4 | Flags | Port | Client IPv4 |
  +-------------+-------------+-------+------+-------------+
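The deep packet inspection algorithm of slide 9 and the address layout of slide 10, as an added Python example that is not part of the draft or the presentation: step 1 (UDP over IPv4) is assumed to have been checked by the caller, the sample packet is constructed with RFC 5737 documentation addresses, and the port/client-IPv4 de-obfuscation (XOR with all ones) follows RFC 4380.

```python
import struct
from typing import Optional

TEREDO_PREFIX = bytes.fromhex("20010000")   # 2001:0000::/32
IPV6_HDR_LEN = 40

def find_teredo_ipv6(payload: bytes) -> Optional[int]:
    """Steps 2-14 of the slide's algorithm over a UDP payload. Step 1 (the packet
    is UDP over IPv4) is assumed to have been checked by the caller.
    Returns offset T of the IPv6 header, or None if the packet is not Teredo."""
    t, e = 0, len(payload)                                   # steps 2-3
    while True:
        if e - t < IPV6_HDR_LEN:                             # steps 4, 6, 8
            return None
        marker = payload[t:t + 2]
        if marker == b"\x00\x01":                            # step 5: auth data
            id_len, au_len = payload[t + 2], payload[t + 3]
            t += 13 + id_len + au_len
        elif marker == b"\x00\x00":                          # step 7: origin ind.
            t += 8
        else:                                                # step 9: no more trailers
            break
    if payload[t] >> 4 != 6:                                 # step 10
        return None
    length = struct.unpack("!H", payload[t + 4:t + 6])[0]    # step 11
    if e - t != length + IPV6_HDR_LEN:                       # step 12
        return None
    src, dst = payload[t + 8:t + 24], payload[t + 24:t + 40]
    if not (src.startswith(TEREDO_PREFIX) or dst.startswith(TEREDO_PREFIX)):
        return None                                          # step 13
    return t                                                 # step 14

def parse_teredo_address(addr: bytes) -> dict:
    """Split a 16-byte Teredo address into the fields of the Address Format slide.
    Port and client IPv4 are stored XORed with all ones (RFC 4380 obfuscation)."""
    prefix, server, flags, port, client = struct.unpack("!4s4sHH4s", addr)
    dotted = lambda b: ".".join(str(x) for x in b)
    return {"prefix": prefix.hex(), "server": dotted(server),
            "cone": bool(flags & 0x8000), "port": port ^ 0xFFFF,
            "client": dotted(bytes(x ^ 0xFF for x in client))}

def build_sample() -> bytes:
    """Constructed packet: auth trailer (empty id/auth value), origin indication,
    then an IPv6 header with no payload whose source is a Teredo address."""
    auth = b"\x00\x01" + b"\x00\x00" + bytes(8) + b"\x00"             # 13 bytes
    origin = b"\x00\x00" + struct.pack("!H", 0x1234 ^ 0xFFFF) + bytes(4)
    src = (TEREDO_PREFIX + bytes([192, 0, 2, 53]) + struct.pack("!HH", 0x8000, 40000 ^ 0xFFFF)
           + bytes(x ^ 0xFF for x in (198, 51, 100, 7)))
    dst = bytes(15) + b"\x01"                                          # ::1
    ipv6 = struct.pack("!IHBB", 0x60000000, 0, 59, 64) + src + dst     # len 0, no next header
    return auth + origin + ipv6
```

Running find_teredo_ipv6 on build_sample() returns 21 (13 bytes of authentication data plus 8 bytes of origin indication precede the IPv6 header), and parse_teredo_address on the source address recovers server 192.0.2.53, cone flag set, port 40000 and client 198.51.100.7.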