Jim Hoagland wrote:
> Hello all,
>
> For anyone that is interested, there is a new report available about Teredo
> security:
> http://www.symantec.com/avcenter/reference/Teredo_Security.pdf

One very simple solution (at least as far as I know ;) is to block UDP port 3544, mentioned in the paper; then the Teredo client can't reach any of the servers anymore for an initial contact and thus won't find relays to talk to.

If the user is willing and able to tweak those ports or other things, they can also find their way out of your network over an HTTP-through-proxy or NSTX (IP over DNS) and various other models. There are enough covert channel possibilities, as such Teredo is not a threat per se.

The big problem though is that it is there by default (at least on Vista and also on XPs that have IPv6 installed). Administrators should thus be made very aware of this; then again, if they still are not aware of this problem they are probably completely ignorant of IPv6, and that was one of the reasons that this protocol exists in the first place ;)

For (net)admins the solutions are:
- Enable IPv6 and provide native IPv6 to their users, as then in Vista/XP Teredo is not used.
- Block UDP port 3544.

Smart admins that don't want to enable their full network to do IPv6 yet (e.g. no firewall that supports it, no numbering plan, no upstream that can provide it, etc.) might simply opt to do IPv6 Router Advertisements anyway using 2001:db8::/32 (documentation) as a prefix. The router that advertises the prefix should then send ICMPv6 destination unreachables for everything, effectively blocking IPv6 connectivity, and because of the RA, Vista's/XP's Teredo is disabled.

Note that Vista/XP also try to do ISATAP and 6to4 automatically to get out of the NAT box.

Greets,
 Jeroen
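Added example (not part of Jeroen's message or the Symantec report): a small defender-side helper that does two things the thread touches on. It scans constructed flow-log lines for the traffic an admin would block or alert on (UDP 3544 for Teredo, and IPv4 protocol 41, which is the encapsulation 6to4 and ISATAP use), and it decodes a Teredo IPv6 address into the Teredo server and the NAT-mapped client address/port per RFC 4380 (prefix 2001:0000::/32, then server IPv4, flags, obscured port, obscured client IPv4). The flow-line format and all sample addresses are constructed for the example; the decoding layout is the standard Teredo one.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# Teredo addresses live in 2001:0000::/32 (RFC 4380); 6to4 in 2002::/16 (RFC 3056).
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")
TEREDO_UDP_PORT = 3544          # the port the mail recommends blocking
UDP_PROTO = 17
IPV6_IN_IPV4_PROTO = 41         # 6to4 and ISATAP carry IPv6 directly in IPv4 proto 41


def decode_teredo(addr: str) -> Optional[Dict[str, object]]:
    """Decode a Teredo address; returns None if it is not in 2001:0000::/32.

    Layout (RFC 4380): 32-bit prefix | 32-bit server IPv4 | 16-bit flags |
    16-bit obscured external port | 32-bit obscured external IPv4.
    The obscured fields are XORed with all-ones.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    server = str(ipaddress.IPv4Address(raw[4:8]))
    flags = struct.unpack("!H", raw[8:10])[0]
    mapped_port = struct.unpack("!H", raw[10:12])[0] ^ 0xFFFF
    mapped_ipv4 = str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16])))
    return {
        "server": server,
        "cone_flag": bool(flags & 0x8000),  # high flag bit: client believes it is behind a cone NAT
        "mapped_port": mapped_port,
        "mapped_ipv4": mapped_ipv4,
    }


def classify_ipv6(addr: str) -> str:
    """Label an IPv6 address seen in logs as teredo, 6to4 or native."""
    ip = ipaddress.IPv6Address(addr)
    if ip in TEREDO_PREFIX:
        return "teredo"
    if ip in SIXTO4_PREFIX:
        return "6to4"
    return "native"


def parse_flow(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value key=value' flow record."""
    return dict(kv.split("=", 1) for kv in line.split())


def classify_flow(line: str) -> Optional[str]:
    """Return 'teredo' for UDP/3544, 'ipv6-in-ipv4' for protocol 41, else None."""
    f = parse_flow(line)
    proto = int(f["proto"])
    if proto == IPV6_IN_IPV4_PROTO:
        return "ipv6-in-ipv4"
    if proto == UDP_PROTO and TEREDO_UDP_PORT in (int(f["sport"]), int(f["dport"])):
        return "teredo"
    return None


def find_tunnels(lines: List[str]) -> List[Tuple[str, str]]:
    """Collect (ts, label) for every flow that looks like an IPv6 tunnel."""
    hits = []
    for line in lines:
        label = classify_flow(line)
        if label:
            hits.append((parse_flow(line)["ts"], label))
    return hits


# Constructed sample flows (documentation/test-net addresses only).
SAMPLE_FLOWS = [
    "ts=1 proto=17 src=10.0.0.5 sport=52113 dst=198.51.100.10 dport=3544",
    "ts=2 proto=41 src=10.0.0.7 sport=0 dst=198.51.100.1 dport=0",
    "ts=3 proto=6 src=10.0.0.9 sport=40211 dst=198.51.100.20 dport=443",
    "ts=4 proto=17 src=10.0.0.11 sport=3544 dst=198.51.100.11 dport=60000",
]

if __name__ == "__main__":
    for ts, label in find_tunnels(SAMPLE_FLOWS):
        print(f"flow ts={ts}: {label}")
    # Constructed Teredo address: server 65.54.227.120, client 192.0.2.45 on port 40000
    print(decode_teredo("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
```

The flow scan is what a block rule on UDP 3544 would hit; protocol 41 is listed alongside it because, as the mail notes, the same hosts fall back to ISATAP and 6to4. The decoder is useful when a Teredo address shows up in server-side logs and you want to know which internal NAT mapping and which Teredo server were involved.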