
Re: [Full-disclosure] New report on Teredo security



Jim Hoagland wrote:
> Hello all,
> 
> For anyone that is interested, there is a new report available about Teredo
> security:
>   http://www.symantec.com/avcenter/reference/Teredo_Security.pdf

One very simple solution (at least as far as I know ;) is to block the
UDP port 3544 mentioned in the paper; the Teredo client then can't reach
any of the servers anymore for an initial contact, and thus won't find
relays to talk to.

If the user is willing and able to tweak those ports or other things, they
can also find their way out of your network over an HTTP-through-proxy or
NSTX (IP over DNS) and various other models.

There are enough covert channel possibilities, so Teredo is not a
threat per se. The big problem though is that it is there by default (at
least on Vista and also on XPs that have IPv6 installed).
Administrators should thus be made very aware of this; then again, if
they still are not aware of this problem they are probably completely
ignorant of IPv6, and that was one of the reasons that this protocol
exists in the first place ;)

For (net)admins the solutions are:
 - Enable IPv6 and provide native IPv6 to their users,
   as then in Vista/XP Teredo is not used.
 - Block UDP port 3544.

Smart admins that don't want to enable their full network to do IPv6 yet
(e.g. no firewall that supports it, no numbering plan, no upstream that
can provide it, etc.) might simply opt to do IPv6 Router Advertisements
anyway using 2001:db8::/32 (documentation) as a prefix. The router that
advertises the prefix should then send ICMPv6 destination unreachables for
everything, effectively blocking IPv6 connectivity, and because of the
RA, Vista's/XP's Teredo is disabled. Note that Vista/XP also try to do
ISATAP and 6to4 automatically to get out of the NAT box.

Greets,
 Jeroen

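An added example, not part of Jeroen's mail or of the Symantec report: a Python script for the admin side of the above, which lists internal hosts whose flows hit UDP port 3544 (the initial server contact the mail suggests blocking) and decodes any Teredo address (2001::/32) into the server and NAT-mapping fields embedded in it per RFC 4380. The flow records and addresses are constructed from documentation ranges.

```python
import ipaddress
from typing import Optional

TEREDO_PORT = 3544                                 # Teredo server/relay UDP port (RFC 4380)
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo address prefix


def decode_teredo(addr: str) -> Optional[dict]:
    """Split a Teredo IPv6 address into its embedded fields (RFC 4380, section 4).

    Layout: 2001:0000 | server IPv4 | flags | ~mapped UDP port | ~mapped IPv4.
    Returns None when addr is not inside 2001::/32.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    server = ipaddress.IPv4Address(raw[4:8])
    flags = int.from_bytes(raw[8:10], "big")
    # The mapped port and mapped IPv4 are stored bitwise-inverted (obfuscated).
    mapped_port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    mapped_ip = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
    return {
        "server": str(server),
        "cone": bool(flags & 0x8000),   # cone flag: client sits behind a cone NAT
        "mapped_port": mapped_port,
        "mapped_ip": str(mapped_ip),
    }


# Constructed flow records (src, dst, proto, dst_port); documentation addresses only.
FLOWS = [
    ("192.168.1.20", "192.0.2.10", "udp", 3544),    # Teredo qualification to a server
    ("192.168.1.21", "10.0.0.5", "tcp", 443),
    ("192.168.1.20", "203.0.113.7", "udp", 3544),
    ("192.168.1.30", "198.51.100.9", "udp", 53),
]


def teredo_talkers(flows) -> dict:
    """Map each internal host that contacted UDP/3544 to the server IPs it reached."""
    out = {}
    for src, dst, proto, port in flows:
        if proto == "udp" and port == TEREDO_PORT:
            out.setdefault(src, set()).add(dst)
    return out


if __name__ == "__main__":
    for host, servers in teredo_talkers(FLOWS).items():
        print(f"{host} contacted Teredo servers: {sorted(servers)}")
    # Constructed address: server 192.0.2.10, cone NAT, mapped 203.0.113.7:4096
    print(decode_teredo("2001:0:c000:20a:8000:efff:34ff:8ef8"))
```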