Look Before You Leap into IPv6 with Teredo

The open Teredo protocol, which tunnels IPv6 traffic through IPv4 networks, has some security gotchas.

ITPro Today

December 5, 2006

3 Min Read
ITPro Today logo in a gray background | ITPro Today

We're told that the future of the Internet revolves around the IPv6 protocol. Meanwhile, the majority of computers on the Internet still use IPv4. The two protocols are different enough that key software packages that are designed for IPv4 are unable to properly handle IPv6 traffic. This is of course one of the major hurdles for IPv6 adoption.

To help with this problem, Microsoft developed the open Teredo protocol, which tunnels IPv6 traffic over IPv4 networks when IPv6 clients are behind some sort of Network Address Translation (NAT) device that doesn't understand IPv6. If you're interested in the technical specifications for Teredo, you can read RFC 4380, "Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)," at the URL below.

http://www.rfc-editor.org/rfc/rfc4380.txt

Because Teredo is an open specification, Teredo software packages are available for a variety of platforms, including Mac OS X, Linux, BSD, and Sun Microsystems Solaris. One such package is Miredo, at the URL below.

http://www.simphalempin.com/dev/miredo

For Windows, Teredo first appeared in service packs for Windows XP and Windows Server 2003. It's also a standard part of Windows Vista and will be a standard part of Longhorn when it's released. Teredo is a decent idea, however you should understand some security implications before you jump into using the technology.

Last week, Symantec published a white paper titled "The Teredo Protocol: Tunneling Past Network Security and Other Security Implications," written by Dr. James Hoagland, principal security researcher with Symantec Advanced Threat Research. The white paper presents an examination of real and potential security problems. For example, Hoagland explains how worms that use network layer 3 or 4 could use Teredo to escape a contained IPv6 network and reach remote IPv6 networks. You recall that the Slammer worm was able to propagate itself by using only one UDP packet.

Hoagland also writes that security devices such as intrusion detection and prevention systems (IDSs/IPSs) that are designed for IPv4 don't understand IPv6 traffic. Thus, the IPv4 devices can't enforce adequate security controls on IPv6 traffic encapsulated in IPv4 packets.

Another problem is that Teredo might allow unwanted traffic into the IPv6 or IPv4 network. Other potential security problems relate to the possibilities of creating a Denial of Service (DoS) condition in both Teredo clients and servers and the ability for remote systems to traverse the NAT in ways that are probably undesirable.

If you're interested in using Teredo, by all means download a copy of Symantec's white paper (at the URL below) and read it over carefully. It might save you many headaches and answer a lot of questions before they even arise as a result of oddities in your network. http://www.symantec.com/avcenter/reference/Teredo_Security.pdf

Keep in mind that the white paper discusses Teredo in general and is based on the associated RFC. Hoagland said that Symantec intends to look specifically at Teredo in Windows Vista sometime in the future. So keep an eye out for that white paper to become available.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like