New Zealand IPv6 specialist Dean Pemberton warns that a transitional protocol to IPv6 may have underlying security risks.
Teredo is one of several tunnelling protocols that carry IPv6 traffic encapsulated in IPv4 packets to ensure transmission over an IPv4 network. Teredo, moreover, is designed to ensure that the packets also cleanly cross network address translation (NAT) devices.
Recent Microsoft operating systems Vista and Windows 7 “turn on Teredo tunnelling almost by default”, Pemberton told a meeting of a special interest group in Wellington earlier this month. “If not by default, then very quickly it gets turned on by you installing something innocuous.”
“Your Windows box gets an IPv6 address and will start a dynamic tunnel out to somewhere on the internet – through your [network] firewall. Suddenly all the Windows boxes deployed in your organisation have what is essentially a big backdoor.”
He knows of at least one organisation that blocked its employees from using Peer to Peer (P2P) and subsequently noticed an unexpected volume of traffic, which proved to be P2P clients evading the block with Teredo tunnelling.
But this type of tunnelling is not a major security threat if individual PCs have their own competent firewalls. Only if the organisation, or an individual with a home network, relies on the network firewall alone for protection does a serious opportunity arise for exploits to sneak in, Pemberton says.
Microsoft national technology officer Mark Rees dismisses the suggestion that Teredo poses a substantial risk. He says it is “enabled but not active” in both Windows 7 and Vista, and to turn it on requires installation of an application configured to use IPv6 – for example Microsoft’s NetMeeting.
He says Teredo is primarily designed for home users. “To this end Teredo is designed to look for the presence of an Active Directory Domain Controller (DC). If a DC is found [any DC; it doesn’t have to be the authoritative DC for that user], then Teredo will automatically not activate. Thus [firewall penetration] won’t be an issue for any organisation that uses Active Directory without manual user configuration.”
Even so, in order for Teredo to be activated, “an application that has the ‘allow edge traversal’ option checked in the Windows Firewall must be installed and actively used,” Rees says. As another precaution, the port Teredo uses (Port 3544) can be blocked to outgoing UDP traffic, which will stop it from traversing the firewall – a point Pemberton also made at the meeting.
Other remedies Pemberton suggests are installing a Teredo server on the local network, so that Teredo clients find it first and do not tunnel through the firewall in search of a remote server, or deploying native IPv6 as early as possible.
Pemberton counsels IPv6 adopters to take full advantage of the improved security inherent in IPsec, which is part of all standards-compliant implementations of IPv6 and encrypts and authenticates each packet.
Because there will be so many addresses (two to the power 64) available in a segment of a LAN, the old-style hacker’s practice of scanning every address to pick out the active ones will disappear. But this does not make communications safer. Hackers will be listening for traffic from specific valid hosts. This makes it even more important to be careful about information leaking out of your network, he says. “You must make sure that any box that communicates out to the world, you know about.”
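The encapsulation described at the start of the article leaves a fingerprint: a Teredo client's IPv6 address embeds the Teredo server it reached and the client's public IPv4 and NAT-mapped UDP port. The following decoder, an added example that is not from the article or from Microsoft, applies the RFC 4380 address layout to addresses found in a constructed flow log, which is one way to build the inventory of outward-talking hosts Pemberton asks for; the log format and the `find_teredo_hosts` helper are assumptions.

```python
"""Decode Teredo IPv6 addresses seen in logs to find hosts tunnelling out.

Added example, not code from the article. Layout per RFC 4380 section 4:
prefix 2001:0000::/32 | Teredo server IPv4 | 16-bit flags |
client UDP port XOR 0xFFFF | client public IPv4 XOR 0xFFFFFFFF.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
TEREDO_UDP_PORT = 3544  # server port the article recommends blocking outbound


@dataclass(frozen=True)
class TeredoInfo:
    server: str        # public IPv4 of the Teredo server the client located
    cone_nat: bool     # RFC 4380 "cone" flag (top bit of the flags field)
    client_port: int   # external UDP port the NAT mapped for the client
    client_ipv4: str   # external IPv4 of the client's NAT


def decode_teredo(addr: str) -> Optional[TeredoInfo]:
    """Return the decoded fields if addr is a Teredo address, else None."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = int(ip)
    server = (raw >> 64) & 0xFFFFFFFF         # bits 32..63
    flags = (raw >> 48) & 0xFFFF              # bits 64..79
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF    # bits 80..95, de-obfuscated
    client = (raw & 0xFFFFFFFF) ^ 0xFFFFFFFF  # bits 96..127, de-obfuscated
    return TeredoInfo(
        server=str(ipaddress.IPv4Address(server)),
        cone_nat=bool(flags & 0x8000),
        client_port=port,
        client_ipv4=str(ipaddress.IPv4Address(client)),
    )


# Constructed sample flow-log lines (assumed format: time action src -> dst).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z ALLOW 2001:0:4136:e378:8000:63bf:3fff:fdd2 -> 2001:db8::10
2024-01-01T10:00:01Z ALLOW 2001:db8::20 -> 2001:db8::10
"""


def find_teredo_hosts(log_text: str) -> Dict[str, TeredoInfo]:
    """Map every Teredo address appearing in the log to its decoded fields."""
    found: Dict[str, TeredoInfo] = {}
    for line in log_text.splitlines():
        for token in line.split():
            try:
                info = decode_teredo(token)
            except ValueError:  # token is not an IPv6 address
                continue
            if info is not None:
                found[token] = info
    return found
```

The decoded `server` field is also what you would compare against your own local Teredo server's address to confirm that clients are using it rather than one on the internet.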