Author Topic: Teredo IPv6 traffic / vulnerability to IPv6 masking?  (Read 41055 times)

Offline freshhh

Teredo IPv6 traffic / vulnerability to IPv6 masking?
« on: May 03, 2008, 03:35:26 PM »
Why Teredo blocking is important

All Windows Vista machines come with a service known as "Teredo" enabled by default. This enables you to access the IPv6 internet using IPv4. It also means that any IPv4 user can masquerade as being on IPv6 in an attempt to evade IP blockers and firewalls.

PeerGuardian fully detects these types of IPv6 users and will check them against the regular blocklist.



IPv6 protocol used by Vista

6to4, the most common IPv6 over IPv4 tunneling protocol, requires the tunnel endpoint to have a public IPv4 address. However, many hosts are currently attached to the IPv4 Internet through one or several NAT devices, usually because of IPv4 address shortage. In such a situation, the only available public IPv4 address is assigned to the NAT device, and the 6to4 tunnel endpoint needs to be implemented on the NAT device itself. Many NAT devices currently deployed, however, cannot be upgraded to implement 6to4, for technical or economic reasons.

Teredo alleviates this problem by encapsulating IPv6 packets within UDP/IPv4 datagrams, which most NATs can forward properly. Thus, IPv6-aware hosts behind NATs can be used as Teredo tunnel endpoints even when they don't have a dedicated public IPv4 address. In effect, a host implementing Teredo can gain IPv6 connectivity with no cooperation from the local network environment.

Teredo is a temporary measure: in the long term, all IPv6 hosts should use native IPv6 connectivity. The Teredo protocol includes provisions for a sunset procedure: Teredo implementation should provide a way to stop using Teredo connectivity when IPv6 has matured and connectivity becomes available using a less brittle mechanism.

Source : http://en.wikipedia.org/wiki/Teredo_tunneling
(follow the link to read more)



Teredo may render your firewall useless

You most certainly know IPV4. You may have heard about IPV6. Do you know what Teredo is? No? That's bad provided you run a firewall to separate the Internet from your local network. Teredo is a mechanism that allows encapsulation of IPV6 packets into IPV4 UDP and uses relay servers to let IPV6 clients communicate by using relay servers. Symantec has a very thorough analysis of Teredo:

Currently hardly any firewalls or intrusion detection systems are able to recognise Teredo packets and they are therefore unable to filter IPv6 traffic. Rather they see UDP traffic via any ports. Teredo could become a problem, in particular because it circumvents the supposed protection offered by NAT. While, to date, private IPv4 addresses have not been routed via the internet, with IPv6 every computer is automatically assigned a unique IPv6 address, into which goes, for example, the MAC address of the network card and which is in principle accessible from the internet.

Source : http://web.luchs.at/article.php?cat=2&aid=298
« Last Edit: February 16, 2009, 05:36:06 PM by freshhh »

Offline AeoniAn

BUMP!
A serious problem. Almost a month ago... Hmmm... Are Comodo people taking care of this? Is CFP v3 able to "understand and see" the whole possibilities of Teredo? Are we still in need of PG2?
Please...
CIS v5.4 full (disabled SB & cloud)
W7-Ultim-x32-BR + XP-PRO-SP3-x86-BR + Ubuntu LTS x32
SBIE+sbiextra; PeerBlock v1.0+r; GPO/Secpol restricted rules + some more... (just in case)
Zero, Nada, No-one single infection since 2006.
(REAL Thanks to COMODO! - steps ahead, always)

Someone

  • Guest
I have faith that Egemen in all his wisdom will attend to the firewall proper.

Right now I see a lot of focus on Defense+, most people discussing D+, so I really don't have a clue. It's keylogger this, safe files that.
:P

Offline freshhh


Still waiting for comments from Comodo team...

Offline freshhh

any news?

Offline freshhh

Re: Teredo IPv6 traffic / vulnerability to IPv6 masking?
« Reply #5 on: February 19, 2009, 10:44:09 AM »

btw this is not only for Vista... I've XP and I've enabled the IPv6 protocol...

Offline Pfipps

Re: Teredo IPv6 traffic / vulnerability to IPv6 masking?
« Reply #6 on: February 22, 2009, 03:41:06 AM »
Quote
Currently hardly any firewalls or intrusion detection systems are able to recognise Teredo packets and they are therefore unable to filter IPv6 traffic. Rather they see UDP traffic via any ports.

So, that appears to mean that if you have the Stealth ports wizard on stealth mode (block all IP inbound) it will block potential IPv6 packets as UDP IPv4 ones? If so, then there really is no issue yet.

Also, one could simply go to the network connection and uncheck IPv6 - could this be a good work around if my previous statement is false? Also, could you disable the "6TO4" and "Teredo" adapters in the device manager? Or simply unchecking IPv6 in the network connection properties should do it?

Offline tetsuo55

Re: Teredo IPv6 traffic / vulnerability to IPv6 masking?
« Reply #7 on: February 24, 2009, 06:02:33 AM »
Comodo staff should respond to this,

What are your views on this? Is Comodo in any way capable of filtering IPv6?
There are a lot of native IPv6 users in my country as more and more ISPs are offering IPv6 connections to their subscribers.

Offline Commanding The Celsius

  • Product Translator
Re: Teredo IPv6 traffic / vulnerability to IPv6 masking?
« Reply #8 on: March 02, 2009, 07:16:46 AM »
Quote from Egemen:

IPV6 addresses are not supported right now and will be supported in the future versions.

It's coming.. I guess the need has not been there yet.. but it's coming! :) :)

Offline Pfipps

Re: Teredo IPv6 traffic / vulnerability to IPv6 masking?
« Reply #9 on: March 04, 2009, 12:28:25 PM »
IPV6 is already supported in PCtools firewall plus. In fact, the PCTools firewall is much better than the firewall in CIS. I'm even thinking of running it alongside Defense+ while disabling the Comodo firewall. The "killer app" in CIS is the Defense+. No, No, Comodo fanboys can't cover for the AV yet...

For example, Pctools will log every dropped packet, and the program will also log protocols I haven't even heard of. On top of that, the "active connections" resolves all the IPs it can, and you can even look at the actual data being sent in the packets. But the HIPS functionality is very limited, and so the Defense+ wins there.

Offline AeoniAn

Re: Teredo IPv6 traffic / vulnerability to IPv6 masking?
« Reply #10 on: March 04, 2009, 07:57:08 PM »
This thread was started almost ONE YEAR ago (10 months)...

And we are still waiting...




Offline freshhh

Re: Teredo IPv6 traffic / vulnerability to IPv6 masking?
« Reply #11 on: June 10, 2009, 07:42:02 PM »

*bump*

what's up with this feature?  ???

Toggie

  • Guest
Re: Teredo IPv6 traffic / vulnerability to IPv6 masking?
« Reply #12 on: June 10, 2009, 09:58:46 PM »
As mentioned elsewhere IPv6 support is coming, you will just have to be patient.

For now, if your concern regarding Teredo is great enough, then either create a simple Application to block the datagrams or disable Teredo entirely using netsh.

   

Offline freshhh

Re: Teredo IPv6 traffic / vulnerability to IPv6 masking?
« Reply #13 on: June 11, 2009, 04:57:51 AM »

of course but i don't think disabling teredo protocol is enough to be safe from ipv6 masking attack if the firewall is not able to manage it...

How to Disable TCP/IPv6 Teredo Tunneling in Vista
http://www.mydigitallife.info/2007/09/09/how-to-disable-tcpipv6-teredo-tunneling-in-vista/

Toggie

  • Guest
Re: Teredo IPv6 traffic / vulnerability to IPv6 masking?
« Reply #14 on: June 11, 2009, 05:43:11 AM »
Quote
of course but i don't think disabling teredo protocol is enough to be safe from ipv6 masking attack if the firewall is not able to manage it...


CIS is perfectly capable of dealing with protocol 41, which is the 6to4 and SIT tunnelling protocol, and as I said additional rules can be created to deal with Teredo, assuming one hasn't disabled it entirely.

Here's a quote from an IPv6 security white paper.

Quote
An IPv4 firewall sees SIT and 6to4 simply as IP protocol 41 on IPv4. For an IPv6 firewall, SIT and 6to4 do not exist. Neither applies rules directly to these tunnels beyond switching protocol 41 on or off. Also, Teredo is nothing more than a UDP protocol on IPv4, and is not seen by the IPv6 stack and rule-set.

I doubt that's verbatim, it's just what I remember from reading it a while ago.
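Added example, not part of the thread and not Comodo or PeerGuardian code: a sketch of how an IPv4-only filter can recognise the tunnels discussed above (IP protocol 41 for 6to4/SIT, IPv6 carried in UDP for Teredo) and recover the IPv4 address embedded in a Teredo or 6to4 source address so it can be checked against an ordinary IPv4 blocklist. The function names, the payload heuristic, and the sample packets and blocklist are assumptions constructed for illustration.

```python
import ipaddress
import struct

TEREDO_PORT = 3544  # well-known Teredo server UDP port

def looks_like_ipv6(buf):
    """True when buf starts with an IPv6 header whose length field fits."""
    return (len(buf) >= 40 and buf[0] >> 4 == 6
            and struct.unpack("!H", buf[4:6])[0] == len(buf) - 40)

def classify(pkt):
    """Return (kind, inner); kind is 'proto41', 'teredo' or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None, b""
    body = pkt[(pkt[0] & 0x0F) * 4:]
    if pkt[9] == 41:                       # 6to4/SIT: IPv6 carried directly in IPv4
        return "proto41", body
    if pkt[9] == 17 and len(body) >= 8:    # UDP: where Teredo traffic lives
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        # Heuristic (assumption): relay/peer traffic is not tied to port 3544,
        # so inspect the payload too. Teredo auth/origin headers are not parsed.
        if looks_like_ipv6(data) or TEREDO_PORT in (sport, dport):
            return "teredo", data
    return None, b""

def embedded_ipv4(addr6):
    """IPv4 hidden in a Teredo (2001:0::/32) or 6to4 (2002::/16) address, else None."""
    a = ipaddress.IPv6Address(addr6)
    return a.teredo[1] if a.teredo else a.sixtofour

def check(pkt, blocklist):
    """Return (kind, embedded IPv4 or None, blocked?) for one raw IPv4 packet."""
    kind, inner = classify(pkt)
    v4 = embedded_ipv4(inner[8:24]) if looks_like_ipv6(inner) else None
    return kind, v4, v4 is not None and any(v4 in net for net in blocklist)

# --- constructed sample packets (documentation addresses, checksums left 0) ---
def ipv6_hdr(src):
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("2001:db8::1").packed)

def ipv4_pkt(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]
TEREDO_PKT = ipv4_pkt(17, udp(51000, 52000, ipv6_hdr("2001:0:c000:201:8000:c23f:34ff:8ef8")))
SIXTOFOUR_PKT = ipv4_pkt(41, ipv6_hdr("2002:c633:6409::1"))
PLAIN_UDP = ipv4_pkt(17, udp(51000, 53, b"\x12\x34" + b"\x00" * 30))
```

The Teredo sample deliberately avoids port 3544 on both sides, so it is caught only by the payload check; a rule keyed on the port alone would let it through.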



 

 
