
Vendors worried Vista IPv6 too slippery for managed networks
Written by Daniel   
Monday, 10 December 2007 13:10

By Iljitsch van Beijnum | Published: December 10, 2007 - 10:31AM CT
ARS Technica

Researchers have raised new questions about the security of Vista's IPv6 implementation. James Hoagland from Symantec and Suresh Krishnan from Ericsson wrote an Internet-Draft that calls attention to the Teredo protocol and the fact that many firewalls don't understand this protocol, and therefore can't inspect the packets embedded within it. Teredo is Vista's last resort to connect to the IPv6 Internet. First, Vista looks for an IPv6 router on the local LAN.

If so, the router will provide the Vista machine with IPv6 addresses and "native" (not tunneled) connectivity. If there is no IPv6 router, but the Vista machine has a public IPv4 address (i.e., not one from the 10-net or any of the other private address ranges from RFC 1918), it uses the 6to4 tunneling mechanism that embeds IPv6 packets in IPv4 packets. However, 6to4 can't create IPv6 addresses from a private IPv4 address. Teredo, the third mechanism, is able to do this, so if you're behind a network address translator (NAT) then Vista uses Teredo.

Because of the extra work this requires, Teredo is only used if an application specifically wants to talk IPv6 or a destination is only reachable over IPv6. If you go to an IPv6-enabled what's-my-IP-address page with a Vista machine, the page will tell you you're using IPv4. But on the version that's only reachable over IPv6, you'll see your Teredo IPv6 address. (If your IPv6 address starts with "2002:" you're using 6to4, if it starts with "2001:0:" you're using Teredo.)

The draft authors raise the following security issue about Teredo:
IPv6 traffic tunneled with Teredo will not receive the intended level of inspection or policy application by network-based security devices, unless the devices are specifically Teredo aware and capable. This reduces defense in depth and may cause security gaps....
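The two practical points in the article, telling a 6to4 or Teredo address apart from a native one and the fact that a firewall has to look inside the UDP payload before it can apply any IPv6 policy, can be shown in a few dozen lines. The script below is an added example for this page; it is not code from the Ars Technica article, from the Hoagland/Krishnan Internet-Draft, or from Microsoft, Symantec or Ericsson. The address layouts come from RFC 3056 (6to4) and RFC 4380 (Teredo); the Teredo packet it decodes is constructed by hand, not captured from a Vista host, and the blocked-port list in the policy function is an illustrative assumption.

```python
"""Teredo and 6to4 address triage plus a minimal Teredo-aware inspection step.

Added example; not from the article, the Internet-Draft or any vendor.
Layouts follow RFC 3056 (6to4) and RFC 4380 (Teredo); sample packet is constructed.
"""
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")    # RFC 4380, the "2001:0:" of the article
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")   # RFC 3056, the "2002:" of the article
TEREDO_UDP_PORT = 3544                                  # outer UDP port an IPv4-only firewall sees


def classify_ipv6(addr_str):
    """Return (kind, details): kind is "native", "6to4" or "teredo"; details carries
    the IPv4 information embedded in a tunnel address (useful to map it to a host)."""
    addr = ipaddress.IPv6Address(addr_str)
    raw = addr.packed
    if addr in SIXTOFOUR_PREFIX:
        # 2002:WWXX:YYZZ::/48 - the host's public IPv4 address is bytes 2..5
        return "6to4", {"public_ipv4": str(ipaddress.IPv4Address(raw[2:6]))}
    if addr in TEREDO_PREFIX:
        # 2001:0000:<server v4><flags><~port><~client v4>; port and client address
        # are stored bit-inverted so that NATs do not rewrite them in transit.
        server = ipaddress.IPv4Address(raw[4:8])
        flags = struct.unpack("!H", raw[8:10])[0]
        port = struct.unpack("!H", raw[10:12])[0] ^ 0xFFFF
        client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
        return "teredo", {
            "server": str(server),
            "cone_nat": bool(flags & 0x8000),   # C flag is the top bit of the flags field
            "mapped_port": port,
            "mapped_ipv4": str(client),
        }
    return "native", {}


def inspect_teredo_payload(udp_payload):
    """Peel Teredo encapsulation and return the inner IPv6 header fields, or None
    if the payload is not IPv6. A device that stops at the outer IPv4/UDP header
    never gets this far, which is the gap the draft describes."""
    buf = udp_payload
    # RFC 4380 allows an authentication (0x0001) and an origin (0x0000) indication
    # in front of the IPv6 packet; a real IPv6 header always starts with nibble 6.
    while len(buf) >= 4 and buf[0] == 0x00 and buf[1] in (0x00, 0x01):
        if buf[1] == 0x00:
            buf = buf[8:]                        # indicator(2) + ~port(2) + ~addr(4)
        else:
            id_len, au_len = buf[2], buf[3]
            buf = buf[4 + id_len + au_len + 9:]  # ids + nonce(8) + confirmation(1)
    if len(buf) < 40 or buf[0] >> 4 != 6:
        return None
    _, payload_len, next_hdr, _, src, dst = struct.unpack("!IHBB16s16s", buf[:40])
    fields = {
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
        "next_header": next_hdr,
        "payload_length": payload_len,
    }
    if next_hdr in (6, 17) and len(buf) >= 44:   # TCP or UDP: ports are the next 4 bytes
        fields["src_port"], fields["dst_port"] = struct.unpack("!HH", buf[40:44])
    return fields


def verdict(fields, blocked_tcp_ports=frozenset({135, 139, 445, 3389})):
    """Toy inner-packet policy (assumed port list): block services a perimeter
    would normally filter on IPv4 but cannot see inside an unparsed tunnel."""
    if fields is None:
        return "PASS-OPAQUE"   # could not look inside: what a Teredo-unaware device does
    if fields["next_header"] == 6 and fields.get("dst_port") in blocked_tcp_ports:
        return "DROP"
    return "ALLOW"


def build_sample_teredo_payload():
    """Constructed input: origin indication, then an IPv6/TCP SYN to port 445."""
    client_v4 = ipaddress.IPv4Address("192.0.2.45").packed
    origin = struct.pack("!HH4s", 0x0000, 40000 ^ 0xFFFF, bytes(b ^ 0xFF for b in client_v4))
    tcp = struct.pack("!HHIIBBHHH", 51000, 445, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    v6 = struct.pack("!IHBB16s16s", 0x60000000, len(tcp), 6, 64,
                     ipaddress.IPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2").packed,
                     ipaddress.IPv6Address("2001:db8::1").packed)
    return origin + v6 + tcp


if __name__ == "__main__":
    for a in ("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2002:c000:204::1", "2001:db8::1"):
        print(a, "->", classify_ipv6(a))
    inner = inspect_teredo_payload(build_sample_teredo_payload())
    print("outer view: UDP/%d only; inner view: %s -> %s" % (TEREDO_UDP_PORT, inner, verdict(inner)))
```

Run as a script it prints the decoded tunnel endpoints and shows the contrast the draft is making: on the wire the sample is a single outbound UDP datagram to port 3544, which most 2007-era firewalls would allow, while the payload is a TCP SYN to port 445 that the same firewall would have dropped had it arrived as plain IPv4. Note that this only covers the parsing step; a Teredo-aware device also has to track the bubble packets and relay traffic that make NAT traversal work, which is why the draft frames the problem as one of reduced defense in depth rather than a simple signature.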



Copyright ©2001 - 2012, AOA Forums.  All rights reserved.

Alliance of Overclocking Arts

