IPv6 tunneling in Vista: a new area of concern
- By William Jackson
- Aug 02, 2007
LAS VEGAS - Microsoft completely rewrote the network stack of its new Windows Vista operating system, embedding IPv6 as the preferred protocol by default. To use IPv6, it has included the Teredo tunneling protocol to pass IPv6 traffic through Network Address Translation devices and across non-IPv6-enabled local networks, using UDP packets.
"Teredo raises a number of security concerns, some of them serious," said Jim Hoagland, principal security researcher at Symantec Security Response.
Hoagland presented results from an analysis of network-facing elements of Vista Thursday at the Black Hat Briefings information technology security conference.
Because of the concerns raised, he recommended that Teredo should not be used on managed networks. Native IPv6 traffic should be the preferred method of transport.
Vista is designed to use Teredo as the "IPv6 provider of last resort," used only when native IPv6 or ISATAP, another tunneling protocol, is not available. But Hoagland said that his research revealed that Teredo was being used more frequently than Microsoft documentation indicated it should.
"The safest thing is to assume that Teredo will often be used," he said.
Teredo can make computers unexpectedly accessible from the outside. It can also bypass security controls, avoiding inspection by firewalls and intrusion detection systems unless they are specifically aware of Teredo and know to look into the UDP packets.
"You should be applying as strong controls to Teredo packets as to IPv6," Hoagland said.
But because Teredo packets can be difficult to find, the overhead of locating them could be prohibitive on a network. In the final analysis, blocking them could be the better solution, he said.
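As an added illustration (not from the article or from Hoagland's analysis), the Python sketch below shows what "looking into the UDP packets" involves for a monitoring tool: it skips the optional Teredo headers defined in RFC 4380, checks whether the rest of the payload is a well-formed IPv6 packet, and reports Teredo indicators. The function names and sample packets are constructed for this example; because peer-to-peer Teredo traffic need not use port 3544, the check cannot rely on port numbers alone, which is part of the cost described above.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo address prefix (RFC 4380)
TEREDO_PORT = 3544                                 # Teredo server UDP port (RFC 4380)

def strip_teredo_headers(payload: bytes) -> bytes:
    """Skip the optional Teredo headers that may precede the inner IPv6 packet."""
    # Authentication: 0x0001, ID-len, AU-len, client ID, auth value, 8-byte nonce, 1-byte confirmation
    if payload[:2] == b"\x00\x01" and len(payload) >= 4:
        payload = payload[4 + payload[2] + payload[3] + 9:]
    # Origin indication: 0x0000, 2-byte obfuscated port, 4-byte obfuscated IPv4 address
    if payload[:2] == b"\x00\x00":
        payload = payload[8:]
    return payload

def teredo_indicators(payload: bytes, sport: int, dport: int):
    """Return None if the UDP payload is not an IPv6 packet, else a list of Teredo indicators."""
    inner = strip_teredo_headers(payload)
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    (payload_len,) = struct.unpack("!H", inner[4:6])
    if payload_len + 40 != len(inner):  # length field must match the bytes on the wire
        return None
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    found = []
    if src in TEREDO_PREFIX or dst in TEREDO_PREFIX:
        found.append("teredo-prefix")
    if TEREDO_PORT in (sport, dport):
        found.append("port-3544")
    return found

def build_ipv6(src: str, dst: str, body: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv6 packet (next header 59 = no next header)."""
    header = struct.pack("!IHBB", 6 << 28, len(body), 59, 64)
    return header + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body

# Constructed samples, not captured traffic.
CLIENT = "2001:0:c000:201:0:f7ff:3fff:fdfe"  # made-up Teredo-format address
PEER_TO_PEER = build_ipv6(CLIENT, "2001:db8::1", b"data")  # sent on ephemeral ports
FROM_SERVER = b"\x00\x00" + bytes(6) + build_ipv6("fe80::1", CLIENT)  # origin indication first
DNS_LIKE = bytes.fromhex("123401000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"

if __name__ == "__main__":
    print(teredo_indicators(PEER_TO_PEER, 51000, 49152))
    print(teredo_indicators(FROM_SERVER, 3544, 51000))
    print(teredo_indicators(DNS_LIKE, 51000, 53))
```
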
William Jackson is a Maryland-based freelance writer.