IPv6 tunneling in Vista ' a new area of concern

LAS VEGAS ' Microsoft completely rewrote the network stack of its new Windows Vista operating system, embedding IPv6 as the preferred protocol by default. To use IPv6, it has included the Teredo tunneling protocol to pass IPv6 traffic through Network Address Translation devices and across non-IPv6-enabled local networks, using UDP packets.

'Teredo raises a number of security concerns, some of them serious,' said Jim Hoagland, principal security researcher at Symantec Security Response.

Hoagland presented results from an analysis of network-facing elements of Vista Thursday at the Black Hat Briefings information technology security conference.

Because of the concerns raised, he recommended that Teredo should not be used on managed networks. Native IPv6 traffic should be the preferred method of transport.

Vista is designed to use Teredo as the 'IPv6 provider of last resort,' used only when native IPv6 or ISAP, another tunneling protocol, is not available. But Hoagland said that his research revealed that Teredo was being used more frequently that Microsoft documentation indicated it should.

'The safest thing is to assume that Teredo will often be used,' he said.

Teredo can make computers unexpectedly accessible from the outside. It can also bypass security controls, avoiding inspection by firewalls and intrusion detection systems unless they are specifically aware of Teredo and know to look into the UDP packets.

'You should be applying as strong controls to Teredo packets as to IPv6,' Hoagland said.

But because Teredo packets can be difficult to find, the overhead of locating them could be prohibitive on a network. In the final analysis, blocking them could be the better solution, he said.

About the Author

William Jackson is a Maryland-based freelance writer.

Featured

  • Records management: Look beyond the NARA mandates

    Records management is about to get harder

    New collaboration technologies ramped up in the wake of the pandemic have introduced some new challenges.

  • puzzled employee (fizkes/Shutterstock.com)

    Phish Scale: Weighing the threat from email scammers

    The National Institute of Standards and Technology’s Phish Scale quantifies characteristics of phishing emails that are likely to trick users.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.