[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: New I-D: Teredo Security Concerns Beyond What Is In RFC 4380



Fully agree.

It is a matter of properly managing a "managed network". There are hundreds
of alternatives to Teredo that can be used to do bad things if you allow the
users to install whatever they wish, or to upgrade to new versions of OSs
without managing that upgrade, etc. It is not to blame Teredo.

In fact, Teredo will never come up if there is IPv6 support in the managed
network, and that's the right thing to do.

Regards,
Jordi




> De: Rémi Denis-Courmont <rdenis@simphalempin.com>
> Organización: Remlab.net
> Responder a: <owner-v6ops@ops.ietf.org>
> Fecha: Sat, 2 Jun 2007 11:48:26 +0300
> Para: v6 ops <v6ops@ops.ietf.org>
> Asunto: Re: New I-D: Teredo Security Concerns Beyond What Is In RFC 4380
> 
> Le vendredi 1 juin 2007, james woodyatt a écrit :
>> I think the worry here is about the Teredo implementations that might
>> be integrated into malware for the purpose of escaping network
>> perimeter policy enforcement.  In particular, I'd think that
>> enterprises interested in controlling Skype would be concerned that
>> Teredo might present an otherwise uncontrolled communication vector.
> 
> I respectfully disagree. There is no concern that Teredo might be
> integrated implemented by malware. If there is a concern, it might be
> that it might be enabled by default in Vista^Wsome hosts within a
> managed network. There is something terribly wrong with a managed
> network that:
> - allows its users to upgrade to Vista unsupervised and/or without
> ensuring that Teredo is blocked; OR
> - relies on NAT for perimeter security.
> 
> You are blaming Teredo instead of the poorly managed network here.
> Besides, as you say, it's not like there's not already Skype and other
> P2P protocols that have already broken out of such network perimeters,
> and are much more firewall-unfriendly.
> 
> Now back to the malware issue, take a network that can be "broken out
> of" with Teredo today. Disable every single Teredo client, relay and
> server on the whole Internet tomorrow. The only difference for a
> malware in that network tomorrow will be that it cannot contact a
> native IPv6 host directly. Any host that was reachable yesterday,
> including any public IPv4 host, is still reachable without Teredo, and
> any other NATed malware host can still use a similar hole punching
> mechanism. I doubt the native IPv6 reachability is much of a problem
> for malware authors.
> 
> -- 
> Rémi Denis-Courmont
> http://www.remlab.net/




**********************************************
The IPv6 Portal: http://www.ipv6tf.org

Bye 6Bone. Hi, IPv6 !
http://www.ipv6day.org

This electronic message contains information which may be privileged or confidential. The information is intended to be for the use of the individual(s) named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, including attached files, is prohibited.