[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: New I-D: Teredo Security Concerns Beyond What Is In RFC 4380

To: "Templin, Fred L" <Fred.L.Templin@boeing.com>, <jordi.palet@consulintel.es>, v6 ops <v6ops@ops.ietf.org>
Subject: Re: New I-D: Teredo Security Concerns Beyond What Is In RFC 4380
From: Jim Hoagland <jim_hoagland@symantec.com>
Date: Mon, 04 Jun 2007 11:58:30 -0700
In-reply-to: <39C363776A4E8C4A94691D2BD9D1C9A1029ED832@XCH-NW-7V2.nw.nos.boeing.com>
User-agent: Microsoft-Entourage/11.3.3.061214

In writing the I-D, I was not particularly concerned about Teredo being used
by malware on an internal host.  The inbound direction was more of a
concern, e.g., Teredo opening opportunities for connecting to a client that
exceed what the administrator would want.

-- Jim 


On 6/4/07 9:51 AM, "Templin, Fred L" <Fred.L.Templin@boeing.com> wrote:

> I agree with this too, and with what Christian Huitema
> said about Teredo having a visible signature. I spent
> some time on analysis of Teredo in 'draft-templin-ipvlx',
> and IMHO malware authors have known for a long time how
> to punch holes through NATs - at least for a longer time
> than the Teredo specification has been around in either
> I-D or RFC form.
> 
> Fred
> fred.l.templin@boeing.com
> 
>> -----Original Message-----
>> From: JORDI PALET MARTINEZ [mailto:jordi.palet@consulintel.es]
>> Sent: Saturday, June 02, 2007 2:04 AM
>> To: v6ops@ops.ietf.org
>> Subject: Re: New I-D: Teredo Security Concerns Beyond What Is
>> In RFC 4380
>> 
>> Fully agree.
>> 
>> It is a matter of properly managing a "managed network".
>> There are hundreds
>> of alternatives to Teredo that can be used to do bad things
>> if you allow the
>> users to install whatever they wish, or to upgrade to new
>> versions of OSs
>> without managing that upgrade, etc. It is not to blame Teredo.
>> 
>> In fact, Teredo will never come up if there is IPv6 support
>> in the managed
>> network, and that's the right thing to do.
>> 
>> Regards,
>> Jordi
>> 
>> 
>> 
>> 
>>> De: Rémi Denis-Courmont <rdenis@simphalempin.com>
>>> Organización: Remlab.net
>>> Responder a: <owner-v6ops@ops.ietf.org>
>>> Fecha: Sat, 2 Jun 2007 11:48:26 +0300
>>> Para: v6 ops <v6ops@ops.ietf.org>
>>> Asunto: Re: New I-D: Teredo Security Concerns Beyond What
>> Is In RFC 4380
>>> 
>>> Le vendredi 1 juin 2007, james woodyatt a écrit :
>>>> I think the worry here is about the Teredo implementations
>> that might
>>>> be integrated into malware for the purpose of escaping network
>>>> perimeter policy enforcement.  In particular, I'd think that
>>>> enterprises interested in controlling Skype would be concerned that
>>>> Teredo might present an otherwise uncontrolled
>> communication vector.
>>> 
>>> I respectfully disagree. There is no concern that Teredo might be
>>> integrated implemented by malware. If there is a concern,
>> it might be
>>> that it might be enabled by default in Vista^Wsome hosts within a
>>> managed network. There is something terribly wrong with a managed
>>> network that:
>>> - allows its users to upgrade to Vista unsupervised and/or without
>>> ensuring that Teredo is blocked; OR
>>> - relies on NAT for perimeter security.
>>> 
>>> You are blaming Teredo instead of the poorly managed network here.
>>> Besides, as you say, it's not like there's not already
>> Skype and other
>>> P2P protocols that have already broken out of such network
>> perimeters,
>>> and are much more firewall-unfriendly.
>>> 
>>> Now back to the malware issue, take a network that can be
>> "broken out
>>> of" with Teredo today. Disable every single Teredo client, relay and
>>> server on the whole Internet tomorrow. The only difference for a
>>> malware in that network tomorrow will be that it cannot contact a
>>> native IPv6 host directly. Any host that was reachable yesterday,
>>> including any public IPv4 host, is still reachable without
>> Teredo, and
>>> any other NATed malware host can still use a similar hole punching
>>> mechanism. I doubt the native IPv6 reachability is much of a problem
>>> for malware authors.
>>> 
>>> -- 
>>> Rémi Denis-Courmont
>>> http://www.remlab.net/
>> 
>> 
>> 
>> 
>> **********************************************
>> The IPv6 Portal: http://www.ipv6tf.org
>> 
>> Bye 6Bone. Hi, IPv6 !
>> http://www.ipv6day.org
>> 
>> This electronic message contains information which may be
>> privileged or confidential. The information is intended to be
>> for the use of the individual(s) named above. If you are not
>> the intended recipient be aware that any disclosure, copying,
>> distribution or use of the contents of this information,
>> including attached files, is prohibited.
>> 
>> 
>> 
>> 
>> 
>

Follow-Ups:
- Re: New I-D: Teredo Security Concerns Beyond What Is In RFC 4380
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>

References:
- RE: New I-D: Teredo Security Concerns Beyond What Is In RFC 4380
  - From: "Templin, Fred L" <Fred.L.Templin@boeing.com>

Prev by Date: Re: New I-D: Teredo Security Concerns Beyond What Is In RFC 4380
Next by Date: Re: New I-D: Teredo Security Concerns Beyond What Is In RFC 4380
Previous by thread: Re: New I-D: Teredo Security Concerns Beyond What Is In RFC 4380
Next by thread: Re: New I-D: Teredo Security Concerns Beyond What Is In RFC 4380
Index(es):
- Date
- Thread