The Teredo Protocol: Tunneling Past Network Security and Other Security Implications
Greetings and welcome to my first blog posting. Back when Tim Newsham and I wrote Windows Vista Network Attack Surface Analysis: A Broad Overview, we expressed concern about Teredo's security implications, although we hadn't yet had the opportunity to investigate it. Subsequently, I had a chance to dig into the protocol and found that our concerns were justified: Teredo can have an important and negative impact on your host and network security. With that said, let me announce our new research paper: The Teredo Protocol: Tunneling Past Network Security and Other Security Implications.
Teredo is a timely protocol to look into since it is included in Windows Vista and is enabled by default. So, Vista hosts will be using it unless it is explicitly disabled or blocked (which is something I recommend). It was also included with some service packs in earlier Windows releases, but was disabled by default (as was IPv6), and open source implementations for Unix/Linux and MacOS are available. Teredo was developed by Christian Huitema of Microsoft and is an open standard (RFC 4380). This research paper covers the security implications of the Teredo protocol in general, as opposed to any particular implementation of it.
Teredo is an IPv4 to IPv6 transition mechanism for dual stack hosts that wish to use IPv6 to connect to the Internet, but which are "stuck" behind an IPv4 NAT that doesn't support native IPv6 traffic or 6to4/ISATAP (a fairly common situation). It does this by tunneling the IPv6 traffic through the NAT on top of IPv4 UDP connections and does not require any support at all from the local network.
In fact, this leads to our major security concern: the bypassing of network security devices, such as firewalls and IDS/IPS. Unless those are specifically Teredo-aware, they will not see the IPv6 traffic as IPv6 traffic, but merely as UDP traffic on unknown ports, and thus will miss the real traffic on which to apply security controls. Thus, enabling Teredo introduces a security risk to your network. Even if on the host side the same security is being applied to Teredo as to native IPv6 (as seems to be the case with Vista), security is lowered because: (1) not all network controls may be available or active on the host as well, and (2) defense in depth has been reduced. After all, the network security controls were there for a reason.
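The detection gap described above, as an added example (not code from the research paper, from Microsoft's implementation, or from any of the open source ones): a small Python inspector that ignores UDP port numbers, peels off the optional Teredo indicator headers defined in RFC 4380, and checks whether the datagram actually carries an IPv6 packet with a Teredo (2001:0::/32) endpoint. It also decodes the fields embedded in a Teredo address, which is how an analyst recovers the server, the NAT-mapped port and the NAT-mapped IPv4 address from an inner IPv6 address. The sample datagrams, the addresses (192.0.2.1, 198.51.100.7, 2001:db8::/32) and the port numbers other than 3544 are constructed for this example.

```python
import ipaddress
import struct

# RFC 4380 constants (from the RFC, not from the blog post)
TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")
TEREDO_SERVER_PORT = 3544


def parse_teredo_address(addr):
    """Decode the fields of a Teredo IPv6 address (RFC 4380 section 4).

    Layout: 32-bit prefix | server IPv4 | 16-bit flags | obfuscated port
    (XOR 0xFFFF) | obfuscated client IPv4 (XOR 0xFFFFFFFF).
    Returns None if the address is not under 2001:0::/32.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    flags = struct.unpack("!H", raw[8:10])[0]
    port = struct.unpack("!H", raw[10:12])[0] ^ 0xFFFF
    client = bytes(b ^ 0xFF for b in raw[12:16])
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "cone": bool(flags & 0x8000),
        "mapped_port": port,
        "mapped_ipv4": str(ipaddress.IPv4Address(client)),
    }


def strip_teredo_indicators(payload):
    """Remove the optional Teredo headers that may precede the IPv6 packet.

    Authentication indicator: 0x0001, ID-len, AU-len, client id, auth value,
    8-byte nonce, 1-byte confirmation.  Origin indication: 0x0000, obfuscated
    port, obfuscated IPv4 (8 bytes total).  Direct client-to-client packets
    carry neither and start with the IPv6 header (first nibble 6).
    """
    while len(payload) >= 4:
        if payload[:2] == b"\x00\x01":
            id_len, au_len = payload[2], payload[3]
            payload = payload[4 + id_len + au_len + 8 + 1:]
        elif payload[:2] == b"\x00\x00":
            payload = payload[8:]
        else:
            break
    return payload


def inspect_udp_payload(payload):
    """Return the inner IPv6 endpoints if the payload is Teredo-tunneled IPv6, else None."""
    inner = strip_teredo_indicators(payload)
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    if src not in TEREDO_PREFIX and dst not in TEREDO_PREFIX:
        return None
    return {"src": str(src), "dst": str(dst), "next_header": inner[6]}


def build_ipv6_packet(src, dst, next_header, body=b""):
    """Build a minimal IPv6 header plus body (constructed test data only)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(body), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body


# Constructed Teredo address: server 192.0.2.1, cone flag set,
# mapped port 40000, mapped client IPv4 198.51.100.7
CLIENT_ADDR = "2001:0:c000:201:8000:63bf:39cc:9bf8"

# Constructed sample datagrams: (src_port, dst_port, udp_payload)
SAMPLE_DATAGRAMS = [
    # server -> client on 3544, origin indication in front of an ICMPv6 packet
    (TEREDO_SERVER_PORT, 40000,
     b"\x00\x00\x63\xbf\x39\xcc\x9b\xf8"
     + build_ipv6_packet("2001:db8::1", CLIENT_ADDR, 58, b"\x80\x00")),
    # peer -> client on ephemeral ports, raw IPv6 (TCP inside) in UDP:
    # a port-based rule never sees this one
    (51234, 40000, build_ipv6_packet("2001:db8::2", CLIENT_ADDR, 6)),
    # ordinary DNS-looking payload: first nibble is not 6, so it is ignored
    (53, 40001, b"\x12\x34\x81\x80" + b"\x00" * 36),
]


def find_teredo_flows(datagrams):
    """Scan (src_port, dst_port, payload) tuples and return the Teredo-tunneled ones."""
    hits = []
    for sport, dport, payload in datagrams:
        info = inspect_udp_payload(payload)
        if info is not None:
            info["udp_ports"] = (sport, dport)
            hits.append(info)
    return hits


if __name__ == "__main__":
    print(parse_teredo_address(CLIENT_ADDR))
    for hit in find_teredo_flows(SAMPLE_DATAGRAMS):
        print(hit)
```

The second sample datagram is the point of the exercise: once the client has established its NAT mapping, peer traffic arrives on arbitrary UDP ports with no Teredo header at all, so only content inspection of the UDP payload (rather than a rule on port 3544) reveals the tunneled IPv6 and lets an IDS/IPS apply its IPv6 controls to it.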
Teredo provides a host with a global-scope address and anyone on the Internet can send traffic to the host. Additional security concerns associated with the use of Teredo include the capability of remote nodes to open the NAT for themselves, benefits to worms, ways to deny Teredo service, and the difficulty in finding all Teredo traffic to inspect. Teredo does provide some anti-spoofing mechanisms and is compatible with IPsec, though.
The report also includes a succinct description of how Teredo works that is more accessible than the 50-page RFC, and it even analyzes the relative security of different NAT types.