Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 ) Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, 2010. Beijing, China.

Published byClyde Willis Modified over 9 years ago

Similar presentations

Presentation on theme: "Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 ) Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, 2010. Beijing, China."— Presentation transcript:

1 Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 ) Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, 2010. Beijing, China.

2 Summary Aims at mitigating the Teredo routing-loop attacks described by the USENIX-WOOT paper (Nakibly et al) Discusses both implementation considerations and operations considerations Sanity checks are recommended for Teredo nodes (already implemented in some Teredo implementations), such that the vulnerabilities are eliminated

3 Attack #1: Teredo client to NAT The routing loop involves a Teredo client and the corresponding NAT (it assumes that the NAT is of type "cone", and that the aforementioned NAT supports hair- pin routing with source address translation Implementation advice:  a node SHOULD NOT forward over the Teredo tunnel IPv6 packets that were not originated on the local node, and SHOULD discard those packets received over the Teredo tunnel that are not destined to the Teredo client. The proposed checks completely eliminate this vulnerability.

4 Attack #2: Teredo server The routing loop involves only a Teredo server, having the server send a bubble packet to itself (resulting in an endless loop) Implementation advice:  Teredo servers MUST discard Teredo packets that have an IPv4 Source Address equal to one of the receiving server's IPv4 addresses, and MUST discard Teredo packets that embed the (obfuscated) IPv4 address of the receiving server in the "client IPv4" field of the Source Address or the Destination Address of the encapsulated IPv6 packet. The proposed checks completely eliminate this vulnerability.

5 Moving forward Comments? Adopt as wg item?

Download ppt "Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 ) Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, 2010. Beijing, China."

Similar presentations

73rd IETF meeting, November 16-21, 2008

73rd IETF meeting, November 16-21, 2008
Deployment Considerations for Dual-stack Lite IETF 80 Prague Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed Boucadair.

Deployment Considerations for Dual-stack Lite IETF 80 Prague Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed Boucadair.
IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.

IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.
Auto Configuration and Mobility Options in IPv6 By: Hitu Malhotra and Sue Scheckermann.

Auto Configuration and Mobility Options in IPv6 By: Hitu Malhotra and Sue Scheckermann.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Implementing IP Addressing Services Accessing the WAN – Chapter 7.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Implementing IP Addressing Services Accessing the WAN – Chapter 7.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.
1 Teredo - Tunneling IPv6 through NATs Date: 2003-10-31 Speaker: Quincy Wu National Chiao Tung University.

1 Teredo - Tunneling IPv6 through NATs Date: Speaker: Quincy Wu National Chiao Tung University.
Security Assessment of the Internet Protocol version 4 (IPv4) draft-ietf-opsec-ip-security Fernando Gont project carried out on behalf of UK CPNI 76th.

Security Assessment of the Internet Protocol version 4 (IPv4) draft-ietf-opsec-ip-security Fernando Gont project carried out on behalf of UK CPNI 76th.
17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.

17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.
Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved. NAT (NAPT/PAT), STUN, and ICE `Structure of ice II, viewed along the hexagonal c-axis. Hydrogen.

Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved. NAT (NAPT/PAT), STUN, and ICE `Structure of ice II, viewed along the hexagonal c-axis. Hydrogen.
An Overview of IPv6 Transition/Co-existence Technologies Fernando Gont UTN/FRH LACNOG 2010 Sao Paulo, Brazil, October 19-22, 2010.

An Overview of IPv6 Transition/Co-existence Technologies Fernando Gont UTN/FRH LACNOG 2010 Sao Paulo, Brazil, October 19-22, 2010.
Security implications of Network Address Translators (NATs) (draft-gont-behave-nat-security) Fernando Gont Pyda Srisuresh UTN/FRH EMC Corporation 76th.

Security implications of Network Address Translators (NATs) (draft-gont-behave-nat-security) Fernando Gont Pyda Srisuresh UTN/FRH EMC Corporation 76th.
Ongoing work at the IETF on TCP and IP security Fernando Gont project carried out on behalf of UK CPNI HACK.LU 09 Conference October 28-30, 2009. Luxembourg.

Ongoing work at the IETF on TCP and IP security Fernando Gont project carried out on behalf of UK CPNI HACK.LU 09 Conference October 28-30, Luxembourg.
Port randomization (draft-ietf-tsvwg-port-randomization) Michael Larsen & Fernando Gont 73rd IETF Meeting, November 16-21, 2008 Minneapolis, MN, USA.

Port randomization (draft-ietf-tsvwg-port-randomization) Michael Larsen & Fernando Gont 73rd IETF Meeting, November 16-21, 2008 Minneapolis, MN, USA.
COM555: Mobile Technologies Location-Identifier Separation.

COM555: Mobile Technologies Location-Identifier Separation.
Ongoing work at the IETF on TCP and IP security Fernando Gont project carried out on behalf of UK CPNI HACK.LU 09 Conference October 28-30, 2009. Luxembourg.

Ongoing work at the IETF on TCP and IP security Fernando Gont project carried out on behalf of UK CPNI HACK.LU 09 Conference October 28-30, Luxembourg.
Lecture Week 7 Implementing IP Addressing Services.

Lecture Week 7 Implementing IP Addressing Services.
July 18th, 200254th IETF Yokohama A Protocol for Anycast Address Resolving Shingo Ata, Osaka City University Hiroshi Kitamura,

July 18th, th IETF Yokohama A Protocol for Anycast Address Resolving Shingo Ata, Osaka City University Hiroshi Kitamura,
NECP: the Network Element Control Protocol IETF WREC Working Group November 11, 1999.

NECP: the Network Element Control Protocol IETF WREC Working Group November 11, 1999.
ICMP attacks against TCP draft-ietf-tcpm-icmp-attacks-01.txt Fernando Gont (UTN/FRH) 67 th IETF Meeting, San Diego, California, USA November 5-10, 2006.

ICMP attacks against TCP draft-ietf-tcpm-icmp-attacks-01.txt Fernando Gont (UTN/FRH) 67 th IETF Meeting, San Diego, California, USA November 5-10, 2006.

Similar presentations

Ads by Google