Re: [moonv6] RE: Vista DNS behavior
From: JF Tremblay (jean-francois.tremblay@hexago.com)
Date: 09/15/06
moonv6 post from JF Tremblay <jean-francois.tremblay@hexago.com>
Hi Jeroen.
I agree with most of what you mentioned, but I'd like to add a few
comments (inline).
--On Friday, September 15, 2006 2:17 PM +0200 Jeroen Massar <jeroen@unfix.org> wrote:
> Actual biggest problem with Teredo is BGP, anybody can easily insert
> a BGP announcement for the Teredo prefix, similarly to announcing
> 192.88.99.1/24 and involving oneself in all the 6to4 traffic, or
> announcing in BGP or with some other spoofs, the IPv4 address of the
> address of the TSP server. S-BGP can solve these issues mostly, but
> that, or a similar thing, won't see the light in years to come. If
> somebody has on-link access to your network, you are down the
> rabbithole anyway.
<snip>
> TSP itself is only for configuration of the tunnel. The UDPv6
> protocol that is attached to it does the actual tunneling of IPv6
> packets inside UDP. UDPv6 is vulnerable to a very easy attack: just
> send the packets.
Agreed. Hence the need for an IPv6 host firewall on any host using tunneling.
> One only has to know the source & destination IPv4 address of the
> connection, which in effect is a VPN tunnel made for IPv6, and one
> can use it to inject malicious packets at wish, similar to Teredo,
> 6to4 and plain proto-41 tunnels. Sequence number guessing is trivial
> and mostly protects it against very simple replay attacks.
One caveat here. If you use UDP tunneling, you are likely behind a NAT. You'll need the UDP port number to inject packets. This is where I believe Teredo has a perceived security issue: it broadcasts the NAT IPv4 address AND port to the world, as you get them from the address.
> To take the list of the pdf I mentioned above, TSP is vulnerable to:
> - spoofing, just inject a lot of packets with a guessed sequence.
> - man in the middle attacks, when one is on-link/on-route one can
> easily spoof catch all the packets and insert arbitrary packets
> as one has control over the sequence numbering.
Actually, the UDP tunnel is vulnerable. As you mentioned, TSP is only used for the tunnel setup. Using a reverse path forwarding check on the server may mitigate this problem, although it doesn't prevent it for the man-in-the-middle attack.
> For instance AYIYA, and most normal VPN tools (openvpn, tinc,
> ipsec-based tunnels to name a few) are not vulnerable to this, as
> every packet is signed, which in turn gives quite some overhead per
> packet, but does take care of any spoofing problems. (In the case of
> AYIYA, there exists a small window of opportunity at the moment to
> generate dupes for MD5 + SHA1 though)
>
> Simple way to fix UDPv6: sign every packet, then it is secure
> (depending on values of what people call secure)
Agreed. At least that will prevent spoofing, even if there's an associated cost.
> Next to all of this, Teredo exists for a totally different purpose
> than Tunnel Brokers do: you don't have to configure anything. If M$
> would pre-load the TSP client and there would be useable anonymous
> TSP servers that
Agreed. Automatic tunneling serves a different purpose than negotiated/established/softwire tunnels. The biggest difference being the temporary vs permanent address/prefix.
> Next to all of this, unless Hexago made an update to the TSP tun/tap
> driver for Windows, the TSP client won't even run on Vista as the
> tun/tap driver bluescreens due to the API's having changed ;)
> So how did you test Vista + TSP in the first place, or is there a
> version out that supports Vista?
Not yet. From what we heard from MS, there are also issues configuring proto-41 tunnels using netsh in Vista. They wouldn't fix it before RC1, according to the information they provided us (which is a shame).
Cheers,
JF Tremblay
tremblay@hexago.com
Notice: <vendor hat may have been on at some point in this email>
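Two points in the exchange above are easy to show in code: JF's remark that a Teredo address hands out the client's NAT-mapped IPv4 address and UDP port to anyone who sees it (the same information a 6to4 address leaks, minus the port), and his suggestion that a tunnel server run a reverse path forwarding check on decapsulated packets. The block below is an added example, not code from the thread, from Hexago or from any TSP/Teredo implementation. The Teredo and 6to4 address layouts are those of RFC 4380 and RFC 3056; the tunnel table and the decapsulation check (`rpf_accept`) are a hypothetical model of a UDP tunnel server, and the sample addresses are constructed from the RFC 4380 example and documentation ranges.

```python
"""Added example: what Teredo/6to4 addresses reveal, and a reverse-path check
for decapsulated tunnel packets.  Not code from the thread or from Hexago."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TEREDO = ipaddress.IPv6Network("2001::/32")      # RFC 4380 Teredo prefix
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # RFC 3056 6to4 prefix


@dataclass(frozen=True)
class Endpoint:
    ipv4: str
    port: Optional[int]   # None for 6to4: only an IPv4 address is embedded
    note: str


def reveal_endpoint(addr: str) -> Optional[Endpoint]:
    """Return the IPv4 endpoint (and UDP port, when present) that any observer
    can read out of a Teredo or 6to4 address.  This is the information an
    attacker needs to inject packets into the corresponding UDP/proto-41 tunnel."""
    a = ipaddress.IPv6Address(addr)
    b = a.packed
    if a in TEREDO:
        # RFC 4380 section 4 layout:
        #   bits  0-31  prefix 2001:0000
        #   bits 32-63  Teredo server IPv4
        #   bits 64-79  flags (0x8000 = cone NAT)
        #   bits 80-95  NAT-mapped UDP port, obfuscated by XOR with 0xFFFF
        #   bits 96-127 NAT-mapped IPv4, obfuscated by XOR with 0xFFFFFFFF
        server = ipaddress.IPv4Address(b[4:8])
        cone = bool(int.from_bytes(b[8:10], "big") & 0x8000)
        port = int.from_bytes(b[10:12], "big") ^ 0xFFFF
        client = ipaddress.IPv4Address(int.from_bytes(b[12:16], "big") ^ 0xFFFFFFFF)
        return Endpoint(str(client), port, f"Teredo via server {server}, cone={cone}")
    if a in SIX_TO_FOUR:
        # RFC 3056: 2002:WWXX:YYZZ::/48 embeds the IPv4 address WW.XX.YY.ZZ
        return Endpoint(str(ipaddress.IPv4Address(b[2:6])), None, "6to4 router address")
    return None


# Hypothetical tunnel table of a UDP tunnel server: the outer (IPv4 source,
# UDP source port) of the encapsulating packet -> the IPv6 prefix delegated to
# that tunnel when it was negotiated (e.g. over TSP).
TunnelKey = Tuple[str, int]


def rpf_accept(tunnels: Dict[TunnelKey, ipaddress.IPv6Network],
               outer_src: TunnelKey, inner_src: str) -> bool:
    """Reverse-path check on a decapsulated packet: accept only if the inner
    IPv6 source lies inside the prefix delegated to the tunnel identified by
    the outer IPv4 address and UDP port.  Unknown endpoints are dropped.
    Note the limit JF points out: a packet whose outer header is spoofed to
    match a real tunnel and whose inner source is inside that prefix still
    passes, so this only stops injection of foreign source addresses."""
    prefix = tunnels.get(outer_src)
    if prefix is None:
        return False
    return ipaddress.IPv6Address(inner_src) in prefix


if __name__ == "__main__":
    # Constructed sample: the RFC 4380 example address.
    print(reveal_endpoint("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
    print(reveal_endpoint("2002:c000:22a::1"))
    table = {("198.51.100.7", 40000): ipaddress.IPv6Network("2001:db8:1234::/48")}
    print(rpf_accept(table, ("198.51.100.7", 40000), "2001:db8:1234::1"))  # legitimate
    print(rpf_accept(table, ("198.51.100.7", 40000), "2001:db8:ffff::1"))  # spoofed inner src
```

Run it and the first line shows why JF calls the Teredo behaviour a perceived issue: the mapped NAT address and port are plain fields of the address, only XOR-obfuscated, so nothing in the tunnel has to be guessed. The two `rpf_accept` calls show what the server-side check buys and what it does not.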
This archive was generated by hypermail 2.1.7 : 12/01/06 EST
