Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 ) Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, 2010. Beijing, China.

Slides:



Advertisements
Similar presentations
73rd IETF meeting, November 16-21, 2008
Advertisements

Deployment Considerations for Dual-stack Lite IETF 80 Prague Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed Boucadair.
IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.
Auto Configuration and Mobility Options in IPv6 By: Hitu Malhotra and Sue Scheckermann.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Implementing IP Addressing Services Accessing the WAN – Chapter 7.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.
1 Teredo - Tunneling IPv6 through NATs Date: Speaker: Quincy Wu National Chiao Tung University.
Security Assessment of the Internet Protocol version 4 (IPv4) draft-ietf-opsec-ip-security Fernando Gont project carried out on behalf of UK CPNI 76th.
17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.
Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved. NAT (NAPT/PAT), STUN, and ICE `Structure of ice II, viewed along the hexagonal c-axis. Hydrogen.
An Overview of IPv6 Transition/Co-existence Technologies Fernando Gont UTN/FRH LACNOG 2010 Sao Paulo, Brazil, October 19-22, 2010.
Security implications of Network Address Translators (NATs) (draft-gont-behave-nat-security) Fernando Gont Pyda Srisuresh UTN/FRH EMC Corporation 76th.
Ongoing work at the IETF on TCP and IP security Fernando Gont project carried out on behalf of UK CPNI HACK.LU 09 Conference October 28-30, Luxembourg.
Port randomization (draft-ietf-tsvwg-port-randomization) Michael Larsen & Fernando Gont 73rd IETF Meeting, November 16-21, 2008 Minneapolis, MN, USA.
COM555: Mobile Technologies Location-Identifier Separation.
Ongoing work at the IETF on TCP and IP security Fernando Gont project carried out on behalf of UK CPNI HACK.LU 09 Conference October 28-30, Luxembourg.
Lecture Week 7 Implementing IP Addressing Services.
July 18th, th IETF Yokohama A Protocol for Anycast Address Resolving Shingo Ata, Osaka City University Hiroshi Kitamura,
NECP: the Network Element Control Protocol IETF WREC Working Group November 11, 1999.
ICMP attacks against TCP draft-ietf-tcpm-icmp-attacks-01.txt Fernando Gont (UTN/FRH) 67 th IETF Meeting, San Diego, California, USA November 5-10, 2006.
Implementing IP Addressing Services Accessing the WAN – Chapter 7.
1 Network Security Lecture 8 IP Sec Waleed Ejaz
IPv6, the Protocol of the Future, Today Mathew Harris.
Security Assessment of the Transmission Control Protocol (TCP) (draft-ietf-tcpm-tcp-security-02.txt) Fernando Gont project carried out on behalf of UK.
49th IETF - San Diego - 1 Mobile Networks Support in IPv6 - Draft Update draft-ernst-mobileip-v6-01.txt - Thierry Ernst - MOTOROLA Labs Ludovic Bellier.
v6ops, Ole Trøan
Thierry Ernst - MOTOROLA Labs / INRIA Ludovic Bellier - INRIA project PLANETE Claude Castelluccia - INRIA project PLANETE Hong-Yon Lach - MOTOROLA Labs.
Company Confidential 1 ICMPv6 Echo Replies for Teredo Clients draft-denis-icmpv6-generation-for-teredo-00 behave, IETF#75 Stockholm Teemu Savolainen.
Guidance for Running Multiple IPv6 Prefixes (draft-liu-v6ops-running-multiple-prefixes-02) Bing Liu, Sheng Jiang (Speaker), Yang Bo IETF91
RFC 3964 Security Considerations for 6to4 Speaker: Chungyi Wang Adviser: Quincy Wu Date:
1 Requirements for Internet Routers (Gateways) and Hosts Relates to Lab 3. (Supplement) Covers the compliance requirements of Internet routers and hosts.
Attacking on IPv6 W.lilakiatsakun Ref: ipv6-attack-defense-33904http://
REGIONAL COLLEGE FOR EDUCATION RESEARCH & TECHNOLOGY.
1 ipv6-node-02.PPT/ 18 November 2002 / John Loughney IETF 55 IPv6 Working Group IPv6 Node Requirements draft-ietf-ipv6-node-requirements-02.txt John Loughney.
DHCP Option for Configuring IPv6-in-IPv4 Tunnels DHC WG – 59 th IETF S. Daniel Park
1 ipv6-node-02.PPT/ 18 November 2002 / John Loughney IETF 55 IPv6 Working Group IPv6 Node Requirements draft-ietf-ipv6-node-requirements-02.txt John Loughney.
17/10/031 Euronetlab – Implementation of Teredo
Slide title minimum 48 pt Slide subtitle minimum 30 pt Tunnel Security Concerns draft-ietf-v6ops-tunnel-security-concerns-02 James Hoagland Suresh Krishnan.
: MobileIP. : r Goal: Allow machines to roam around and maintain IP connectivity r Problem: IP addresses => location m This is important for efficient.
1 Behcet Sarikaya Frank Xia November 2010 NAT64 for DSMIPv6 IETF 79
IPv6 Transition Mechanisms - 6DISS Workshop - 5 March 2006 IPv6 Transition Mechanisms, their Security and Management Georgios Koutepas National Technical.
Routing Loop Attack Using IPv6 Automatic Tunnels: Problem Statement and Proposed Mitigations (RFC 6324) Po-Kang Chen Oct 19,
Improving Security Over Ipv6 Authentication Header Protocol using IP Traceback and TTL Devon Thomas, Alex Isaac, Majdi Alharthi, Ali Albatainah & Abdelshakour.
H.323 NAT Traversal Problem particular to H.323(RAS->Q.931->H.245):  RAS from private network to public network can pass NAT  Q931 、 H.245 adopts the.
COM594: Mobile Technologies Location-Identifier Separation.
Lecture 14 Mobile IP. Mobile IP (or MIP) is an Internet Engineering Task Force (IETF) standard communications protocol that is designed to allow mobile.
Draft-fm-bess-service-chaining-01 Prague, July 2015 Rex Fernando Stuart Mackie Dhananjaya Rao Bruno Rijsman Maria Napierala.
Security Implications of Predictable Fragment Identification Values
A Fragmentation Strategy for Generic Routing Encapsulation (GRE)
Security Implications of IPv6 on IPv4 Networks
Gateway-Initiated 4over6 Deployment
On-demand Continuity Check (CC) and Connectivity Verification(CV) for OverlayNetworks draft-ooamdt-rtgwg-demand-cc-cv-01 Greg Mirsky Erik Nordmark Nagendra.
Planning the Addressing Structure
Current Issues with DNS Configuration Options for SLAAC
76th IETF meeting, November 8-13, 2009
RBridge Channel Tunnel Protocol
Magnus Westerlund / Ericsson Thomas Zeng / PacketVideo
DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers
ND-Shield: Protecting against Neighbor Discovery Attacks
TCP for DNS security considerations
Implementing IP Addressing Services
November 7-12, Beijing,China.
Tunnel Loops and Its Detection draft-ng-intarea-tunnel-loop-00.txt
NSIS Operation Over IP Tunnels draft-shen-nsis-tunnel-01.txt
Implementing IP Addressing Services
Chapter 11: Network Address Translation for IPv4
Computer Networks Protocols
OAM for Deterministic Networks with MPLS Data Plane draft-mirsky-detnet-mpls-oam Greg Mirsky Mach Chen IETF-105 July 2019, Montreal.
M. Boucadair, J. Touch, P. Levis and R. Penno
Presentation transcript:

Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 ) Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, Beijing, China.

Summary Aims at mitigating the Teredo routing-loop attacks described by the USENIX-WOOT paper (Nakibly et al) Discusses both implementation considerations and operations considerations Sanity checks are recommended for Teredo nodes (already implemented in some Teredo implementations), such that the vulnerabilities are eliminated

Attack #1: Teredo client to NAT The routing loop involves a Teredo client and the corresponding NAT (it assumes that the NAT is of type "cone", and that the aforementioned NAT supports hair- pin routing with source address translation Implementation advice:  a node SHOULD NOT forward over the Teredo tunnel IPv6 packets that were not originated on the local node, and SHOULD discard those packets received over the Teredo tunnel that are not destined to the Teredo client. The proposed checks completely eliminate this vulnerability.

Attack #2: Teredo server The routing loop involves only a Teredo server, having the server send a bubble packet to itself (resulting in an endless loop) Implementation advice:  Teredo servers MUST discard Teredo packets that have an IPv4 Source Address equal to one of the receiving server's IPv4 addresses, and MUST discard Teredo packets that embed the (obfuscated) IPv4 address of the receiving server in the "client IPv4" field of the Source Address or the Destination Address of the encapsulated IPv6 packet. The proposed checks completely eliminate this vulnerability.

Moving forward Comments? Adopt as wg item?