Tunnel Security Concerns: draft-ietf-v6ops-tunnel-security-concerns-02. James Hoagland, Suresh Krishnan.

Presentation transcript:

Page 1: Tunnel Security Concerns, draft-ietf-v6ops-tunnel-security-concerns-02. James Hoagland, Suresh Krishnan, Dave Thaler.

Tunnel Security Concerns | Suresh Krishnan | IETF 77 | Page 2
History
› Originally targeted at documenting security concerns regarding Teredo
› Adopted as v6ops wg document in July 2007
› Realized that the security concerns were applicable not only to Teredo but to tunnels in general
› Moved to intarea

Page 3: Security Devices/Software
› Security devices/software often do packet inspection
› This draft takes no position on whether that is good or bad
› The fact is, they exist, and people use them and expect certain security properties
› If tunnels bypass them in some way, the tunnels are seen by such admins as a security/policy violation

Page 4: Dealing With Security Devices
› Don’t automatically tunnel to the Internet from a “managed” network
  – But it may be hard to tell whether a network is “managed”
  – Implementations should require explicit user consent to enable tunneling, at least the first time
› Hosts should prefer native connectivity over tunnels
  – If the tunnel address space is well-known, add it to the Prefix Policy Table [RFC3484]
› One incentive for a managed network to provide native IPv6 is to reduce demand for IPv6 transition tunnels
› If tunneling isn’t an acceptable risk, admins may block tunneling
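The "add the tunnel prefix to the Prefix Policy Table" recommendation above is easy to see in code. The following is an added example, not part of the slides or of the draft: it models only the precedence rule (Rule 6) of RFC 3484 destination address selection over the RFC 3484 default policy table, where 6to4 (2002::/16) already sits below native IPv6. The Teredo entry (2001::/32 at precedence 5) is an assumed addition of the kind the slide suggests; it is not in the RFC 3484 default table. The candidate addresses are constructed from documentation ranges.

```python
# Added example (not from the slides or the draft): RFC 3484 precedence-based
# destination ordering, showing how a low-precedence entry for a well-known
# tunnel prefix makes a host prefer native connectivity over the tunnel.
# Only Rule 6 (prefer higher precedence) is modelled; the other rules are omitted.
import ipaddress

# RFC 3484 section 2.1 default policy table: (prefix, precedence, label)
DEFAULT_POLICY_TABLE = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),            # native IPv6
    ("2002::/16", 30, 2),       # 6to4: already ranked below native IPv6
    ("::/96", 20, 3),           # IPv4-compatible
    ("::ffff:0:0/96", 10, 4),   # IPv4-mapped: IPv4 destinations
]

# Assumed addition (not in the RFC 3484 default table): demote the Teredo
# prefix below everything else, including plain IPv4.
TEREDO_ENTRY = ("2001::/32", 5, 5)


def lookup_policy(addr, table):
    """Longest-prefix match of addr against the policy table; returns (precedence, label)."""
    addr = ipaddress.IPv6Address(str(addr))
    best = None
    for prefix, precedence, label in table:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, precedence, label)
    if best is None:
        raise ValueError(f"no policy entry matches {addr}")
    return best[1], best[2]


def to_ipv6_form(addr):
    """Represent an IPv4 destination as an IPv4-mapped IPv6 address for the table lookup."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address("::ffff:" + str(ip))
    return ip


def order_destinations(candidates, table=DEFAULT_POLICY_TABLE):
    """Sort candidate destination addresses by descending precedence (stable for ties)."""
    return sorted(
        candidates,
        key=lambda c: -lookup_policy(to_ipv6_form(c), table)[0],
    )


if __name__ == "__main__":
    # Constructed candidates for one dual-stack name: Teredo, 6to4, IPv4, native IPv6.
    candidates = ["2001:0:c000:201::1", "2002:c000:201::1", "192.0.2.1", "2001:db8::1"]
    print("default table:", order_destinations(candidates))
    print("with Teredo entry:", order_destinations(candidates, DEFAULT_POLICY_TABLE + [TEREDO_ENTRY]))
```

With the default table the Teredo address falls under ::/0 and ties with native IPv6; the added entry is what pushes it to the end of the list, which is the effect the slide is after.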

Page 5: Identifying tunneled data packets
› How can a tunneled data packet be identified?
  – By protocol number (MIP, 6to4, ISATAP, etc.)
  – By port number (L2TP, some Teredo, etc.)
  – By tunnel server address
  – Pretend you’re the destination for parsing purposes and see whether it parses according to that protocol
› But this may incorrectly identify other packets too
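The four identification methods on this slide, and the false-positive caveat of the last one, can be exercised against raw packets. The following is an added example and is not code from the slides or the draft: it classifies an IPv4 packet by protocol number (41, IPv6-in-IPv4 as used by 6to4 and ISATAP), by UDP port (3544 Teredo, 1701 L2TP), by a known tunnel server address (the server list here is constructed), and by the "pretend to be the destination" heuristic of checking whether a UDP payload parses as a consistent IPv6 header. The packet builders and all sample addresses are constructed for the demonstration.

```python
# Added example (not from the slides or the draft): tunnel-packet identification
# heuristics applied to raw IPv4 packets, including the "parse it as the
# destination would" check and its false-positive behaviour.
import struct
import ipaddress

PROTO_UDP = 17
PROTO_IPV6_IN_IPV4 = 41    # protocol 41 ("6in4"), used by 6to4 and ISATAP
TEREDO_PORT = 3544
L2TP_PORT = 1701

# Constructed stand-in for an administrator's inventory of known tunnel servers.
KNOWN_TUNNEL_SERVERS = {"192.0.2.10"}


def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) from a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:total_len]


def looks_like_ipv6(payload):
    """Heuristic: does the payload parse as an IPv6 header whose length field is consistent?"""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return False
    payload_len = struct.unpack("!H", payload[4:6])[0]
    return len(payload) == 40 + payload_len


def classify(pkt):
    """Return the list of reasons the packet looks like tunneled data (empty if none)."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return ["malformed"]
    src, dst, proto, payload = parsed
    reasons = []
    if proto == PROTO_IPV6_IN_IPV4:
        reasons.append("protocol 41 (6in4/6to4/ISATAP)")
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        udp_data = payload[8:]
        if TEREDO_PORT in (sport, dport):
            reasons.append("UDP port 3544 (Teredo)")
        if L2TP_PORT in (sport, dport):
            reasons.append("UDP port 1701 (L2TP)")
        if looks_like_ipv6(udp_data):
            reasons.append("UDP payload parses as IPv6 (heuristic, may be a false positive)")
    if src in KNOWN_TUNNEL_SERVERS or dst in KNOWN_TUNNEL_SERVERS:
        reasons.append("known tunnel server address")
    return reasons


# Builders for constructed sample packets (no options, checksums left zero).
def build_ipv4(src, dst, proto, payload):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_ipv6(src, dst, next_header, data):
    return struct.pack("!IHBB16s16s", 6 << 28, len(data), next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + data


if __name__ == "__main__":
    six_to_four = build_ipv4("198.51.100.5", "192.88.99.1", PROTO_IPV6_IN_IPV4,
                             build_ipv6("2002:c633:6405::1", "2001:db8::1", 59, b""))
    teredo = build_ipv4("198.51.100.5", "192.0.2.10", PROTO_UDP,
                        build_udp(40000, TEREDO_PORT, build_ipv6("2001:0:c000:20a::1", "2001:db8::1", 59, b"")))
    # 40 bytes that merely start with a 6 nibble: the parse heuristic flags them anyway.
    lookalike = build_ipv4("198.51.100.5", "203.0.113.9", PROTO_UDP,
                           build_udp(40002, 5000, bytes([0x60]) + bytes(39)))
    for name, pkt in [("6to4", six_to_four), ("teredo", teredo), ("lookalike", lookalike)]:
        print(name, classify(pkt))
```

The last sample is the slide's caveat in miniature: any UDP payload that happens to start with a 6 nibble and carry a plausible length field passes the parse check, so that heuristic is best used to raise a score alongside the other three rather than to block on its own.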

Page 6: Tunnels May Bypass In/Egress Filtering
› Ingress/egress filters in routers being tunneled over won’t see the inside IP addresses
› Could update routers to recognize tunnels (ugly)
› Tunnel servers can do filtering
› Can do checks in tunnel clients
  – If the v4 address is embedded in the v6 address and the protocol supports peer-to-peer tunneling (e.g., 6to4, ISATAP, 6over4, etc.), check whether the addresses correspond
  – If the protocol supports server-client tunneling, check whether the packet came from a known server
› Implies some secure server discovery mechanism (manual config, secure DNS resolution, whatever)
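The two client-side checks on this slide are a few lines each once the address formats are written down. The following is an added example and is not code from the slides or the draft: for peer-to-peer tunnels it extracts the IPv4 address embedded in a 6to4 address (2002:V4ADDR::/48) or an ISATAP interface identifier (0:5efe:V4ADDR, with or without the u/g bit) and requires it to equal the outer IPv4 source of the decapsulated packet; for server-client tunnels it requires the outer source to be a configured server. The known-server list and all sample addresses are constructed from documentation ranges.

```python
# Added example (not from the slides or the draft): the client-side checks for
# a decapsulated packet. (outer_src_v4, inner_src_v6) are the IPv4 source of the
# encapsulating packet and the IPv6 source of the packet inside it.
import ipaddress

SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
ISATAP_IID_MARK = 0x00005EFE    # "0:5efe" in the high 32 bits of the interface ID
ISATAP_IID_MASK = 0xFDFFFFFF    # ignore the u/g bit (0x0200 0000) when comparing


def embedded_ipv4_6to4(v6):
    """IPv4 address carried in bits 16..47 of a 6to4 address, or None if not 6to4."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in SIXTO4_PREFIX:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def embedded_ipv4_isatap(v6):
    """IPv4 address in the low 32 bits of an ISATAP interface identifier, or None."""
    v6 = ipaddress.IPv6Address(v6)
    iid = int(v6) & ((1 << 64) - 1)
    if (iid >> 32) & ISATAP_IID_MASK != ISATAP_IID_MARK:
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


def check_p2p_tunnel(outer_src_v4, inner_src_v6):
    """Peer-to-peer check: the outer IPv4 source must match the IPv4 embedded in the inner source."""
    outer = ipaddress.IPv4Address(outer_src_v4)
    embedded = embedded_ipv4_6to4(inner_src_v6)
    if embedded is None:
        embedded = embedded_ipv4_isatap(inner_src_v6)
    if embedded is None:
        return False, "inner source does not embed an IPv4 address"
    if embedded != outer:
        return False, f"outer source {outer} does not match embedded {embedded}"
    return True, "addresses correspond"


def check_server_tunnel(outer_src_v4, known_servers):
    """Server-client check: the packet must have arrived from a configured tunnel server."""
    outer = ipaddress.IPv4Address(outer_src_v4)
    servers = {ipaddress.IPv4Address(s) for s in known_servers}
    if outer in servers:
        return True, "packet arrived from a known tunnel server"
    return False, f"{outer} is not a configured tunnel server"


if __name__ == "__main__":
    # Constructed cases: a consistent 6to4 packet, a mismatched one, an ISATAP packet,
    # and a server-client packet checked against a constructed server list.
    print(check_p2p_tunnel("192.0.2.1", "2002:c000:201::1"))
    print(check_p2p_tunnel("198.51.100.7", "2002:c000:201::1"))
    print(check_p2p_tunnel("198.51.100.5", "2001:db8::5efe:c633:6405"))
    print(check_server_tunnel("192.0.2.10", ["192.0.2.10"]))
```

The server check is only as strong as the way the server list was learned, which is the slide's final point: if the list comes from an unauthenticated lookup, the check verifies the wrong thing.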

Page 7: Increased Attack Surface Area
› If a tunnel allows inbound access from the public Internet, this may bypass a network “firewall”
  – A host-based “firewall” may still drop eventually
› If a tunnel allows inbound access from a private network (e.g., a VPN), this still increases the amount of attackable code, but not as much
› Additional recommendations:
  – Activate tunnels only when needed

Page 8: Exposure of a NAT Hole
› NAT mappings kept stable means more discoverable
› The external address/port may be easy to learn from the client’s inner address
  – The client’s inner address may be discoverable in DNS, p2p systems, etc.
  – Tunnel packets are seen by more parties than native packets (e.g., due to longer paths)
  – Learning the external address/port provides access to the entire inner address
  – Not just the application port that’s communicating with the outside

Page 9: Public Tunnels Widen Holes in Stateful Address Filters
› Some devices only allow inbound packets from destinations that have been sent packets
› Public tunnels bypass this and may eliminate the need for an attacker to spoof
  – A host-based “firewall” may still drop
› Recommendations:
  – Activate tunnels only when needed
  – Consider whether the tunnel server should do stateful filtering (TURN allows this, for instance)

Page 10: Guessing Addresses
› Some tunneling protocols make guessing addresses easier than an address scan, especially for IPv6 (for IPv4 not so much)
  – Well-known or popular address prefix?
  – Embedded popular server address?
  – Some address bits are constant?

Page 11: Profiling Targets
› If a tunnel protocol is available on only a subset of host platforms, this helps an attacker know what/how to attack
› Similarly if a specific tunnel server is used primarily by a subset of platforms
› Similarly for the client port (range)
› Information about the NAT type (e.g., cone NAT) can be used to target attacks
› If looking at an address reveals any of this information, this profiling can be done passively
  – Aside: this applies to MAC-based address generation too, not just tunnels

Page 12: Securing the use of tunnels
› This document describes several security issues with tunnels.
  – This does not mean that tunnels need to be avoided at any cost.
› On the contrary, tunnels can be very useful if deployed, operated and used properly.
› Several measures can be taken in order to secure the operation of IPv6 tunnels:
  – Operating on-premise tunnel servers/relays so that the tunneled traffic does not cross border routers
  – Setting up internal routing to steer traffic to these servers/relays
  – Setting up firewalls to allow known and controllable tunneling mechanisms and disallow unknown tunnels

Page 13: Way forward
› All comments received from the v6ops mailing list and the SECDIR review have been addressed
› Text has been added to describe secure use of tunnels
› Please take a look and send us comments
› Does this need to be WGLC-ed here?