1 / 5

Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 )

Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 ). Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, 2010. Beijing, China. Summary. Aims at mitigating the Teredo routing-loop attacks described by the USENIX-WOOT paper (Nakibly et al)

cassandraw
Download Presentation

Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 )

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Mitigating Teredo Routing Loop Attacks(draft-gont-6man-teredo-loops-00 ) Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, 2010. Beijing, China.

  2. Summary • Aims at mitigating the Teredo routing-loop attacks described by the USENIX-WOOT paper (Nakibly et al) • Discusses both implementation considerations and operations considerations • Sanity checks are recommended for Teredo nodes (already implemented in some Teredo implementations), such that the vulnerabilities are eliminated

  3. Attack #1: Teredo client to NAT • The routing loop involves a Teredo client and the corresponding NAT (it assumes that the NAT is of type "cone", and that the aforementioned NAT supports hair- pin routing with source address translation • Implementation advice: • a node SHOULD NOT forward over the Teredo tunnel IPv6 packets that were not originated on the local node, and SHOULD discard those packets received over the Teredo tunnel that are not destined to the Teredo client. • The proposed checks completely eliminate this vulnerability.

  4. Attack #2: Teredo server • The routing loop involves only a Teredo server, having the server send a bubble packet to itself (resulting in an endless loop) • Implementation advice: • Teredo servers MUST discard Teredo packets that have an IPv4 Source Address equal to one of the receiving server's IPv4 addresses, and MUST discard Teredo packets that embed the (obfuscated) IPv4 address of the receiving server in the "client IPv4" field of the Source Address or the Destination Address of the encapsulated IPv6 packet. • The proposed checks completely eliminate this vulnerability.

  5. Moving forward • Comments? • Adopt as wg item?

More Related