Re: Microsoft Vista's IPv6: Dangerous Information Leak?

[Jim Hoagland <jim_hoagland () symantec com>]

Hadmut and all,

In case some people didn't see it, Symantec recently took an initial look at
Vista networking security concerns and released it's findings:
   http://tinyurl.com/eazp2

Subsequent to that I've starting taking a look at Teredo (though not so much
in the context of Vista specifically yet).

There are things to definitely watch out for with Teredo (the main one being
that having a client running creates an open ended tunnel though your NAT;
even if a host firewall, etc is applied to the tunneled IPv6 traffic, any
network-based security controls have been bypassed unless they are Teredo
aware).

However, I don't really rate disclosure of your network traffic as one of
them.  That is since Teredo servers are specifically designed to never
handle the tunneled network data; they only handle tunnel set-up packets.

Teredo relays do handle your real traffic, but so do IPv4 and IPv6 routers
in normal cases.  So the risk of disclosure from that doesn't rate
significantly higher to me.  (BTW, Microsoft has written code for a Teredo
client, server, and relay, but they only plan to operate servers
themselves.)

BTW, servers in Teredo are stateless, so they have no memory of clients they
have helped in the past (unless of course they keep a log).

Here's a good step-by-step intro to Teredo that Microsoft wrote:
   http://tinyurl.com/c6qh7
And of course there is the RFC:
   http://www.ietf.org/rfc/rfc4380.txt

Hope this helps,

  Jim

On 8/27/06 3:32 AM, "Hadmut Danisch" <hadmut () danisch de> wrote:

> Hi,
>
> I haven't been using a Microsoft Windows Vista so far, just read some
> announcements and white papers. However, it appears to me at a first
> glance, as if it had a significat information leak.
>
> Microsoft introduced a new IPv6 over IPv4 tunneling mechanism called
> Teredo. (See e.g. RFC 4380). It is somehow similar to 6to4, but the
> differences are:
>
>
>
> - IPv6 packages are wrapped in UDP
>
> - Thus, they run more easily through Firewalls and NAT devices
>
> - You can do it with RFC1918 addresses
>
> - In contrast to 6to4 it is intended to be used host-to-host.
>  
>   While 6to4 is something you would run on your outermost router
>   (the one with an official IPv4 address) and provide plain IPv6 to
>   your internal network (then you know what your're doing, you
>   actively have to configure it), Teredo is designed to run
>   automatically on the local host. So every desktop machine becomes a
>   tunneling client.
>
>
>
>
> As announced by Microsoft, Teredo is activated by default. Windows
> Vista will allways prefer IPv6 to IPv4 where possible. So most
> Vista users, especially common users with network experience, would
> not even realize that they are using IPv6.
>
> Most network and security devices, and network admins will not realize
> this either, since they see only plain IPv4 UDP packets. I haven't
> seen any firewall so far able to unpack Teredo packets.
>
>
> So the implications can be severe. As far as I can see at the moment:
>
> - You are using IPv6 without realizing or enabling it.
>
> - You are running it from your desktop machine.
>
> - You are thus opening a tunnel through your NAT/Firewall device
>   passing _all_ kind of traffice unfiltered through, no logging.
>
> - Many connections (i.e. Teredo-Teredo and Teredo-IPv6) will be routed
>   over a central Teredo server or relay, which is "helping" in the
>   configuration of the Teredo client and routing Teredo packets to
>   other Teredo clients or plain IPv6.
>
>   So these servers (and thus network devices and IP providers close to
>   the servers) can easily wiretap your traffic.
>
> - I guess that every Vista client will try to register at a Teredo
>   server, so the server will/can generate an almost complete list of
>   all clients.
>
>
>
> Can anyone experienced with Windows Vista comment on? Am I correct or
> did I overlook anything? (Did not have a running Vista yet...)
>
>
> regards
> Hadmut
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/