Security implications

Mar 8, 2007 14:10 GMT

"The Teredo Protocol: tunneling past network security and other security implications" is a white paper by Dr. James Hoagland, Principal Security Researcher at Symantec Advanced Threat Research. Symantec published its analysis of the Teredo protocol as part of a series of studies presenting the company's conclusions from its evaluation of Windows Vista security.

One of the aspects Symantec focused on is the overhauled network stack that Microsoft introduced with Windows Vista. Teredo is an integral part of this new Vista network stack, designed to provide IPv6 support on IPv4 networks. Symantec warned that the use of the Teredo protocol in corporate environments comes with an inherent security risk.

The Teredo protocol is enabled by default in Windows Vista, and its role is to ease the migration from IPv4 to IPv6. Via Teredo, nodes located behind an IPv4 NAT are able to connect to IPv6 nodes on the Internet.

"However, by tunneling IPv6 traffic over IPv4 UDP through the NAT and directly to the end node, Teredo raises some security concerns. Primary concerns include bypassing security controls, reducing defense in depth, and allowing unsolicited traffic. Additional security concerns associated with the use of Teredo include the ability of remote nodes to open the NAT for themselves, how it may benefit worms, ways to deny Teredo service, and the difficulty in finding all Teredo traffic to inspect," Hoagland explained.

Aside from the negative impact Teredo can potentially have on the IPv4 and IPv6 areas of the Internet, the protocol also introduces automatically applied peer anti-spoofing measures. Symantec welcomed the addition of extended peer validation as one of the few pluses of the Teredo protocol.
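Because Teredo carries IPv6 inside IPv4 UDP datagrams, finding it for inspection means looking inside UDP payloads rather than relying on a port number. The sketch below is an added example, not code from the article or from Symantec's paper: it assumes the header layouts and the 2001::/32 prefix defined in RFC 4380, and its sample packets are constructed from documentation address ranges.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo service prefix (RFC 4380)

def strip_teredo_headers(payload):
    """Skip the optional authentication / origin indication headers (RFC 4380, 5.1.1)."""
    while len(payload) >= 4:
        if payload[:2] == b"\x00\x01":    # authentication: lengths, id, value, nonce(8), confirmation(1)
            payload = payload[4 + payload[2] + payload[3] + 9:]
        elif payload[:2] == b"\x00\x00":  # origin indication: obfuscated port(2) + IPv4(4)
            payload = payload[8:]
        else:
            break
    return payload

def decode_teredo(addr):
    """Recover the IPv4 details embedded (XOR-obfuscated) in a Teredo IPv6 address."""
    raw = addr.packed
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "nat_addr": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))),
        "nat_port": struct.unpack("!H", raw[10:12])[0] ^ 0xFFFF,
    }

def inspect_udp_payload(payload):
    """Return tunnel details if the UDP payload carries an IPv6 packet, else None."""
    inner = strip_teredo_headers(payload)
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None                                   # no IPv6 header inside
    if 40 + struct.unpack("!H", inner[4:6])[0] != len(inner):
        return None                                   # length mismatch: likely coincidence
    ends = [ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])]
    teredo = [decode_teredo(a) for a in ends if a in TEREDO_PREFIX]
    return {"src": str(ends[0]), "dst": str(ends[1]), "teredo": teredo}

def sample_payloads():
    """Constructed sample data: one tunneled packet with origin indication, one unrelated payload."""
    src = ipaddress.IPv6Address("2001:0:c000:201:8000:63bf:34ff:8ef8")
    dst = ipaddress.IPv6Address("2001:db8::1")
    ipv6 = b"\x60\x00\x00\x00" + struct.pack("!HBB", 0, 59, 64) + src.packed + dst.packed
    return [b"\x00\x00" + b"\x63\xbf\x34\xff\x8e\xf8" + ipv6, b"\x12\x34\x01\x00\x00\x01" + bytes(40)]

if __name__ == "__main__":
    for p in sample_payloads():
        print(inspect_udp_payload(p))
```

The decoded `nat_addr` and `nat_port` give the external IPv4 mapping of the tunneled host, which lets an analyst tie an IPv6 flow back to the IPv4 NAT binding it traversed.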