
Re: [moonv6] RE: Vista DNS behavior

From: Jeroen Massar (jeroen@unfix.org)
Date: 09/15/06
CPT Alexander R. Tambascica, Armor wrote:
> Alain,
>
> Why are you using Teredo to begin with? With all its security
> vulnerabilities and issues there are far better and safer solutions to use.

Can you please point us to a document outlining these issues?

The following document:
http://www.ipv6forum.com/dl/white/NAv6TF_Security_Report.pdf only refers to problems which are inherent to any mechanism where packets are not verified to be received from/sent to the real intended sender/recipient.

Actual biggest problem with Teredo is BGP, anybody can easily insert a BGP announcement for the Teredo prefix, similarly to announcing 192.88.99.1/24 and involving oneself in all the 6to4 traffic, or announcing in BGP or with some other spoofs the IPv4 address of the TSP server. S-BGP can solve these issues mostly, but that, or a similar thing, won't see the light in years to come. If somebody has on-link access to your network, you are down the rabbit hole anyway.

> My team was aware of many of these DNS issues over 8 months ago with Vista
> but according to Microsoft they "should" be fixed in RC1.

The "DNS issues" that people are mentioning are bogus, as it is quite normal, it simply asks for an AAAA and then an A address, at least when the application uses getaddrinfo() and asks for AF_ANY. Solaris/AIX/HPUX/Linux/*BSD/etc do exactly the same thing. Or do you mean other "DNS issues"?

Just that some reporter saw a nice outcry to flame M$ again for something bogus is just news frenzy, don't believe the news. Not everything published on the internet is automatically true ;) Did the internet break since people started using the 6bone and had tools which looked up AAAA + A's, did the internet break when Firefox turned it on for Windows users? It all comes down to: "Internet death imminent, movie at 11" ;)

Now if you would claim that DNSSEC brings a lot of load to the DNS infrastructure, then you are correct. But a single extra query for an AAAA record, not really, sorry.

Note also that most DNS servers and networks have enough capacity to solve that. If one's servers are not capable of handling a bit of extra load then one should have started upgrading them before anyway.

> But we haven't done anything with Teredo because that is one of the
> first things we disabled.

Having not tested it, how do you know how it behaves?

> If you need a tunnel broker I would recommend using Hexago's free tunnel
> broker over teredo

TSP itself is only for configuration of the tunnel. The UDPv6 protocol that is attached to it does the actual tunneling of IPv6 packets inside UDP. UDPv6 is vulnerable to a very easy attack: just send the packets. One only has to know the source & destination IPv4 address of the connection, which in effect is a VPN tunnel made for IPv6, and one can use it to inject malicious packets at will, similar to Teredo, 6to4 and plain proto-41 tunnels. Sequence number guessing is trivial and mostly protects it against very simple replay attacks.

To take the list of the pdf I mentioned above, TSP is vulnerable to:

For instance AYIYA, and most normal VPN tools (OpenVPN, tinc, IPsec-based tunnels to name a few) are not vulnerable to this, as every packet is signed, which in turn gives quite some overhead per packet, but does take care of any spoofing problems. (In the case of AYIYA, there exists a small window of opportunity at the moment to generate dupes for MD5 + SHA1 though)

Simple way to fix UDPv6: sign every packet, then it is secure (depending on values of what people call secure)

Next to all of this, Teredo exists for a totally different purpose than Tunnel Brokers do: you don't have to configure anything. If M$ would pre-load the TSP client and there would be useable anonymous TSP servers that

Next to all of this, unless Hexago made an update to the TSP tun/tap driver for Windows, the TSP client won't even run on Vista as the tun/tap driver bluescreens due to the API's having changed ;) So how did you test Vista + TSP in the first place, or is there a version out that supports Vista?

> which will also remove the DNS issues that are seen with
> Vista because the tunnel broker does the heavy lifting.

I lost you here. The Tunnel Broker does not do DNS resolving, the Vista box, which is the client, asks for AAAA's and A's from its DNS servers. Can you elaborate what you meant to say here?

Greets,
  Jeroen

</sorry for the semi rant...>
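The mail's remark about anyone being able to announce the Teredo or 6to4 prefix in BGP is, from the defender's side, a monitoring problem: compare what route collectors show against the origin you expect. The following is an added example, not code from this thread or from any of the projects named in it; the expected origin AS numbers and the observed announcements are constructed placeholders (private-range ASNs), and a real deployment would feed it live collector data and an RPKI/ROA table instead.

```python
import ipaddress

# Constructed expected-origin table for the two anycast prefixes the mail mentions.
# The AS numbers are placeholders from the private range, not the real origins.
EXPECTED_ORIGINS = {
    "2001::/32": {64496},        # Teredo service prefix (origin AS is a placeholder)
    "192.88.99.0/24": {64497},   # 6to4 relay anycast prefix (origin AS is a placeholder)
}

# Constructed announcements as a route collector might show them: (prefix, AS path).
OBSERVED = [
    ("2001::/32", [64500, 64496]),          # expected origin
    ("2001::/32", [64500, 64510, 65001]),   # same prefix, foreign origin
    ("2001:0:8000::/33", [64500, 65002]),   # more-specific, would win by longest match
    ("192.88.99.0/24", [64500, 64497]),     # expected origin
    ("192.88.99.0/25", [64500, 65003]),     # more-specific of the 6to4 prefix
    ("203.0.113.0/24", [64500, 65004]),     # not monitored, ignored
]


def find_suspect_announcements(observed, expected=EXPECTED_ORIGINS):
    """Return (prefix, origin_as, reason) for every announcement that either
    originates a monitored prefix from an unexpected AS or announces a
    more-specific of one (a more-specific attracts the traffic regardless of
    which AS originates it, so it is flagged unconditionally)."""
    monitored = {ipaddress.ip_network(p): asns for p, asns in expected.items()}
    suspects = []
    for prefix_str, as_path in observed:
        prefix = ipaddress.ip_network(prefix_str)
        origin = as_path[-1]  # rightmost AS in the path is the claimed origin
        for mon, allowed in monitored.items():
            if prefix.version != mon.version:
                continue
            if prefix == mon:
                if origin not in allowed:
                    suspects.append((prefix_str, origin, "unexpected origin AS"))
            elif prefix.subnet_of(mon):
                suspects.append((prefix_str, origin, "more-specific of monitored prefix"))
    return suspects


if __name__ == "__main__":
    for prefix, origin, reason in find_suspect_announcements(OBSERVED):
        print("%-20s origin AS%-6d %s" % (prefix, origin, reason))
```

Run as-is it flags three of the six constructed announcements: the foreign origin for 2001::/32 and the two more-specifics. The check deliberately ignores the AS path beyond its last element, since path content is what S-BGP would authenticate and this check cannot.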
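The "sign every packet" fix for UDPv6 that the mail proposes, and the contrast with encapsulations that accept any frame carrying plausible outer addresses, is shown below as an added example. It is not code from this thread, from AYIYA, or from Hexago's TSP/UDPv6, and the frame layout (4-byte sequence number, HMAC-SHA256 tag, then the inner IPv6 packet) and the shared key are constructed for illustration; AYIYA's real wire format differs.

```python
import hashlib
import hmac
import struct

SEQ_LEN = 4    # big-endian sequence number
MAC_LEN = 32   # HMAC-SHA256 tag
KEY_LEN = 32

# Constructed inner packet: a minimal IPv6 header (next header 59 = "no next header")
# with a few payload bytes, standing in for whatever the tunnel would carry.
_SRC = bytes.fromhex("20010db8000000000000000000000001")
_DST = bytes.fromhex("20010db8000000000000000000000002")
_PAYLOAD = b"hello"
SAMPLE_PACKET = struct.pack("!IHBB16s16s", 0x60000000, len(_PAYLOAD), 59, 64, _SRC, _DST) + _PAYLOAD


def unsigned_decapsulate(frame: bytes) -> bytes:
    """Behaviour of an unauthenticated encapsulation (plain proto-41, Teredo,
    UDPv6 as the mail describes it): whatever arrives is handed to the IPv6
    stack unchanged. Nothing here can tell a forged frame from a genuine one."""
    return frame


class AuthenticatedTunnel:
    """One side of a tunnel whose every frame carries an HMAC over the sequence
    number and inner packet. Strictly increasing sequence numbers are required,
    so a replayed frame is rejected (a sliding window is omitted for brevity)."""

    def __init__(self, key: bytes):
        if len(key) != KEY_LEN:
            raise ValueError("key must be %d bytes" % KEY_LEN)
        self._key = key
        self._tx_seq = 0
        self._highest_rx_seq = -1

    def _tag(self, header: bytes, inner: bytes) -> bytes:
        return hmac.new(self._key, header + inner, hashlib.sha256).digest()

    def encapsulate(self, inner: bytes) -> bytes:
        self._tx_seq += 1  # a real implementation must rekey before this wraps at 2**32
        header = struct.pack("!I", self._tx_seq)
        return header + self._tag(header, inner) + inner

    def decapsulate(self, frame: bytes):
        """Return (inner_packet, "ok") or (None, reason)."""
        if len(frame) < SEQ_LEN + MAC_LEN:
            return None, "truncated"
        header = frame[:SEQ_LEN]
        tag = frame[SEQ_LEN:SEQ_LEN + MAC_LEN]
        inner = frame[SEQ_LEN + MAC_LEN:]
        # Verify the tag before anything else so an unauthenticated frame never
        # influences state; compare_digest avoids a timing side channel.
        if not hmac.compare_digest(tag, self._tag(header, inner)):
            return None, "bad signature"
        seq = struct.unpack("!I", header)[0]
        if seq <= self._highest_rx_seq:
            return None, "replay"
        self._highest_rx_seq = seq
        return inner, "ok"


def run_demo():
    """Exercise the receiver with a genuine frame, a replay, a frame built
    without the key, a tampered frame, a truncated frame, and a fresh frame."""
    key = b"\x11" * KEY_LEN  # constructed shared key
    sender = AuthenticatedTunnel(key)
    receiver = AuthenticatedTunnel(key)
    results = []

    genuine = sender.encapsulate(SAMPLE_PACKET)
    results.append(receiver.decapsulate(genuine)[1])        # "ok"
    results.append(receiver.decapsulate(genuine)[1])        # "replay"

    # A frame from a party that knows the outer addresses but not the key.
    forged = AuthenticatedTunnel(b"\x22" * KEY_LEN).encapsulate(SAMPLE_PACKET)
    results.append(receiver.decapsulate(forged)[1])         # "bad signature"

    # A genuine frame whose last inner byte was altered in flight.
    tampered = genuine[:-1] + bytes([genuine[-1] ^ 0x01])
    results.append(receiver.decapsulate(tampered)[1])       # "bad signature"

    results.append(receiver.decapsulate(b"\x00" * 8)[1])    # "truncated"

    # The next genuine frame (sequence 2) is still accepted.
    results.append(receiver.decapsulate(sender.encapsulate(SAMPLE_PACKET))[1])  # "ok"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The per-packet cost the mail mentions is visible in the layout: 36 bytes of header and tag plus one HMAC computation per frame on each side. The tag covers the sequence number as well as the inner packet, so an attacker cannot lift a valid tag onto a fresh sequence number, which is what makes the replay check meaningful.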
This archive was generated by hypermail 2.1.7 : 12/01/06 EST