Teredo Security Updates
This draft outlines updates to the Teredo specification (RFC 4380) aimed at improving security. It modifies the flags field of the Teredo address to reduce its guessability, filling the 12 bits that RFC 4380 sets to zero with random values instead. It also deprecates the Cone bit, because that bit reveals whether the client sits behind a cone NAT and so discloses the network's security posture, and discusses backward compatibility: the Windows Vista implementation already randomizes the formerly zero bits, other implementations need updating to gain the reduced predictability, and all implementations must clear the Cone bit. The draft stresses that these changes can be adopted without causing interoperability problems between modified and unmodified clients.
Presentation Transcript
Teredo Security Updates
draft-krishnan-v6ops-teredo-update-01.txt
Suresh Krishnan & Jim Hoagland
v6ops @ IETF 70
Scope
• Standards track document
• Updates the base Teredo spec (RFC 4380) to reduce the guessability of Teredo addresses
• Split out from the original Teredo security concerns draft
• Includes a Security Considerations section that updates the Security Considerations of RFC 4380
Changes
• The Teredo flags field is modified as follows
• Randomize the flags: reduce the predictability of addresses by using 12 random bits where RFC 4380 mandates 12 zero bits
• Deprecate the Cone bit: it divulges the security posture of the network (whether the client is behind a cone NAT), so it should no longer be advertised
• The new redefined flags field looks like this (the flags diagram itself is not reproduced in this transcript; only the overall address format is)
Backward compatibility
• The Windows Vista implementation of Teredo already randomizes the previously zero flag bits
• Other implementations need to be updated if they want the reduced predictability
• All implementations need to be modified to set the Cone bit to 0
• No interoperability issues between modified and unmodified clients: peers do not interpret the randomized bits, and a cleared Cone bit only makes them use the restricted-NAT procedure, which also works for clients behind a cone NAT
Further steps
• Questions?
• Accept as WG item?
• Appropriate venue
Address Format

  +-------------+-------------+-------+------+-------------+
  | Prefix      | Server IPv4 | Flags | Port | Client IPv4 |
  +-------------+-------------+-------+------+-------------+
     32 bits       32 bits     16 bits 16 bits   32 bits

Prefix is 2001:0000::/32. Per RFC 4380 the Port and Client IPv4 fields are stored obfuscated (XORed with all ones), and the 16-bit Flags field is laid out MSB first as C R A A A A U G A A A A A A A A, where C is the Cone bit, R is reserved, U and G are the IEEE 802 universal/group bits (zero), and the twelve A bits are the ones the draft randomizes.
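To make the proposed change concrete, the following Python is an added example written for this page; it is not code from the draft or its authors. It encodes and decodes Teredo addresses using the RFC 4380 field layout and the C R A A A A U G A A A A A A A A flags layout from that RFC, fills the twelve A bits from a CSPRNG as the draft proposes, clears the Cone bit, and reports the two properties the draft cares about for any given address. The sample address is the worked example from RFC 4380; the function names (decode, encode, flag_issues, same_endpoint) are assumptions of this example. It goes slightly beyond the slides by also flagging set reserved or U/G bits, which RFC 4380 already requires to be zero.

```python
"""Teredo address encode/decode showing the flags-field change the draft
proposes (12 random A bits, Cone bit cleared) against the RFC 4380 layout.
Added example for this page; not code from the draft or its authors."""
import ipaddress
import secrets

TEREDO_PREFIX = 0x20010000          # 2001:0000::/32, the Teredo prefix (RFC 4380)

# 16-bit flags field, MSB first, as laid out in RFC 4380:
#   C R A A A A U G A A A A A A A A
# C = Cone bit, R = reserved, U/G = IEEE 802 universal/group bits (zero),
# A = the 12 bits RFC 4380 sets to zero and the draft randomizes.
CONE_BIT = 0x8000
RESERVED_BIT = 0x4000
UG_BITS = 0x0300
RANDOM_MASK = 0x3CFF                # the 12 A bits: 0x3C00 | 0x00FF
assert bin(RANDOM_MASK).count("1") == 12


def decode(addr):
    """Split a Teredo address into its fields, undoing the obfuscation of the
    port and client IPv4 (both are stored XORed with all ones per RFC 4380)."""
    n = int(ipaddress.IPv6Address(addr))
    if n >> 96 != TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    flags = (n >> 48) & 0xFFFF
    return {
        "server": str(ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)),
        "flags": flags,
        "cone": bool(flags & CONE_BIT),
        "random_bits": flags & RANDOM_MASK,
        "port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def encode(server, client, port, cone=False, randomize=True, rand=None):
    """Build a Teredo address. randomize=True fills the 12 A bits from a
    CSPRNG as the draft proposes; randomize=False yields the RFC 4380 form
    (A bits zero). `rand` pins the random value so tests are deterministic."""
    flags = CONE_BIT if cone else 0
    if randomize:
        flags |= (secrets.randbits(16) if rand is None else rand) & RANDOM_MASK
    n = ((TEREDO_PREFIX << 96)
         | (int(ipaddress.IPv4Address(server)) << 64)
         | (flags << 48)
         | ((port ^ 0xFFFF) << 32)
         | (int(ipaddress.IPv4Address(client)) ^ 0xFFFFFFFF))
    return str(ipaddress.IPv6Address(n))


def flag_issues(addr):
    """Report what the flags field gives away, per the draft's two concerns.
    The all-zero A check is a heuristic: a randomizing client draws all
    zeros with probability 2**-12, so treat it as a hint, not proof."""
    f = decode(addr)["flags"]
    issues = []
    if f & CONE_BIT:
        issues.append("cone bit set: divulges NAT type (deprecated by the draft)")
    if f & RANDOM_MASK == 0:
        issues.append("A bits all zero: address guessable (RFC 4380 pattern)")
    if f & (RESERVED_BIT | UG_BITS):
        issues.append("reserved or U/G bits set: RFC 4380 requires zero")
    return issues


def same_endpoint(a, b):
    """Peers reach a client via server, port and client IPv4 only; the A bits
    are never interpreted, which is why a randomizing client and a legacy
    client describing the same endpoint remain interoperable."""
    da, db = decode(a), decode(b)
    return all(da[k] == db[k] for k in ("server", "port", "client"))


if __name__ == "__main__":
    # Worked example address from RFC 4380: cone NAT, server 65.54.227.120,
    # mapped port 40000, client mapped address 192.0.2.45.
    LEGACY = "2001:0000:4136:e378:8000:63bf:3fff:fdd2"
    print(decode(LEGACY))
    print(flag_issues(LEGACY))
    # Same endpoint, flags as the draft proposes (random A bits, Cone bit 0).
    updated = encode("65.54.227.120", "192.0.2.45", 40000)
    print(updated, flag_issues(updated), same_endpoint(LEGACY, updated))
```

With the legacy address the checker reports both the set Cone bit and the all-zero A bits; the re-encoded address has neither issue yet decodes to the same server, port and client, which is the interoperability point the slides make. Note that the randomization only removes the 12 predictable bits; the server address, mapped port and client address are still whatever the NAT and the chosen Teredo server produce.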