Protecting teredo clients from source routing exploits

Tunneling techniques such as configured tunnel, 6to4, ISATAP and Teredo are common mechanisms in the early deployment of IPv6 to connect between two isolated IPv6 LANs or hosts by using the IPv4 infrastructure. We focused on Teredo tunnel as it allows users behind NATs to obtain IPv6 connectivity. Teredo tunnel has been designed to encapsulate IPv6 packet in UDP using IPv6-in-UDPin-IPv4 technology. Though, Teredo tunnel raised some security threats including source routing exploits. This paper describes source routing exploits at the Teredo client and proposes a Teredo Client Protection Algorithm (TCPA) as an alternative mechanism to protect Teredo clients from IPv6 routing header risks. Since source routing in the IPv6 header could be exploited by either external or internal attackers, we believed our TCPA algorithm plays an impact in preventing potential attacks. TCPA is based on the filtration principle of matching. It operates on the Teredo client to deny the IPv6 packets which have routing header addresses unless the user allows these addresses traverse through it. The TCPA was implemented as a simulation in a real environment and the results showed that the proposed method is efficient and its logic sounds enough to protect Teredo client from attackers.