Securing Teredo Client From NAT Holes Vulnerability
Date
2009-04
Authors
Slehat, Shaher Suleman Mousa
Abstract
IP version 6 (IPv6) is a new version of the Internet Protocol, developed by the IETF.
One of the mechanisms of transition from the current IPv4 to IPv6 is tunneling.
Automatic tunneling has mechanisms to encapsulate IPv6 packets into IPv4 packets.
These mechanisms are Teredo, ISATAP, and 6to4. However, in some cases, these
mechanisms have problems such as source routing, neighbor discovery and NAT
holes. This research tries to solve one of the problems related to Teredo, called
"Teredo NAT Holes", which increases the attack surface and causes the NAT
service to become vulnerable. This thesis proposes a method called the Packet
Authentication and Integrity Services (PAIS) that takes advantage of the Certificate
Authentication (CA), Diffie-Hellman key exchange and Hash Message
Authentication Code (HMAC) to solve the problem. We suggest generating an
innovative message digest (md) of the header and data section of the packet. The proposed
method creates a PAIS at the tunnel starting point and verifies it at the end point of
the tunnel by recreating the value of md and comparing it against the value
inserted in the md field of the packet. The proposed methodology adds an md
field to replace the next header in the packet header structure; we also use the
Diffie-Hellman key exchange. Since IPv6 supports a loopback virtual network, we used it as
the experimental test bed to verify the efficiency of the method. Based on the
experiments, we found that our method shows good performance.
Keywords
Automatic tunneling has mechanisms to encapsulate IPv6 packets into IPv4 packets.