Securing Teredo Client From NAT Holes Vulnerability

Date
2009-04
Authors
Slehat, Shaher Suleman Mousa
Abstract
IP version 6 (IPv6) is a new version of the Internet Protocol, developed by the IETF. One of the mechanisms of transition from the current IPv4 to IPv6 is tunneling. Automatic tunneling has mechanisms to encapsulate IPv6 packets into IPv4 packets. These mechanisms are Teredo, ISATAP, and 6to4. However, in some cases, these mechanisms have problems such as source routing, neighbor discovery and NAT holes. This research tries to solve one of the problems related to Teredo, called "Teredo NAT Holes", which increases the attack surface. This causes the NAT service to become vulnerable. This thesis proposes a method called the Packet Authentication and Integrity Services (PAIS) that takes advantage of the Certificate Authentication (CA), Diffie-Hellman key exchange and Hash Message Authentication Code (HMAC) to solve the problem. We suggest the generation of an innovative message digest (md) of the header and data section of the packet. The proposed method creates a PAIS at the tunnel starting point and verifies it at the end point of the tunnel by recreating the value of md, which is inserted in the md field, and comparing it against the md field in the packet. The proposed methodology adds an md field to replace the next header in the packet header structure; we also use the Diffie-Hellman key exchange. Since IPv6 supports a loopback virtual network, we used it as the experimental test bed to verify the efficiency of the method. Based on the experiments, we found that our method shows good performance.
Keywords
Automatic tunneling has mechanisms to encapsulate IPv6 packets into IPv4 packets.