Mitigating the risks of unintentional IPv6 tunnels to IPv4 corporate networks

Some network administrators have started to look at mitigating the risks of unintentional IPv6 tunnels which introduce threats to corporate IPv4 networks. Basically, there are three type of threats :

a. Teredo tunnels by internal hosts;
b. GUI-based tunnel-broker clients like gogoclient; and
c. 6to4 tunnels which affect public servers in the DMZ.

For (a), we can ban UDP port 3544 in the outgoing direction since all Teredo servers must listen on that port within the IPv4 network path. For (b), Gogoclient and other similar programs must adhere to the specification of Tunnel Setup Protocol (TSP) and the port used is UDP 3653. Hence killing this port is feasible to disable all kinds of GUI TSP clients. As for 6to4 tunnels, some have suggested to ban Protocol 41 (IPv6 Protocol Number) entirely in a firewall. Banning entirely Protocol 41 is just like demolishing a big house because of a worm found inside the house. Just a little bit of pesticide to spray on the worm is ok. I think we can stop all servers or hosts to access the anycast address as a way to eliminate the establishment of 6to4 tunnels.

If anyone has better ideas of stopping unintentional IPv6 tunnels by means of a coporate firewall, please share your knowledge.

No comments: