Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3002
Views
0
Helpful
3
Replies

IPv6 tunneling through IPv4 - Blockage

JORGE RODRIGUEZ
Level 10
Level 10

‎11-04-2009 04:12 PM - edited ‎03-11-2019 09:36 AM

Would like to learn from you what tools I could use in a Network that provides IPv6 visibility and also completely blocks IPv6 from being tunneled through ipv4 only networks.

Scenario:

I have tested this from Linux running some internal penetration test apps,but specifically running Teredo tunneling in Local LAN that is able to completely bypass security paremeters such as websence filtering servers and be able to accessing internet IPv6 sites, even its equivalent IPv6 address based on its IPv4 PAT address could be pinged from outside.. is like the PIX firewall never existed - wide opened door .

Blocking in outbound and inbound direction udp ports 3545 and 3544 seem to done the trick in dropping IPv6 at the PIX/ASA from being tunneled out or in.. Is this so ? Realy ? not to fast!!

None of our local systems - users PCs or servers have IPv6 stack enabled as a policy, however, in reality this poses a serious thread.

For example, Teredo tunneling running in a host inside LAN say by a user who is a hacker can use different UDP ports from the standard listening udp 3545/3544 ports, host will still be able to tunnel IPv6 through IPv4 again, in this case I want to have tool or a strategy that can detect this internally beside being blocked at the firewall, I am looking at AIP for our ASAs would this help? What other tools could I utilized to have some sort of IPv6 awareness in our LAN without having to rung IPv6 that can provide some visibility of this invisible traffic in IPv4 LANs.

Regards

Jorge Rodriguez
Labels:
0 Helpful
3 Replies 3

slug420
Level 1
Level 1

‎03-09-2011 11:24 AM

1.5 years later...any thoughts?

0 Helpful

Pavel Pokorny
Level 1
Level 1

‎04-26-2013 12:55 AM

Hi,

Did you find any solution?

I have found only easy solution for ISATAP (blocking protocol 41), but blocking TEREDO (MIREDO) with ASA is problem.

Having router, I would have no trouble with blocking (ie:

http://www.networkworld.com/community/node/47270), but on Security appliance there is no option :

class-map type access-control, or class-map type stack.

:-(

Regards,

Pavel

0 Helpful

James Leinweber
Level 4
Level 4

‎04-26-2013 12:38 PM

There are a lot of ways of tunneling IPv6 over IPv4, so it's hard to block all of them.  You can certainly get 99% of the low hanging fruit by:

1) block protocol 41.  That takes out ISATAP, 6to4, default 6in4, and 6rd.

2) block the default Teredo server port, udp/3544.

In particular, this will stop the default tunneling behaviors by windows vista/7/8 clients.  If you have to worry about  GRE, IPSEC, and TLS as evasive measures you probably have bigger problems than just IPv6 tunneling.

Meanwhile, on the LAN side, you want to block rogue RA's and rogue DHCPv6 etc, so add some switchport ACL's or something.  On our catalys 3570G's I use:

ipv6 access-list v6client

deny udp any eq 547 any eq 546

deny icmp any any router-advertisement

deny icmp any any redirect

permit ipv6 any any

with

  ipv6 traffic-filter v6client in

on the access switchports.  I have a related v4 ACL too, of course.

-- Jim Leinweber, WI State Lab of Hygiene

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card