Teredo Security Updates
draft-krishnan-v6ops-teredo-update-01.txt
Suresh Krishnan & Jim Hoagland
v6ops@IETF70
Scope
• Standards track document
• Update the base Teredo spec to reduce the guessability of Teredo addresses
• Split out from the original Teredo security concerns draft
• Security considerations section that updates the SecCons of RFC4380.
Changes
• The flags field of the Teredo address is modified as follows
  • Randomize flags
    • Reduces predictability of addresses by using 12 random bits instead of 12 zero bits
  • Deprecate Cone bit
    • The Cone bit divulges the security posture of the network. Avoid this
• The new redefined flags field looks like this
Backward compatibility
• Vista implementation of Teredo already randomizes the previously zero flag bits
• Other implementations need to be updated if they need the reduced predictability
• All implementations need to be modified to set the Cone bit to 0
• No interoperability issues between modified and unmodified clients
Further steps
• Questions?
• Accept as wg item?
• Appropriate venue
Address Format
+-------------+-------------+-------+------+-------------+
|   Prefix    | Server IPv4 | Flags | Port | Client IPv4 |
+-------------+-------------+-------+------+-------------+
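As an added illustration of the Address Format slide and the flags change on the Changes slide (example code written for this page, not from the draft or any Teredo implementation), the following parses a Teredo address into its fields, builds one with the draft's defaults (Cone bit 0, 12 random flag bits), and shows how much the random bits enlarge the search space an outside party faces. The positions of the 12 random bits are an assumption taken from the later RFC 5991 layout; the slides do not show them.

```python
import ipaddress
import secrets
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")   # RFC 4380 Teredo prefix
CONE_BIT = 0x8000   # "C" flag: the MSB of the 16-bit flags field (RFC 4380)
# Assumed positions of the 12 randomised bits (the "A" bits of the
# CRAAAAUG AAAAAAAA layout in RFC 5991); the slides do not show them.
RANDOM_MASK = 0x3CFF

def parse_teredo(addr: str) -> dict:
    """Split a Teredo address into the fields of the Address Format slide."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    raw = ip.packed
    flags, obf_port = struct.unpack("!HH", raw[8:12])
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "flags": flags,
        "cone": bool(flags & CONE_BIT),
        "random_bits": flags & RANDOM_MASK,
        # Port and client IPv4 are stored XOR-obfuscated (RFC 4380 section 4)
        "port": obf_port ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))),
    }

def build_teredo(server: str, client: str, port: int,
                 randomize: bool = True, cone: bool = False) -> str:
    """Build a Teredo address; defaults follow the draft: random flag bits, Cone bit 0."""
    flags = CONE_BIT if cone else 0
    if randomize:
        flags |= secrets.randbits(16) & RANDOM_MASK
    packed = (TEREDO_PREFIX.network_address.packed[:4]
              + ipaddress.IPv4Address(server).packed
              + struct.pack("!HH", flags, port ^ 0xFFFF)
              + bytes(b ^ 0xFF for b in ipaddress.IPv4Address(client).packed))
    return str(ipaddress.IPv6Address(packed))

def guess_space(randomized_flags: bool) -> int:
    """Candidate addresses for one client when server and client IPv4 are known:
    the 16-bit port alone, times 2^12 once the flag bits are random."""
    return (1 << 16) << (12 if randomized_flags else 0)
```

The RFC 4380 worked example (server 65.54.227.120, client 192.0.2.45, port 40000, Cone bit set) parses to 2001:0:4136:e378:8000:63bf:3fff:fdd2 with zero random bits, which is exactly the predictability the draft removes.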