zaterdag 28 november 2009

IPv6 anytime

Having IPv6 connectivity is really sweet, at times. The preferred way would be a native connection, but since there are hardly any ISP offering IPv6 on their networks, one needs to tunnel.

Tunneling is basically accepting IPv6 traffic on a local interface, putting it into an IPv4 packet, sending it to a host in the Internet that does have IPv6 connectivity, unpacking the IPv6 packet out of the IPv4 container, and letting it go via the IPv6 network. Tunnel brokers like SiXXs & HE are really good for this. They offer free connectivity, clients, instructions and what have you not, to setup a nice Any to Any tunnel.

But when you are in a network that is somehow blocking tunneled IPv6, easily detectable by firewalls because it is marked as a protocol 41, you will not be able to setup your elegant tunnel. Public WiFi, hotels, companies, all sorts block protocol 41.

Luckily there are more options. One of the more stealthy methods is implemented in the Teredo tunnel. It is specifically designed to work behind NAT'ed devices, something the ISATAP router does not handle since it needs public IP connectivity. "Nice' thing about ISATAP is that Vista, 7 and windows 2008 machines will automatically configure an ISATAP interface when the name isatap is resolvable in the local domain [hint]. So if the record isatap.example.com IN A 1.1.1.100 exists, you're in business. But I digress.

Teredo is also implemented for free and automagically on your windows machines... IF they are not member of an Active Directory [hint]. It is also available for linux & BSD and there is a [old] implementation that runs on OSX [including Snow Leopard] too.

The name is not an incident either. As on WikiPedia: "The initial nickname of the Teredo tunneling protocol was shipworm. The idea was that the protocol would pierce holes through NAT devices, much like the shipworms bore tunnels through wood. Shipworms are responsible for the loss of very many wooden hulls, but Christian Huitema in the original draft noted that "the animal only survives in relatively clean and unpolluted water; its recent comeback in several Northern American harbors is a testimony to their newly retrieved cleanliness. Similarly, by piercing holes through NAT, the service would contribute to a newly retrieved transparency of the Internet."
Christian Huitema quickly changed the name to Teredo to avoid confusion with computer worms[2]. Teredo navalis is the Latin name of one of the best known species of shipworm."

The 'self healing capabilities' of 'the Internet' and the features in IPv6 especially, called Neighbor Discovery, open a whole class of challenges themselves. Initially for the network designers and operators but soon for malware writers too. Luckily the part of the RFC for IPv6's Type 0 Routing Header has already been depreciated. It made possible the good ol' source routing but then 88-fold amplification. It has been demonstrated at CanSecWest07 by Philippe Biondi & Arnaud Ebalard, they are the developers of 'scapy' a powerful interactive packet manipulation program.

Have fun and good luck getting packets flowing the way you like it.