Mitigating Nat Holes Vulnerability in Teredo Clients

Abstract

Tunneling is one of the key mechanisms which can help in the transition from the current IPv4 to IPv6 protocol. The function of automatic tunneling process is to encapsulate IPv6 packets into IPv4 packets. The main components involved in the tunelling mechanism are: Teredo, ISATAP, and 6to4. In some cases, however, these components have ceratain issues related to source routing, neighbor discovery and NAT holes problems. This paper aims to demonstrate how a serious problem related to the Teredo mechanism, called “Teredo NAT Holes” can be solved. The problem NAT Holes problem increases the attack surface in Teredo and thus causes the NAT service to become vulnerable to attacks. This research work proposes an approach called the Packet Authentication and Integrity Services (PAIS) that takes advantage of the Certificate Authentication (CA) that is combined with the Diffie-Hellman key exchange and Hash Message Authentication Code (HMAC) algorithms to provide a suitable solution for the problem. Here it is suggested that the proposed method needs to create the PAIS at the Tunnel’s starting point first, and then needs to verify it at the end point of the Tunnel, by recreating the value of md , which is subsequently inserted into the md field and compared against the md’ field in the packet. The proposed methodology adds md field in order to replace the next header in the packet header structure. The Diffie-Hellman algorithm is used for the key exchange. The IPv6 protocol supports loopback virtual network, and is used in the experimental test bed to validate the efficiency of the method. The experimental results show that the method offers good performance and is able to adequately mitigate NAT Holes issues in Teredo clients