Can we block all IPv6 tunnels in our enterprise network?

Undesired/unexpected/hidden IPv6 tunnels should be blocked

A major IPv4-to-IPv6 transition technique is the use of tunnels: IPv6 packets are encapsulated in IPv4 packets so that they can be carried over the IPv4-only parts of the Internet. Those tunnels can also be used within the enterprise network, either on purpose (for example to traverse legacy network devices that do not support IPv6) or not on purpose. The latter is welcomed neither by the network operations team nor by the security team. The main reason is that tunnels hide the actual IPv6 packets, and the associated layer-4-and-above information, from NetFlow analyzers, security ACLs, QoS settings, and so on. There have been rumors about botnets using those IPv6-in-IPv4 tunnels as a command and control channel. In short, if the tunnels are not there on purpose, they should be banned from any enterprise network.

Note: the above assertion applies only to enterprise networks; residential users would probably be happy with their Mac OS and Windows Vista machines connecting transparently to the IPv6 Internet.

So the basic question for a network manager is: how can we block all those tunnels? For some tunnels, like 6to4 or ISATAP, it is easy: simply block all IP protocol 41 traffic with an Access Control List (ACL) like

access-list 100 deny 41 any any
access-list 100 permit ip any any

The other kind of tunnel is Teredo, which relies on UDP encapsulation. The default UDP port used by Teredo is 3544. A naïve approach would be to use an ACL like

access-list 100 deny udp any any eq 3544
access-list 100 deny udp any eq 3544 any

But the above ACL could block by mistake normal (non-tunneled) packets that just happen to use port 3544. Moreover, a malicious user (or a trojanized host) can change the UDP port from the default setting.

This is where the power and flexibility of Cisco Flexible Packet Matching (FPM) can be used: FPM is able to inspect any packet for any specific value at a specific offset. The caveat is that on most platforms this is done in software, so FPM should be used only where the platform can afford the extra CPU load.

The trick to spot a Teredo packet is to search all UDP packets for a Teredo IPv6 address, which always starts with 2001::/32; note the /32 rather than /16: the prefix is actually 2001:0::/32, so the first 32 bits of the address are 0x20010000. A further check is done on the IP version number (value 0x60 in the first byte of the UDP payload). The complete FPM configuration is then:

class-map type stack match-all cm-ip-udp
 match field IP protocol eq 17 next UDP
class-map type access-control match-all cm-teredo1
 match start udp payload-start offset 0 size 1 eq 0x60 mask 15
 match start udp payload-start offset 8 size 4 eq 0x20010000
class-map type access-control match-all cm-teredo2
 match start udp payload-start offset 0 size 1 eq 0x60 mask 15
 match start udp payload-start offset 24 size 4 eq 0x20010000

policy-map type access-control pm-teredo
 class cm-teredo1
  drop
 class cm-teredo2
  drop
policy-map type access-control pm-udp-teredo
 class cm-ip-udp
  service-policy pm-teredo

The last step is to apply the service policy to the interface:

interface GigabitEthernet1/36
  service-policy type access-control in pm-udp-teredo
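
To see exactly what the two Teredo class-maps test for, here is the same heuristic written as a small Python checker over a UDP payload (an added example, not code from the original post or from Cisco): IPv6 version nibble 6 in the first byte, then the 2001:0::/32 prefix at offset 8 (source) or offset 24 (destination). It goes one step beyond the FPM rules by also skipping the optional Teredo Authentication and Origin indicators that RFC 4380 allows in front of the IPv6 packet, which a fixed-offset match would miss; every packet below is a constructed sample.

```python
import ipaddress

# Teredo service prefix 2001:0000::/32 as it appears on the wire (RFC 4380).
TEREDO_PREFIX = bytes.fromhex("20010000")
IPV6_HDR_LEN = 40


def skip_teredo_indicators(payload: bytes) -> bytes:
    """Return the IPv6 packet carried in a Teredo UDP payload.

    RFC 4380 sec. 5.1.1 allows an Authentication indicator (tag 0x0001)
    and/or an Origin indicator (tag 0x0000) before the IPv6 packet.  The
    fixed-offset FPM match does not account for them, so skip them first.
    """
    if payload[:2] == b"\x00\x01" and len(payload) >= 4:
        id_len, au_len = payload[2], payload[3]
        # tag(2) + lengths(2) + client id + auth value + nonce(8) + confirmation(1)
        payload = payload[4 + id_len + au_len + 9:]
    if payload[:2] == b"\x00\x00":
        payload = payload[8:]  # tag(2) + obfuscated port(2) + obfuscated IPv4(4)
    return payload


def is_teredo(udp_payload: bytes) -> bool:
    """Same test as cm-teredo1/cm-teredo2: version nibble 6 (the FPM 'mask 15'
    ignores the low nibble) and 2001:0::/32 as source (offset 8) or
    destination (offset 24)."""
    pkt = skip_teredo_indicators(udp_payload)
    if len(pkt) < IPV6_HDR_LEN or (pkt[0] & 0xF0) != 0x60:
        return False
    return pkt[8:12] == TEREDO_PREFIX or pkt[24:28] == TEREDO_PREFIX


def ipv6_packet(src: str, dst: str) -> bytes:
    """Build a bare 40-byte IPv6 header (constructed sample, no real traffic)."""
    # version 6, traffic class 0, flow label 0, payload length 0,
    # next header 59 (no next header), hop limit 64
    fixed = bytes([0x60, 0, 0, 0, 0, 0, 59, 64])
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed


# Constructed samples: a Teredo client talking to a native host, the same
# packet behind an Origin indicator, and a plain UDP payload on port 3544.
TEREDO_SAMPLE = ipv6_packet("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::1")
TEREDO_WITH_ORIGIN = bytes.fromhex("0000" "1234" "c0a80101") + TEREDO_SAMPLE
PLAIN_UDP_SAMPLE = b"Hello" * 8  # first byte 0x48, not an IPv6 version nibble

if __name__ == "__main__":
    for name, p in (("teredo", TEREDO_SAMPLE), ("teredo+origin", TEREDO_WITH_ORIGIN), ("plain", PLAIN_UDP_SAMPLE)):
        print(f"{name:14} -> {'drop' if is_teredo(p) else 'pass'}")
```

The Origin-indicator sample is the interesting one: the FPM rules above see 0x00 at offset 0 and let it through, so an FPM policy catches the bulk of Teredo data traffic but not every Teredo packet.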

As a final note, another way to block all those tunnels is through specific configuration on all network hosts (laptops, desktops, servers) to disable the tunnels. This is of course doable only for corporate assets. For example, here are the commands to be used on a Windows Vista machine:

netsh interface 6to4 set state state=disabled undoonstop=disabled
netsh interface isatap set state state=disabled
netsh interface teredo set state type=disabled

Copyright © 2009 IDG Communications, Inc.