I really do appreciate it when people dedicate time, energy and expertise to making sure we're all as informed as we can be about the potential for bad things to happen. Case in point, hat tip to Mitchell for pointing us to just such a helpful tip from a couple of guys submitting a draft to the IETF regarding the evils of tunneled traffic.
Specifically, the authors are commenting on the "feature" called Teredo in which IPv6 is tunneled in UDP IPv4 datagrams.
Here's the shocking revelation, sure to come as a complete surprise to anyone in IT/Security today...if you only look at SrcIP, DstIP, SrcPort, DstPort and Protocol, you'll miss the fact that nasty bits are traversing your networks in a tunneled/encapsulated death ray!
Seriously, welcome to 1995. If your security infrastructure relies upon technology that doesn't inspect "deeper" than the 5-tuple above, you're surely already aware of this problem, as 90% of the traffic entering and leaving your network is probably "tunneled" within port 80/443.
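To make the 5-tuple blind spot concrete, here is an added example (mine, not from the post or the IETF draft) that parses a constructed IPv4/UDP packet carrying a Teredo-encapsulated IPv6 packet: the 5-tuple view reports only "UDP 3544 to UDP 3544", while looking eight bytes past the UDP header exposes the inner IPv6 addresses and next-header value. The addresses are documentation ranges, the checksums are left at zero, and Teredo origin/authentication indicators are deliberately not handled.

```python
import ipaddress
import struct

TEREDO_PORT = 3544  # IANA-assigned UDP port for Teredo (RFC 4380)

def five_tuple(pkt: bytes) -> dict:
    """What a 5-tuple-only device sees: outer IPv4 src/dst, protocol, UDP ports."""
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": src, "dst": dst, "proto": pkt[9], "sport": sport, "dport": dport}

def inner_ipv6(pkt: bytes):
    """Look past the UDP header: if the payload starts with an IPv6 header,
    return the encapsulated src/dst and next-header value, else None.
    Assumption: the IPv6 packet follows the UDP header directly (no Teredo
    origin/authentication indicator), which is the common data-packet case."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:                               # outer protocol is not UDP
        return None
    payload = pkt[ihl + 8:]                        # skip the 8-byte UDP header
    if len(payload) < 40 or payload[0] >> 4 != 6:  # need a full IPv6 header, version 6
        return None
    return {"src6": str(ipaddress.IPv6Address(payload[8:24])),
            "dst6": str(ipaddress.IPv6Address(payload[24:40])),
            "next_header": payload[6]}

def classify(pkt: bytes) -> str:
    """Label the flow the way a payload-inspecting engine would, not a 5-tuple filter."""
    outer, inner = five_tuple(pkt), inner_ipv6(pkt)
    if inner and TEREDO_PORT in (outer["sport"], outer["dport"]):
        return "teredo: IPv6 next-header %d tunneled in UDP/IPv4" % inner["next_header"]
    if inner:
        return "ipv6-in-udp on a non-Teredo port"
    return "plain ip proto %d" % outer["proto"]

def build_teredo_packet() -> bytes:
    """Constructed sample: IPv4/UDP 192.0.2.10:3544 -> 198.51.100.5:3544 carrying
    IPv6 2001:db8::1 -> 2001:db8::2 with next header 58 (ICMPv6). Checksums are 0."""
    inner = (struct.pack("!IHBB", 0x60000000, 8, 58, 64)      # ver/tc/flow, plen, nh, hlim
             + ipaddress.IPv6Address("2001:db8::1").packed
             + ipaddress.IPv6Address("2001:db8::2").packed
             + bytes(8))                                       # placeholder ICMPv6 bytes
    udp = struct.pack("!HHHH", TEREDO_PORT, TEREDO_PORT, 8 + len(inner), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(inner), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address("192.0.2.10").packed,
                     ipaddress.IPv4Address("198.51.100.5").packed)
    return ip + udp + inner

if __name__ == "__main__":
    sample = build_teredo_packet()
    print(five_tuple(sample))   # what the 5-tuple filter logs
    print(classify(sample))     # what deeper inspection finds
```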
Here's a practical example. I stuck a Palo Alto Networks box in front of my home network as part of an evaluation I'm doing for a client. Check out the application profile of the traffic leaving my network via my FIOS connection:
Check out that list of applications above. Care to tell me how many of them are tunneled over/via/through port 80/443? True, they're not IPv6 in IPv4, but it's really the same problem; obfuscating applications and protocols means you need to have much more precise fidelity and resolution in detecting what's going through your
By the way, I've got stuff going through SSH port forwarding, in ICMP payloads, via SSL VPN, via IPSec VPN...can't wait to see what happens when I shove 'em out using Fragrouter.
I'm all for raising awareness, but does this really require an IETF draft to update the Teredo specification?