Confining ICMPv6 Traffic to the Intranet
Updated: October 1, 2009
Applies To: Windows 7, Windows Server 2008 R2
|This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).|
By default, the DirectAccess Setup Wizard creates Group Policy objects for DirectAccess clients and servers for settings that allow the following behaviors:
Internet Control Message Protocol (ICMP) traffic, for both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6), is exempted from Internet Protocol security (IPsec) protection
Teredo discovery traffic does not travel within the IPsec tunnels between DirectAccess clients and servers
These default settings allow Teredo-based DirectAccess clients to perform Teredo discovery of intranet resources. However, these settings also allow the following:
Any computer with a Teredo or 6to4 client can send Internet Control Message Protocol for IPv6 (ICMPv6) traffic to intranet locations through the DirectAccess server to probe for valid intranet destination IPv6 addresses. The amount of this traffic is limited by the Denial of Service Protection (DoSP) component of the DirectAccess server.
A malicious user on the same subnet as a Teredo-based DirectAccess client can determine the IPv6 addresses of intranet servers by capturing ICMPv6 Echo Request and Echo Reply message exchanges.
To prevent these possible security issues, you can modify the default configuration for the following:
Configure the global IPsec settings for the Group Policy object for DirectAccess clients to not exempt ICMP traffic from IPsec protection (from the IPsec Settings tab for the properties of the Windows Firewall with Advanced Security snap-in).
Configure the global IPsec settings for the Group Policy object for the DirectAccess server to not exempt ICMP traffic from IPsec protection (from the IPsec Settings tab for the properties of the Windows Firewall with Advanced Security snap-in).
For the Group Policy object for the DirectAccess server, create a new connection security rule that exempts ICMPv6 traffic when it is tunneled from the DirectAccess server.
For the Group Policy object for DirectAccess clients, create a new connection security rule that exempts ICMPv6 traffic when it is tunneled to the DirectAccess server.
The last two connection security rules allow unprotected ICMPv6 traffic to and from the IPv6 addresses of the DirectAccess client and server on the Internet to aid in troubleshooting. For example, you can use the Ping.exe tool from the DirectAccess client to test reachability to the DirectAccess server without IPsec protection.
With these modifications:
All ICMPv6 traffic sent through the DirectAccess server must be sent using a tunnel. Only DirectAccess clients can send ICMPv6 traffic to intranet locations.
Malicious users on the same subnet as the DirectAccess client will only be able to determine the IPv6 addresses of the DirectAccess client and the DirectAccess server. Intranet IPv6 addresses will be tunneled and encrypted with IPsec.
For the steps to configure the global IPsec settings and connection security rules, see Configure Settings to Confine ICMPv6 Traffic to the Intranet in the DirectAccess Deployment Guide.
Although these modifications address the security issues of the default configuration, Teredo discovery messages can no longer pass through the DirectAccess server and DirectAccess clients cannot use Teredo as a connectivity method. Therefore, if you make these changes, you must also do the following:
Disable Teredo client functionality on your DirectAccess clients
From the Group Policy object for DirectAccess clients, set Computer Configuration\Administrative Templates\Networking\TCPIP Settings\IPv6 Transition Technologies\Teredo State to Disabled.
Disable Teredo server and relay functionality on your DirectAccess server
Type the netsh interface teredo set state state=disabled command from an administrator-level command prompt on your DirectAccess server.
If you previously added a packet filter on your Internet firewall to allow Teredo traffic to and from the DirectAccess server, remove it.
Without Teredo connectivity, DirectAccess clients that are located behind network address translators (NATs) will use Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) for IPv6 connectivity to the DirectAccess server. However, IP-HTTPS-based connections have lower performance and higher overhead than Teredo-based connections.