Internet Protocol (IP) is a packet-based communication protocol in which addressed packets are forwarded by packet routers through a communication network between network access devices. Internet Protocol version 4 (IPv4) utilizes a 32-bit addressing scheme and is currently the most dominant IP version. In 1998 the Internet Engineering Task Force (IETF) designated IPv6 as the successor to IPv4 through the publication of a new Standards Track Specification RFC 2460. IPv6 utilizes a 128-bit address that provides greater flexibility in allocating addresses and routing traffic and eliminates the need for NAT, which has been widely deployed to alleviate IPv4 address exhaustion.
FIG. 1 is a high-level schematic of an illustrative prior art IP network 100 including a legacy IPv4 network 102 interconnected by gateways to IPv6 networks 104 and 106. IPv4 network 102 supports a plurality of nodes (i.e., network access devices) 108, 110, 112. IPv6 networks 104 and 106 likewise support nodes 112 and 114, respectively. The network access devices are connected to the respective IP networks in several ways, including via an Internet Service Provider (ISP) or a Local Area Network (LAN) such as LAN 116, through which network access device 108 accesses network 102. Network access device 108 is disposed behind a NAT 124 in a manner well known to those skilled in the art.
To facilitate routing across the various IP networks, tunnel protocols are utilized to define paths for IP traffic as is well known. Similarly, tunnel protocols have been established for IPv6 to permit tunnels to be set up across the IPv4 and IPv6 networks. The latter are dynamically set up by tunnel servers (i.e., 120 and 122) that reside between IPv4 and IPv6 networks. When a network access device (e.g., 108) resides behind a NAT 124, an application establishes a special open-ended tunnel through the NAT 124 to a dual-stacked network access device on the Internet. IPv6 packets are tunneled through a single User Datagram Protocol (UDP) port on the NAT 124, and thus each IPv6 packet resides inside a UDP header, which in turn is encapsulated inside an IPv4 header. An example of such a tunneling protocol is known as Teredo, which was developed by Microsoft® and is typically enabled by default in Windows Vista and Longhorn, and available in earlier versions such as Windows XP and the like. The Teredo framework comprises clients, relays and servers. A Teredo client executing on a network access device utilizes the Teredo protocol to reach another peer on the IPv6 network. The clients are dual-stack nodes (IPv4 and IPv6) that may be disposed behind one or more IPv4 NATs (e.g., 124). The Teredo client thus always sends and receives Teredo IPv6 traffic tunneled in UDP over IPv4.
Tunneling protocols such as Teredo have serious security implications for those network access devices that are situated behind a NAT. The open-ended tunnel can bypass pre-existing IPv4-based network filters such as firewalls and the like. This is an obvious concern for those who set up and maintain network security, since such controls are generally focused on protecting the internal network and/or enforcing access policies. Although NATs are generally not considered security devices, the restrictions they impose on traffic traversing the box provide a security benefit. Thus, when such network security controls on an IPv4 NAT are bypassed in this manner, the security burden shifts to the client host.
In view of the above, it would be advantageous to provide a mechanism whereby filtering rules on a NAT can be applied to tunneled IPv6 packets.
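As an added illustration of the encapsulation described above and of the filtering mechanism this section calls for (example code, not the patent's own implementation), the following Python decapsulates an IPv6-in-UDP-in-IPv4 frame and applies an IPv6 destination-port rule to the inner packet. The Teredo prefix 2001:0::/32 and server port 3544 are from RFC 4380; all addresses, ports and the test frame are constructed.

```python
"""Decapsulate Teredo-style IPv6-in-UDP-in-IPv4 and filter on the inner IPv6 packet."""
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")  # Teredo service prefix (RFC 4380)


def decapsulate(frame: bytes):
    """Return inner IPv6 header fields if `frame` is IPv4/UDP carrying IPv6, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17:                     # IPv4 protocol field: 17 = UDP, else no tunnel
        return None
    udp = frame[ihl:]
    if len(udp) < 8 + 40:                  # UDP header plus a full IPv6 header
        return None
    udp_len = struct.unpack("!H", udp[4:6])[0]
    payload = udp[8:udp_len]
    if len(payload) < 40 or payload[0] >> 4 != 6:   # payload must start with IPv6 header
        return None
    next_hdr = payload[6]
    src = ipaddress.IPv6Address(payload[8:24])
    dst = ipaddress.IPv6Address(payload[24:40])
    inner = {"src": src, "dst": dst, "next_header": next_hdr, "dport": None,
             "teredo": src in TEREDO_PREFIX or dst in TEREDO_PREFIX}
    if next_hdr in (6, 17) and len(payload) >= 44:  # TCP/UDP: dst port at L4 offset 2
        inner["dport"] = struct.unpack("!H", payload[42:44])[0]
    return inner


def filter_tunneled(frame: bytes, blocked_tcp_ports):
    """Apply an inner-IPv6 TCP destination-port deny rule; returns 'ALLOW' or 'DROP'."""
    inner = decapsulate(frame)
    if inner is None:
        return "ALLOW"                     # not tunneled IPv6; ordinary IPv4 rules apply
    if inner["next_header"] == 6 and inner["dport"] in blocked_tcp_ports:
        return "DROP"
    return "ALLOW"


def build_frame(inner_dport: int) -> bytes:
    """Constructed frame: IPv4 -> UDP (to Teredo port 3544) -> IPv6 -> 20-byte TCP stub."""
    tcp = struct.pack("!HH", 40000, inner_dport) + bytes(16)
    ip6 = (struct.pack("!IHBB", 0x60000000, len(tcp), 6, 64)
           + ipaddress.IPv6Address("2001:0:53aa:64c:0:1234:5678:9abc").packed   # Teredo client
           + ipaddress.IPv6Address("2001:db8::1").packed + tcp)                 # documentation peer
    udp = struct.pack("!HHHH", 50000, 3544, 8 + len(ip6), 0) + ip6
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address("192.0.2.10").packed,
                      ipaddress.IPv4Address("198.51.100.20").packed)
    return ip4 + udp
```

A NAT that only matched on the outer IPv4/UDP headers would see a single permitted UDP flow; the rule here is evaluated against the decapsulated IPv6 header instead.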