Check Point Advisories

IPv6 In IPv4 Tunneling

Vulnerability
Protection

Check Point Reference:	SBP-2009-19
Date Published:	20 Oct 2009
Severity:	N/A
Last Updated:	Thursday 17 December, 2015
Source:
Protection Provided by:	Security Gateway R81, R80, R77, R75, R71, R70, R65
Who is Vulnerable?
Vulnerability Description	Internet Protocol version 6 (IPv6) is the next-generation Internet Protocol version designated as the successor to IPv4, the first implementation used in the Internet. Tunneling is used by computer networks when one network protocol encapsulates a different payload protocol. Via tunneling a user can carry a payload over an incompatible delivery-network, or provide a secure path through an untrusted network. Users can use tunneling to get past a firewall, using a protocol that the firewall would normally block, but wrapped inside a protocol that the firewall does not block. Also, tunneling communication between internal clients and servers outside the organization can leave the client that initiates the connection vulnerable to attacks sent through the tunnel. The client machine could infect other machines, and potentially jeopardizing the entire network. There are cases in which certain traffic, although not intended for malicious use, is very unsafe, since it may transfer shellcode which is undetectable by IPS.

Protection Overview

This protection will detect and block IPv6 tunneling inside IPv4 packets.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

In the IPS tab, click Protections and find the IPv6 In IPv4 Tunneling protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: ICMP Protocol Violation.
Attack Information: IPv6 in IPv4 tunneling