Windows Vista's implementation of a tunnelling protocol called Teredo can be added to the list of security problems posed by the operating system, according to recent research from Symantec Advanced Threat Research.

Teredo is one of the protocols introduced into Vista to support IPv6, but it also has unforseen side-effects, Symantec said, among them that it could allow attackers to evade organisations' security measures.

"Tunnelling methods can be used to evade security controls, and that is what Teredo does (though that was not the intent)," wrote Symantec's researchers in the report. "Unless network firewalls and IDSs are specifically aware of this protocol, they will not be applying the appropriate filtering to the IPv6 packet and its contents; this reduces defence-in-depth, and may result in a failure to apply important security controls."

The report (PDF), called "Windows Vista Network Attack Surface Analysis", was prepared by Dr. James Hoagland, Matt Conover, Tim Newsham and Ollie Whitehouse. The researchers noted that Vista introduces a completely rewritten network stack, which means Vista will behave differently than Windows XP - something network administrators need to be wary of, according to Symantec.

Teredo is designed as a temporary measure to allow devices with IPv6-unaware NAT devices to take advantage of IPv6 connectivity; it encapsulates IPv6 packets within IPv4 UDP datagrams.

One problem with this is that if administrators aren't aware Teredo is being used, it may help attackers gain access to targets on private internal networks, Symantec said. Many intrusion detection systems and firewalls are not currently aware of Teredo, researchers said.

"If left unhandled and unchecked, IPv6 and its accompanying transition technologies allow an attacker access to hosts on private internal networks without the administrator expecting this global accessibility," the report said.

They found that Teredo is enabled by default, though dormant, and "that it was readily used, despite Microsoft's apparently inaccurate statements that downplay its level of activity". The research found Vista in some cases switches on Teredo without any intervention from the user.

Vista requires a firewall to be running to activate Teredo, but this measure, while "sensible", "cannot compensate for all of Teredo's problematic security implications," Symantec said.

Microsoft has responded that the paper in fact validates Microsoft's design decisions in Vista, while acknowledging that improvements could be made.