[129271] in North American Network Operators' Group
Re: Comcast enables 6to4 relays
daemon@ATHENA.MIT.EDU (Jack Bates)
Tue Aug 31 13:07:15 2010
Date: Tue, 31 Aug 2010 12:02:56 -0500
From: Jack Bates <jbates@brightok.net>
To: Jeroen Massar <jeroen@unfix.org>
In-Reply-To: <4C7D2E45.7020704@unfix.org>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Jeroen Massar wrote:
> just remember that a lot of people have VPN software, connect from home
> to that VPN and do other weird setups (Skype for instance, BitTorrent)
> where there are possibilities to bypass your "firewall".
>
I agree. My concern here is that we are dealing with improper firewalls.
We are dealing with ignorance, and we have M$ enabling teredo by default
(though not active until they install the appropriate app). Creating
what is essentially a public vpn through a firewall without the user
being aware of it is insecure. For all the wonderful popups that vista+
gives, it amazes me that teredo isn't one of them.
6to4 doesn't suffer the same issues, primarily because RFC1918
addressing can't be used in 6to4. This means that at a minimum, the
router has to participate or the host behind it must be manually
configured with a 6to4 address (for the proto 41 pass through to work).
Neither is an automatic traversal of the router's policies without user
knowledge.
Jack
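The distinction Jack draws above, as an added example that is not part of the thread: 6to4 embeds the host's IPv4 address in a 2002::/16 prefix, so an RFC1918 source yields nothing routable, while Teredo rides plain UDP/3544 through NAT. The flow records and the `classify_flow`/`audit` helpers are constructed for illustration; the RFC1918 check is deliberately narrow, matching the thread's wording, so a production filter would also exclude other non-global IPv4 space.

```python
import ipaddress
from typing import Optional

# Constructed constants for this example (not from the original thread).
SIXTO4 = ipaddress.IPv6Network("2002::/16")
TEREDO_PORT = 3544                      # Teredo UDP port (RFC 4380)
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)

def sixto4_prefix(ipv4: str) -> Optional[str]:
    """Derive the 2002:WWXX:YYZZ::/48 prefix 6to4 embeds for an IPv4 address.
    Returns None for RFC1918 space: the prefix would not be routable, which is
    why a NATed host cannot use 6to4 unless the router itself participates."""
    v4 = ipaddress.IPv4Address(ipv4)
    if is_rfc1918(v4):
        return None
    b = v4.packed
    return str(ipaddress.IPv6Network(f"2002:{b[:2].hex()}:{b[2:].hex()}::/48"))

def embedded_ipv4(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Recover the IPv4 address carried inside a 6to4 (2002::/16) address."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIXTO4:
        return None
    return ipaddress.IPv4Address(v6.packed[2:6])

def classify_flow(src: str, proto: int, dport: Optional[int] = None) -> Optional[str]:
    """Label an outbound IPv4 flow by the IPv6 tunnel it carries (hypothetical
    helper). Teredo traverses NAT on its own (UDP/3544); protocol 41 is 6to4 and
    only works from a public source, so from RFC1918 space it is misconfigured."""
    s = ipaddress.IPv4Address(src)
    if proto == 41:
        return "6to4-unroutable" if is_rfc1918(s) else "6to4"
    if proto == 17 and dport == TEREDO_PORT:
        return "teredo"
    return None

# Constructed flow records: (source address, IP protocol, destination port).
SAMPLE_FLOWS = [
    ("192.168.1.20", 17, TEREDO_PORT),  # Teredo from a NATed desktop
    ("192.168.1.20", 41, None),         # proto 41 from RFC1918: cannot be valid 6to4
    ("192.0.2.10", 41, None),           # proto 41 from a public address: router/host case
    ("192.168.1.20", 6, 443),           # ordinary HTTPS, not a tunnel
]

def audit(flows=SAMPLE_FLOWS) -> list:
    """Return (source, label) for every flow that carries tunneled IPv6."""
    return [(src, label) for src, proto, dport in flows
            if (label := classify_flow(src, proto, dport))]
```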