[97086] in North American Network Operators' Group
Re: Microsoft and Teredo
daemon@ATHENA.MIT.EDU (Nathan Ward)
Thu May 31 20:41:47 2007
In-Reply-To: <D03E4899F2FB3D4C8464E8C76B3B68B071BFCD@E03MVC4-UKBR.domain1.systemhost.net>
From: Nathan Ward <nanog@daork.net>
Date: Fri, 1 Jun 2007 12:40:56 +1200
To: Nanog <nanog@nanog.org>
Errors-To: owner-nanog@merit.edu

On 1/06/2007, at 2:24 AM, <michael.dillon@bt.com> wrote:
>
>> In perfect time, this was published yesterday, to answer that very
>> question:
>> http://www.ietf.org/internet-drafts/draft-hoagland-v6ops-teredosecconcerns-00.txt
>
> Unfortunately, he doesn't say much in the way of solutions. For
> instance, if a company has internal IPv6 connectivity to their ISP, then
> presumably, Teredo is not needed. The problem then becomes one of
> firewall vendors supporting IPv6. He positions it as a problem that
> needs awkward workarounds such as blocking Teredo or patching Windows.
> He gives up on firewall vendors and only looks at their ability to do
> deep packet inspection by unencapsulating tunneled traffic. But plain
> ordinary IPv6 support from firewall vendors is not mentioned.

He doesn't mention native IPv6 as it's a Teredo document.

> In any case, this draft is directed at the enterprise which rigorously
> firewalls all ingress/egress traffic at the edge.

Yes, I don't know if possible security concerns with Teredo are
applicable to ISPs, unless you offer a firewalled service. Then those
concerns are really the same as an enterprise's.

--
Nathan Ward