Comcast enables 6to4 relays
Jack Bates
jbates at brightok.net
Tue Aug 31 17:02:56 UTC 2010
Jeroen Massar wrote:
> just remember that a lot of people have VPN software, connect from home
> to that VPN and do other weird setups (Skype for instance, BitTorrent)
> where there are possibilities to bypass your "firewall".
>
I agree. My concern here is that we are dealing with improper firewalls.
We are dealing with ignorance, and we have M$ enabling Teredo by default
(though not active until they install the appropriate app). Creating
what is essentially a public VPN through a firewall without the user
being aware of it is insecure. For all the wonderful popups that Vista+
gives, it amazes me that Teredo isn't one of them.
6to4 doesn't suffer the same issues, primarily because RFC1918
addressing can't be used in 6to4. This means that at a minimum, the
router has to participate or the host behind it must be manually
configured with a 6to4 address (for the proto 41 pass-through to work).
Neither is an automatic traversal of the router's policies without user
knowledge.
Jack
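The distinction Jack draws (6to4 prefixes are derived from a globally routable IPv4 address, so an RFC1918 host cannot form one, while a Teredo address encodes a NAT-traversal session with a server, a client's external address and a UDP port) can be checked mechanically from the addresses themselves. The script below is an added example, not code from the post or the NANOG list: it derives the 2002::/48 prefix for a public IPv4 address and refuses RFC1918 input, and it classifies IPv6 addresses seen in logs as 6to4 or Teredo, extracting the embedded IPv4 details per RFC 3056 and RFC 4380. The sample addresses are constructed from documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).

```python
import ipaddress

# RFC1918 private ranges; a 6to4 prefix cannot be derived from any of these.
PRIVATE_V4 = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SIXTO4 = ipaddress.ip_network("2002::/16")   # RFC 3056
TEREDO = ipaddress.ip_network("2001::/32")   # RFC 4380


def is_rfc1918(v4: str) -> bool:
    a = ipaddress.IPv4Address(v4)
    return any(a in n for n in PRIVATE_V4)


def sixto4_prefix(public_v4: str) -> str:
    """Return the 2002:WWXX:YYZZ::/48 prefix for a public IPv4 address.

    Raises ValueError for RFC1918 input, since 6to4 embeds the address
    itself and relays route the reply back to it: a private address
    simply has no working 6to4 prefix.
    """
    if is_rfc1918(public_v4):
        raise ValueError(f"{public_v4} is RFC1918; 6to4 needs a routable IPv4 address")
    b = ipaddress.IPv4Address(public_v4).packed
    return f"2002:{b[0]:02x}{b[1]:02x}:{b[2]:02x}{b[3]:02x}::/48"


def classify(addr: str) -> dict:
    """Identify tunnel addresses and pull out what they embed.

    For 6to4, the embedded IPv4 is the tunnel endpoint; if it is RFC1918
    the host was misconfigured and the traffic cannot be relayed back.
    For Teredo, the server, the client's external IPv4 and its UDP port
    are recovered (port and client are stored XORed with all-ones).
    """
    a = ipaddress.IPv6Address(addr)
    if a in SIXTO4:
        v4 = str(a.sixtofour)                       # bits 16..47 of the address
        return {"kind": "6to4", "embedded_v4": v4,
                "private_embedded": is_rfc1918(v4)}
    if a in TEREDO:
        b = a.packed
        server = str(ipaddress.IPv4Address(b[4:8]))
        flags = int.from_bytes(b[8:10], "big")
        port = int.from_bytes(b[10:12], "big") ^ 0xFFFF
        client = str(ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16])))
        return {"kind": "teredo", "server": server,
                "client_external_v4": client, "client_port": port,
                "cone_nat": bool(flags & 0x8000)}  # RFC 4380 cone flag
    return {"kind": "native-or-other"}


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not observed data.
    print(sixto4_prefix("203.0.113.5"))
    for sample in ("2002:cb00:7105::1",                 # 6to4 from 203.0.113.5
                   "2002:c0a8:101::1",                  # 6to4 "from" 192.168.1.1
                   "2001:0:c000:201:8000:63bf:39cc:9bf5",  # Teredo session
                   "2001:db8::1"):
        print(sample, classify(sample))
    try:
        sixto4_prefix("192.168.1.1")
    except ValueError as e:
        print("rejected:", e)
```

A 6to4 address whose embedded IPv4 is private, or a Teredo address at all, appearing in flow logs from a network that believes it has no IPv6 is worth an alert: the former is a misconfiguration that can never work, the latter is exactly the host-initiated UDP tunnel the post describes.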