Teredo and 'firewalls' (Re: Comcast enables 6to4 relays)

Jack Bates jbates at brightok.net
Tue Aug 31 17:32:46 UTC 2010


Jeroen Massar wrote:
> 
> If you have one person setting up ICS on their machine and they have
> enabled IPv6, voila, the whole network gets IPv6; that thus does not solve
> your problem either. Or are you monitoring IPv6 RAs etc?

Setting up ICS with IPv6 is user knowledge in my opinion. In addition, 
the ICS will handle the firewall rules unless the user chooses to turn 
it off.

> 
> I think you have to move to better analyzing & monitoring your network
> and more control over the hosts which participate in that network.
> 

My concern is as an ISP that has customers who are unaware that their 
little routers aren't filtering all of their packets. There are a 
million ways they might get infected or have security problems. However, 
Teredo is obviously a circumvention of protection they *think* they 
have. Corporate networks can secure their own networks (or not, but they 
are held to a higher standard than the average home user and failure to 
protect is their own fault).


Jack



