Microsoft and Teredo

Nathan Ward nanog at daork.net
Thu May 31 12:09:49 UTC 2007



On 31/05/2007, at 11:41 PM, Adrian Chadd wrote:

>
> On Thu, May 31, 2007, Sean Siler wrote:
>>
>> Nathan,
>>
>> While these are really good questions, I'm afraid I don't have  
>> really good answers to them yet.  We haven't made the bits  
>> available for customers to install their own Teredo Servers/Relays  
>> at this point, and because we haven't, we also don't have good  
>> deployment guidance to go along with that.
>>
>> I have my own feelings, but let me ask this: what do you all feel  
>> about installing a Teredo server in order to provide v6  
>> connectivity to your clients? Is this something that you are  
>> really interested in?
>
> I'd prefer to throw IPv6 network ranges at customer links, so they can have
> "other" devices on IPv6. IPv6 isn't just for desktops.

Medium+ term, of course. I don't see Teredo as something that will be  
my primary way of getting IPv6 to end users forever. (I don't think  
anyone does.)

> How's Teredo servers tie into network security? Does the act of tunneling
> from v4 to a v6 broker bypass firewalls, IDSes, etc?

In perfect time, this was published yesterday, to answer that very  
question:
http://www.ietf.org/internet-drafts/draft-hoagland-v6ops-teredosecconcerns-00.txt
See also some comments from MS:
http://www.microsoft.com/technet/community/columns/cableguy/cg1005.mspx#ERH

In short, yes. If you're concerned about hosts at your site getting  
to the world using Teredo, you can simply block 3544/UDP to prevent  
hosts bootstrapping - I'm not sure if already-bootstrapped hosts  
would continue to function, I'm guessing that they would.  
Alternatively, disabling Teredo with registry settings works fine,  
but obviously requires more than just control of a wire.

IDSs+firewalls probably need to become Teredo aware pretty quickly,  
along with anything that needs to do deep-packet inspection (P2P rate  
limiting boxes, for example). I'm not aware of any of these vendors  
supporting this, but then again, I haven't looked hard.

--
Nathan Ward
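As an added example (not code from the post, the draft, or Microsoft's Teredo implementation), here is what "Teredo aware" inspection of UDP/3544 traffic amounts to in practice: decoding the RFC 4380 address layout (server IPv4, cone flag, obfuscated client IPv4:port) and stripping the Teredo indications to reach the inner IPv6 header that a firewall or IDS actually needs to judge. The server/client addresses, port and datagram below are constructed sample values.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # RFC 4380 Teredo prefix
TEREDO_PORT = 3544                                  # the UDP port the post says to block

def build_teredo_address(server, client, port, cone=True):
    """Encode a Teredo IPv6 address per RFC 4380 (used here to build test input)."""
    flags = 0x8000 if cone else 0x0000
    raw = (bytes.fromhex("20010000") + ipaddress.IPv4Address(server).packed
           + struct.pack("!HH", flags, port ^ 0xFFFF)          # port is XORed with 0xFFFF
           + bytes(b ^ 0xFF for b in ipaddress.IPv4Address(client).packed))  # IPv4 inverted
    return str(ipaddress.IPv6Address(raw))

def parse_teredo_address(addr):
    """Recover the Teredo server, cone flag and the client's NAT-mapped IPv4:port."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    flags, obf_port = struct.unpack("!HH", raw[8:12])
    return {"server": str(ipaddress.IPv4Address(raw[4:8])),
            "cone": bool(flags & 0x8000),
            "client": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))),
            "port": obf_port ^ 0xFFFF}

def inspect_teredo_udp(dst_port, udp_payload):
    """Strip Teredo indications and return the inner IPv6 (src, dst, next_header),
    or None when the datagram does not look like Teredo-encapsulated IPv6."""
    data = udp_payload
    # Authentication indication: 0x0001, ID-len, Auth-len, ID, Auth, 8-byte nonce, confirm byte
    if data[:2] == b"\x00\x01" and len(data) >= 4:
        data = data[4 + data[2] + data[3] + 9:]
    # Origin indication: 0x0000, obfuscated port (2 bytes), obfuscated IPv4 (4 bytes)
    if data[:2] == b"\x00\x00":
        data = data[8:]
    if len(data) < 40 or data[0] >> 4 != 6:   # need a full IPv6 header, version 6
        return None
    src = ipaddress.IPv6Address(data[8:24])
    dst = ipaddress.IPv6Address(data[24:40])
    if dst_port != TEREDO_PORT and src not in TEREDO_PREFIX and dst not in TEREDO_PREFIX:
        return None
    return str(src), str(dst), data[6]

# Constructed sample: a client behind cone NAT 192.0.2.10:40000 using server 198.51.100.1
# sends an ICMPv6 echo to 2001:db8::1; datagram carries an origin indication first.
CLIENT_ADDR = build_teredo_address("198.51.100.1", "192.0.2.10", 40000)
SAMPLE_PAYLOAD = (b"\x00\x00" + struct.pack("!H", 40000 ^ 0xFFFF) + bytes.fromhex("3ffffdf5")
                  + bytes([0x60, 0, 0, 0, 0, 8, 58, 64])      # IPv6 header: len 8, ICMPv6, hop 64
                  + ipaddress.IPv6Address(CLIENT_ADDR).packed
                  + ipaddress.IPv6Address("2001:db8::1").packed
                  + b"\x80" + b"\x00" * 7)                    # minimal ICMPv6 echo request body
```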