Microsoft and Teredo

Nathan Ward nanog at
Thu May 31 12:09:49 UTC 2007

On 31/05/2007, at 11:41 PM, Adrian Chadd wrote:

> On Thu, May 31, 2007, Sean Siler wrote:
>> Nathan,
>> While these are really good questions, I'm afraid I don't have  
>> really good answers to them yet.  We haven't made the bits  
>> available for customers to install their own Teredo Servers/Relays  
>> at this point, and because we haven't, we also don't have good  
>> deployment guidance to go along with that.
>> I have my own feelings, but let me ask this: what do you all feel  
>> about installing a Teredo server in order to provide v6  
>> connectivity to your clients? Is this something that you are  
>> really interested in?
> I'd prefer to throw IPv6 network ranges at customer links, so they  
> can have
> "other" devices on IPv6. IPv6 isn't just for desktops.

Medium+ term, of course. I don't see Teredo as something that will be  
my primary way of getting IPv6 to end users forever. (I don't think  
anyone does.)

> How's Teredo servers tie into network security? Does the act of  
> tunneling
> from v4 to a v6 broker bypass firewalls, IDSes, etc?

In perfect time, this was published yesterday, to answer that very  
See also some comments from MS: 

In short, yes. If you're concerned about hosts at your site getting  
to the world using Teredo, you can simply block 3544/UDP to prevent  
hosts bootstrapping - I'm not sure if already-bootstrapped hosts  
would continue to function, I'm guessing that they would.  
Alternatively, disabling Teredo with registry settings works fine,  
but obviously requires more than just control of a wire.

IDSs+firewalls probably need to become Teredo aware pretty quickly,  
along with anything that needs to do deep-packet inspection (P2P rate  
limiting boxes, for example). I'm not aware of any of these vendors  
supporting this, but then again, I haven't looked hard.

Nathan Ward

More information about the NANOG mailing list