Microsoft and Teredo
Sean.Siler at microsoft.com
Thu May 31 18:32:25 UTC 2007
>If you're concerned about hosts at your site getting
>to the world using Teredo, you can simply block 3544/UDP to prevent
>hosts bootstrapping - I'm not sure if already-bootstrapped hosts
>would continue to function, I'm guessing that they would.
No, if you block 3544/UDP, the bubble packets are blocked, and Teredo ceases to function, even for those clients who are already configured.
Sean Siler|IPv6 Program Manager
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of Nathan Ward
Sent: Thursday, May 31, 2007 8:10 AM
Subject: Re: Microsoft and Teredo
On 31/05/2007, at 11:41 PM, Adrian Chadd wrote:
> On Thu, May 31, 2007, Sean Siler wrote:
>> While these are really good questions, I'm afraid I don't have
>> really good answers to them yet. We haven't made the bits
>> available for customers to install their own Teredo Servers/Relays
>> at this point, and because we haven't, we also don't have good
>> deployment guidance to go along with that.
>> I have my own feelings, but let me ask this: what do you all feel
>> about installing a Teredo server in order to provide v6
>> connectivity to your clients? Is this something that you are
>> really interested in?
> I'd prefer to throw IPv6 network ranges at customer links, so they
> can have "other" devices on IPv6. IPv6 isn't just for desktops.
Medium+ term, of course. I don't see Teredo as something that will be
my primary way of getting IPv6 to end users forever. (I don't think
> How's Teredo servers tie into network security? Does the act of
> from v4 to a v6 broker bypass firewalls, IDSes, etc?
In perfect time, this was published yesterday, to answer that very
See also some comments from MS:
In short, yes. If you're concerned about hosts at your site getting
to the world using Teredo, you can simply block 3544/UDP to prevent
hosts bootstrapping - I'm not sure if already-bootstrapped hosts
would continue to function, I'm guessing that they would.
Alternatively, disabling Teredo with registry settings works fine,
but obviously requires more than just control of a wire.
IDSs+firewalls probably need to become Teredo aware pretty quickly,
along with anything that needs to do deep-packet inspection (P2P rate
limiting boxes, for example). I'm not aware of any of these vendors
supporting this, but then again, I haven't looked hard.
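Two points in this thread translate directly into detection logic: Teredo clients bootstrap to a server on UDP/3544 (and, per Sean's reply above, keep sending bubble packets there, so blocking that port stops already-configured clients too), and any IPv6 address under 2001::/32 is a Teredo address that encodes the server, the client's NAT-mapped port and the client's public IPv4 in its lower 96 bits (RFC 4380). The following is an added example, not code from the original thread or from Microsoft: it decodes a Teredo address into those fields and picks the bootstrap flows out of a few constructed flow-log lines. The log format, the 10.1.2.x hosts and the 198.51.100.9 / 203.0.113.5 peers are assumptions for the sample; the decoded address is the worked example from RFC 4380.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 4380: Teredo prefix and the UDP port clients use to reach their server.
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")
TEREDO_UDP_PORT = 3544


@dataclass
class TeredoInfo:
    server: str           # Teredo server IPv4, bits 32-63 of the address
    client_external: str  # client's NAT-mapped IPv4, stored XOR 0xFFFFFFFF
    client_port: int      # client's NAT-mapped UDP port, stored XOR 0xFFFF
    cone_flag: bool       # bit 0x8000 of the 16-bit flags field


def decode_teredo(addr: str) -> Optional[TeredoInfo]:
    """Return the embedded server/client details for a Teredo address, else None."""
    try:
        ip = ipaddress.IPv6Address(addr)
    except ValueError:
        return None
    if ip not in TEREDO_PREFIX:
        return None
    raw = int(ip)
    server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
    flags = (raw >> 48) & 0xFFFF
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
    client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return TeredoInfo(str(server), str(client), port, bool(flags & 0x8000))


# Assumed flow-log line shape: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> len <n>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def teredo_bootstrap_flows(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (internal host, server) pairs for UDP flows to the Teredo server port.

    Only server-bound traffic is matched: once a client is bootstrapped, data to
    relays and peers travels over arbitrary UDP ports, so this catches the
    bootstrap and bubble traffic the thread talks about, not every Teredo packet.
    """
    hits = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m or m.group("proto") != "UDP":
            continue
        if int(m.group("dport")) == TEREDO_UDP_PORT:
            hits.append((m.group("src"), m.group("dst")))
    return hits


# Constructed sample log lines (not from the original thread).
SAMPLE_FLOWS = [
    "2007-05-31T12:10:01 UDP 10.1.2.3:54321 -> 65.54.227.120:3544 len 61",   # bootstrap
    "2007-05-31T12:10:02 TCP 10.1.2.3:44123 -> 192.0.2.80:443 len 1500",     # ordinary HTTPS
    "2007-05-31T12:10:03 UDP 10.1.2.7:3544 -> 198.51.100.9:3544 len 40",     # bootstrap
    "2007-05-31T12:10:04 UDP 10.1.2.3:54321 -> 203.0.113.5:1234 len 61",     # post-bootstrap, not matched
]

# Worked Teredo address from RFC 4380: server 65.54.227.120, client 192.0.2.45 port 40000.
RFC_EXAMPLE = "2001:0000:4136:e378:8000:63bf:3fff:fdd2"

if __name__ == "__main__":
    print(decode_teredo(RFC_EXAMPLE))
    for host, server in teredo_bootstrap_flows(SAMPLE_FLOWS):
        print(f"{host} bootstrapping Teredo via {server}")
```

Running the decoder over IPv6 addresses seen in proxy or DNS logs gives an inventory of which internal hosts have Teredo addresses and which public server they rely on, which is the information you need before deciding whether a UDP/3544 block is safe to roll out.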