Microsoft and Teredo

Sean Siler Sean.Siler at microsoft.com
Thu May 31 18:32:25 UTC 2007


>If you're concerned about hosts at your site getting
>to the world using Teredo, you can simply block 3544/UDP to prevent
>hosts bootstrapping - I'm not sure if already-bootstrapped hosts
>would continue to function, I'm guessing that they would.


No, if you block 3544/UDP, the bubble packets are blocked, and Teredo ceases to function, even for those clients who are already configured.


Sean Siler|IPv6 Program Manager


-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of Nathan Ward
Sent: Thursday, May 31, 2007 8:10 AM
To: Nanog
Subject: Re: Microsoft and Teredo



On 31/05/2007, at 11:41 PM, Adrian Chadd wrote:

>
> On Thu, May 31, 2007, Sean Siler wrote:
>>
>> Nathan,
>>
>> While these are really good questions, I'm afraid I don't have
>> really good answers to them yet.  We haven't made the bits
>> available for customers to install their own Teredo Servers/Relays
>> at this point, and because we haven't, we also don't have good
>> deployment guidance to go along with that.
>>
>> I have my own feelings, but let me ask this: what do you all feel
>> about installing a Teredo server in order to provide v6
>> connectivity to your clients? Is this something that you are
>> really interested in?
>
> I'd prefer to throw IPv6 network ranges at customer links, so they
> can have "other" devices on IPv6. IPv6 isn't just for desktops.

Medium+ term, of course. I don't see Teredo as something that will be
my primary way of getting IPv6 to end users forever. (I don't think
anyone does.)

> How do Teredo servers tie into network security? Does the act of
> tunneling from v4 to a v6 broker bypass firewalls, IDSes, etc?

In perfect time, this was published yesterday, to answer that very
question:
http://www.ietf.org/internet-drafts/draft-hoagland-v6ops-teredosecconcerns-00.txt
See also some comments from MS:
http://www.microsoft.com/technet/community/columns/cableguy/cg1005.mspx#ERH

In short, yes. If you're concerned about hosts at your site getting
to the world using Teredo, you can simply block 3544/UDP to prevent
hosts bootstrapping - I'm not sure if already-bootstrapped hosts
would continue to function, I'm guessing that they would.
Alternatively, disabling Teredo with registry settings works fine,
but obviously requires more than just control of a wire.

IDSs+firewalls probably need to become Teredo aware pretty quickly,
along with anything that needs to do deep-packet inspection (P2P rate
limiting boxes, for example). I'm not aware of any of these vendors
supporting this, but then again, I haven't looked hard.

--
Nathan Ward
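The "Teredo aware" inspection Nathan says IDSes and firewalls will need, sketched as an added example that is not from this thread or from Microsoft: a Python decoder that walks a UDP/3544 payload past the RFC 4380 indicators, tells bubble packets from data packets, and unpacks the server, client IPv4 and port embedded in a Teredo address. The addresses and packet bytes below are constructed samples.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # 2001:0000::/32 (RFC 4380)

def decode_teredo_address(addr):
    """Unpack the fields embedded in a Teredo address; None if not in 2001:0::/32."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        return None
    raw = a.packed
    flags, obf_port = struct.unpack("!HH", raw[8:12])
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),  # Teredo server IPv4
        "cone": bool(flags & 0x8000),                    # client behind a cone NAT
        "port": obf_port ^ 0xFFFF,                       # client's external UDP port
        "client": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))),
    }

def classify_teredo_payload(payload):
    """Skip the RFC 4380 indicators in a UDP/3544 payload and classify the IPv6 packet."""
    off = 0
    # Authentication indicator: 0x0001, ID len, auth len, ID, auth, 8-byte nonce, 1 byte
    if payload[:2] == b"\x00\x01":
        off = 4 + payload[2] + payload[3] + 8 + 1
    origin = None
    # Origin indicator: 0x0000, then the sender's NAT mapping, port and IPv4 XORed with 1s
    if payload[off:off + 2] == b"\x00\x00":
        (obf_port,) = struct.unpack("!H", payload[off + 2:off + 4])
        obf_ip = bytes(b ^ 0xFF for b in payload[off + 4:off + 8])
        origin = (str(ipaddress.IPv4Address(obf_ip)), obf_port ^ 0xFFFF)
        off += 8
    hdr = payload[off:off + 40]
    if len(hdr) < 40 or hdr[0] >> 4 != 6:
        return None  # no IPv6 header where one should be: not a Teredo packet
    payload_len, next_hdr = struct.unpack("!HB", hdr[4:7])
    # A bubble is an empty IPv6 packet (next header 59, length 0) sent to open NAT state
    return {
        "kind": "bubble" if next_hdr == 59 and payload_len == 0 else "data",
        "origin": origin,
        "src": decode_teredo_address(ipaddress.IPv6Address(hdr[8:24])),
        "dst": decode_teredo_address(ipaddress.IPv6Address(hdr[24:40])),
    }

# Constructed sample: server 192.0.2.1, cone NAT, client 203.0.113.5 mapped to port 40000
SAMPLE_ADDR = "2001:0:c000:201:8000:63bf:34ff:8efa"
SAMPLE_PEER = "2001:0:c000:201:0:ec77:39cc:9bf8"  # constructed: 198.51.100.7, port 5000
SAMPLE_BUBBLE = (
    b"\x00\x00\x63\xbf\x34\xff\x8e\xfa" + b"\x60\x00\x00\x00\x00\x00\x3b\x40"  # origin + IPv6 hdr
    + ipaddress.IPv6Address(SAMPLE_ADDR).packed + ipaddress.IPv6Address(SAMPLE_PEER).packed
)
```

Run over a UDP/3544 capture, the same walk lets a filter see the inner IPv6 addresses that a v4-only IDS otherwise misses.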


