Comcast enables 6to4 relays

Jeroen Massar jeroen at unfix.org
Tue Aug 31 10:11:55 CDT 2010


On 2010-08-31 16:54, Mikael Abrahamsson wrote:
> On Tue, 31 Aug 2010, Jack Bates wrote:
> 
>> Teredo usage isn't common enough on our network to warrant the work.
>> Very few apps will activate it is my guess.
> 
> <http://ipv6.tele2.net/teredo_stats.php>
> 
> As I stated, either your users are using your Teredo server, or they're
> using someone else's. Not running one yourself doesn't mean your users
> aren't running Teredo.

psssst it's relay not server :)

I guess everybody mixes that up one day or another. It is also a reason
why just having Microsoft's default server is not a huge issue.

[..]
>> Then there is the "customer is unaware" fact. If the customer is
>> unaware that their NAT is being pierced for IPv6 communication, then
>> we have contributed to decreasing their security. For this reason, it
>> might not be completely unwarranted for an ISP to block teredo
>> altogether. 6to4 doesn't suffer from this as there is no NAT traversal.

Jack: there are a lot more methods to infect a host than this as there
are lots and lots of p2p protocols which are being used by C&C botnets.
And never forget about this very simple protocol called HTTP(S).

> Blocking Teredo completely is a whole other discussion.
> 
> Also, some NAT gateways will support a single device behind it doing
> Proto 41, so saying 6to4 has no NAT traversal and thus won't work behind
> NAT isn't true in all cases.

Flaky but it works. Generally they just tag 'oh protocol 41 has to go to
host X' thus when you enable a second all traffic either moves there or
sticks at the first. It's the reason Teredo/AYIYA/etc exist ;)

Greets,
 Jeroen
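
The protocol 41 behaviour described in the reply above, as an added illustration that is not part of the original post: a toy model of a NAT gateway that keeps one forwarding slot for protocol 41 (which has no ports to demultiplex on) and per-port mappings for UDP-encapsulated tunnels such as Teredo. The class, the function names, the addresses and the port range are all constructed for this sketch and model no particular vendor.

```python
# Toy model of a NAT gateway's inbound demultiplexing (constructed example).
PROTO_UDP, PROTO_41 = 17, 41  # IP protocol numbers: UDP, IPv6-in-IPv4

class ToyNat:
    def __init__(self, sticky):
        self.sticky = sticky      # True: first proto-41 host keeps the slot
        self.udp = {}             # external port -> inside host
        self.proto41_host = None  # one slot only: proto 41 carries no ports
        self.next_port = 40000    # constructed external port range

    def outbound(self, host, proto):
        """Record state for an outbound packet; return the external port, if any."""
        if proto == PROTO_UDP:
            port, self.next_port = self.next_port, self.next_port + 1
            self.udp[port] = host
            return port
        if proto == PROTO_41:
            if self.proto41_host is None or not self.sticky:
                self.proto41_host = host
            return None
        raise ValueError(f"unsupported protocol {proto}")

    def inbound(self, proto, dport=None):
        """Return the inside host an inbound packet is forwarded to, or None."""
        if proto == PROTO_UDP:
            return self.udp.get(dport)
        if proto == PROTO_41:
            return self.proto41_host
        return None

def two_hosts(sticky):
    """Two inside hosts each start a proto-41 tunnel and a UDP-based tunnel."""
    nat = ToyNat(sticky)
    a, b = "192.168.1.10", "192.168.1.11"  # constructed inside addresses
    nat.outbound(a, PROTO_41)
    nat.outbound(b, PROTO_41)
    port_a = nat.outbound(a, PROTO_UDP)
    port_b = nat.outbound(b, PROTO_UDP)
    return {
        "proto41_goes_to": nat.inbound(PROTO_41),
        "udp_a": nat.inbound(PROTO_UDP, port_a),
        "udp_b": nat.inbound(PROTO_UDP, port_b),
    }

if __name__ == "__main__":
    for sticky in (False, True):
        print("sticky" if sticky else "moves", two_hosts(sticky))
```

In both modes only one inside host receives inbound protocol 41 traffic, while the UDP-encapsulated tunnels of both hosts keep working.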
