Comcast enables 6to4 relays
jeroen at unfix.org
Tue Aug 31 15:11:55 UTC 2010
On 2010-08-31 16:54, Mikael Abrahamsson wrote:
> On Tue, 31 Aug 2010, Jack Bates wrote:
>> Teredo usage isn't common enough on our network to warrant the work.
>> Very few apps will activate it is my guess.
> As I stated, either your users are using your Teredo server, or they're
> using someone else's. Not running one yourself doesn't mean your users
> aren't running Teredo.
psssst it's relay not server :)
I guess everybody mixes that up one day or another, it is also a reason
why just having Microsoft's default server is not a huge issue.
>> Then there is the "customer is unaware" fact. If the customer is
>> unaware that their NAT is being pierced for IPv6 communication, then
>> we have contributed to decreasing their security. For this reason, it
>> might not be completely unwarranted for an ISP to block teredo all
>> together. 6to4 doesn't suffer from this as there is no NAT traversal.
Jack: there are a lot more methods to infect a host than this, as there
are lots and lots of p2p protocols which are being used by C&C botnets.
And never forget about this very simple protocol called HTTP(S).
> Blocking Teredo completely is a whole other discussion.
> Also, some NAT gateways will support a single device behind it doing
> Proto 41, so saying 6to4 has no NAT traversal and thus won't work behind
> NAT isn't true in all cases.
Flaky, but it works. Generally they just tag 'oh, protocol 41 has to go to
host X', thus when you enable a second one, all traffic either moves there or
sticks at the first. It's the reason Teredo/AYIYA/etc. exist ;)