Comcast enables 6to4 relays

Jack Bates jbates at brightok.net
Tue Aug 31 12:02:56 CDT 2010


Jeroen Massar wrote:
> just remember that a lot of people have VPN software, connect from home
> to that VPN and do other weird setups (Skype for instance, BitTorrent)
> where there are possibilities to bypass your "firewall".
> 

I agree. My concern here is that we are dealing with improper firewalls. 
We are dealing with ignorance, and we have M$ enabling teredo by default 
(though not active until they install the appropriate app). Creating 
what is essentially a public vpn through a firewall without the user 
being aware of it is insecure. For all the wonderful popups that vista+ 
gives, it amazes me that teredo isn't one of them.

6to4 doesn't suffer the same issues. Primarily because RFC1918 
addressing can't be used in 6to4. This means that at a minimum, the 
router has to participate or the host behind it must be manually 
configured with a 6to4 address (for the proto 41 pass through to work). 
Neither is an automatic traversal of the router's policies without user 
knowledge.



Jack




More information about the NANOG mailing list