Teredo and 'firewalls' (Re: Comcast enables 6to4 relays)

Jeroen Massar jeroen at unfix.org
Tue Aug 31 12:23:37 CDT 2010


On 2010-08-31 19:02, Jack Bates wrote:
> Jeroen Massar wrote:
>> just remember that a lot of people have VPN software, connect from home
>> to that VPN and do other weird setups (Skype for instance, BitTorrent)
>> where there are possibilities to bypass your "firewall".
>>
> 
> I agree. My concern here is that we are dealing with improper firewalls.

Then fix your firewall, next to those administrators. You seem to love
managing things centrally, but you forget that if you do things the MS
way: Active Directory / Domains, that Teredo&6to4 are automatically
turned off unless you turn the policy switch on. MS thus takes care of this.

> We are dealing with ignorance, and we have M$ enabling teredo by default
> (though not active until they install the appropriate app).

No, Teredo & 6to4 (and ISATAP) are enabled per default on Vista/Win7 and
also XP if you install IPv6, if the host has native it will use that, if
is in non-RFC1918 space it will try 6to4, if it is in RFC1918 space it
will try Teredo.

This is great for getting IPv6 connectivity going. It is 'bad' for a
corporate network. You can work around it two ways: enable native IPv6
or use active directory and voila the moment that a host is in the
domain it does not do this automatically.

If you do not administer the hosts then you don't have anything that you
can do anyway as there will be software on those hosts which you will
not like and which will easily pierce through your puny firewall.

DNS tunnels near always work for that matter.

> Creating what is essentially a public vpn through a firewall without
> the user being aware of it is insecure. For all the wonderful popups
that vista+
> gives, it amazes me that teredo isn't one of them.

As there are no listening ports being opened and only outbound traffic
is permitted, just the same as the IPv4 adapter, how is this 'dangerous'
? (unless the IPv6 stack is breakable)

> 6to4 doesn't suffer the same issues. Primarily because RFC1918
> addressing can't be used in 6to4. This means that at a minimum, the
> router has to participate or the host behind it must be manually
> configured with a 6to4 address (for the proto 41 pass through to work).
> Neither is an automatic traversal of the router's policies without user
> knowledge.

If you have one person setting up ICS on their machine and they have
enabled IPv6 voila the whole network gets IPv6, that thus does not solve
your problem either. Or are you monitoring IPv6 RAs etc?

I think you have to move to better analyzing & monitoring your network
and more control over the hosts which participate in that network.

Greets,
 Jeroen




More information about the NANOG mailing list