Teredo and 'firewalls' (Re: Comcast enables 6to4 relays)

Jeroen Massar jeroen at unfix.org
Tue Aug 31 17:40:26 UTC 2010

On 2010-08-31 19:32, Jack Bates wrote:
> Jeroen Massar wrote:
>> If you have one person setting up ICS on their machine and they have
>> enabled IPv6 voila the whole network gets IPv6, that thus does not solve
>> your problem either. Or are you monitoring IPv6 RAs etc?
> Setting up ICS with IPv6 is user knowledge in my opinion. In addition,
> the ICS will handle the firewall rules unless the user chooses to turn
> it off.
>> I think you have to move to better analyzing & monitoring your network
>> and more control over the hosts which participate in that network.
> My concern is as an ISP that has customers who are unaware that their
> little routers aren't filtering all of their packets. There are a
> million ways they might get infected or have security problems. However,
> teredo is obviously a circumvention of protection they *think* they
> have.

There is no circumvention here. Teredo is the same as having a P2P app
(take Skype as a random example) that connects to an outside host and
uses that to relay messages to something else, allowing outside hosts to
use that network to connect to your inbound host.

Teredo does not enable more inbound connections than before, unless an
app supports IPv6, but then that app was installed by the user, thus they
want it to run.

Also note that XP/2k3/Vista/Seven/2k8 all have firewalls by default
that support IPv6 and that handle IPv4 and IPv6 exactly the same: ask
the user with an annoying popup. Vista/Seven/2k8 even (can) do that for
outbound connections.

The only thing you can do to help your users is to provide them with
proper education and to explain to them that they should keep up to date,
run the right tools and not click anywhere they can.... and that is a
mission which is near impossible.

Teredo though is far from your worst worry. Just check how many
"Teredo", or heck, IPv6-related infections you have and how many you
have who have autodialers and the gazillion other botnets on their hosts.

You can sleep very tight over your perceived "Teredo" problem ;)
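The thread keeps coming back to one operational question: can an ISP even see how much of its IPv6 traffic is Teredo (or 6to4) rather than native? The following is an added example, not code from either poster or from the NANOG list. It decodes the IPv4 endpoints that Teredo (RFC 4380) and 6to4 (RFC 3056) embed in their IPv6 addresses and tallies a handful of constructed flow-log lines by tunnel type; the `src=` log format, the documentation-range server and client addresses, and the sample lines are all assumptions made for the example.

```python
"""Classify IPv6 source addresses seen in flow or firewall logs as Teredo,
6to4 or native, and decode the IPv4 endpoints the tunnel addresses embed.

Teredo layout (RFC 4380), 16 bytes:
  2001:0000 | server IPv4 | flags | client port ^ 0xFFFF | client IPv4 ^ 0xFFFFFFFF
6to4 layout (RFC 3056): 2002:<IPv4 of the 6to4 router>::/48
"""
import ipaddress
import re
from collections import Counter

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")      # 2001:0000::/32
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")


def decode_teredo(addr: str) -> dict:
    """Return the Teredo server plus the client's NAT-side public IPv4 and port.

    The port and client address are stored XORed with all-ones, so they are
    inverted back here. The client fields are what the rest of the Internet
    sees the tunnelled host's UDP traffic coming from."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    b = a.packed
    return {
        "server": str(ipaddress.IPv4Address(b[4:8])),
        "flags": int.from_bytes(b[8:10], "big"),
        "client_port": int.from_bytes(b[10:12], "big") ^ 0xFFFF,
        "client_ip": str(ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))),
    }


def decode_6to4(addr: str) -> str:
    """Return the IPv4 address of the 6to4 router embedded in bits 16..47."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTOFOUR_PREFIX:
        raise ValueError(f"{addr} is not a 6to4 address")
    return str(ipaddress.IPv4Address(a.packed[2:6]))


def classify(addr: str) -> tuple:
    """Return (kind, detail): kind is 'teredo', '6to4' or 'native'."""
    a = ipaddress.IPv6Address(addr)
    if a in TEREDO_PREFIX:
        d = decode_teredo(addr)
        return ("teredo", f"{d['client_ip']}:{d['client_port']} via {d['server']}")
    if a in SIXTOFOUR_PREFIX:
        return ("6to4", decode_6to4(addr))
    return ("native", None)


# Assumed log format: key=value fields, with the IPv6 source in "src=".
SRC_RE = re.compile(r"\bsrc=([0-9a-fA-F:]+)")


def summarize(lines) -> Counter:
    """Count log lines per address kind; lines without a parseable IPv6 src are skipped."""
    counts = Counter()
    for line in lines:
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            kind, _ = classify(m.group(1))
        except ValueError:          # e.g. an IPv4-only line; the regex stops at '.'
            continue
        counts[kind] += 1
    return counts


# Constructed sample lines. Server 198.51.100.1; Teredo clients 192.0.2.45:40000
# and 203.0.113.7:1234 (XORed into the low 48 bits); one 6to4 host behind
# 192.0.2.45; one native host; one IPv4-only line that must be ignored.
SAMPLE_LOG = [
    "2010-08-31T17:40:26Z src=2001:0:c633:6401:0:63bf:3fff:fdd2 dst=2001:db8::10 proto=tcp dport=445",
    "2010-08-31T17:40:27Z src=2001:0:c633:6401:0:fb2d:34ff:8ef8 dst=2001:db8::10 proto=tcp dport=135",
    "2010-08-31T17:40:28Z src=2002:c000:22d::1 dst=2001:db8::20 proto=tcp dport=80",
    "2010-08-31T17:40:29Z src=2001:db8:1::5 dst=2001:db8::20 proto=tcp dport=443",
    "2010-08-31T17:40:30Z src=192.0.2.9 dst=198.51.100.20 proto=udp dport=3544",
]

if __name__ == "__main__":
    for kind, n in summarize(SAMPLE_LOG).items():
        print(f"{kind:7s} {n}")
    for line in SAMPLE_LOG[:2]:
        print(decode_teredo(SRC_RE.search(line).group(1)))
```

`ipaddress.IPv6Address` already exposes `.teredo` and `.sixtofour` properties that return the same server/client pairs; the decoding is spelled out here so the XOR obfuscation of the client endpoint is visible, since that is the field an operator would correlate against the UDP flows actually crossing the IPv4 edge.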

