Teredo and 'firewalls' (Re: Comcast enables 6to4 relays)
Sean.Siler at microsoft.com
Tue Aug 31 13:01:43 CDT 2010
1. I completely agree with Jeroen
2. Jack, if you have specific concerns that Jeroen hasn't answered, feel free to ping me off line. I own Teredo in Windows.
Sean from "M$"
From: Jeroen Massar [mailto:jeroen at unfix.org]
Sent: Tuesday, August 31, 2010 10:40 AM
To: Jack Bates
Subject: Re: Teredo and 'firewalls' (Re: Comcast enables 6to4 relays)
On 2010-08-31 19:32, Jack Bates wrote:
> Jeroen Massar wrote:
>> If you have one person setting up ICS on their machine and they have
>> enabled IPv6 voila the whole network gets IPv6, that thus does not
>> solve your problem either. Or are you monitoring IPv6 RAs etc?
> Setting up ICS with IPv6 is user knowledge in my opinion. In addition,
> the ICS will handle the firewall rules unless the user chooses to turn
> it off.
>> I think you have to move to better analyzing & monitoring your
>> network and more control over the hosts which participate in that network.
> My concern is as an ISP that has customers who are unaware that their
> little routers aren't filtering all of their packets. There are a
> million ways they might get infected or have security problems.
> However, teredo is obviously a circumvention of protection they
> *think* they have.
There is no circumvention here. Teredo is the same as having a P2P app (take Skype as a random example) that connects to an outside host and uses that to relay messages to something else. Allowing outside hosts to use that network to connect to your inbound host.
Teredo does not enable more inbound connections than before, unless a an App supports IPv6, but then that app was installed by the user thus they want it to run.
Also note that XP/2k3/Vista/Seven/2k8 all have firewalls per default that support IPv6 and that handle IPv4 and IPv6 exactly the same: ask the user with an annoying popup. Vista/Seven/2k8 even (can) do that for outbound connections.
The only thing you can do to help your users is to provide them with proper education and to explain them to keep up to date and run the right tools and not click anywhere they can.... and that is a mission which is near impossible.
Teredo though is far from your worst worry. Just check how many "Teredo", or heck, IPv6 related infections you have and how many you have who have autodialers and the gazillion of other botnets on their hosts.
You can sleep very tight over your perceived "Teredo" problem ;)
More information about the NANOG