> If you're concerned about hosts at your site getting to the world using
> Teredo, you can simply block 3544/UDP to prevent hosts bootstrapping -
> I'm not sure if already-bootstrapped hosts would continue to function,
> I'm guessing that they would.
No, if you block 3544/UDP, the bubble packets are blocked, and Teredo ceases to function, even for those clients who are already configured.

Sean Siler | IPv6 Program Manager

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nathan Ward
Sent: Thursday, May 31, 2007 8:10 AM
To: Nanog
Subject: Re: Microsoft and Teredo

On 31/05/2007, at 11:41 PM, Adrian Chadd wrote:

>
> On Thu, May 31, 2007, Sean Siler wrote:
>>
>> Nathan,
>>
>> While these are really good questions, I'm afraid I don't have
>> really good answers to them yet. We haven't made the bits
>> available for customers to install their own Teredo Servers/Relays
>> at this point, and because we haven't, we also don't have good
>> deployment guidance to go along with that.
>>
>> I have my own feelings, but let me ask this: what do you all feel
>> about installing a Teredo server in order to provide v6
>> connectivity to your clients? Is this something that you are
>> really interested in?
>
> I'd prefer to throw IPv6 network ranges at customer links, so they
> can have "other" devices on IPv6. IPv6 isn't just for desktops.

Medium+ term, of course. I don't see Teredo as something that will be my primary way of getting IPv6 to end users forever. (I don't think anyone does.)

> How's Teredo servers tie into network security? Does the act of
> tunneling from v4 to a v6 broker bypass firewalls, IDSes, etc?

In perfect time, this was published yesterday, to answer that very question:
http://www.ietf.org/internet-drafts/draft-hoagland-v6ops-teredosecconcerns-00.txt

See also some comments from MS:
http://www.microsoft.com/technet/community/columns/cableguy/cg1005.mspx#ERH

In short, yes. If you're concerned about hosts at your site getting to the world using Teredo, you can simply block 3544/UDP to prevent hosts bootstrapping - I'm not sure if already-bootstrapped hosts would continue to function, I'm guessing that they would.

Alternatively, disabling Teredo with registry settings works fine, but obviously requires more than just control of a wire.

IDSs+firewalls probably need to become Teredo aware pretty quickly, along with anything that needs to do deep-packet inspection (P2P rate limiting boxes, for example). I'm not aware of any of these vendors supporting this, but then again, I haven't looked hard.

--
Nathan Ward
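The thread notes that IDSs, firewalls and DPI boxes need to become "Teredo aware". The example below, added here and not taken from the thread or from any vendor, shows the minimum such awareness means in code: given the payload of a UDP datagram (typically to or from port 3544), skip any Teredo Origin-indication or Authentication header, check that what remains is an IPv6 header, and decode the RFC 4380 Teredo address layout (2001:0::/32 prefix, server IPv4, flags, obfuscated client port and IPv4) so the inspection engine can see the real IPv6 endpoints and the client's NAT mapping. The sample packet is constructed in `build_sample_packet()`; the Teredo address in it is a documentation example, not a real host.

```python
"""Detect Teredo-encapsulated IPv6 in a UDP payload and decode Teredo addresses.

Added example (not from the NANOG thread). Layout follows RFC 4380:
  Teredo address: 2001:0000::/32 | server IPv4 (32) | flags (16) |
                  client port XOR 0xFFFF (16) | client IPv4 XOR 0xFFFFFFFF (32)
  Origin indication:  0x0000 | obfuscated port (2) | obfuscated IPv4 (4)  -> 8 bytes
  Authentication hdr: 0x0001 | ID-len (1) | AU-len (1) | id | auth | nonce (8) | confirm (1)
"""
import ipaddress
import struct

TEREDO_PORT = 3544
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")


def decode_teredo_address(addr):
    """Return server/flags/client mapping for a Teredo address, or None if not Teredo."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    server = ipaddress.IPv4Address(raw[4:8])
    flags = struct.unpack("!H", raw[8:10])[0]
    client_port = struct.unpack("!H", raw[10:12])[0] ^ 0xFFFF
    client_ip = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
    return {"server": str(server), "flags": flags,
            "client_port": client_port, "client_ip": str(client_ip)}


def parse_teredo_udp_payload(payload):
    """Describe the IPv6 packet carried in a Teredo UDP payload, or None if it is not one.

    An IPv6 header never starts with 0x0000 or 0x0001 (version nibble is 6), so those
    two-byte tags unambiguously identify the optional Teredo indicators in front of it.
    """
    offset = 0
    indicators = []
    while True:
        if len(payload) - offset < 4:
            return None
        tag = payload[offset:offset + 2]
        if tag == b"\x00\x01":                      # Authentication encapsulation
            id_len, au_len = payload[offset + 2], payload[offset + 3]
            offset += 4 + id_len + au_len + 8 + 1
            indicators.append("authentication")
        elif tag == b"\x00\x00":                    # Origin indication
            offset += 8
            indicators.append("origin")
        else:
            break
    inner = payload[offset:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    payload_len, next_header, hop_limit = struct.unpack("!HBB", inner[4:8])
    if len(inner) < 40 + payload_len:
        return None                                  # truncated: do not trust it
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    return {
        "indicators": indicators,
        "src": str(src), "dst": str(dst),
        "next_header": next_header, "hop_limit": hop_limit,
        "src_teredo": decode_teredo_address(src),
        "dst_teredo": decode_teredo_address(dst),
    }


def build_sample_packet(with_origin=True):
    """Constructed sample: ICMPv6 echo request from a Teredo client to a native host."""
    src = ipaddress.IPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2").packed
    dst = ipaddress.IPv6Address("2001:db8::1").packed
    icmp = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)   # checksum left 0 (not checked here)
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 64) + src + dst
    if not with_origin:
        return hdr + icmp
    obfuscated_ip = bytes(b ^ 0xFF for b in ipaddress.IPv4Address("192.0.2.45").packed)
    origin = b"\x00\x00" + struct.pack("!H", 40000 ^ 0xFFFF) + obfuscated_ip
    return origin + hdr + icmp


if __name__ == "__main__":
    info = parse_teredo_udp_payload(build_sample_packet())
    print("Teredo client", info["src_teredo"]["client_ip"], "port",
          info["src_teredo"]["client_port"], "via server", info["src_teredo"]["server"],
          "->", info["dst"])
```

In an inspection pipeline this runs on any UDP flow involving port 3544 (and, because Teredo relays and clients can use other ports, on UDP payloads whose first non-indicator byte has a 6 in the version nibble); the decoded inner source and destination are what policy and signatures should be applied to, not the outer IPv4/UDP tuple.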