On 2010-08-31 16:54, Mikael Abrahamsson wrote:
> On Tue, 31 Aug 2010, Jack Bates wrote:
>
>> Teredo usage isn't common enough on our network to warrant the work.
>> Very few apps will activate it is my guess.
>
> <http://ipv6.tele2.net/teredo_stats.php>
>
> As I stated, either your users are using your Teredo server, or they're
> using someone else's. Not running one yourself doesn't mean your users
> aren't running Teredo.

psssst it's relay not server :) I guess everybody mixes that up one day
or another, it is also a reason why just having Microsoft's default
server is not a huge issue.

[..]
>> Then there is the "customer is unaware" fact. If the customer is
>> unaware that their NAT is being pierced for IPv6 communication, then
>> we have contributed to decreasing their security. For this reason, it
>> might not be completely unwarranted for an ISP to block teredo
>> altogether. 6to4 doesn't suffer from this as there is no NAT traversal.

Jack: there are a lot more methods to infect a host than this as there
are lots and lots of p2p protocols which are being used by C&C botnets.
And never forget about this very simple protocol called HTTP(S).

> Blocking Teredo completely is a whole other discussion.
>
> Also, some NAT gateways will support a single device behind it doing
> Proto 41, so saying 6to4 has no NAT traversal and thus won't work behind
> NAT isn't true in all cases.

Flaky but it works. Generally they just tag 'oh protocol 41 has to go to
host X' thus when you enable a second all traffic either moves there or
sticks at the first. It's the reason Teredo/AYIYA/etc exist ;)

Greets,
 Jeroen
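
Added example, not part of the thread or written by its participants: a Python sketch an operator could run over IPv6 source addresses seen in logs to tell Teredo from 6to4 clients and to see which Teredo server each client is configured for. It assumes the address layouts from RFC 4380 (Teredo, 2001::/32) and RFC 3056 (6to4, 2002::/16); the function names and the sample addresses (built from documentation ranges) are constructed for illustration.

```python
import ipaddress
from collections import Counter

TEREDO = ipaddress.IPv6Network("2001::/32")     # Teredo prefix, RFC 4380
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")  # 6to4 prefix, RFC 3056

def classify(addr_text):
    """Describe the transition mechanism encoded in an IPv6 address."""
    addr = ipaddress.IPv6Address(addr_text)
    raw = addr.packed
    if addr in TEREDO:
        # Layout: prefix(32) | server IPv4(32) | flags(16) | ~port(16) | ~NAT IPv4(32)
        # The mapped port and address are stored XORed with all-ones.
        port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
        nat = int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF
        return {"kind": "teredo",
                "server": str(ipaddress.IPv4Address(raw[4:8])),
                "cone_nat": bool(raw[8] & 0x80),
                "nat_addr": str(ipaddress.IPv4Address(nat)),
                "nat_port": port}
    if addr in SIXTOFOUR:
        # 6to4 embeds the site's public IPv4 address directly after 2002:
        return {"kind": "6to4", "v4_addr": str(ipaddress.IPv4Address(raw[2:6]))}
    return {"kind": "other"}

def teredo_servers(addresses):
    """Count Teredo clients per configured server IPv4 address."""
    return Counter(c["server"] for c in map(classify, addresses)
                   if c["kind"] == "teredo")

# Constructed sample addresses (documentation IPv4 ranges), not real observations.
SAMPLE = [
    "2001:0:c000:201:8000:372a:34ff:8ef8",  # Teredo, server 192.0.2.1
    "2001:0:c633:6414:0:fbff:34ff:8ef7",    # Teredo, server 198.51.100.20
    "2002:c633:6409::1",                    # 6to4 for 198.51.100.9
    "2001:db8::1",                          # neither mechanism
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a, classify(a))
    print(teredo_servers(SAMPLE))
```

The `nat_addr` and `nat_port` fields are the external UDP mapping the client's NAT opened for Teredo, which is the "NAT is being pierced" state discussed in the quoted text.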