RE: Microsoft and Teredo
Nathan,

While these are really good questions, I'm afraid I don't have really good answers to them yet. We haven't made the bits available for customers to install their own Teredo Servers/Relays at this point, and because we haven't, we also don't have good deployment guidance to go along with that.

I have my own feelings, but let me ask this: what do you all feel about installing a Teredo server in order to provide v6 connectivity to your clients? Is this something that you are really interested in?

Your feedback is welcome.

Sean Siler|IPv6 Program Manager|Microsoft
[EMAIL PROTECTED] | 703.485.1170
http://blogs.technet.com/ipv6
IPv6 is ready. Are you?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Ward
Sent: Wednesday, May 30, 2007 6:44 PM
To: Nanog
Subject: Re: Microsoft and Teredo

On 31/05/2007, at 5:40 AM, Sean Siler wrote:

> I understand some questions recently arose regarding Microsoft and
> Teredo. I tried reading through the archives but it has more twists
> than Pacific Coast Highway.
>
> Are there some specific requests/questions that I can help with?

Probably, yeah.

From another post by Michael Dillon:

> Since we are all collectively playing catchup at this point, it would be
> very useful for some clear guidance on who needs to deploy Teredo and
> 6to4 and where it needs to be deployed. Also, the benefits of deployment
> versus the problems caused by not having it. Should this be in every PoP
> or just somewhere on your network? Are there things that can be measured
> to tell you whether or not lack of Teredo/6to4 is causing user problems?

Maybe you can provide operational experience from running the Teredo servers and relays that Microsoft host? Do you host them just at Microsoft or do you also have some inside ISPs?

Have you done any work to help/advise on deploying Teredo servers/relays in to ISPs? Any learnings from that that you can share? What about corporate networks?

That oughta get you started :-)

--
Nathan Ward

RE: Microsoft and Teredo
>If you're concerned about hosts at your site getting
>to the world using Teredo, you can simply block 3544/UDP to prevent
>hosts bootstrapping - I'm not sure if already-bootstrapped hosts
>would continue to function, I'm guessing that they would.

No, if you block 3544/UDP, the bubble packets are blocked, and Teredo ceases to function, even for those clients who are already configured.

Sean Siler|IPv6 Program Manager

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Ward
Sent: Thursday, May 31, 2007 8:10 AM
To: Nanog
Subject: Re: Microsoft and Teredo

On 31/05/2007, at 11:41 PM, Adrian Chadd wrote:

> On Thu, May 31, 2007, Sean Siler wrote:
>>
>> Nathan,
>>
>> While these are really good questions, I'm afraid I don't have
>> really good answers to them yet. We haven't made the bits
>> available for customers to install their own Teredo Servers/Relays
>> at this point, and because we haven't, we also don't have good
>> deployment guidance to go along with that.
>>
>> I have my own feelings, but let me ask this: what do you all feel
>> about installing a Teredo server in order to provide v6
>> connectivity to your clients? Is this something that you are
>> really interested in?
>
> I'd prefer to throw IPv6 network ranges at customer links, so they can have
> "other" devices on IPv6. IPv6 isn't just for desktops.

Medium+ term, of course. I don't see Teredo as something that will be my primary way of getting IPv6 to end users forever. (I don't think anyone does.)

> How's Teredo servers tie into network security? Does the act of tunneling
> from v4 to a v6 broker bypass firewalls, IDSes, etc?

In perfect time, this was published yesterday, to answer that very question:
http://www.ietf.org/internet-drafts/draft-hoagland-v6ops-teredosecconcerns-00.txt

See also some comments from MS:
http://www.microsoft.com/technet/community/columns/cableguy/cg1005.mspx#ERH

In short, yes.

If you're concerned about hosts at your site getting to the world using Teredo, you can simply block 3544/UDP to prevent hosts bootstrapping - I'm not sure if already-bootstrapped hosts would continue to function, I'm guessing that they would.

Alternatively, disabling Teredo with registry settings works fine, but obviously requires more than just control of a wire.

IDSs+firewalls probably need to become Teredo aware pretty quickly, along with anything that needs to do deep-packet inspection (P2P rate limiting boxes, for example). I'm not aware of any of these vendors supporting this, but then again, I haven't looked hard.

--
Nathan Ward

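
What "Teredo aware" inspection involves, as an added example that is not part of the original thread: Python code that unwraps the payload of a 3544/UDP datagram to reach the inner IPv6 header and decodes the IPv4 details embedded in a Teredo address. Field layouts follow RFC 4380; the function names and the sample packet (built from documentation addresses) are constructed for illustration.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo prefix, RFC 4380

def decode_teredo_address(addr):
    """Recover the IPv4 details embedded in a Teredo IPv6 address."""
    raw = ipaddress.IPv6Address(str(addr)).packed
    server, flags, port, client = struct.unpack("!4x4sHH4s", raw)
    return {
        "server": str(ipaddress.IPv4Address(server)),
        "flags": flags,
        "client_port": port ^ 0xFFFF,  # mapped port is stored bit-inverted
        "client": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in client))),
    }

def inspect_teredo_payload(payload):
    """Parse the inner IPv6 header of a Teredo UDP payload; None if absent."""
    off = 0
    # Skip optional authentication (0x0001) and origin (0x0000) indications.
    while payload[off:off + 2] in (b"\x00\x01", b"\x00\x00"):
        if payload[off + 1] == 0:
            off += 8  # type, obfuscated port, obfuscated IPv4 address
        elif len(payload) >= off + 4:
            # type, ID-len, AU-len, ID, auth value, 8-byte nonce, confirmation
            off += 13 + payload[off + 2] + payload[off + 3]
        else:
            return None
    hdr = payload[off:off + 40]
    if len(hdr) < 40 or hdr[0] >> 4 != 6:
        return None  # truncated, or not an encapsulated IPv6 packet
    plen, nxt = struct.unpack("!HB", hdr[4:7])
    src = ipaddress.IPv6Address(hdr[8:24])
    dst = ipaddress.IPv6Address(hdr[24:40])
    info = {"src": str(src), "dst": str(dst), "next_header": nxt,
            "bubble": nxt == 59 and plen == 0}  # bubble: empty, no next header
    for key, a in (("src_teredo", src), ("dst_teredo", dst)):
        info[key] = decode_teredo_address(a) if a in TEREDO_PREFIX else None
    return info

def sample_bubble():
    """Constructed sample: origin indication followed by a Teredo bubble."""
    src = ipaddress.IPv6Address("2001:0:c000:201:0:63bf:34ff:8efa").packed
    dst = ipaddress.IPv6Address("2001:db8::1").packed
    origin = b"\x00\x00" + struct.pack("!H", 40000 ^ 0xFFFF) + b"\x34\xff\x8e\xfa"
    return origin + struct.pack("!IHBB", 6 << 28, 0, 59, 21) + src + dst

if __name__ == "__main__":
    print(inspect_teredo_payload(sample_bubble()))
```
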
RE: IPv6 consumer perception
I'd really like to talk to the guy who presented this. Does anyone happen to have a contact for him? Feel free to send it privately if you do.

Sean

-Original Message-
From: Marco Hogewoning [mailto:mar...@marcoh.net]
Sent: Friday, June 18, 2010 10:48 AM
To: na...@merit.edu
Subject: Re: IPv6 consumer perception

On 18 jun 2010, at 18:04, Zed Usser wrote:

> With marketing campaigns like these, no consumer will want to use IPv6, if it
> becomes associated with privacy problems.
>
> http://torrentfreak.com/huge-security-flaw-makes-vpns-useless-for-bittorrent-100617/
>
> It is, of course, totally irrelevant whether the reporting is factually
> correct or even based on real IPv6 issues or not, this is how public opinion
> is formed.
>
> The only takeaway from this to a non-technical user is that IPv6 is bad and
> the correct solution is to turn it off.

Why do people still think consumers 'want IPv6', they want IPv6 as much as they want IPv4. They don't know what an IP address is, let alone will grasp the whole idea there are 2 kinds. All they want is their googles, facebooks, twitters and the occasional download to work (of course nobody would admit to filesharing).

And it's our job to make it so, whether it's via IPv6 or CGN. In the end they won't have much choice and if we do our jobs correctly, 95 % of them won't even notice.

Just my 2 cents,

MarcoH

RE: Teredo and 'firewalls' (Re: Comcast enables 6to4 relays)
1. I completely agree with Jeroen
2. Jack, if you have specific concerns that Jeroen hasn't answered, feel free to ping me off line. I own Teredo in Windows.

Sean from "M$"

-Original Message-
From: Jeroen Massar [mailto:jer...@unfix.org]
Sent: Tuesday, August 31, 2010 10:40 AM
To: Jack Bates
Cc: NANOG
Subject: Re: Teredo and 'firewalls' (Re: Comcast enables 6to4 relays)

On 2010-08-31 19:32, Jack Bates wrote:
> Jeroen Massar wrote:
>>
>> If you have one person setting up ICS on their machine and they have
>> enabled IPv6 voila the whole network gets IPv6, that thus does not
>> solve your problem either. Or are you monitoring IPv6 RAs etc?
>
> Setting up ICS with IPv6 is user knowledge in my opinion. In addition,
> the ICS will handle the firewall rules unless the user chooses to turn
> it off.
>
>>
>> I think you have to move to better analyzing & monitoring your
>> network and more control over the hosts which participate in that network.
>>
>
> My concern is as an ISP that has customers who are unaware that their
> little routers aren't filtering all of their packets. There are a
> million ways they might get infected or have security problems.
> However, teredo is obviously a circumvention of protection they
> *think* they have.

There is no circumvention here. Teredo is the same as having a P2P app (take Skype as a random example) that connects to an outside host and uses that to relay messages to something else. Allowing outside hosts to use that network to connect to your inbound host.

Teredo does not enable more inbound connections than before, unless an App supports IPv6, but then that app was installed by the user thus they want it to run.

Also note that XP/2k3/Vista/Seven/2k8 all have firewalls per default that support IPv6 and that handle IPv4 and IPv6 exactly the same: ask the user with an annoying popup. Vista/Seven/2k8 even (can) do that for outbound connections.

The only thing you can do to help your users is to provide them with proper education and to explain them to keep up to date and run the right tools and not click anywhere they can and that is a mission which is near impossible.

Teredo though is far from your worst worry. Just check how many "Teredo", or heck, IPv6 related infections you have and how many you have who have autodialers and the gazillion of other botnets on their hosts.

You can sleep very tight over your perceived "Teredo" problem ;)

Greets,
Jeroen

RE: SLAAC(autoconfig) vs DHCPv6
Nope. XP does not support DHCPv6 - only Vista/Windows Server 2008 (and later) can do that.

Sean

-Original Message-
From: TJ [mailto:[EMAIL PROTECTED]
Sent: Monday, August 18, 2008 2:42 PM
To: [EMAIL PROTECTED]
Subject: RE: SLAAC(autoconfig) vs DHCPv6

>-Original Message-
>From: Charles Wyble [mailto:[EMAIL PROTECTED]
>Sent: Monday, August 18, 2008 5:28 PM
>To: [EMAIL PROTECTED]
>Subject: Re: SLAAC(autoconfig) vs DHCPv6
>
>Iljitsch van Beijnum wrote:
>> On 18 aug 2008, at 22:23, Dale W. Carder wrote:
>>
>>> DHCPv6
>>> - doesn't ship w/ some OS's
>>
>> Forget about it on XP,
>
>Hmmm. MS says otherwise:
>http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx

Did you see somewhere on that site, that WinXP does DHCPv6? I don't. And it would be wrong, to boot.
(Not just IPv6 support - that is one simple command ...)

>> but it's in Vista. You can add it to BSD/Linux without too much
>> trouble (are there good, bugfree implementations for those yet?)
>
>Bugfree? Nothing is bugfree :)
>> but Mac is a problem for prospective DHCPv6 users because the network
>> configuration mechanisms are fairly proprietary and DHCPv6 isn't
>> likely to be supported any time soon.
>
>H. I have yet to play with the Mac Ipv6 support (typing this on a Mac
>now I should try in my lab later). What auto configuration mechanisms are
>you referring to? Bonjour? Isn't there an RFC or two for Zeroconf?

No, I believe he is referring to the actual network configuration. Not the (almost) automatic/automated service/device discovery ...

>
>--
>Charles Wyble (818) 280 - 7059

/TJ

RE: SLAAC(autoconfig) vs DHCPv6
Yep - absolutely. I was referring to built-in support from the stack. Dibbler is the primary third party provider we have seen for DHCPv6 support on downlevel clients.

Sean

-Original Message-
From: Charles Wyble [mailto:[EMAIL PROTECTED]
Sent: Monday, August 18, 2008 2:55 PM
To: [EMAIL PROTECTED]
Subject: Re: SLAAC(autoconfig) vs DHCPv6

Sean Siler wrote:
> Nope. XP does not support DHCPv6 - only Vista/Windows Server 2008 (and later)
> can do that.
>
> Sean

http://internecine.eu/systems/windows_xp-ipv6.html and http://internecine.eu/software/dibbler_dhcpv6.html discuss how to deploy dhcpv6 on xp. It's 3rd party but doable.