North American Network Operators Group

Re: Microsoft and Teredo

On 31/05/2007, at 11:41 PM, Adrian Chadd wrote:
Medium+ term, of course. I don't see Teredo as something that will be my primary way of getting IPv6 to end users forever. (I don't think anyone does.)

How do Teredo servers tie into network security? Does the act of tunneling

In perfect time, this was published yesterday, to answer that very question:
http://www.ietf.org/internet-drafts/draft-hoagland-v6ops-teredosecconcerns-00.txt

See also some comments from MS:
http://www.microsoft.com/technet/community/columns/cableguy/cg1005.mspx#ERH

In short, yes.

If you're concerned about hosts at your site getting to the world using Teredo, you can simply block 3544/UDP to prevent hosts bootstrapping - I'm not sure if already-bootstrapped hosts would continue to function, I'm guessing that they would.

Alternatively, disabling Teredo with registry settings works fine, but obviously requires more than just control of a wire.

IDSs+firewalls probably need to become Teredo aware pretty quickly, along with anything that needs to do deep-packet inspection (P2P rate limiting boxes, for example). I'm not aware of any of these vendors supporting this, but then again, I haven't looked hard.

--
Nathan Ward
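
As an added illustration of what "Teredo aware" inspection involves (this is not part of the original post), the Python sketch below looks inside a UDP payload for a tunnelled IPv6 header and decodes the external IPv4 address and port that a Teredo address carries. It assumes the RFC 4380 encapsulation and the 2001::/32 prefix; the function names and sample packets are constructed for the example, and the version/length test is a heuristic.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo prefix per RFC 4380

def strip_teredo_headers(payload: bytes) -> bytes:
    """Skip the optional Authentication (0x0001) and Origin Indication (0x0000) headers."""
    if len(payload) >= 4 and payload[:2] == b"\x00\x01":
        id_len, au_len = payload[2], payload[3]
        payload = payload[4 + id_len + au_len + 8 + 1:]  # plus nonce and confirmation byte
    if payload[:2] == b"\x00\x00":
        payload = payload[8:]  # marker, obfuscated port, obfuscated IPv4 address
    return payload

def decode_teredo_address(addr):
    """Return (server, client external IPv4, external port), or None if not Teredo."""
    if addr not in TEREDO_PREFIX:
        return None
    raw = addr.packed
    server = ipaddress.IPv4Address(raw[4:8])
    port = struct.unpack("!H", raw[10:12])[0] ^ 0xFFFF  # port is stored XOR 0xFFFF
    client = ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)
    return server, client, port

def inspect_udp_payload(payload: bytes):
    """Return details of the tunnelled IPv6 header, or None if none is found."""
    inner = strip_teredo_headers(payload)
    if len(inner) < 40 or inner[0] >> 4 != 6:  # need a full header with version 6
        return None
    if struct.unpack("!H", inner[4:6])[0] > len(inner) - 40:
        return None  # declared IPv6 payload length exceeds the bytes present
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    return {"src": src, "dst": dst, "next_header": inner[6],
            "src_teredo": decode_teredo_address(src),
            "dst_teredo": decode_teredo_address(dst)}

# Constructed samples: an empty IPv6 packet (next header 59) sent from a Teredo
# address, preceded by an Origin Indication header, and a non-IPv6 payload.
SAMPLE_SRC = ipaddress.IPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2")
SAMPLE_DST = ipaddress.IPv6Address("2001:db8::1")
SAMPLE_IPV6 = b"\x60\x00\x00\x00\x00\x00\x3b\x15" + SAMPLE_SRC.packed + SAMPLE_DST.packed
SAMPLE_TEREDO = b"\x00\x00" + b"\x63\xbf\x3f\xff\xfd\xd2" + SAMPLE_IPV6
SAMPLE_OTHER = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 40

if __name__ == "__main__":
    for name, data in (("teredo", SAMPLE_TEREDO), ("other", SAMPLE_OTHER)):
        print(name, inspect_udp_payload(data))
```

The check works on the payload alone, so a sensor can apply it to any UDP flow rather than only to 3544/UDP.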