North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Microsoft and Teredo

  • From: Nathan Ward
  • Date: Thu May 31 20:42:15 2007



On 1/06/2007, at 2:24 AM, <[email protected]> <[email protected]> wrote:


In perfect time, this was published yesterday, to answer that very
question:
http://www.ietf.org/internet-drafts/draft-hoagland-v6ops-
teredosecconcerns-00.txt

Unfortunately, he doesn't say much in the way of solutions. For
instance, if a company has internal IPv6 connectivity to their ISP, then
presumably, Teredo is not needed. The problem then becomes one of
firewall vendors supporting IPv6. He positions it as a problem that
needs awkward workarounds such as blocking Teredo or patching Windows.
He gives up on firewall vendors and only looks at their ability to do
deep packet inspection by unencapsulating tunneled traffic. But plain
ordinary IPv6 support from firewall vendors is not mentioned.

He doesn't mention native IPv6 as it's a Teredo document.


In any case, this draft is directed at the enterprise which rigorously
firewalls all ingress/egress traffic at the edge.

Yes, I don't know if possible security concerns with Teredo are applicable to ISPs, unless you offer a firewalled service. Then those concerns are really the same as an enterprise.


--
Nathan Ward