Educause Security Discussion mailing list archives
Re: outrageous DNS queries of isatap.mshome. from Residential Network.
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Wed, 4 Mar 2009 11:38:42 -0800
On 03/04/09 10:51, Ken Connelly wrote:
> Michael Sinatra wrote:
>> On 03/04/09 08:10, John Ladwig wrote:
>>> A quick Google exercise suggests "Microsoft Teredo Tunneling Pseudo-Interface"
>>>
>>> For those not aware of Teredo (nee Shipworm - funny, renaming didn't actually change the meaning), it's Microsoft's IPv6-in-IPv4 tunneling protocol, enabled (by default?) in Vista. MS has stood up relay servers as part of their path to IPv6, and Vista machines can use them to connect to v6-only Internet resources. Of which there are few, but more and more.
>>>
>>> You *are* watching your local wires for IPv6 exploits, aren't you? Look up Teredo; it definitely has potential for local impacts. That said, the v6 operational threat situation doesn't seem extreme. Yet.
>>
>> The hope is that the v6 operational threat will become as extreme as is the case with IPv4. :-)
>>
>> It's not Teredo per se. (And BTW, ISATAP is a completely different transition mechanism from Teredo.) It's actually a serious bug in Windows Vista and it's fixed in SP1. The solution is to run SP1 on your Vista machines. The URL that Ken posted in his message points that out. (I am still not sure why he interpreted that message from Doug Pearson as "turn off IPv6"--that's not what the message says.)
>
> Doug's fourth bullet point after the lead paragraph...
>
> And disabling IPv6 might not be the ultimate solution, but it can and will happen *WAY* faster than getting a student to upgrade their personal machine to SP1. I stand by my recommendations.
Well, I'll stand by my friendly disagreement then. The bug is a serious one, and I'd be much more concerned about not getting people to upgrade to the latest service pack. I am also, of course, very concerned about IPv4 run-out (as are the organizations that give us--and have the ability to take away--our IPv4 addresses). In *some* organizations, turning off IPv6 may be a reasonable short term solution, but it's really sweeping a couple of problems under the rug.

We have generally had good luck in getting folks participating in these events to upgrade to SP1.

michael