nanog mailing list archives

Re: Comcast enables 6to4 relays


From: Jeroen Massar <jeroen () unfix org>
Date: Tue, 31 Aug 2010 17:11:55 +0200

On 2010-08-31 16:54, Mikael Abrahamsson wrote:
> On Tue, 31 Aug 2010, Jack Bates wrote:
>
>> Teredo usage isn't common enough on our network to warrant the work.
>> Very few apps will activate it is my guess.
>
> <http://ipv6.tele2.net/teredo_stats.php>
>
> As I stated, either your users are using your Teredo server, or they're
> using someone else's. Not running one yourself doesn't mean your users
> aren't running Teredo.

psssst it's relay not server :)

I guess everybody mixes that up one day or another, it is also a reason
why just having Microsoft's default server is not a huge issue.

[..]
>> Then there is the "customer is unaware" fact. If the customer is
>> unaware that their NAT is being pierced for IPv6 communication, then
>> we have contributed to decreasing their security. For this reason, it
>> might not be completely unwarranted for an ISP to block teredo all
>> together. 6to4 doesn't suffer from this as there is no NAT traversal.

Jack: there are a lot more methods to infect a host than this as there
are lots and lots of p2p protocols which are being used by C&C botnets.
And never forget about this very simple protocol called HTTP(S).

Blocking Teredo completely is a whole other discussion.

> Also, some NAT gateways will support a single device behind it doing
> Proto 41, so saying 6to4 has no NAT traversal and thus won't work behind
> NAT isn't true in all cases.

Flaky but it works. Generally they just tag 'oh protocol 41 has to go to
host X' thus when you enable a second, all traffic either moves there or
sticks at the first. It's the reason Teredo/AYIYA/etc exist ;)

Greets,
 Jeroen
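Added example, not part of this thread or of any poster's code: the point made above, that users are on some Teredo server whether or not the operator runs one, and that 6to4 terminates on one host behind a NAT, can be checked directly from the addresses themselves. A Teredo address (2001:0000::/32, RFC 4380) carries the server's IPv4, the flags, and the client's public (post-NAT) IPv4 and UDP port, the latter two XORed with all-ones; a 6to4 address (2002::/16, RFC 3056) carries the IPv4 of the host or CPE that terminates protocol 41. The decoder below is mine, uses only the standard library, and the sample addresses are constructed (the RFC 4380 worked example, a 6to4 address built from the documentation IPv4 192.0.2.4, and one native address); the function names are my own.

```python
"""Decode Teredo (RFC 4380) and 6to4 (RFC 3056) addresses seen in flow data.

Added example with a constructed sample; the bit layouts are those the RFCs define.
"""
import ipaddress
from collections import Counter

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")    # 2001:0000::/32
SIXTOFOUR_PREFIX = ipaddress.ip_network("2002::/16")


def decode_teredo(addr):
    """Split a Teredo address into server IPv4, flags, and the client's
    public (post-NAT) IPv4/UDP port. Port and client IPv4 are stored
    XORed with all-ones, so they must be inverted to read them."""
    raw = int(addr)
    server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)         # bits 32-63
    flags = (raw >> 48) & 0xFFFF                                      # bits 64-79
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF                            # bits 80-95
    client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)  # bits 96-127
    return {
        "kind": "teredo",
        "server": str(server),
        "cone": bool(flags & 0x8000),   # RFC 4380 "cone NAT" flag bit
        "client_public": str(client),
        "client_port": port,
    }


def decode_6to4(addr):
    """A 6to4 address is 2002:V4ADDR::/48; the IPv4 of the 6to4 router
    (the host or CPE terminating protocol 41) sits in bits 16-47."""
    raw = int(addr)
    router = ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)
    return {"kind": "6to4", "router": str(router)}


def classify(addr_str):
    """Return a decoded dict for a tunnelled address, or None if it is
    neither Teredo nor 6to4 (native, or some other transition mechanism)."""
    addr = ipaddress.IPv6Address(addr_str)
    if addr in TEREDO_PREFIX:
        return decode_teredo(addr)
    if addr in SIXTOFOUR_PREFIX:
        return decode_6to4(addr)
    return None


def teredo_servers(addr_strs):
    """Count which Teredo server each tunnelled client is registered with:
    the quickest way to see whether users are on your server or someone else's."""
    counts = Counter()
    for s in addr_strs:
        info = classify(s)
        if info and info["kind"] == "teredo":
            counts[info["server"]] += 1
    return counts


# Constructed sample: the RFC 4380 worked example, a second client on the
# same server, a 6to4 address for 192.0.2.4, and a native address.
SAMPLE = [
    "2001:0000:4136:e378:8000:63bf:3fff:fdd2",
    "2001:0000:4136:e378:0000:1234:3fff:fdd3",
    "2002:c000:0204::1",
    "2001:db8::1",
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s, classify(s))
    print(teredo_servers(SAMPLE))
```

Run over destination addresses from IPv4-side flow records (UDP/3544 for Teredo, protocol 41 for 6to4) this gives the server tally Mikael is talking about without needing to run a server or relay at all; the 6to4 router field also shows which single host behind a NAT the protocol 41 traffic is being pinned to.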
