nanog mailing list archives

RE: Microsoft and Teredo


From: Sean Siler <Sean.Siler () microsoft com>
Date: Thu, 31 May 2007 11:32:25 -0700


If you're concerned about hosts at your site getting
to the world using Teredo, you can simply block 3544/UDP to prevent
hosts bootstrapping - I'm not sure if already-bootstrapped hosts
would continue to function, I'm guessing that they would.


No, if you block 3544/UDP, the bubble packets are blocked, and Teredo ceases to function, even for those clients who are already configured.


Sean Siler|IPv6 Program Manager


-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Nathan Ward
Sent: Thursday, May 31, 2007 8:10 AM
To: Nanog
Subject: Re: Microsoft and Teredo



On 31/05/2007, at 11:41 PM, Adrian Chadd wrote:


On Thu, May 31, 2007, Sean Siler wrote:

Nathan,

While these are really good questions, I'm afraid I don't have
really good answers to them yet.  We haven't made the bits
available for customers to install their own Teredo Servers/Relays
at this point, and because we haven't, we also don't have good
deployment guidance to go along with that.

I have my own feelings, but let me ask this: what do you all feel
about installing a Teredo server in order to provide v6
connectivity to your clients? Is this something that you are
really interested in?

I'd prefer to throw IPv6 network ranges at customer links, so they can have
"other" devices on IPv6. IPv6 isn't just for desktops.

Medium+ term, of course. I don't see Teredo as something that will be
my primary way of getting IPv6 to end users forever. (I don't think
anyone does.)

How do Teredo servers tie into network security? Does the act of tunneling
from v4 to a v6 broker bypass firewalls, IDSes, etc?

In perfect time, this was published yesterday, to answer that very
question:
http://www.ietf.org/internet-drafts/draft-hoagland-v6ops-teredosecconcerns-00.txt
See also some comments from MS:
http://www.microsoft.com/technet/community/columns/cableguy/cg1005.mspx#ERH

In short, yes. If you're concerned about hosts at your site getting
to the world using Teredo, you can simply block 3544/UDP to prevent
hosts bootstrapping - I'm not sure if already-bootstrapped hosts
would continue to function, I'm guessing that they would.
Alternatively, disabling Teredo with registry settings works fine,
but obviously requires more than just control of a wire.

IDSs+firewalls probably need to become Teredo aware pretty quickly,
along with anything that needs to do deep-packet inspection (P2P rate
limiting boxes, for example). I'm not aware of any of these vendors
supporting this, but then again, I haven't looked hard.

--
Nathan Ward
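As an added illustration of the two points argued in this thread (that a 3544/UDP block only sees the client-to-server leg, and that a firewall or IDS has to look inside the UDP payload to be "Teredo aware"), here is a small Python inspector written for this archive page; it is not code from the thread, from Microsoft or from the IETF draft. It follows the Teredo address layout, bubble definition and origin-indication/authentication encapsulations in RFC 4380, and everything else (the server address 65.54.227.120, the two clients on RFC 5737 documentation ranges, the datagram bytes) is constructed for the example.

```python
"""Teredo-aware inspection of UDP datagrams, following RFC 4380.

Constructed example for this mailing-list page: the addresses, ports and packet
bytes below are made up for illustration, not captured from a real network.
"""
import ipaddress
import struct

TEREDO_SERVER_PORT = 3544                        # client <-> server leg, incl. bubbles relayed by the server
TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")
NO_NEXT_HEADER = 59                              # a bubble is an IPv6 header with this and no payload


def encode_teredo_address(server, cone, mapped_port, mapped_addr):
    """Teredo address (RFC 4380 s.4): prefix | server IPv4 | flags | ~port | ~client IPv4."""
    flags = 0x8000 if cone else 0x0000
    raw = (TEREDO_PREFIX.network_address.packed[:4]
           + ipaddress.IPv4Address(server).packed
           + struct.pack("!HH", flags, mapped_port ^ 0xFFFF)
           + struct.pack("!I", int(ipaddress.IPv4Address(mapped_addr)) ^ 0xFFFFFFFF))
    return str(ipaddress.IPv6Address(raw))


def decode_teredo_address(addr):
    """Recover server, cone flag and the client's mapped UDP endpoint from a Teredo address."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        raise ValueError(f"{ip} is not a Teredo address")
    raw = ip.packed
    flags, obf_port, obf_addr = struct.unpack("!HHI", raw[8:16])
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "cone": bool(flags & 0x8000),
        "mapped_port": obf_port ^ 0xFFFF,
        "mapped_addr": str(ipaddress.IPv4Address(obf_addr ^ 0xFFFFFFFF)),
    }


def build_ipv6(src, dst, next_header, payload=b""):
    """Minimal IPv6 packet: version 6, zero traffic class/flow label, hop limit 64."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_bubble(src, dst):
    """Teredo bubble: an IPv6 header with No Next Header (59) and no payload."""
    return build_ipv6(src, dst, NO_NEXT_HEADER)


def origin_indication(port, addr):
    """Origin indication header: 0x0000, obfuscated UDP port, obfuscated IPv4 address."""
    return struct.pack("!HHI", 0x0000, port ^ 0xFFFF, int(ipaddress.IPv4Address(addr)) ^ 0xFFFFFFFF)


def strip_teredo_headers(payload):
    """Skip the authentication (0x0001) and origin-indication (0x0000) headers that may
    precede the IPv6 packet. An IPv6 header never starts with a 0x00 byte, so the loop
    stops at the packet itself."""
    while len(payload) >= 4 and payload[0] == 0x00:
        if payload[1] == 0x01:   # id_len, au_len, id, auth value, 8-byte nonce, 1-byte confirmation
            payload = payload[13 + payload[2] + payload[3]:]
        elif payload[1] == 0x00:
            payload = payload[8:]
        else:
            break
    return payload


def parse_ipv6_header(packet):
    """Return src/dst/next header/payload length of a fixed IPv6 header, or None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    payload_len, next_header = struct.unpack("!HB", packet[4:7])
    return {"src": str(ipaddress.IPv6Address(packet[8:24])),
            "dst": str(ipaddress.IPv6Address(packet[24:40])),
            "next_header": next_header, "payload_len": payload_len}


def classify_udp(src_port, dst_port, payload):
    """Decide whether a UDP datagram carries Teredo and whether a 3544/UDP block would see it.

    Datagrams to or from the server port are what a port block catches. Client-to-client and
    relay traffic runs on the clients' mapped ports, so it is only recognisable from the
    encapsulated IPv6 header and its 2001:0::/32 addresses."""
    ipv6 = parse_ipv6_header(strip_teredo_headers(payload))
    if ipv6 is None:
        return {"teredo": False}
    endpoints = [ipaddress.IPv6Address(a) for a in (ipv6["src"], ipv6["dst"])]
    if not any(a in TEREDO_PREFIX for a in endpoints):
        return {"teredo": False}
    return {
        "teredo": True,
        "via_server_port": TEREDO_SERVER_PORT in (src_port, dst_port),
        "bubble": ipv6["next_header"] == NO_NEXT_HEADER and ipv6["payload_len"] == 0,
        "src": ipv6["src"], "dst": ipv6["dst"],
    }


# Constructed endpoints: an assumed server and two clients on RFC 5737 documentation ranges.
SERVER = "65.54.227.120"
CLIENT_A = encode_teredo_address(SERVER, True, 40000, "192.0.2.45")     # behind a cone NAT
CLIENT_B = encode_teredo_address(SERVER, False, 4500, "198.51.100.7")  # behind a restricted NAT

SAMPLE_DATAGRAMS = [
    # server -> A, relaying B's bubble with an origin indication: a 3544/UDP block stops this
    (TEREDO_SERVER_PORT, 40000, origin_indication(4500, "198.51.100.7") + build_bubble(CLIENT_B, CLIENT_A)),
    # B -> A directly on their mapped ports, ICMPv6 echo request (checksum left zero; constructed)
    (4500, 40000, build_ipv6(CLIENT_B, CLIENT_A, 58, b"\x80\x00\x00\x00\x00\x01\x00\x01")),
    # plain DNS query on UDP/53 (constructed bytes): not Teredo
    (53000, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
]


def inspect_samples():
    return [classify_udp(*datagram) for datagram in SAMPLE_DATAGRAMS]


if __name__ == "__main__":
    print(decode_teredo_address(CLIENT_A))
    for (sp, dp, _), verdict in zip(SAMPLE_DATAGRAMS, inspect_samples()):
        print(f"{sp}->{dp}: {verdict}")
```

The first datagram is the kind of server-relayed bubble Sean refers to and is matched by a port rule; the second is the direct peer traffic that a port rule never sees, which is why a DPI or IDS box has to parse the encapsulated IPv6 header. The version-nibble check is a heuristic; requiring a 2001:0::/32 address on at least one side keeps ordinary UDP payloads that happen to start with 0x6 from being flagged.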

