nanog mailing list archives

RE: Teredo and 'firewalls' (Re: Comcast enables 6to4 relays)


From: Sean Siler <Sean.Siler () microsoft com>
Date: Tue, 31 Aug 2010 18:01:43 +0000

1. I completely agree with Jeroen 
2. Jack, if you have specific concerns that Jeroen hasn't answered, feel free to ping me offline. I own Teredo in Windows.

Sean from "M$"

-----Original Message-----
From: Jeroen Massar [mailto:jeroen () unfix org] 
Sent: Tuesday, August 31, 2010 10:40 AM
To: Jack Bates
Cc: NANOG
Subject: Re: Teredo and 'firewalls' (Re: Comcast enables 6to4 relays)

On 2010-08-31 19:32, Jack Bates wrote:
> Jeroen Massar wrote:
>
>> If you have one person setting up ICS on their machine and they have
>> enabled IPv6 voila the whole network gets IPv6, that thus does not
>> solve your problem either. Or are you monitoring IPv6 RAs etc?
>
> Setting up ICS with IPv6 is user knowledge in my opinion. In addition,
> the ICS will handle the firewall rules unless the user chooses to turn
> it off.
>
>> I think you have to move to better analyzing & monitoring your
>> network and more control over the hosts which participate in that network.
>
> My concern is as an ISP that has customers who are unaware that their
> little routers aren't filtering all of their packets. There are a
> million ways they might get infected or have security problems.
> However, teredo is obviously a circumvention of protection they
> *think* they have.

There is no circumvention here. Teredo is the same as having a P2P app (take Skype as a random example) that connects to an outside host and uses that to relay messages to something else, allowing outside hosts to use that network to connect to your inbound host.

Teredo does not enable more inbound connections than before, unless an app supports IPv6, but then that app was installed by the user, thus they want it to run.

Also note that XP/2k3/Vista/Seven/2k8 all have firewalls per default that support IPv6 and that handle IPv4 and IPv6 exactly the same: ask the user with an annoying popup. Vista/Seven/2k8 even (can) do that for outbound connections.


The only thing you can do to help your users is to provide them with proper education and to explain to them to keep up to date, run the right tools and not click anywhere they can... and that is a mission which is near impossible.

Teredo though is far from your worst worry. Just check how many "Teredo", or heck, IPv6-related infections you have and how many you have who have autodialers and the gazillion other botnets on their hosts.

You can sleep very tight over your perceived "Teredo" problem ;)

Greets,
 Jeroen
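The thread turns on whether an operator can even see which customer hosts are reaching the IPv6 Internet through Teredo or 6to4 rather than through a native, filtered path. The following script is an added example and not code from this thread, Microsoft, or NANOG: it decodes the two tunnel address formats (Teredo per RFC 4380: 2001:0000::/32 with the server IPv4, flags, XOR-obfuscated mapped port and XOR-obfuscated client IPv4 embedded; 6to4 per RFC 3056: 2002::/16 with the client IPv4 embedded) and picks out Teredo clients from a constructed flow log by their UDP/3544 traffic to a Teredo server. The worked Teredo address is the example from RFC 4380 section 4 (server 65.54.227.120, client 192.0.2.45, mapped port 40000); the flow lines and the 203.0.113.x addresses are constructed sample data.

```python
import ipaddress

# Well-known prefixes: Teredo (RFC 4380) and 6to4 (RFC 3056).
TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")
SIX_TO_FOUR_PREFIX = ipaddress.IPv6Network("2002::/16")
TEREDO_UDP_PORT = 3544  # Teredo server/relay service port (RFC 4380)


def decode_teredo(addr):
    """Return the fields embedded in a Teredo address, or None if not Teredo.

    Layout (RFC 4380 sec. 4): 32-bit prefix | 32-bit server IPv4 |
    16-bit flags | 16-bit obfuscated port | 32-bit obfuscated client IPv4.
    Port and client IPv4 are stored XORed with all-ones.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    b = ip.packed
    server = ipaddress.IPv4Address(b[4:8])
    flags = int.from_bytes(b[8:10], "big")
    mapped_port = int.from_bytes(b[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))
    return {
        "server": str(server),
        "cone_nat": bool(flags & 0x8000),  # cone bit is the top flag bit
        "mapped_port": mapped_port,
        "client_public_ipv4": str(client),
    }


def decode_6to4(addr):
    """Return the IPv4 address embedded in a 6to4 address, or None."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in SIX_TO_FOUR_PREFIX:
        return None
    return str(ipaddress.IPv4Address(ip.packed[2:6]))


def classify_ipv6(addr):
    """Label an IPv6 address as 'teredo', '6to4' or 'native'."""
    if decode_teredo(addr) is not None:
        return "teredo"
    if decode_6to4(addr) is not None:
        return "6to4"
    return "native"


# Constructed flow records: "proto src sport dst dport" (not real traffic).
SAMPLE_FLOWS = """\
udp 203.0.113.10 52000 65.54.227.120 3544
tcp 203.0.113.11 40512 198.51.100.5 443
udp 203.0.113.12 61000 65.54.227.120 3544
udp 203.0.113.10 52000 65.54.227.120 3544
"""


def teredo_clients(flow_text):
    """Return the sorted set of source IPv4s sending UDP to port 3544.

    This flags hosts that have Teredo active; the mapped port/address in
    decode_teredo() then lets you confirm the host from its IPv6 address.
    """
    clients = set()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, src, _sport, _dst, dport = parts
        if proto == "udp" and int(dport) == TEREDO_UDP_PORT:
            clients.add(src)
    return sorted(clients)


if __name__ == "__main__":
    # RFC 4380 example address: server 65.54.227.120, client 192.0.2.45:40000
    print(decode_teredo("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
    print(decode_6to4("2002:c000:22d::1"))
    print(teredo_clients(SAMPLE_FLOWS))
```

On the constructed flow log the script lists the two customer addresses with Teredo sessions; decoding any Teredo IPv6 address seen in a log (for example from an IPv6 flow export or an RA-monitoring sensor) tells you which public IPv4 and NAT port the host is reachable on, which is exactly what makes a customer's "inbound-filtered" assumption wrong when an IPv6-capable app listens behind it.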


