In perfect time, this was published yesterday, to answer that very question: http://www.ietf.org/internet-drafts/draft-hoagland-v6ops- teredosecconcerns-00.txt
Unfortunately, he doesn't say much in the way of solutions. For instance, if a company has internal IPv6 connectivity to their ISP, then presumably, Teredo is not needed. The problem then becomes one of firewall vendors supporting IPv6. He positions it as a problem that needs awkward workarounds such as blocking Teredo or patching Windows. He gives up on firewall vendors and only looks at their ability to do deep packet inspection by unencapsulating tunneled traffic. But plain ordinary IPv6 support from firewall vendors is not mentioned. In any case, this draft is directed at the enterprise which rigorously firewalls all ingress/egress traffic at the edge. --Michael Dillon