On 1/06/2007, at 2:24 AM, <michael.dillon@bt.com> <michael.dillon@bt.com> wrote:
In perfect time, this was published yesterday, to answer that very question: http://www.ietf.org/internet-drafts/draft-hoagland-v6ops- teredosecconcerns-00.txt
Unfortunately, he doesn't say much in the way of solutions. For instance, if a company has internal IPv6 connectivity to their ISP, then presumably, Teredo is not needed. The problem then becomes one of firewall vendors supporting IPv6. He positions it as a problem that needs awkward workarounds such as blocking Teredo or patching Windows. He gives up on firewall vendors and only looks at their ability to do deep packet inspection by unencapsulating tunneled traffic. But plain ordinary IPv6 support from firewall vendors is not mentioned.
He doesn't mention native IPv6 as it's a Teredo document.
In any case, this draft is directed at the enterprise which rigorously firewalls all ingress/egress traffic at the edge.
Yes, I don't know if possible security concerns with Teredo are applicable to ISPs, unless you offer a firewalled service. Then those concerns are really the same as an enterprise. -- Nathan Ward