On 31/05/2007, at 11:41 PM, Adrian Chadd wrote:
On Thu, May 31, 2007, Sean Siler wrote:
Nathan,
While these are really good questions, I'm afraid I don't have really good answers to them yet. We haven't made the bits available for customers to install their own Teredo Servers/Relays at this point, and because we haven't, we also don't have good deployment guidance to go along with that.
I have my own feelings, but let me ask this: what do you all feel about installing a Teredo server in order to provide v6 connectivity to your clients? Is this something that you are really interested in?
I'd prefer to throw IPv6 network ranges at customer links, so they can have "other" devices on IPv6. IPv6 isn't just for desktops.
Medium+ term, of course. I don't see Teredo as something that will be my primary way of getting IPv6 to end users forever. (I don't think anyone does.)
How's Teredo servers tie into network security? Does the act of tunneling from v4 to a v6 broker bypass firewalls, IDSes, etc?
In perfect time, this was published yesterday, to answer that very question: http://www.ietf.org/internet-drafts/draft-hoagland-v6ops- teredosecconcerns-00.txt See also some comments from MS: http://www.microsoft.com/technet/community/columns/cableguy/ cg1005.mspx#ERH In short, yes. If you're concerned about hosts at your site getting to the world using Teredo, you can simply block 3544/UDP to prevent hosts bootstrapping - I'm not sure if already-bootstrapped hosts would continue to function, I'm guessing that they would. Alternatively, disabling Teredo with registry settings works fine, but obviously requires more than just control of a wire. IDSs+firewalls probably need to become Teredo aware pretty quickly, along with anything that needs to do deep-packet inspection (P2P rate limiting boxes, for example). I'm not aware of any of these vendors supporting this, but then again, I haven't looked hard. -- Nathan Ward