On 2010-08-31 16:54, Mikael Abrahamsson wrote:
On Tue, 31 Aug 2010, Jack Bates wrote:
Teredo usage isn't common enough on our network to warrant the work. Very few apps will activate it is my guess.
<http://ipv6.tele2.net/teredo_stats.php>
As I stated, either your users are using your Teredo server, or they're using someone else's. Not running one yourself doesn't mean your users aren't running Teredo.
psssst it's relay not server :) I guess everybody mixes that up one day or another, it is also a reason why just having Microsoft's default server is not a huge issue. [..]
Then there is the "customer is unaware" fact. If the customer is unaware that their NAT is being pierced for IPv6 communication, then we have contributed to decreasing their security. For this reason, it might not be completely unwarranted for an ISP to block Teredo altogether. 6to4 doesn't suffer from this as there is no NAT traversal.
Jack: there are a lot more methods to infect a host than this, as there are lots and lots of p2p protocols which are being used by C&C botnets. And never forget about this very simple protocol called HTTP(S).
Blocking Teredo completely is a whole other discussion.
Also, some NAT gateways will support a single device behind it doing Proto 41, so saying 6to4 has no NAT traversal and thus won't work behind NAT isn't true in all cases.
Flaky but it works. Generally they just tag 'oh protocol 41 has to go to host X', thus when you enable a second, all traffic either moves there or sticks at the first. It's the reason Teredo/AYIYA/etc exist ;)

Greets,
Jeroen
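An added illustration of the point made above about Teredo servers (this is example code written for this page, not code from the thread or from any of its posters): a Teredo address (RFC 4380) carries the IPv4 of the Teredo server that issued it, the client's NAT-mapped external IPv4 and UDP port (both XORed with all-ones), and a cone-NAT flag; a 6to4 address (RFC 3056) carries the endpoint's IPv4 in its /48. So a list of IPv6 source addresses from a flow log is enough to see who is running Teredo and through whose server, and which hosts are doing 6to4 over protocol 41. The sample addresses below are constructed from RFC 5737 documentation ranges and do not refer to any real server or client; the function names are mine.

```python
# Added example (not code from the thread): classify IPv6 addresses seen on a
# network as Teredo, 6to4 or other, and recover the IPv4 details they embed.
# Teredo layout: RFC 4380 section 4; 6to4 layout: RFC 3056.
import ipaddress
from collections import Counter

TEREDO_NET = ipaddress.IPv6Network("2001::/32")   # 2001:0000::/32
SIXTO4_NET = ipaddress.IPv6Network("2002::/16")


def decode_teredo(addr):
    """Return (server_v4, client_external_v4, client_external_port, cone).

    Bits 0-31: prefix 2001:0000; 32-63: IPv4 of the Teredo server that
    issued the address; 64-79: flags (0x8000 = client thinks it sits behind
    a cone NAT); 80-95: client's external UDP port XOR 0xFFFF; 96-127:
    client's external IPv4 XOR 0xFFFFFFFF. Everything needed to reach the
    host through its NAT mapping is therefore readable by any observer.
    """
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_NET:
        raise ValueError(f"{addr} is not a Teredo address")
    b = a.packed
    server = ipaddress.IPv4Address(b[4:8])
    flags = int.from_bytes(b[8:10], "big")
    port = int.from_bytes(b[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))
    return server, client, port, bool(flags & 0x8000)


def decode_6to4(addr):
    """Return the IPv4 embedded in a 6to4 address (2002:V4V4:V4V4::/48)."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTO4_NET:
        raise ValueError(f"{addr} is not a 6to4 address")
    return ipaddress.IPv4Address(a.packed[2:6])


def classify(addr):
    """Label one address as 'teredo', '6to4' or 'other' with decoded fields."""
    a = ipaddress.IPv6Address(addr)
    if a in TEREDO_NET:
        server, client, port, cone = decode_teredo(addr)
        return {"kind": "teredo", "server": str(server), "client_v4": str(client),
                "client_port": port, "cone": cone}
    if a in SIXTO4_NET:
        return {"kind": "6to4", "client_v4": str(decode_6to4(addr))}
    return {"kind": "other"}


def teredo_servers_in_use(addrs):
    """Count which Teredo servers the hosts behind these addresses use.

    This is the operator's check behind 'either your users are using your
    Teredo server, or they're using someone else's': the server IPv4 is in
    the address itself, so no Teredo server of your own is needed to see it.
    """
    return Counter(str(decode_teredo(x)[0]) for x in addrs
                   if ipaddress.IPv6Address(x) in TEREDO_NET)


# Constructed sample of "observed" source addresses. All IPv4s are from the
# RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
SAMPLE = [
    "2001:0:c000:22d:8000:63bf:39cc:9bf8",  # Teredo, cone NAT, server 192.0.2.45
    "2001:0:cb00:7101:0:fbff:3fff:fd9b",    # Teredo, restricted NAT, server 203.0.113.1
    "2001:0:c000:22d:8000:fbff:3fff:fd9b",  # Teredo, same server as the first
    "2002:c000:264::1",                     # 6to4 from 192.0.2.100 (protocol 41)
    "2001:db8::1",                          # neither (documentation prefix)
]

if __name__ == "__main__":
    for x in SAMPLE:
        print(x, classify(x))
    print(teredo_servers_in_use(SAMPLE))
```

The membership test on 2001::/32 must not be confused with 2001:db8::/32 or any other 2001:xxxx prefix; only 2001:0000::/32 is Teredo. Note also that the address names the Teredo server, not the relay, which is exactly the distinction Jeroen draws above: the relay that actually forwards the packets is not visible in the address.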