On Thursday 31 May 2007, Jim Hoagland wrote:
> Hello,
>
> Some months ago, when he was reviewing a version of [1], Christian
> Huitema suggested that I submit my Teredo security concerns to the
> v6ops working group as an Internet Draft. You now see the result of
> this, documenting what I feel are security concerns not mentioned in
> RFC 4380. I hope this proves useful.
>
> http://www.ietf.org/internet-drafts/draft-hoagland-v6ops-teredosecconcerns-00.txt

Comments specific to some sections:

2.2) I do not really understand the problem statement; Teredo tunnels perform return routability checks on any incoming non-Teredo address (something, say, 6to4 does not do at all), and match incoming Teredo addresses to the underlying IPv4 address.

2.3) This is an issue indeed. But there is now strong consensus on the ipv6 WG to deprecate RH0, and require that IPv6 nodes do not process RH0 by default.

3.2) Already up Teredo clients will lose Teredo connectivity within the Teredo refresh interval + retransmission delay. That is to say typically 30+4*3=42 seconds. I feel that is not relevant compared to the lifetime of human-made firewall rulesets.

-- 
Rémi Denis-Courmont
http://www.remlab.net/