RE: New I-D: Teredo Security Concerns Beyond What Is In RFC 4380
> > There is something terribly wrong if one tries to use Teredo in a
> > typical controlled corporate network. Teredo is not an "internal"
> > transition mechanism; IETF has specified ISATAP for that purpose.
>
> Yes. That's why there is a security concern that Teredo might be
> used to escape policy enforcement at the network perimeter. This
> draft explains how traffic in Teredo tunnels can be made subject to
> the same policy enforcement as everything else. That's a good thing,
> isn't it?
Frankly, I am not really concerned that someone will use Teredo to
"escape policy enforcement" in a managed network. Teredo has a very
visible signature, using a fixed port for its signaling traffic.
Firewalls can very easily control that. If I want to escape the local
policy, I would much rather use some less visible tunnel solution, e.g.
tunneling IP over some random UDP port.
-- Christian Huitema
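As an added example (not part of this message or of RFC 4380), a small Python classifier that shows the fixed-port signature described above beside two heuristics a perimeter filter could add: the Teredo address prefix inside the tunnelled IPv6 header, and plain IPv6-over-UDP on an arbitrary port. UDP port 3544 and the 2001::/32 prefix are the values RFC 4380 assigns; the datagrams are constructed samples and the addresses in them are not real Teredo-formatted addresses.

```python
import ipaddress
import struct

# Teredo clients talk to their server on UDP port 3544 (RFC 4380) and use
# addresses from 2001::/32; both are stable signatures a filter can match.
TEREDO_PORT = 3544
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")


def build_ipv6_in_udp(sport, dport, src, dst, inner=b"\x00" * 8):
    """Construct a UDP datagram carrying a minimal IPv6 packet (sample input)."""
    # version 6, payload length, next header 59 (no next header), hop limit 64
    v6 = struct.pack("!IHBB", 6 << 28, len(inner), 59, 64)
    v6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + inner
    return struct.pack("!HHHH", sport, dport, 8 + len(v6), 0) + v6


def looks_like_ipv6(payload):
    """Heuristic: 40-byte IPv6 header, version nibble 6, payload length consistent."""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return False
    return struct.unpack("!H", payload[4:6])[0] == len(payload) - 40


def classify(datagram):
    """Label one UDP datagram (UDP header + payload, no outer IPv4 header)."""
    if len(datagram) < 8:
        return "malformed"
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        return "malformed"
    payload = datagram[8:]
    if TEREDO_PORT in (sport, dport):
        return "teredo-signaling"   # fixed port: a plain port rule catches it
    if looks_like_ipv6(payload):
        src, dst = ipaddress.IPv6Address(payload[8:24]), ipaddress.IPv6Address(payload[24:40])
        if src in TEREDO_PREFIX or dst in TEREDO_PREFIX:
            return "teredo-data"    # Teredo prefix on a NAT-assigned client port
        return "ipv6-over-udp"      # ad hoc tunnel on a random port: port rule misses it
    return "other-udp"


# Constructed samples: client-to-server signaling, client data, and an ad hoc tunnel.
SAMPLES = {
    "signaling": build_ipv6_in_udp(40123, 3544, "2001:0:c000:2::1", "2001:0:c000:2::2"),
    "data": build_ipv6_in_udp(40123, 51234, "2001:0:c000:2::1", "2001:db8::1"),
    "adhoc": build_ipv6_in_udp(40123, 51234, "2001:db8::1", "2001:db8::2"),
}

if __name__ == "__main__":
    for name, dgram in SAMPLES.items():
        print(name, classify(dgram))
```

The "adhoc" case is the point of the message: once the tunnel uses a random port, only payload inspection (and nothing at all, if the inner traffic is encrypted) distinguishes it from ordinary UDP.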