On Friday 1 June 2007, james woodyatt wrote:
> I think the worry here is about the Teredo implementations that might
> be integrated into malware for the purpose of escaping network
> perimeter policy enforcement. In particular, I'd think that
> enterprises interested in controlling Skype would be concerned that
> Teredo might present an otherwise uncontrolled communication vector.

I respectfully disagree. There is no concern that Teredo might be integrated or implemented by malware. If there is a concern, it might be that it might be enabled by default in Vista^Wsome hosts within a managed network.

There is something terribly wrong with a managed network that:
- allows its users to upgrade to Vista unsupervised and/or without ensuring that Teredo is blocked; OR
- relies on NAT for perimeter security.

You are blaming Teredo instead of the poorly managed network here. Besides, as you say, it's not like there's not already Skype and other P2P protocols that have already broken out of such network perimeters, and are much more firewall-unfriendly.

Now back to the malware issue, take a network that can be "broken out of" with Teredo today. Disable every single Teredo client, relay and server on the whole Internet tomorrow. The only difference for a malware in that network tomorrow will be that it cannot contact a native IPv6 host directly. Any host that was reachable yesterday, including any public IPv4 host, is still reachable without Teredo, and any other NATed malware host can still use a similar hole punching mechanism.

I doubt the native IPv6 reachability is much of a problem for malware authors.

-- 
Rémi Denis-Courmont
http://www.remlab.net/