Re: New I-D: Teredo Security Concerns Beyond What Is In RFC 4380



On Jun 4, 2007, at 09:51, Templin, Fred L wrote:
> From: JORDI PALET MARTINEZ [mailto:jordi.palet@consulintel.es]
>> From Rémi Denis-Courmont <rdenis@simphalempin.com>
>>> On Friday 1 June 2007, james woodyatt wrote:
>>>> I think the worry here is about the Teredo implementations that
>>>> might be integrated into malware for the purpose of escaping
>>>> network perimeter policy enforcement.  In particular, I'd think
>>>> that enterprises interested in controlling Skype would be
>>>> concerned that Teredo might present an otherwise uncontrolled
>>>> communication vector.
>>> I respectfully disagree. [...] You are blaming Teredo instead of
>>> the poorly managed network here.
>> Fully agree.  It is a matter of properly managing a "managed
>> network".
> I agree with this too, [...]

I should have mentioned that I didn't think security was a  
particularly important concern here.  As an implementor of security  
capabilities, my objectives are to stay current with best current  
practice.  My impression is that "best" remains an open topic of  
discussion.  I'm getting buffeted from both sides on this topic, and  
I don't want to hold myself out as an expert on security mechanisms.
My main concern with Teredo is trying to keep it from being anything
more than a transition mechanism.  To that end, I'm very sensitive to
any cases where security perimeter enforcement makes the utility of  
Teredo higher from the perspective of an end user than the use of  
native IPv6, where both are available.  If Teredo is a method for  
bypassing security policies at firewalls, then Teredo becomes more  
than merely a transition mechanism.  No?

--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering