
Re: New I-D: Teredo Security Concerns Beyond What Is In RFC 4380



For me the point is that if you have a managed network and a managed border
firewall, you either block the Teredo UDP port and set up native IPv6, or maybe
allow Teredo until you can deploy IPv6.

And if you want to go further, as the network is managed, maybe you want to
change the policy on all the hosts in order to disable Teredo.

So Teredo is really used for what it is designed for: just a transition
mechanism, nothing else.

Regards,
Jordi




> From: james woodyatt <jhw@apple.com>
> Reply-To: <owner-v6ops@ops.ietf.org>
> Date: Mon, 4 Jun 2007 11:32:54 -0700
> To: V6OPS WG <v6ops@ops.ietf.org>
> Subject: Re: New I-D: Teredo Security Concerns Beyond What Is In RFC 4380
> 
> On Jun 4, 2007, at 09:51, Templin, Fred L wrote:
>> From: JORDI PALET MARTINEZ [mailto:jordi.palet@consulintel.es]
>>> From Rémi Denis-Courmont <rdenis@simphalempin.com>
>>>> On Friday 1 June 2007, james woodyatt wrote:
>>>>> 
>>>>> I think the worry here is about the Teredo implementations that
>>>>> might be integrated into malware for the purpose of escaping
>>>>> network perimeter policy enforcement.  In particular, I'd think
>>>>> that enterprises interested in controlling Skype would be
>>>>> concerned that Teredo might present an otherwise uncontrolled
>>>>> communication vector.
>>>> 
>>>> I respectfully disagree. [...] You are blaming Teredo instead of
>>>> the poorly managed network here.
>>> 
>>> Fully agree.  It is a matter of properly managing a "managed
>>> network".
>> 
>> I agree with this too, [...]
> 
> I should have mentioned that I didn't think security was a
> particularly important concern here.  As an implementor of security
> capabilities, my objectives are to stay current with best current
> practice.  My impression is that "best" remains an open topic of
> discussion.  I'm getting buffeted from both sides on this topic, and
> I don't want to hold myself out as an expert on security mechanisms.
> 
> My main concern with Teredo is trying to keep it from being anything
> more than a transition mechanism.  To that end, I'm very sensitive to
> any cases where security perimeter enforcement makes the utility of
> Teredo higher from the perspective of an end user than the use of
> native IPv6, where both are available.  If Teredo is a method for
> bypassing security policies at firewalls, then Teredo becomes more
> than merely a transition mechanism.  No?
> 
> 
> --
> james woodyatt <jhw@apple.com>
> member of technical staff, communications engineering
> 
> 
> 



