Re: Edits to Teredo Security concerns
On Thu, 05 Jul 2007 19:21:53 -0700, Jim Hoagland
<jim_hoagland@symantec.com> wrote:
>
> On 7/5/07 11:34 AM, "Suresh Krishnan" <suresh.krishnan@ericsson.com>
> wrote:
>
>> * It is easy to identify and filter Teredo packets
>> Action: I will replace section 3 with a simple way of identifying and
>> filtering Teredo as follows
>> Inbound traffic
>> ===============
>> src_port==3544 identifies Teredo packets
>>
>> Outbound traffic
>> ================
>> dest_port==3544 identifies Teredo packets
>
> This would only cover 3.2 (filtering). As this does not find content
> packets (only Teredo overhead packets), this cannot cover 3.1
> (inspection).
True. But that matters only if inspection is aimed at monitoring rather
than filtering. If port 3544 is blocked, no conforming client will ever
send outgoing or process incoming content packets.
And if that is not satisfactory, then it's all about "You cannot rely on
stateful firewalling to block tunnels", and it's not a Teredo protocol
issue.
--
Rémi Denis-Courmont
http://www.remlab.net/
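
The two checks discussed in this thread, side by side, as an added example that is not part of the original messages: the port 3544 rule from the quoted proposal, and a payload inspection that looks for an encapsulated IPv6 header carrying a Teredo address. The 2001:0000::/32 prefix and the indication layout are assumptions taken from RFC 4380, not stated in the thread; all function names are hypothetical and the sample packets are constructed.

```python
import ipaddress
import struct

TEREDO_PORT = 3544                                 # port named in the thread
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # assumption: RFC 4380 prefix

def port_rule(direction, src_port, dst_port):
    """The thread's rule: inbound src_port==3544, outbound dest_port==3544."""
    return (src_port if direction == "in" else dst_port) == TEREDO_PORT

def inner_ipv6(payload):
    """Return (src, dst) of an IPv6 packet carried in a UDP payload, else None."""
    # Assumption (RFC 4380 layout): optional authentication (0x0001) and
    # origin (0x0000) indications may precede the encapsulated IPv6 header.
    if len(payload) >= 4 and payload[:2] == b"\x00\x01":
        payload = payload[13 + payload[2] + payload[3]:]
    if payload[:2] == b"\x00\x00":
        payload = payload[8:]
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return None
    return (ipaddress.IPv6Address(payload[8:24]),
            ipaddress.IPv6Address(payload[24:40]))

def has_teredo_address(payload):
    """Inspection check: inner source or destination is a Teredo address."""
    addrs = inner_ipv6(payload)
    return addrs is not None and any(a in TEREDO_PREFIX for a in addrs)

def make_ipv6(src, dst, body=b""):
    """Build a constructed sample: bare IPv6 header, next header 59 (none)."""
    return (struct.pack("!IHBB", 0x60000000, len(body), 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + body)

# Constructed flows: (direction, src_port, dst_port, UDP payload)
SAMPLES = {
    "to_server": ("out", 51000, 3544, make_ipv6("fe80::1", "ff02::2")),
    "peer_content": ("out", 51000, 40123,
                     make_ipv6("2001:0:c000:201::1", "2001:0:c633:6401::2")),
    "dns": ("out", 51000, 53, b"\x12\x34\x01\x00" + bytes(36)),
}

def classify(name):
    """Return (matched by port rule, matched by payload inspection)."""
    direction, sport, dport, payload = SAMPLES[name]
    return port_rule(direction, sport, dport), has_teredo_address(payload)

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, classify(name))
```

On these samples the port rule matches only the packet addressed to port 3544, and the payload check matches only the peer-to-peer packet whose inner addresses fall in the Teredo prefix.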