RE: Edits to Teredo Security concerns
I have been away from e-mail for the past week, but my
initial reaction is that perhaps some of the concerns are
already addressed in scenario/analysis documents published
by this wg, e.g., RFCs 3750, 3904, 4057, and 4852. (Also,
RFC 4864 - Local Network Protection for IPv6.) I was under
the impression that these documents already clarify use
cases and address security concerns?
Thanks - Fred
fred.l.templin@boeing.com
> -----Original Message-----
> From: Christian Huitema [mailto:huitema@windows.microsoft.com]
> Sent: Sunday, July 08, 2007 5:07 PM
> To: Rémi Denis-Courmont; JimHoagland; Suresh Krishnan;
> v6ops@ops.ietf.org
> Subject: RE: Edits to Teredo Security concerns
>
> > > I think perhaps I should say what the goal is with inspection: to
> > > be able to apply the same content inspection as is done for native
> > > IPv4 or IPv6 to Teredo. This content inspection could be done in a
> > > firewall, IDS, router, etc. Content in this case meaning the layer
> > > 3+ part of the communication (as opposed to tunnel overhead).
> > >
> > > This inspection requires the ability to find the content. That is
> > > straightforward for native IPv4 or IPv6, but is expensive to do for
> > > Teredo tunneled content.
> >
> > Thanks for the clarification. I think my confusion is a testimony to
> > the need to clarify the document anyway.
>
> If an organization wants to provide IPv6 connectivity while
> monitoring the IPv6 traffic, then Teredo is definitely not
> the right tool. As you note, the best way to achieve that is
> to provide native IPv6 connectivity. If the organization's
> internal network cannot be upgraded to support native IPv6,
> then it should consider other transition technologies like
> ISATAP, rather than Teredo.
>
> -- Christian Huitema