Re: [secdir] SECDIR review: draft-ietf-v6ops-tunnel-concerns
On 2008-11-05 02:29, Sam Hartman wrote:
>>>>>> "Brian" == Brian E Carpenter <brian.e.carpenter@gmail.com> writes:
> >> Operating a Teredo server on site does not help unfortunately.
> >>
> >> It helps an administrator filter outbound packets when sent to
> >> an IPv6 address outside 2001::/32. It does not help an
> >> administrator filter inbound packets, or packets to/from other
> >> Teredo hosts.
>
> Brian> As far as I can see, there's a general problem in
> Brian> attempting to detect and block Teredo packets (I mean
> Brian> UDP/IPv4 packets in Teredo format). But it seems to me that
> Brian> by running an internal Teredo server, a site is much better
> Brian> placed to track and trace Teredo users. This is important
> Brian> as Teredo users really need to be running an IPv6-savvy
> Brian> host firewall.
>
> Only if you can convince the users to use that teredo server rather
> than say the teredo server that is configured by default in their OS.
Agreed, most users will not spontaneously type
netsh interface ipv6 set teredo server foobar.
You could inject a /32 route into the local IGP.
> Unfortunately, by the time you've already reconfigured the computer
> you are probably in a position to either disable Teredo if you don't
> like it or install a reasonable firewall.
Agreed, for sites where the management has that much control
over hosts.
Brian
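An added illustration of the detection problem discussed above, not part of the original thread: a classifier that recognises UDP/IPv4 payloads in Teredo format by their content alone (not by UDP port, which clients pick arbitrarily), sorts them into the three cases from the quoted text (outbound to a native address, inbound, Teredo-to-Teredo), and unpacks the Teredo address fields that let an administrator see which server a client is using. Addresses, the sample client and the helper names are constructed for this example using documentation IP ranges; header layouts follow RFC 4380.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # Teredo service prefix (RFC 4380)

def strip_teredo_headers(payload: bytes) -> bytes:
    """Drop the optional authentication (0x0001) and origin indication (0x0000) headers."""
    if len(payload) >= 13 and payload[:2] == b"\x00\x01":
        id_len, au_len = payload[2], payload[3]
        payload = payload[4 + id_len + au_len + 9:]   # client id, auth value, nonce(8), confirm(1)
    if len(payload) >= 8 and payload[:2] == b"\x00\x00":
        payload = payload[8:]                          # origin indication is a fixed 8 bytes
    return payload

def parse_teredo(payload: bytes):
    """Return the inner (src, dst) if the UDP payload is an IPv6 packet involving a Teredo
    address, else None. UDP ports are ignored on purpose: only the payload format is usable."""
    inner = strip_teredo_headers(payload)
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    src, dst = ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])
    return (src, dst) if src in TEREDO_PREFIX or dst in TEREDO_PREFIX else None

def teredo_fields(addr):
    """Unpack a Teredo address (str or IPv6Address): server IPv4 (bits 32-63), then the
    client's external UDP port and IPv4, stored XORed with all-ones (RFC 4380 section 4)."""
    raw = ipaddress.IPv6Address(addr).packed
    server = ipaddress.IPv4Address(raw[4:8])
    port = struct.unpack("!H", raw[10:12])[0] ^ 0xFFFF
    client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
    return server, port, client

def classify(payload: bytes, direction: str) -> str:
    """Map a packet to one of the three cases in the thread; direction is 'in' or 'out'."""
    parsed = parse_teredo(payload)
    if parsed is None:
        return "not-teredo"
    src, dst = parsed
    if src in TEREDO_PREFIX and dst in TEREDO_PREFIX:
        return "teredo-to-teredo"        # peer-to-peer, passes through neither side's server
    return "outbound-to-native" if direction == "out" else "inbound"

def build_ipv6(src: str, dst: str) -> bytes:
    """Constructed sample: a bare IPv6 header (next header 59 = none) as a Teredo UDP payload."""
    hdr = struct.pack("!IHBB", 6 << 28, 0, 59, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed

# Constructed Teredo client address: server 192.0.2.1, external port 40000, client 198.51.100.7
SAMPLE_CLIENT = "2001:0:c000:201:8000:63bf:39cc:9bf8"
```

Running `teredo_fields(SAMPLE_CLIENT)` yields the server address 192.0.2.1, which is exactly the field an administrator would compare against the site's own server to see whether a host was reconfigured or is still using the OS default.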