RE: Teredo and 'firewalls' (Re: Comcast enables 6to4 relays)

2010-08-31 Thread Sean Siler
1. I completely agree with Jeroen 
2. Jack, if you have specific concerns that Jeroen hasn't answered, feel free 
to ping me off line. I own Teredo in Windows.

Sean from M$

-Original Message-
From: Jeroen Massar [mailto:jer...@unfix.org] 
Sent: Tuesday, August 31, 2010 10:40 AM
To: Jack Bates
Cc: NANOG
Subject: Re: Teredo and 'firewalls' (Re: Comcast enables 6to4 relays)

On 2010-08-31 19:32, Jack Bates wrote:
> Jeroen Massar wrote:
>
>> If you have one person setting up ICS on their machine and they have 
>> enabled IPv6 voila the whole network gets IPv6, that thus does not 
>> solve your problem either. Or are you monitoring IPv6 RAs etc?
>
> Setting up ICS with IPv6 is user knowledge in my opinion. In addition, 
> the ICS will handle the firewall rules unless the user chooses to turn 
> it off.
>
>> I think you have to move to better analyzing & monitoring your 
>> network and more control over the hosts which participate in that network.
>
> My concern is as an ISP that has customers who are unaware that their 
> little routers aren't filtering all of their packets. There are a 
> million ways they might get infected or have security problems. 
> However, teredo is obviously a circumvention of protection they 
> *think* they have.

There is no circumvention here. Teredo is the same as having a P2P app (take 
Skype as a random example) that connects to an outside host and uses that to 
relay messages to something else. Allowing outside hosts to use that network to 
connect to your inbound host.

Teredo does not enable more inbound connections than before, unless an app 
supports IPv6, but then that app was installed by the user thus they want it to 
run.

Also note that XP/2k3/Vista/Seven/2k8 all have firewalls per default that 
support IPv6 and that handle IPv4 and IPv6 exactly the same: ask the user with 
an annoying popup. Vista/Seven/2k8 even (can) do that for outbound connections.


The only thing you can do to help your users is to provide them with proper 
education and to explain them to keep up to date and run the right tools and 
not click anywhere they can and that is a mission which is near impossible.

Teredo though is far from your worst worry. Just check how many Teredo, or 
heck, IPv6 related infections you have and how many you have who have 
autodialers and the gazillion of other botnets on their hosts.

You can sleep very tight over your perceived Teredo problem ;)

Greets,
 Jeroen
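
Added example, not part of the original messages: one way to "check how many Teredo" hosts show up in your own logs is to decode the Teredo addresses you see back to the public IPv4 address and mapped UDP port behind them, using the RFC 4380 address layout. The sample addresses are constructed from documentation ranges, and the function names are illustrative.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo service prefix (RFC 4380)

# Constructed sample: IPv6 source addresses as they might appear in a log.
# All embedded IPv4 addresses come from documentation ranges.
SAMPLE_SOURCES = [
    "2001:0:c000:201:8000:63bf:39cc:9bf8",  # Teredo, cone flag set
    "2001:0:c000:201:0:38c7:34ff:8ef6",     # Teredo, cone flag clear
    "2001:db8::1",                          # native IPv6, not Teredo
    "2002:c000:201::1",                     # 6to4, not Teredo
]


def decode_teredo(text):
    """Return the fields embedded in a Teredo address, or None if not Teredo."""
    addr = ipaddress.IPv6Address(text)
    if addr not in TEREDO_PREFIX:
        return None
    raw = int(addr)
    return {
        # bits 32-63: IPv4 address of the Teredo server the client uses
        "server": str(ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)),
        # bits 64-79: flags; the top bit marks a cone NAT
        "cone": bool((raw >> 48) & 0x8000),
        # bits 80-95: NAT-mapped UDP port, stored with every bit inverted
        "nat_port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,
        # bits 96-127: NAT public IPv4 address, stored with every bit inverted
        "nat_ipv4": str(ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def teredo_hosts(sources):
    """Map each public IPv4 address seen behind Teredo to its mapped ports."""
    hosts = {}
    for text in sources:
        fields = decode_teredo(text)
        if fields is not None:
            hosts.setdefault(fields["nat_ipv4"], set()).add(fields["nat_port"])
    return hosts


if __name__ == "__main__":
    for ipv4, ports in sorted(teredo_hosts(SAMPLE_SOURCES).items()):
        print(ipv4, sorted(ports))
```

The decoded public IPv4 addresses can then be compared against whatever infection or abuse data you already keep per customer address.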




RE: IPv6 consumer perception

2010-06-18 Thread Sean Siler
I'd really like to talk to the guy who presented this. Does anyone happen to 
have a contact for him? Feel free to send it privately if you do.

Sean



-Original Message-
From: Marco Hogewoning [mailto:mar...@marcoh.net] 
Sent: Friday, June 18, 2010 10:48 AM
To: na...@merit.edu
Subject: Re: IPv6 consumer perception


On 18 jun 2010, at 18:04, Zed Usser wrote:

> With marketing campaigns like these, no consumer will want to use IPv6, if it 
> becomes associated with privacy problems.
>
> http://torrentfreak.com/huge-security-flaw-makes-vpns-useless-for-bittorrent-100617/
>
> It is, of course, totally irrelevant whether the reporting is factually 
> correct or even based on real IPv6 issues or not, this is how public opinion 
> is formed. 
>
> The only takeaway from this to a non-technical user is that IPv6 is bad and 
> the correct solution is to turn it off.


Why do people still think consumers 'want IPv6'? They want IPv6 as much as they 
want IPv4. They don't know what an IP address is, let alone will grasp the 
whole idea there are 2 kinds.

All they want is their googles, facebooks, twitters and the occasional download 
to work (of course nobody would admit to filesharing). And it's our job to make 
it so, whether it's via IPv6 or CGN. In the end they won't have much choice and 
if we do our jobs correctly, 95 % of them won't even notice.

Just my 2 cents,

MarcoH






RE: SLAAC(autoconfig) vs DHCPv6

2008-08-18 Thread Sean Siler
Nope. XP does not support DHCPv6 - only Vista/Windows Server 2008 (and later) 
can do that.

Sean

-Original Message-
From: TJ [mailto:[EMAIL PROTECTED]
Sent: Monday, August 18, 2008 2:42 PM
To: [EMAIL PROTECTED]
Subject: RE: SLAAC(autoconfig) vs DHCPv6

-Original Message-
From: Charles Wyble [mailto:[EMAIL PROTECTED]
Sent: Monday, August 18, 2008 5:28 PM
To: [EMAIL PROTECTED]
Subject: Re: SLAAC(autoconfig) vs DHCPv6

Iljitsch van Beijnum wrote:
> On 18 aug 2008, at 22:23, Dale W. Carder wrote:
>
>> DHCPv6
>> - doesn't ship w/ some OS's
>
> Forget about it on XP,

Hmmm. MS says otherwise:
http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx

Did you see somewhere on that site, that WinXP does DHCPv6?
I don't.  And it would be wrong, to boot.
(Not just IPv6 support - that is one simple command ...)


> but it's in Vista. You can add it to BSD/Linux without too much
> trouble (are there good, bugfree implementations for those yet?)

Bugfree? Nothing is bugfree :)
> but Mac is a problem for prospective DHCPv6 users because the network
> configuration mechanisms are fairly proprietary and DHCPv6 isn't
> likely to be supported any time soon.

H. I have yet to play with the Mac Ipv6 support (typing this on a Mac
now I should try in my lab later). What auto configuration mechanisms are
you referring to? Bonjour? Isn't there an RFC or two for Zeroconf?

No, I believe he is referring to the actual network configuration.
Not the (almost) automatic/automated service/device discovery ...



--
Charles Wyble (818) 280 - 7059

/TJ






RE: SLAAC(autoconfig) vs DHCPv6

2008-08-18 Thread Sean Siler
Yep - absolutely.  I was referring to built-in support from the stack.

Dibbler is the primary third party provider we have seen for DHCPv6 support on 
downlevel clients.


Sean

-Original Message-
From: Charles Wyble [mailto:[EMAIL PROTECTED]
Sent: Monday, August 18, 2008 2:55 PM
To: [EMAIL PROTECTED]
Subject: Re: SLAAC(autoconfig) vs DHCPv6

Sean Siler wrote:
> Nope. XP does not support DHCPv6 - only Vista/Windows Server 2008 (and later) 
> can do that.
>
> Sean
http://internecine.eu/systems/windows_xp-ipv6.html and
http://internecine.eu/software/dibbler_dhcpv6.html discuss how to deploy
dhcpv6 on xp. It's 3rd party but doable.