Sounds as if there is a long list of reasons to be wary about Teredo. Here is a document from Microsoft that gives step-by-step instructions for turning it off. The story says: "With Teredo, IPv6 packets are sent as IPv4-based User Datagram Protocol messages to go through IPv4 NATs. Teredo provides IPv6 traffic with address assignment and host-to-host automatic tunneling. A network using Teredo requires Teredo clients, Teredo host-specific relays, Teredo servers and Teredo relays. ... Symantec and Ericsson security experts say they are concerned that Teredo bypasses network security through such devices as firewalls."
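The encapsulation the quoted story describes, as a monitoring point would check for it: an added example, not code from the article, Microsoft or Symantec. The 2001::/32 prefix, UDP port 3544 and the address layout come from RFC 4380 rather than this page, and the sample packet uses constructed documentation addresses.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo service prefix (RFC 4380)
TEREDO_PORT = 3544                                 # Teredo server UDP port (RFC 4380)


def decode_teredo(addr):
    """Return the IPv4 details embedded in a Teredo IPv6 address, or None."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in TEREDO_PREFIX:
        return None
    flags, port, client = struct.unpack("!HHI", addr.packed[8:16])
    return {
        "server": str(ipaddress.IPv4Address(addr.packed[4:8])),
        "flags": flags,
        "nat_port": port ^ 0xFFFF,  # mapped port is stored bit-inverted
        "nat_ip": str(ipaddress.IPv4Address(client ^ 0xFFFFFFFF)),  # so is the address
    }


def inspect_ipv4_packet(pkt):
    """Report an IPv4/UDP packet whose payload is a tunnelled IPv6 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:  # IPv4 carrying UDP only
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 48:  # needs a UDP header (8) plus an IPv6 header (40)
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    inner = pkt[ihl + 8:]
    # Packets that start with a Teredo origin/authentication indication are not handled.
    if inner[0] >> 4 != 6:
        return None
    src = ipaddress.IPv6Address(bytes(inner[8:24]))
    dst = ipaddress.IPv6Address(bytes(inner[24:40]))
    hits = {str(a): decode_teredo(a) for a in (src, dst) if a in TEREDO_PREFIX}
    if not hits and TEREDO_PORT not in (sport, dport):
        return None
    return {"udp_ports": (sport, dport), "inner_src": str(src), "inner_dst": str(dst), "teredo": hits}


def sample_packet():
    """Constructed sample: IPv4/UDP to port 3544 carrying an empty IPv6 packet."""
    src6 = ipaddress.IPv6Address("2001:0:c633:6401:8000:63bf:34ff:8ef8").packed
    dst6 = ipaddress.IPv6Address("2001:db8::1").packed
    inner = struct.pack("!IHBB", 0x60000000, 0, 59, 64) + src6 + dst6  # next header 59: none
    udp = struct.pack("!HHHH", 40000, TEREDO_PORT, 8 + len(inner), 0)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(inner), 0, 0, 64, 17, 0,
                      bytes([192, 168, 1, 10]), bytes([198, 51, 100, 1]))  # checksum left 0
    return ip4 + udp + inner
```

A firewall or IDS that only inspects the outer IPv4/UDP header sees an ordinary datagram here; the IPv6 source and destination become visible only once the UDP payload is parsed.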
The Microsoft Subnet blog is the official blog of the Network World's Microsoft Subnet community, managed by editor Julie Bort. Microsoft Subnet is the independent voice of Microsoft customers and is your gateway to daily Microsoft news, blogs, opinion, books, prize giveaways and more. Visit the Microsoft Subnet index page daily, and while you are there, subscribe to the Microsoft newsletter. The newsletter includes news generated by the Microsoft Subnet community as well as other Microsoft news stories published by Network World.
These are flaws in the IETF standard and not in Vista
There seems nothing specific about Vista Teredo implementation here. All the issues mentioned are "by design" of the standard which, ironically, is ratified by IETF. Why, then, does the heading attempt to point at Vista? Just to sensationalize? Not many people would care to read "Teredo standard definition issues" but everyone would pay, at least cursory, attention to anything sensitive about Vista. Cheap tactics.
Flaw in how Microsoft Spec'ed Teredo
All,
Actually there are two problems. The first is that RFC 4380, written by C. Huitema from Microsoft, has design flaws as noted by the news item above.
The second problem is implementation. At BlackHat 2007, Jim Hoagland spoke on "Vista Network Attack Surface Analysis and Teredo Security Implications" (https://www.blackhat.com/presentations/bh-usa-07/Hoagland/Presentation/bh-usa-07-Hoagland.pdf).
In that talk, he discussed that the testing performed demonstrated that the implementation of Teredo in Vista was in fact not to RFC 4380 spec. In addition, he discovered several interesting security flaws in that implementation. The flaws included: the ability to more easily identify a specific endpoint, endpoints allowing scanning and inbound traffic, Teredo bypassing the host firewall, and the random number generator not always working.
Please note, there is no published document with the same security study performed on XP, 2000 or Miredo, the Linux/BSD implementation of Teredo.
Lastly, Teredo has its place and value. When used in a home/coffee shop/hotel environment, it works great. But, it should never be used in an enterprise.
Microsoft Glut at its best.
Why in the world would the software giant enable an IPv6 feature at this point in time by default? Who in Redmond is smoking what??? I am certain that Mr. and Mrs. Joe America are hopping right on the IPv6 over IPv4 train as it comes down the track. The same people who cannot get wireless to work are now the tech gurus of the day, using the bright shiny new protocol. Come on Microsoft, the issue is not Potato security....oops Teredo security, it is applicability. No wonder Vista runs so slow.
Microsoft's response
Microsoft provided us with this response to the Teredo report:
It is our understanding that the Symantec report is not final yet, and we are providing the company with our feedback. To be clear, Teredo is primarily designed for consumers to provide global IPv6 connectivity over the Internet and enable peer to peer applications, such as Windows Meeting Space over Internet, Skype, Bit-torrent, etc., that might be blocked by the NAT function of home routers. Teredo provides a way for these applications to communicate over the internet without having to do special router configuration. Teredo gets disabled automatically for enterprises when a domain environment is detected. For enterprises, there are more business-focused IPv6 transition technologies available from Microsoft and other network vendors, including 6to4 and ISATAP that enable enterprises to deploy IPv6 over current IPv4 networks. More information on these technologies can be found at http://www.microsoft.com/technet/network/ipv6/ipv6coexist.mspx .
lan on internet
Technology is a double-edged sword. Check this application: it uses Teredo to connect two or more PCs peer to peer safely over the Internet. This application disables Teredo after usage. Only a person with the invitation file can access the inviter's system. http://www.lanoninternet.com
Please read the below, as it answers all of the questions raised
Please read the below, as it answers all of the questions raised in the above article.
http://blogs.technet.com/ipv6/archive/2007/12/14/teredo-in-windows-vista-designed-with-security-in-mind.aspx