Teredo only used as last resort after IPv4 (Was: ipv6-ops
Digest, Vol 25, Issue 9)
Jeroen Massar
jeroen at unfix.org
Mon Apr 9 16:24:06 CEST 2007
Andrius Kazimieras Kasparavic wrote:
> Jeroen Massar wrote:
>> For BBC folks and people who know how to get to them:
>>
>> Does anybody have a contact at the BBC who can disable that open
>> recursive DNS server (212.58.224.21)? Some nice DDoS attacks can be done
>> with it. CC'ing their abuse@ just in case. Please close it up and
>> restrict it only for your OWN customers usage. Thank you.
>>
> Couple weeks ago I have been there in Maiden H. talking to one of their
> technology managers mentioned that, but they however been convinced that
> their cluster is large enough to deal with the possible problem. Maybe
> they are still considering that suggestion.. otherwise, you never know
> what technology and products stay behind the scene.
>
> BBC's network is outsourced to Siemens BS since 2004.
Great that their network is large enough to DDoS *OTHER* sites indeed.
Maybe they should then kick those people to educate themselves.
Please point them at amongst others:
http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf
http://csrc.nist.gov/fasp/FASPDocs/network-security/NISTSecuringDNS.htm
and there are a variety of other documents explaining the problem.
>> When you have native or tunneled IPv6 connectivity thatwill be
>> preferred. See the discussion on Teredo from last week or so.
>>
>> If you try www.ipv6.sixxs.net, which only has a IPv6 address, then you
>> should be reaching it using IPv6.
>>
>
> that works, thanks!
[..]
> <http://www.microsoft.com/technet/community/columns/cableguy/cg0206.mspx>,
> the February 2006 The Cable Guy article.
Which is an old article from a year ago before they changed this.
[..]
> Enabling IPv6 by default and preferring of IPv6 traffic does not impair
> IPv4 connectivity. For example, on networks without IPv6 records in the
> DNS infrastructure, communications using IPv6 addresses are not
> attempted unless the user or application specifies the destination IPv6
> address.
The reasoning that M$ used is very valid: Native IPv4 outperforms
Teredo'd IPv6 always. Thus when IPv4 is possible, use that.
Any serious person requiring IPv6 connectivity will get IPv6 from a
direct upstream provider, be it native or a tunnel, and won't be using
mechanisms like 6to4 or Teredo which are very difficult to debug (due to
their anycast and p2p designs) and for the latter causing a lot of
overhead and latency as most of the time one is sending packets over a
far-far-away relay, next to one not even knowing what the path might be
at all, let alone being able to figure it out.
Greets,
Jeroen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 311 bytes
Desc: OpenPGP digital signature
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20070409/d1bcda80/signature.bin
More information about the ipv6-ops
mailing list