Teredo only used as last resort after IPv4 (Was: ipv6-ops Digest, Vol 25, Issue 9)

Jeroen Massar jeroen at unfix.org
Mon Apr 9 21:54:56 CEST 2007

Andrius Kazimieras Kasparavic wrote:
> Jeroen Massar wrote:
>> Great that their network is large enough to DDoS *OTHER* sites indeed.
>> Maybe they should then kick those people to educate themselves.
>> Please point them at amongst others:
>> http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf
>> http://csrc.nist.gov/fasp/FASPDocs/network-security/NISTSecuringDNS.htm
>> and there are a variety of other documents explaining the problem.
> 80% are still open, including i.e. ns[x].easynet.co.uk, let alone
> http://www.opendns.com/ . Will single closures save the internet? Maybe
> RIRs should scan their subnets now and again for open proxy/dns,
> or/and ISPs redirect dns traffic locally including setting up local
> root mirrors.  But that is offtopic afaik.

OpenDNS is supposed to be open, and the folks there claim to have
implemented a method to avoid recursion attacks being made possible.

As for Easynet... spam to the people there is underway :)

Maybe time to raise this one on Nanog again.

> Actually it works on WXP, but not on WV, as by
> http://msdn2.microsoft.com/en-us/library/aa965910.aspx:
> that would mean, that unless application insists AAAA, windows will not
> try to use teredo at all.. ? Both IE7 and FF2 on WV do not open your
> URL provided.

If www.ipv6.sixxs.net is not opened and you are sure that you are
supposed to have any kind of IPv6 connectivity then there definitely is
another issue at hand that you will need to debug. Try using
ping6/tracert6/wireshark to determine what is going on and what is not.

Btw that text might mean that only applications using WSAConnectByName()
will have this behavior, depending on patch level. The big question is,
if this convention is also followed by a getaddrinfo() and a later
connect(), which is what most cross-platform applications use as they
simply use the BSD socket API and not the WSA functions that are
Windows-specific. I would not be totally surprised if WSAConnectByName()
actually calls getaddrinfo() and connect() internally though; also, if
done correctly, the policy tables do apply to all functions and then
Teredo will always lose out unless the application itself does
reordering or separate getaddrinfo() calls etc.

Anyone know the definitive answer to that?
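
The policy-table ordering discussed above, as an added example that is not part of the original post: a Python sketch of destination sorting using the RFC 6724 default policy table (an assumption; no Windows version's actual table was checked) and only rules 5 (matching label) and 6 (precedence). All addresses are constructed samples.

```python
import ipaddress

# Default policy table from RFC 6724 section 2.1: (prefix, precedence, label).
# Assumption: a real host may ship or configure a different table.
POLICY = [(ipaddress.ip_network(p), prec, label) for p, prec, label in [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
]]

def as_v6(addr):
    """Return an IPv6Address; IPv4 is represented as IPv4-mapped (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address((0xFFFF << 32) | int(ip))
    return ip

def classify(addr):
    """Longest-prefix match against the policy table; returns (precedence, label)."""
    ip = as_v6(addr)
    _, prec, label = max((e for e in POLICY if ip in e[0]),
                         key=lambda e: e[0].prefixlen)
    return prec, label

def sort_destinations(pairs):
    """pairs: (destination, source address the stack would use to reach it).
    Rule 5: prefer destinations whose label matches the source label.
    Rule 6: then prefer higher destination precedence.
    sorted() is stable, so ties keep the resolver's order."""
    def key(pair):
        dst, src = pair
        d_prec, d_label = classify(dst)
        _, s_label = classify(src)
        return (d_label != s_label, -d_prec)
    return [dst for dst, _ in sorted(pairs, key=key)]

# Constructed samples: one native IPv6 destination, one IPv4 destination.
TEREDO_SRC = "2001:0:c000:201::1"   # inside 2001::/32 (Teredo), label 5
NATIVE_SRC = "2001:db8:1::7"        # falls under ::/0, label 1
V4_SRC = "198.51.100.7"

def teredo_only_host():
    return sort_destinations([("2001:db8::80", TEREDO_SRC), ("192.0.2.80", V4_SRC)])

def native_v6_host():
    return sort_destinations([("2001:db8::80", NATIVE_SRC), ("192.0.2.80", V4_SRC)])

if __name__ == "__main__":
    print("Teredo-only host tries:", teredo_only_host())
    print("Native IPv6 host tries:", native_v6_host())
```

With a Teredo source the label mismatch (5 versus 1) pushes the AAAA destination behind the A record, which is the "Teredo loses out" outcome; whether a given resolver call applies this ordering is the open question in the post.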

