On killing IPv6 transition mechanisms

Gert Doering gert at space.net
Fri Mar 19 22:31:25 CET 2010


On Fri, Mar 19, 2010 at 02:15:33PM -0400, John Payne wrote:
> > "From Microsoft's perspective, IPv6 is a mandatory part of the Windows
> > operating system [...] Therefore, Microsoft recommends that you leave
> > IPv6 enabled, even if you do not have an IPv6-enabled network, either
> > native or tunneled."
> Unfortunately, read this from an enterprise security perspective.   
> Home group I do not care about.
> DirectAccess == "Please put my enterprise security 100% in the hands of my Windows Admins"

No need to use DirectAccess (and *that* can be turned off just fine, 
or specifically, not installed in the first place).

But given the sad state of "commercial VPN clients on client OSes", I
rather like DirectAccess.  (Note that there is nothing that prevents
putting the DA Server in a well-controlled firewall DMZ zone, and
have IPv6 firewalling in place between the DA server and the rest of
the enterprise network).

> Teredo == "Please disregard any access controls I have in place at my network perimeter"

Teredo can be turned off as well.

The point is: IPv6 in Windows Land is there to stay.  So for a prudent
enterprise network admin, the way forward is: accept life, accept IPv6,
and integrate it in your security concepts.  Turn off Teredo and 6to4 
on the machines, give them native IPv6, and control native IPv6 on the
firewalls the same way IPv4 is controlled.

If said network admin chooses to ignore IPv6, and pretend it doesn't
exist, Teredo etc. are going to bite him in the back side.

Gert Doering
        -- NetMaster
Total number of prefixes smaller than registry allocations:  150584

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
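
Added example, not part of the original post: one way to check that Teredo and 6to4 really are off on the machines, as the message recommends, is to audit flow records for the two mechanisms' signatures (UDP port 3544 and IP protocol 41 on the IPv4 side, the 2001::/32 and 2002::/16 prefixes on the IPv6 side). The record layout (src,dst,proto,dport) and the sample flows are constructed for illustration.

```python
import csv
import io
import ipaddress

TEREDO_UDP_PORT = 3544  # Teredo server port (RFC 4380)
PROTO_41 = 41           # IPv6-in-IPv4 encapsulation, used by 6to4

# Constructed sample flow records (assumed layout): src,dst,proto,dport
SAMPLE_FLOWS = """\
10.1.2.15,198.51.100.1,17,3544
10.1.2.20,192.88.99.1,41,0
10.1.2.30,203.0.113.9,6,443
2001:0:c633:6401:8000:63bf:3fff:fdd2,2001:db8::10,6,443
2002:c000:204::1,2001:db8::10,6,80
2001:db8:a::5,2001:db8::10,6,443
"""

def classify(src, proto, dport):
    """Return a finding string if the flow uses a transition mechanism, else None."""
    ip = ipaddress.ip_address(src)
    if ip.version == 4:
        # On the IPv4 perimeter the tunnels show up as ordinary UDP or proto 41.
        if proto == 17 and dport == TEREDO_UDP_PORT:
            return "teredo-tunnel"
        if proto == PROTO_41:
            return "proto41-tunnel"
        return None
    # On the IPv6 side the mechanism is visible in the source prefix itself.
    if ip.teredo is not None:            # 2001::/32
        server, client = ip.teredo       # embedded Teredo server / client NAT address
        return f"teredo-address server={server} client={client}"
    if ip.sixtofour is not None:         # 2002::/16
        return f"6to4-address ipv4={ip.sixtofour}"
    return None                          # native (or other) IPv6

def audit(text):
    """Return [(src, finding)] for every flow that uses Teredo or 6to4."""
    findings = []
    for src, dst, proto, dport in csv.reader(io.StringIO(text)):
        verdict = classify(src, int(proto), int(dport))
        if verdict:
            findings.append((src, verdict))
    return findings

if __name__ == "__main__":
    for src, verdict in audit(SAMPLE_FLOWS):
        print(f"{src:40} {verdict}")
```
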