On killing IPv6 transition mechanisms
John Payne
john at sackheads.org
Fri Mar 19 22:46:38 CET 2010
On Mar 19, 2010, at 5:31 PM, Gert Doering wrote:
> Hi,
>
> On Fri, Mar 19, 2010 at 02:15:33PM -0400, John Payne wrote:
>>> "From Microsoft's perspective, IPv6 is a mandatory part of the Windows
>>> operating system [...] Therefore, Microsoft recommends that you leave
>>> IPv6 enabled, even if you do not have an IPv6-enabled network, either
>>> native or tunneled."
> [..]
>> Unfortunately, read this from an enterprise security perspective.
>> Home group I do not care about.
>> DirectAccess == "Please put my enterprise security 100% in the hands of my Windows Admins"
>
> No need to use DirectAccess (and *that* can be turned off just fine,
> or specifically, not installed in the first place).
>
> But given the sad state of "commercial VPN clients on client OSes", I
> rather like DirectAccess. (Not that there is nothing that prevents
> putting the DA Server in a well-controlled firewall DMZ zone, and
> have IPv6 firewalling in place between the DA server and the rest of
> the enterprise network).
>
>> Teredo == "Please disregard any access controls I have in place at my network perimeter"
>
> Teredo can be turned off as well.
>
> The point is: IPv6 in Windows Land is there to stay. So for a prudent
> enterprise network admin, the way forward is: accept life, accept IPv6,
> and integrate it in your security concepts. Turn off Teredo and 6to4
> on the machines, give them native IPv6, and control native IPv6 on the
> firewalls the same way IPv4 is controlled.
>
> If said network admin chooses to ignore IPv6, and pretend it doesn't
> exist, Teredo etc. are going to bite him in the backside.
My point was mostly that the article is saying don't turn off IPv6 because it breaks these things. However, all those things are things that enterprises _want_ broken :p
Teredo is a royal PITA. The people running the firewalls often don't care about the client OS. The end users have been instructed not to tunnel. The Windows admins don't care about IPv6, so why would they notice this auto tunneling thing?
Ah well... at least we had some warning about Teredo and the likes a couple of years ago. Enough to block at the firewall regardless.
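As an added illustration of the "block it at the firewall and know who is tunnelling" point above (example code, not part of the thread): a small Python detector that flags Teredo (UDP/3544) and IPv6-in-IPv4 (protocol 41, i.e. 6to4/ISATAP) flows in perimeter logs, plus decoders that recover the IPv4 endpoints embedded in 6to4 (RFC 3056) and Teredo (RFC 4380) addresses. The log line format and the sample lines are constructed assumptions.

```python
import ipaddress
import re

TEREDO_PREFIX = ipaddress.ip_network("2001:0000::/32")   # RFC 4380
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")        # RFC 3056

# Constructed sample perimeter log lines (assumed format, not from the thread):
# "<time> <proto> <src>[:port] -> <dst>[:port]"; proto "41" is IPv6-in-IPv4.
SAMPLE_LOG = """\
22:40:01 UDP 10.1.2.3:61234 -> 203.0.113.7:3544
22:40:02 41 10.1.2.4 -> 192.88.99.1
22:40:03 TCP 10.1.2.5:51000 -> 203.0.113.10:443
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+)$")

def classify_flow(line):
    """Return 'teredo', '6to4/isatap' or None for one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, dst = m.group(2), m.group(4)
    if proto.upper() == "UDP" and dst.endswith(":3544"):   # Teredo UDP port
        return "teredo"
    return "6to4/isatap" if proto == "41" else None          # raw IPv6-in-IPv4

def find_tunnels(log_text):
    """List (mechanism, internal source IP) for every auto-tunnel flow in the log."""
    hits = []
    for line in log_text.splitlines():
        tag = classify_flow(line)
        if tag:
            hits.append((tag, line.split()[2].rsplit(":", 1)[0]))
    return hits

def decode_6to4(addr):
    """2002:WWXX:YYZZ::/48 carries the host's public IPv4 in bits 16-47."""
    a = ipaddress.IPv6Address(addr)
    return None if a not in SIXTO4_PREFIX else str(ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF))

def decode_teredo(addr):
    """RFC 4380: server IPv4 in bits 32-63; client port and IPv4 (XOR-obfuscated) in bits 80-127."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        return None
    v = int(a)
    server = ipaddress.IPv4Address((v >> 64) & 0xFFFFFFFF)
    port = ((v >> 32) & 0xFFFF) ^ 0xFFFF
    client = ipaddress.IPv4Address((v & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return str(server), str(client), port
```

Running `find_tunnels(SAMPLE_LOG)` on the constructed log names the two internal hosts that are auto-tunnelling; the decoders turn a 6to4 or Teredo source address seen on the IPv6 side back into the public IPv4 (and Teredo server and port) behind it.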