Microsoft: Give Xbox One users IPv6 connectivity
Eric Vyncke (evyncke)
evyncke at cisco.com
Thu Mar 13 20:12:54 CET 2014
Jakob
What annoys me more if the fact that AVM (and they are not the only one --
see Technicolor & others) naively believes that NAT44 offered some
security by preventing inbound connections... This means that there is NO
open connectivity between two X/Box behind a closed AVM CPE... Hence X/Box
has no choice and is smart enough to fall back in the legacy NAT44 mode
with a TURN (or in this case Teredo) to bypass NAT. A very nice
opportunity to run man-in-the-middle attack on a foreign ground.
I still wonder why people REALLY believe in the security of NAT (in the
sense of blocking inbound connections) in 2014 while most of the botnet
members are behind a NAT...
Christopher and others => you are RIGHT! Do not change your mind
-éric (see also
http://tools.ietf.org/html/draft-ietf-v6ops-balanced-ipv6-security-01 for
my point of view :-))
On 13/03/14 18:43, "Jakob Hirsch" <jh at plonk.de> wrote:
>Hi!
>
>Christopher Palmer, 2013-10-10 03:22:
>>
>>http://download.microsoft.com/download/A/C/4/AC4484B8-AA16-446F-86F8-BDFC
>>498F8732/Xbox%20One%20Technical%20Details.docx
>
>Nice, but why do you absolutely require Teredo even for boxes with
>native IPv6? Of course there's the advantage of direct client2client
>communication (less latency for clients and less traffic on Teredo
>relays), but the box should at least fall back to native IPv6 if Teredo
>is not available (quite odd to talk about native IPv6 being a fallback
>to Teredo, but anyway).
>
>There's at least one CPE manufacturer (quite prevalent in Europe or at
>least in Germany) that filters out Teredo if native IPv6 is available by
>default. They added an option to disable this filter, but that's not a
>good thing. See
>http://service.avm.de/support/en/skb/FRITZ-Box-7390-int/1439:Cannot-play-o
>nline-games-with-Xbox-One
>
>In the current state, the XBox One is doing more harm to IPv6 than good.
>People encounter problems after having IPv6 activated (there are forum
>posts which told people to disable IPv6 to fix this issue) and Network
>operators will see less increase in IPv6 traffic (which lowers the
>incentive to improve IPv6 support).
>
>
>Regards
>Jakob
>
More information about the ipv6-ops
mailing list