6to4 disabled by default on W7SP1

Bernhard Schmidt berni at birkenwald.de
Fri Sep 2 08:29:26 CEST 2011


On 01.09.2011 15:57, Phil Mayers wrote:

Hi,

> On 01/09/11 13:26, Bernhard Schmidt wrote:
>> Hi,
>>
>>> This was my impression until recently too; I thought that, by default,
>>> AD members with "client" role had 6to4 disabled, with Teredo and ISATAP
>>> enabled.
>>
>> It's the other way around, Teredo is disabled in "Enterprise" clients,
>> 6to4 and ISATAP are enabled ("Enterprise" client meaning joined to an
>> AD). You have to do specific configuration to enable Teredo in this
>> environment.
>
> Interesting. Is this documented somewhere or are you going on observation?

Observation, but it appears I was wrong :-)

http://blogs.technet.com/b/edgeaccessblog/archive/2010/05/21/directaccess-and-teredo-adapter-behavior.aspx

[...]
Teredo Clients and Managed Networks

Now the celebrity question is “how does the DirectAccess client 
determine if there is a domain controller on the network?” That’s a 
great question, and it’s not easy to find an answer to it. At least it 
wasn’t easy, until this article was published.

To determine if the DirectAccess client is on a “managed network”, the 
client performs a DNS query looking for SRV records in the path 
_ldap._tcp.dc._msdcs.DnsDomainName, where DnsDomainName is the name of 
the DNS suffix assigned to the current connection. If SRV records are 
located, the client assumes it is in a managed network, and Teredo is 
disabled. If no records are located, the Teredo interface is enabled.

What’s important to know here is that the detected domain can be any 
domain. It does not need to be the domain that the computer belongs to. 
Given this to be the case, a DirectAccess client that’s connected to a 
home network with a domain (a lot of us computer geeks have domains on 
our home networks) or to a customer’s network that has domain 
controllers on it, if a DNS query for that SRV record is successful, the 
Teredo adapter will disable itself when the “Client” state is enabled 
for the Teredo client. Another important thing to know is that the DA 
client doesn’t need to connect to the domain controller, it only needs 
to be able to resolve the name.
[...]

So it is not about the trust state, but about the DNS domain the system 
is configured to.

Since we have tons of AD clients using ISATAP in the default 
configuration and occasionally see a misconfigured server connecting via 
6to4, I'm pretty sure those are untouched.

Best Regards,
Bernhard
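The managed-network test quoted above, reproduced as an added example (this is not code from the mailing list post, from Microsoft, or from the TechNet article; it only follows the detection rule the article describes). It builds the probe name `_ldap._tcp.dc._msdcs.<DNS suffix>` from a connection's DNS suffix, sends a plain SRV query in DNS wire format using only the Python standard library, and treats any SRV answer as "managed network, Teredo stays disabled". The `canned_resolver` is a constructed offline stand-in for a DNS server so the check can be exercised without a network; `udp_resolver` is how you would point the same check at a real resolver to see which of your connections' suffixes would silence Teredo. The suffixes and host names used are constructed placeholders.

```python
"""Reproduce the DirectAccess/Teredo 'managed network' probe: look up
_ldap._tcp.dc._msdcs.<suffix> for SRV records; any answer => managed => Teredo off.
Added example using only the standard library; names below are constructed."""
import random
import socket
import struct

TYPE_SRV = 33
CLASS_IN = 1


def managed_network_probe_name(dns_suffix: str) -> str:
    """Name the client looks up for the connection's DNS suffix (per the article)."""
    suffix = dns_suffix.strip().strip(".")
    if not suffix:
        raise ValueError("connection has no DNS suffix; nothing to probe")
    return f"_ldap._tcp.dc._msdcs.{suffix}"


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_srv_query(name: str, txid: int) -> bytes:
    # flags 0x0100 = recursion desired; one question, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_SRV, CLASS_IN)


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name; return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return off + 2
        off += 1 + length


def count_srv_answers(msg: bytes, txid: int) -> int:
    """Number of SRV records in the answer section; 0 on mismatch or error RCODE."""
    if len(msg) < 12:
        return 0
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or flags & 0x000F != 0:  # RCODE != NOERROR, e.g. NXDOMAIN
        return 0
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + type + class
        off = skip_name(msg, off) + 4
    found = 0
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_SRV:
            found += 1
    return found


def teredo_should_be_enabled(dns_suffix: str, resolver) -> bool:
    """True when the probe finds no SRV records (unmanaged network)."""
    txid = random.randrange(0, 0x10000)
    query = build_srv_query(managed_network_probe_name(dns_suffix), txid)
    return count_srv_answers(resolver(query), txid) == 0


def udp_resolver(server: str, port: int = 53, timeout: float = 2.0):
    """Send the query to a real DNS server over UDP (not used by the offline test)."""
    def send(query: bytes) -> bytes:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            return s.recv(4096)
    return send


def canned_resolver(srv_targets):
    """Constructed stand-in for a DNS server: one SRV record per target,
    or NXDOMAIN when the list is empty."""
    def answer(query: bytes) -> bytes:
        txid = struct.unpack("!H", query[:2])[0]
        question = query[12:]
        if not srv_targets:
            return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
        rrs = b""
        for target in srv_targets:
            rdata = struct.pack("!HHH", 0, 100, 389) + encode_name(target)  # prio, weight, port
            rrs += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 600, len(rdata)) + rdata
        return struct.pack("!HHHHHH", txid, 0x8180, 1, len(srv_targets), 0, 0) + question + rrs
    return answer


if __name__ == "__main__":
    # Constructed suffixes: one with a DC advertised, one without.
    for suffix, dcs in (("corp.example", ["dc1.corp.example"]), ("home.example", [])):
        state = "enabled" if teredo_should_be_enabled(suffix, canned_resolver(dcs)) else "disabled"
        print(f"{managed_network_probe_name(suffix)}: Teredo {state}")
```

Because the probe keys on the DNS suffix of the connection rather than on the machine's own domain, running the check with `udp_resolver` against the DNS server a given network hands out is a quick way to confirm the article's point that any reachable `_msdcs` SRV record, not just your own domain's, is enough to keep Teredo off.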
