teredo.ipv6.microsoft.com off?

Enno Rey erey at ernw.de
Wed Jul 17 16:23:45 CEST 2013


Hi,

off the top of my head it's roughly as follows:

a) 6to4

Win7/Server 2008 generation and before: "if IPv4 address = Non-RFC 1918 address, automatically enable 6to4 and try to resolve 6to4.ipv6.microsoft.com to get 'nearest relay'".

no idea as for Win8/Server 2012.

b) Teredo

Vista: enabled by default.
Win7/Server 2008: perform the following decision logic:

1) if $SYSTEM is a member of an AD domain, assume that $SYSTEM is "well managed" => no need for the SOHO tech called Teredo, hence disable it.
2) if $SYSTEM does _not_ have the local firewall enabled, assume that $SYSTEM is in a poor security state and it might be too risky to use Teredo, hence disable it.
3) if both above conditions are _not_ met (read: not a member of an AD domain, but local firewall enabled), then put Teredo into 'dormant' state and try to reach teredo.ipv6.microsoft.com every 30 seconds to check if Teredo is usable if needed.
once $APPLICATION asks for that, move from 'dormant' into 'qualified' state and thereby 'enable' Teredo.

again, no idea as for Win8/Server 2012. 

I can't support the above statements with any links right now.
Maybe Chris Palmer can help with that...

Furthermore there are different ways of getting rid of Teredo (and the other tunnel techs):
- there's a registry parameter 'DisabledComponents' that allows disabling (native|tunnel|all) IPv6, based on a certain bit mask. see KB929852.
- (presumably) this parameter can be controlled by GPOs.
- the tunnel interfaces can be disabled individually by "netsh int $TUNNEL_INT set state disabled" on individual systems (persistently, so setting stays after reboot).

There's quite some debate about which approach to use due to operational practices and MS telling people "not to 'fully' disable IPv6 as you might lose support for $SYSTEM". I've never been able to find any 'official source' for the latter statement but heard it in pretty much all enterprise environments ("our Windows people tell us we can't do that as the MS engineers tell them they will lose support then").




best

Enno




On Wed, Jul 17, 2013 at 03:36:00PM +0200, Jens Link wrote:
> Jeroen Massar <jeroen at massar.ch> writes:
> 
> > Windows boxes that are in an Active Domain (which should match your
> > 'enterprise net') have Teredo and 6to4 disabled per default.
> 
> Sure about that? IIRC this depends on the Windows version. And I think I
> have seen Win 2008R2 Servers within an AD, with at least 6to4
> enable. Right now I'm not sure about Teredo. 
> 
> > Next to that one can enforce that of course through AD policies.
> 
> Okay, not a group policies, but for reference: 
> 
> http://lists.cluenet.de/pipermail/ipv6-ops/2010-March/003267.html
> 
> Where are the Windows people on this list? ;-) 
> 
> Jens
> -- 
> -------------------------------------------------------------------------
> | Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264     |
> | http://blog.quux.de | jabber: jenslink at guug.de | -------------------  | 
> -------------------------------------------------------------------------

-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

Troopers 2013 Videos online: http://www.youtube.com/user/TROOPERScon?feature=watch

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
=======================================================
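The two ways of getting rid of the tunnel technologies that Enno lists (the DisabledComponents bit mask from KB929852, and per-interface netsh commands) as an added, runnable example. This is editor-added code, not part of the original mail or of any Microsoft documentation. It assumes an elevated PowerShell prompt on a Win7/Server 2008 R2 generation host; the bit values are the ones documented in KB929852 (0x02 6to4, 0x04 ISATAP, 0x08 Teredo, 0x01 all tunnels, 0x10 native IPv6, 0x20 prefer IPv4, 0xFF everything but loopback) and should be checked against the KB before being pushed out by GPO. It deliberately sets only the tunnel bits, so native IPv6 stays enabled and the "you will lose support" discussion about fully disabling IPv6 does not come into play.

```powershell
# Added example (not from the original post): disable Teredo, 6to4 and ISATAP
# on a Win7 / Server 2008 R2 host via both methods named in the mail.
# Assumption: run from an elevated PowerShell prompt; bit values per KB929852.

$Tcpip6Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

# DisabledComponents bit mask (KB929852)
$Disable6to4       = 0x02
$DisableIsatap     = 0x04
$DisableTeredo     = 0x08
$DisableAllTunnels = 0x01   # equivalent to the three bits above
$DisableNativeIPv6 = 0x10   # NOT set here on purpose: native IPv6 stays on
$PreferIPv4        = 0x20   # preserved if already set, see below

function Get-DisabledComponents {
    # Returns the current mask, or 0 if the value has never been created.
    $p = Get-ItemProperty -Path $Tcpip6Params -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($null -eq $p) { return [uint32]0 }
    return [uint32]$p.DisabledComponents
}

function Add-DisabledComponentBits {
    param([Parameter(Mandatory)][uint32]$Bits)
    # OR the new bits into the existing value instead of overwriting it, so an
    # existing PreferIPv4 (0x20) or similar setting is not silently lost.
    $new = (Get-DisabledComponents) -bor $Bits
    if (-not (Test-Path $Tcpip6Params)) { New-Item -Path $Tcpip6Params -Force | Out-Null }
    Set-ItemProperty -Path $Tcpip6Params -Name DisabledComponents -Value $new -Type DWord
    return $new
}

# Way 1: registry bit mask. Takes effect after the next reboot.
$mask = Add-DisabledComponentBits ($Disable6to4 -bor $DisableIsatap -bor $DisableTeredo)
'DisabledComponents is now 0x{0:X8}' -f $mask
if ($mask -band $DisableNativeIPv6) {
    Write-Warning 'Native IPv6 is also disabled by this mask (0x10); that is the setting the support debate is about.'
}

# Way 2: netsh per tunnel interface. Persistent across reboots and immediate.
foreach ($tech in 'teredo', '6to4', 'isatap') {
    netsh interface $tech set state disabled | Out-Null
}

# Verify: each should report the type/state as disabled.
netsh interface teredo show state
netsh interface 6to4 show state
netsh interface isatap show state
```

On a domain-joined host the Teredo interface will typically already report disabled (the decision logic described above), so the netsh output is mainly useful on the non-domain systems where Teredo would otherwise sit in its dormant state; the registry mask is what you would actually deploy through a GPO Preference item rather than by hand.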


