After takin' a swig o' grog, nessuno@xxxxxxxxxxxxxxxxxxx belched out this bit o' wisdom:
> I mean, really, some things they have
> done regarding security have been deliberately stupid and backward,
> and they didn't help anything even from their standpoint.
http://www.microsoft.com/technet/network/ipv6/teredo.mspx
Is this typical? Talk up the benefits, but not the downside?
http://en.wikipedia.org/wiki/Teredo_tunneling

Exposure

In a sense, Teredo increases the attack surface by assigning
globally routable IPv6 addresses to network hosts behind NAT devices,
which are otherwise mostly unreachable from the Internet. By doing
so, Teredo namely exposes any IPv6-enabled application with an open
port to the outside. It also exposes the IPv6 stack and the Teredo
tunneling software themselves to attacks should they have any
remotely exploitable vulnerability.

Microsoft IPv6 stack has a "protection level" socket option. It
allows applications to specify whether they are willing to handle
traffic coming from the Teredo tunnel, anything except Teredo (the
default), or only from the local Intranet.

Firewalling

For a Teredo (pseudo-)tunnel to operate properly, outgoing UDP
packets must not be filtered. Moreover, replies to these packets
(i.e. "solicited traffic") must also not be filtered. This
corresponds to the typical setup of a NAT and its limited stateful
firewall functionality.

Blocking

Teredo tunneling software will detect a fatal error and stop if
outgoing IPv4 UDP traffic is blocked.

> Microsoft
> is frequently credited with "getting it right on the third try", for
> example, with IE (getting it right meant producing something
> technically comparable to Netscape, in that case), and they may
> eventually do something similar with Vista, at least insofar as things
> like drivers, copying files etc are concerned (I'm sure the DRM will
> remain).
Ironically:
http://en.wikipedia.org/wiki/Teredo
Teredo may refer to:
* Teredo, a genus of shipworm that bores holes in the wood of ships.
* Teredo wood, a form of fossilized wood showing marks of
shipworm damage
* The Teredo tunneling protocol for transmission of IPv6
datagrams through network address translation devices.
--
Tux rox!
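
An added example, not part of the original post: a defender's check for which hosts behind a NAT hold a Teredo address, and which public IPv4 mapping each address encodes. It assumes the RFC 4380 address layout (prefix 2001::/32, server IPv4, flags, then the mapped port and mapped IPv4 stored with every bit inverted); the inventory lines and host names are constructed sample data.

```python
import ipaddress

# RFC 4380 Teredo service prefix (assumption stated in the lead-in).
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")

def decode_teredo(addr):
    """Return the fields embedded in a Teredo address, or None if addr is not Teredo."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None                      # not an IP address at all
    if ip.version != 6 or ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed                      # 16 bytes, network byte order
    mapped_port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    mapped_ipv4 = int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),   # Teredo server in use
        "flags": int.from_bytes(raw[8:10], "big"),
        "mapped_port": mapped_port,                        # UDP port on the NAT
        "mapped_ipv4": str(ipaddress.IPv4Address(mapped_ipv4)),
    }

def find_teredo_hosts(inventory_lines):
    """Scan 'hostname address' lines; return (hostname, address, fields) for Teredo ones."""
    hits = []
    for line in inventory_lines:
        parts = line.split()
        if len(parts) < 2:
            continue                     # skip blank or malformed lines
        host, token = parts[0], parts[1]
        fields = decode_teredo(token)
        if fields is not None:
            hits.append((host, token, fields))
    return hits

# Constructed sample inventory (host names and addresses are illustrative).
SAMPLE_INVENTORY = """\
ws-014 fe80::1c2a:3bff:fe4d:5e6f
ws-014 2001:0:4136:e378:8000:63bf:3fff:fdd2
srv-02 2001:db8:10::25
ws-031 192.168.1.31
""".splitlines()

if __name__ == "__main__":
    for host, address, fields in find_teredo_hosts(SAMPLE_INVENTORY):
        print(host, address, fields)
```

Hosts reported here are the ones whose IPv6 listeners are reachable through the tunnel, so they are where the "protection level" setting and host firewall rules matter.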