Thread: Microsoft and Teredo
|
|
| Microsoft and Teredo |
  United States |
2007-05-30 12:40:14 |
|
I understand some questions recently arose regarding Microsoft and Teredo. I tried reading through the archives but it has more twists than Pacific Coast Highway.
Are there some specific requests/questions that I can help with?
Best Regards,
Sean Siler
Sean Siler|IPv6 Program Manager|Microsoft
sean.siler microsoft.com | 703.485.1170
http://blogs.technet.com/ipv6
IPv6 is ready. Are you?
|
| Re: Microsoft and Teredo |
  United States |
2007-05-30 15:33:10 |
I gotta say that until I saw your blog I had no idea my Windows Mobile phone spoke v6. Very cool.
Sean Siler wrote:
> I understand some questions recently arose regarding Microsoft and Teredo. I tried reading through the archives but it has more twists than Pacific Coast Highway.
>
> Are there some specific requests/questions that I can help with?
>
> Best Regards,
>
> Sean Siler
>
> Sean Siler|IPv6 Program Manager|Microsoft
> sean.siler microsoft.com <mailto:sean.siler microsoft.com> | 703.485.1170
> http://blogs.technet.com/ipv6
> IPv6 is ready. Are you?
|
|
| Re: Microsoft and Teredo |

|
2007-05-30 17:44:10 |
On 31/05/2007, at 5:40 AM, Sean Siler wrote:
> I understand some questions recently arose regarding Microsoft and Teredo. I tried reading through the archives but it has more twists than Pacific Coast Highway.
>
> Are there some specific requests/questions that I can help with?
Probably, yeah.
From another post by Michael Dillon:
> Since we are all collectively playing catchup at this point, it would be very useful for some clear guidance on who needs to deploy Teredo and 6to4 and where it needs to be deployed. Also, the benefits of deployment versus the problems caused by not having it. Should this be in every PoP or just somewhere on your network? Are there things that can be measured to tell you whether or not lack of Teredo/6to4 is causing user problems?
Maybe you can provide operational experience from running the Teredo servers and relays that Microsoft host? Do you host them just at Microsoft or do you also have some inside ISPs? Have you done any work to help/advise on deploying Teredo servers/relays in to ISPs? Any learnings from that that you can share? What about corporate networks?
That oughta get you started
--
Nathan Ward
|
|
| RE: Microsoft and Teredo |
  United States |
2007-05-31 06:27:53 |
Nathan,
While these are really good questions, I'm afraid I don't have really good answers to them yet. We haven't made the bits available for customers to install their own Teredo Servers/Relays at this point, and because we haven't, we also don't have good deployment guidance to go along with that.
I have my own feelings, but let me ask this: what do you all feel about installing a Teredo server in order to provide v6 connectivity to your clients? Is this something that you are really interested in?
Your feedback is welcome.
Sean Siler|IPv6 Program Manager|Microsoft
sean.siler microsoft.com | 703.485.1170
http://blogs.technet.com/ipv6
IPv6 is ready. Are you?
|
|
| Re: Microsoft and Teredo |
  Australia |
2007-05-31 06:41:48 |
On Thu, May 31, 2007, Sean Siler wrote:
>
> Nathan,
>
> While these are really good questions, I'm afraid I don't have really good answers to them yet. We haven't made the bits available for customers to install their own Teredo Servers/Relays at this point, and because we haven't, we also don't have good deployment guidance to go along with that.
>
> I have my own feelings, but let me ask this: what do you all feel about installing a Teredo server in order to provide v6 connectivity to your clients? Is this something that you are really interested in?
I'd prefer to throw IPv6 network ranges at customer links, so they can have "other" devices on IPv6. IPv6 isn't just for desktops.
How's Teredo servers tie into network security? Does the act of tunneling from v4 to a v6 broker bypass firewalls, IDSes, etc?
Adrian
|
|
| Re: Microsoft and Teredo |

|
2007-05-31 06:51:18 |
On 31/05/2007, at 11:27 PM, Sean Siler wrote:
> While these are really good questions, I'm afraid I don't have really good answers to them yet. We haven't made the bits available for customers to install their own Teredo Servers/Relays at this point, and because we haven't, we also don't have good deployment guidance to go along with that.
>
> I have my own feelings, but let me ask this: what do you all feel about installing a Teredo server in order to provide v6 connectivity to your clients? Is this something that you are really interested in?
Considering that Teredo <-> (6to4|native) connectivity requires going through at least a relay, and that hosts behind NAT who get AAAA records will use Teredo, then yes, absolutely, it appears as though as a service provider, I don't have much choice.
I'd also prefer to put at least one server (or group of servers) in to my network, to remove reliance on third parties to bootstrap the protocol.
While Teredo through public servers/relays may perform OK right now for people in North America and Europe who are topologically (on a global scale) near to Teredo servers/relays, for people like myself in New Zealand for example, we get 150ms-ish RTT to the nearest publicly available server/relay. As such, if I turn v6 on on my content, then a non-zero (and currently increasing!) amount of visitors to my pages will see their traffic go to the US and back, which means a performance/user experience hit.
In addition, as more and more people become Teredo clients, those public relays need to do more and more. I'd prefer to be able to give a better chance of good network service quality, by bringing that in-house.
--
Nathan Ward
|
|
| Re: Microsoft and Teredo |

|
2007-05-31 07:09:49 |
On 31/05/2007, at 11:41 PM, Adrian Chadd wrote:
>
> On Thu, May 31, 2007, Sean Siler wrote:
>>
>> Nathan,
>>
>> While these are really good questions, I'm afraid I don't have really good answers to them yet. We haven't made the bits available for customers to install their own Teredo Servers/Relays at this point, and because we haven't, we also don't have good deployment guidance to go along with that.
>>
>> I have my own feelings, but let me ask this: what do you all feel about installing a Teredo server in order to provide v6 connectivity to your clients? Is this something that you are really interested in?
>
> I'd prefer to throw IPv6 network ranges at customer links, so they can have "other" devices on IPv6. IPv6 isn't just for desktops.
Medium+ term, of course. I don't see Teredo as something that will be my primary way of getting IPv6 to end users forever. (I don't think anyone does.)
> How's Teredo servers tie into network security? Does the act of tunneling from v4 to a v6 broker bypass firewalls, IDSes, etc?
In perfect time, this was published yesterday, to answer that very question:
http://www.ietf.org/internet-drafts/draft-hoagland-v6ops-teredosecconcerns-00.txt
See also some comments from MS:
http://www.microsoft.com/technet/community/columns/cableguy/cg1005.mspx#ERH
In short, yes. If you're concerned about hosts at your site getting to the world using Teredo, you can simply block 3544/UDP to prevent hosts bootstrapping - I'm not sure if already-bootstrapped hosts would continue to function, I'm guessing that they would.
Alternatively, disabling Teredo with registry settings works fine, but obviously requires more than just control of a wire.
IDSs+firewalls probably need to become Teredo aware pretty quickly, along with anything that needs to do deep-packet inspection (P2P rate limiting boxes, for example). I'm not aware of any of these vendors supporting this, but then again, I haven't looked hard.
--
Nathan Ward
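
[Added example, not part of the original thread or any poster's code.] The message above says IDSs and firewalls need to become Teredo aware; this sketch shows what that means for an inspection point that is handed raw UDP payloads. It follows the RFC 4380 encapsulation and address layout; the function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo service prefix, RFC 4380

def decode_teredo_address(addr):
    """Split a Teredo IPv6 address into its embedded IPv4 fields."""
    server, flags, port, client = struct.unpack("!4sHH4s", addr.packed[4:16])
    return {
        "server": str(ipaddress.IPv4Address(server)),
        "flags": flags,
        # The client's mapped port and address are stored bit-inverted.
        "mapped_port": port ^ 0xFFFF,
        "mapped_addr": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in client))),
    }

def strip_teredo_headers(payload):
    """Skip the optional authentication and origin indication headers."""
    if len(payload) >= 4 and payload[:2] == b"\x00\x01":
        id_len, au_len = payload[2], payload[3]
        payload = payload[4 + id_len + au_len + 9:]  # 8-byte nonce + confirmation byte
    if len(payload) >= 8 and payload[:2] == b"\x00\x00":
        payload = payload[8:]  # marker, obfuscated port, obfuscated IPv4 address
    return payload

def inspect_udp_payload(payload):
    """Return a finding if the UDP payload is exactly one IPv6 packet, else None."""
    inner = strip_teredo_headers(payload)
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    payload_len, next_header = struct.unpack("!HB", inner[4:7])
    if len(inner) != 40 + payload_len:  # length must agree, to limit false positives
        return None
    src, dst = (ipaddress.IPv6Address(inner[i:i + 16]) for i in (8, 24))
    return {
        "src": str(src), "dst": str(dst),
        "bubble": next_header == 59 and payload_len == 0,  # empty No Next Header packet
        "inner_next_header": next_header,
        "teredo": {side: decode_teredo_address(a)
                   for side, a in (("src", src), ("dst", dst)) if a in TEREDO_PREFIX},
    }

# Constructed sample (documentation addresses): origin indication + Teredo bubble.
SAMPLE = (b"\x00\x00\x63\xbf\x34\xff\x8e\xf8"
          + struct.pack("!IHBB", 0x60000000, 0, 59, 64)
          + ipaddress.IPv6Address("2001:0:c000:201:8000:63bf:34ff:8ef8").packed
          + ipaddress.IPv6Address("2001:db8::1").packed)

if __name__ == "__main__":
    print(inspect_udp_payload(SAMPLE))
```

The check keys on the payload rather than the UDP port, and the decoded fields give the Teredo server and the client's NAT-mapped IPv4 address and port for logging or policy.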
|
|
| RE: Microsoft and Teredo |
  United Kingdom |
2007-05-31 09:24:15 |
> In perfect time, this was published yesterday, to answer that very question:
> http://www.ietf.org/internet-drafts/draft-hoagland-v6ops-teredosecconcerns-00.txt
Unfortunately, he doesn't say much in the way of solutions. For instance, if a company has internal IPv6 connectivity to their ISP, then presumably, Teredo is not needed. The problem then becomes one of firewall vendors supporting IPv6. He positions it as a problem that needs awkward workarounds such as blocking Teredo or patching Windows. He gives up on firewall vendors and only looks at their ability to do deep packet inspection by unencapsulating tunneled traffic. But plain ordinary IPv6 support from firewall vendors is not mentioned.
In any case, this draft is directed at the enterprise which rigorously firewalls all ingress/egress traffic at the edge.
--Michael Dillon
|
|
| RE: Microsoft and Teredo |
  United States |
2007-05-31 13:32:25 |
> If you're concerned about hosts at your site getting to the world using Teredo, you can simply block 3544/UDP to prevent hosts bootstrapping - I'm not sure if already-bootstrapped hosts would continue to function, I'm guessing that they would.
No, if you block 3544/UDP, the bubble packets are blocked, and Teredo ceases to function, even for those clients who are already configured.
Sean Siler|IPv6 Program Manager
|
|
| Re: Microsoft and Teredo |

|
2007-05-31 19:40:56 |
On 1/06/2007, at 2:24 AM, <michael.dillon bt.com> <michael.dillon bt.com> wrote:
>
>> In perfect time, this was published yesterday, to answer that very question:
>> http://www.ietf.org/internet-drafts/draft-hoagland-v6ops-teredosecconcerns-00.txt
>
> Unfortunately, he doesn't say much in the way of solutions. For instance, if a company has internal IPv6 connectivity to their ISP, then presumably, Teredo is not needed. The problem then becomes one of firewall vendors supporting IPv6. He positions it as a problem that needs awkward workarounds such as blocking Teredo or patching Windows. He gives up on firewall vendors and only looks at their ability to do deep packet inspection by unencapsulating tunneled traffic. But plain ordinary IPv6 support from firewall vendors is not mentioned.
He doesn't mention native IPv6 as it's a Teredo document.
> In any case, this draft is directed at the enterprise which rigorously firewalls all ingress/egress traffic at the edge.
Yes, I don't know if possible security concerns with Teredo are applicable to ISPs, unless you offer a firewalled service. Then those concerns are really the same as an enterprise.
--
Nathan Ward
|
|