Microsoft and Teredo

I understand some questions recently arose regarding Microsoft and Teredo. I tried reading through the archives but it has more twists than Pacific Coast Highway.

Are there some specific requests/questions that I can help with?

Best Regards,

Sean Siler

Sean Siler|IPv6 Program Manager|Microsoft

sean.siler@microsoft.com | 703.485.1170

http://blogs.technet.com/ipv6

IPv6 is ready. Are you?

I gotta say that until I saw your blog I had no idea my Windows Mobile phone spoke v6. Very cool.

Sean Siler wrote:

I understand some questions recently arose regarding Microsoft and Teredo. I tried reading through the archives but it has more twists than Pacific Coast Highway.

Are there some specific requests/questions that I can help with?

Probably, yeah.

From another post by Michael Dillon:

Since we are all collectively playing catchup at this point, it would be
very useful for some clear guidance on who needs to deploy Teredo and
6to4 and where it needs to be deployed. Also, the benefits of deployment
versus the problems caused by not having it. Should this be in every PoP
or just somewhere on your network? Are there things that can be measured
to tell you whether or not lack of Teredo/6to4 is causing user problems?

Maybe you can provide operational experience from running the Teredo servers and relays that Microsoft hosts? Do you host them just at Microsoft or do you also have some inside ISPs? Have you done any work to help/advise on deploying Teredo servers/relays into ISPs? Any learnings from that that you can share? What about corporate networks?
That oughta get you started :)

Hi Nathan,

I can probably talk about our own experience ...

We started running Teredo Server+Relay in the Windows 2003 implementation
around 3-4 years ago (not completely sure right now). Unfortunately, when
the Service Pack (SP1 I think) was released, it stopped working.

Until then it was working perfectly, without any issue.

Then we moved to a Linux box with Miredo, and it has been working since then,
first with the 6Bone prefix from Microsoft, then on 6/6/2006, we moved to
the RFC one, 2001::/32.

No issues at all.

Regards,
Jordi

Where does it live in your network, at each POP, or just in a datacenter somewhere? In fact, what kind of network are you? (content, transit, access)
How have you configured clients to talk to your Teredo server instead of the default MS one?
How do you get to the world? Native IPv6 or tunnels?
Has it improved reachability/reliability of dual stack or v6-only content? How do you know?
Any thoughts about how content providers could use Teredo servers/relays to improve their connectivity?

We have a single Linux box in a small in-house data center. This box is at
the same time a 6to4 relay, a Teredo Server and Teredo relay. It is also our
tunnel broker.

It is not our core business, but we could be considered a small "data center"
(all kind of customers and own contents, not just http, but also streaming)
and IPv6 "experimental" ISP, but we only provide connectivity via our tunnel
broker (in addition to the relays).

There is no need to change the Teredo server config at the clients. They use
it only to get the Teredo address at stack-boot time, so I would suggest there is no
need for that, in principle.

We see more and more Teredo (and 6to4) traffic every month. A special increase
since December, and we believe that it is due to the Vista clients being
enabled.

Our connection to the world is via IPv6 tunnels, with BGP to 3 upstreams. I
would prefer a native connection, but all this is non-funded/volunteer
effort, so we can't move to a real data center, unless somebody volunteers to
host us :)

We only host/house dual-stack for all the customers (as a kind of experimental
service).

We see more traffic, but since we have been doing this for years, it is
difficult to confirm if our "reachability" is better, but we definitely don't
have complaints from "customers" or customers of our "customers".

Definitely I'm convinced, if ISPs and content providers deploy 6to4 and
Relay servers, there will be less and less trouble (even if we don't see
any right now, but you never know if people are blaming us and not telling,
which I doubt). But it will also improve client-to-server and peer-to-peer
performance among client/servers users/users of different transition
mechanisms (example 6to4 to Teredo) and with native/tunneled worlds.

(see my previous threads about showing the "how to do yourself" exercise
that I'm starting in the next days. Also my talk about The cost of NOT doing
IPv6 at the last RIPE meeting and why I want to encourage especially ISPs at
developing regions about doing this)

Regards,
Jordi

Nathan,

While these are really good questions, I'm afraid I don't have really good answers to them yet. We haven't made the bits available for customers to install their own Teredo Servers/Relays at this point, and because we haven't, we also don't have good deployment guidance to go along with that.

I have my own feelings, but let me ask this: what do you all feel about installing a Teredo server in order to provide v6 connectivity to your clients? Is this something that you are really interested in?

Your feedback is welcome.

Sean Siler|IPv6 Program Manager|Microsoft
sean.siler@microsoft.com | 703.485.1170
http://blogs.technet.com/ipv6
IPv6 is ready. Are you?

I'd prefer to throw IPv6 network ranges at customer links, so they can have
"other" devices on IPv6. IPv6 isn't just for desktops.

How do Teredo servers tie into network security? Does the act of tunneling
from v4 to a v6 broker bypass firewalls, IDSes, etc?

Adrian

Considering that Teredo <-> (6to4|native) connectivity requires going through at least a relay, and that hosts behind NAT who get AAAA records will use Teredo, then yes, absolutely, it appears as though as a service provider, I don't have much choice.
I'd also prefer to put at least one server (or group of servers) into my network, to remove reliance on third parties to bootstrap the protocol.

While Teredo through public servers/relays may perform OK right now for people in North America and Europe who are topologically (on a global scale) near to Teredo servers/relays, for people like myself in New Zealand for example, we get 150ms-ish RTT to the nearest publicly available server/relay. As such, if I turn v6 on on my content, then a non-zero (and currently increasing!) amount of visitors to my pages will see their traffic go to the US and back, which means a performance/user experience hit.

In addition, as more and more people become Teredo clients, those public relays need to do more and more. I'd prefer to be able to give a better chance of good network service quality, by bringing that in-house.

Nathan,

While these are really good questions, I'm afraid I don't have really good answers to them yet. We haven't made the bits available for customers to install their own Teredo Servers/Relays at this point, and because we haven't, we also don't have good deployment guidance to go along with that.

I have my own feelings, but let me ask this: what do you all feel about installing a Teredo server in order to provide v6 connectivity to your clients? Is this something that you are really interested in?

I'd prefer to throw IPv6 network ranges at customer links, so they can have
"other" devices on IPv6. IPv6 isn't just for desktops.

Medium+ term, of course. I don't see Teredo as something that will be my primary way of getting IPv6 to end users forever. (I don't think anyone does.)

How do Teredo servers tie into network security? Does the act of tunneling
from v4 to a v6 broker bypass firewalls, IDSes, etc?

In perfect time, this was published yesterday, to answer that very question:
http://www.ietf.org/internet-drafts/draft-hoagland-v6ops-teredosecconcerns-00.txt
See also some comments from MS:
http://www.microsoft.com/technet/community/columns/cableguy/cg1005.mspx#ERH

In short, yes. If you're concerned about hosts at your site getting to the world using Teredo, you can simply block 3544/UDP to prevent hosts bootstrapping - I'm not sure if already-bootstrapped hosts would continue to function, I'm guessing that they would. Alternatively, disabling Teredo with registry settings works fine, but obviously requires more than just control of a wire.

IDSs+firewalls probably need to become Teredo aware pretty quickly, along with anything that needs to do deep-packet inspection (P2P rate limiting boxes, for example). I'm not aware of any of these vendors supporting this, but then again, I haven't looked hard.
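To make the "Teredo aware" point above concrete, here is an added example (not code from this thread, from Microsoft, or from any of the posters) that decodes the IPv4 endpoints embedded in Teredo (RFC 4380, the 2001::/32 prefix Jordi mentions) and 6to4 (2002::/16) addresses, and counts how many requests in a web-server log arrive over each mechanism, which is what a content provider or IDS would use to measure Teredo/6to4 share. The log lines and addresses are constructed; the server IPv4 and client IPv4 use documentation ranges.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple, Optional

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")       # RFC 4380 Teredo prefix (2001::/32 in the thread)
SIX_TO_FOUR_PREFIX = ipaddress.IPv6Network("2002::/16")  # RFC 3056 6to4 prefix

class Teredo(NamedTuple):
    server: str       # IPv4 of the Teredo server the client bootstrapped through
    cone_nat: bool    # cone flag: high bit of the 16-bit flags field
    client_ip: str    # client's external (NAT) IPv4, stored XOR 0xFFFFFFFF
    client_port: int  # client's external UDP port, stored XOR 0xFFFF

def decode_teredo(addr: str) -> Optional[Teredo]:
    """Return the endpoints embedded in a Teredo address, or None if it is not Teredo."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    b = ip.packed  # bytes 0-3 prefix, 4-7 server, 8-9 flags, 10-11 port, 12-15 client
    server = str(ipaddress.IPv4Address(b[4:8]))
    flags = int.from_bytes(b[8:10], "big")
    port = int.from_bytes(b[10:12], "big") ^ 0xFFFF
    client = str(ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16])))
    return Teredo(server, bool(flags & 0x8000), client, port)

def decode_6to4(addr: str) -> Optional[str]:
    """Return the IPv4 address embedded in a 6to4 address, or None if it is not 6to4."""
    ip = ipaddress.IPv6Address(addr)
    return str(ipaddress.IPv4Address(ip.packed[2:6])) if ip in SIX_TO_FOUR_PREFIX else None

def classify(addr: str) -> str:
    ip = ipaddress.IPv6Address(addr)
    if ip in TEREDO_PREFIX:
        return "teredo"
    return "6to4" if ip in SIX_TO_FOUR_PREFIX else "other"

# Constructed sample web-server log lines; the client address is the first field.
SAMPLE_LOG = """\
2001:0:c000:201:8000:63bf:39cc:9bf8 - - [01/Mar/2007:10:00:01 +0000] "GET / HTTP/1.1" 200 512
2002:c000:201::1 - - [01/Mar/2007:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024
2001:db8::10 - - [01/Mar/2007:10:00:03 +0000] "GET /a HTTP/1.1" 200 99
"""

def summarize(log: str) -> Counter:
    """Requests per mechanism: how many visitors arrive via Teredo/6to4 relays vs. other paths."""
    return Counter(classify(line.split()[0]) for line in log.splitlines() if line.strip())

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG), decode_teredo("2001:0:c000:201:8000:63bf:39cc:9bf8"))
```

The decoded server address is the one a client bootstrapped through over 3544/UDP, so the same decoding tells a relay operator which servers its visitors depend on.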

Hi Sean,

Most of the access providers can't quickly move to dual-stack. It may be a
problem of existing equipment or even L2 technology (as the cable/DOCSIS 2.0
case).

The bigger issue is upgrading the CPEs. Lack of plans in the last years
didn't help the low-cost vendors to deliver them with dual-stack. Yes,
there are open source alternatives, but they don't work so easily for all,
as not all the users are able to do that upgrade, and otherwise it may mean
a hard support cost. Obviously this will be challenged by those ISPs that
want to start providing new services based on IPv6 (surveillance, home
automation, IPTV, etc.).

So having a CPE typically means either the user has a single PC and the CPE
may be configured as bridge and then the user PC has the public IPv4 address
(case for 6to4), or the user PCs are behind NAT (case for Teredo).

The alternative will be softwires (L2TP), but it is not yet fully supported
(I'm not even sure if Vista supports it from Microsoft; for XP I think not
yet).

So providing a combination of 6to4 relay and Teredo server+relay is a
simple way to offer IPv6 connectivity at a very low cost and improve
performance vs. using relays somewhere else.

Of course, this will be more obvious as more applications use IPv6, and in
fact, my suggestion would be, once we have some more relays across all the
Internet, that XP and Vista get one of those updates changing the setup of
the address selection table, so Teredo and 6to4 become preferred to IPv4 :)

In fact, it will be quite easy to, at boot time, do a quick test (ICMPv6 +
ICMPv4) of the "availability" of a good relay, to decide if the policy table
prefers by default Teredo/6to4 instead of IPv4.

Of course all this is assuming that you can't provide native IPv6!

Also one very important issue will be to make sure that Windows 2003 (which
runs lots of websites with IIS) is updated with Teredo Server/Relay
function or at least that Teredo host-specific relay functionality works by
default.

Regards,
Jordi

PS: What would be good is to get at least some of the MS servers
dual-stacked :) and you know, if help is needed, I don't mind sparing some
time for that!

In Windows, you have an IPv6 firewall, so even if Teredo traverses the "IPv4
security", there is still something there.

A good description of all this is available at:
http://www.microsoft.com/technet/network/ipv6/teredo.mspx

Regards,
Jordi

I've read that; but again enterprise and ISPs may impose restrictions
on the types of traffic to/from end users, and this circumvents that.
Host-based firewalls are not the be all or end all of network security.

Adrian

Agree, and indeed one of the issues for the transition is to make sure that
border firewalls and other security stuff get updated.

Regards,
Jordi

Thus spake "Adrian Chadd" <adrian@creative.net.au>

In Windows, you have an IPv6 firewall, so even if Teredo traverses
the "IPv4 security", there is still something there.

A good description of all this is available at:
http://www.microsoft.com/technet/network/ipv6/teredo.mspx

I've read that; but again enterprise and ISPs may impose restrictions
on the types of traffic to/from end users, and this circumvents that.
Host-based firewalls are not the be all or end all of network security.

The simplistic answer is that a site with IPv4-only security devices has to choose whether they're going to allow or block all Teredo/6to4 traffic. If they want finer control, they need to upgrade to a native v6 network and native v6 security devices.

S

Stephen Sprunk, CCIE #3723, K5SSS
"Those people who think they know everything are a great annoyance to those of us who do." --Isaac Asimov

In perfect time, this was published yesterday, to answer that very
question:
http://www.ietf.org/internet-drafts/draft-hoagland-v6ops-teredosecconcerns-00.txt

Unfortunately, he doesn't say much in the way of solutions. For
instance, if a company has internal IPv6 connectivity to their ISP, then
presumably, Teredo is not needed. The problem then becomes one of
firewall vendors supporting IPv6. He positions it as a problem that
needs awkward workarounds such as blocking Teredo or patching Windows.
He gives up on firewall vendors and only looks at their ability to do
deep packet inspection by unencapsulating tunneled traffic. But plain
ordinary IPv6 support from firewall vendors is not mentioned.

In any case, this draft is directed at the enterprise which rigorously
firewalls all ingress/egress traffic at the edge.

--Michael Dillon

If you're concerned about hosts at your site getting
to the world using Teredo, you can simply block 3544/UDP to prevent
hosts bootstrapping - I'm not sure if already-bootstrapped hosts
would continue to function, I'm guessing that they would.

No, if you block 3544/UDP, the bubble packets are blocked, and Teredo ceases to function, even for those clients who are already configured.

Sean Siler|IPv6 Program Manager

In perfect time, this was published yesterday, to answer that very
question:
http://www.ietf.org/internet-drafts/draft-hoagland-v6ops-teredosecconcerns-00.txt

Unfortunately, he doesn't say much in the way of solutions. For
instance, if a company has internal IPv6 connectivity to their ISP, then
presumably, Teredo is not needed. The problem then becomes one of
firewall vendors supporting IPv6. He positions it as a problem that
needs awkward workarounds such as blocking Teredo or patching Windows.
He gives up on firewall vendors and only looks at their ability to do
deep packet inspection by unencapsulating tunneled traffic. But plain
ordinary IPv6 support from firewall vendors is not mentioned.

He doesn't mention native IPv6 as it's a Teredo document.

In any case, this draft is directed at the enterprise which rigorously
firewalls all ingress/egress traffic at the edge.

Yes, I don't know if possible security concerns with Teredo are applicable to ISPs, unless you offer a firewalled service. Then those concerns are really the same as an enterprise.