Today while doing some routine maintenance I discovered that my internet-connected network adapter was using a 6to4 tunnel to connect to my ISP. Some self-education on Teredo seemed to indicate quite a few potential security vulnerabilities with using the protocol. I have disabled my network adapter from using Teredo and it doesn't seem to impact my gateway in any way. Is there anything I am missing that should encourage me to turn it back on?

What security concerns do you think you have? – Chris S Jun 29 '10 at 02:14
2 Answers
For the most part, you'll probably never notice if you disable Teredo. You'll also probably never notice it's turned on.
That is true today, but IPv6 is coming. Really, it is. Any day now. – Michael Graff Jun 29 '10 at 02:27
If you turn off Teredo you will not be able to access any IPv6-only websites when they appear in the next 6-12 months. Unless you have some other form of IPv6 connectivity you will be unable to access some parts of the internet.
There are no security vulnerabilities with IPv6 and/or Teredo. These facilities are no more (or less) secure than the existing IPv4 connectivity you have.
The issue that is frequently brought up is that when you have a Teredo tunnel you now have a real live IPv6 internet address. For example my (Teredo) address is 2001:0:53aa:64c:1037:73c3:bdd1:907d. You can ping it.
This is not less secure than a NAT'd machine, for two reasons ...
a) A gateway is less secure than people think. Every modern gateway has UPnP enabled by default and any application can request the port be opened to a particular machine.
b) When a server application (like a web server) opens up a port, it is not visible on a Teredo IP address. Any application that has never heard of Teredo will therefore not be exposed to the internet. (This is Windows-specific.)
An application may explicitly request to be opened on the Teredo interface but this is not the default. It's an analog to requesting your Gateway open a port.
You said, "There are no security vulnerabilities with IPv6 and/or Teredo." Um ... yes there are. I can't explain it nearly as well as this podcast does, so I'll link it. It has a lot of IPv6 info. http://www.hak5.org/episodes/episode-810 is part 1, http://www.hak5.org/episodes/episode-812 is part 2. Remember, nothing is safe if you have an address of any kind. It's only less likely to be compromised. – Feb 09 '11 at 23:04
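
The question mentions both 6to4 and Teredo, which are different transition mechanisms with different address prefixes (2002::/16 and 2001::/32 respectively). As an added example that is not part of the original posts, the Python sketch below classifies the IPv6 addresses found on a host and decodes the IPv4 details each tunnel address embeds. The function names are hypothetical, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

TEREDO_NET = ipaddress.ip_network("2001::/32")     # Teredo prefix (RFC 4380)
SIXTOFOUR_NET = ipaddress.ip_network("2002::/16")  # 6to4 prefix (RFC 3056)


def classify_tunnel(addr_text):
    """Describe the transition mechanism (if any) behind one IPv6 address."""
    # Drop a zone id such as "%12" or "%eth0" before parsing.
    addr = ipaddress.IPv6Address(addr_text.split("%")[0])
    raw = int(addr)
    if addr in TEREDO_NET:
        # Layout: prefix(32) | server IPv4(32) | flags(16) | port(16) | client IPv4(32)
        # The port and client IPv4 are stored with every bit inverted.
        return {
            "mechanism": "teredo",
            "server_ipv4": str(ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)),
            "flags": (raw >> 48) & 0xFFFF,
            "mapped_port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,
            "public_ipv4": str(ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
        }
    if addr in SIXTOFOUR_NET:
        # Layout: 2002(16) | site IPv4(32) | subnet(16) | interface id(64)
        return {
            "mechanism": "6to4",
            "public_ipv4": str(ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)),
        }
    return {"mechanism": "none"}


def audit_addresses(addresses):
    """Return only the addresses that belong to a Teredo or 6to4 tunnel."""
    findings = {}
    for text in addresses:
        info = classify_tunnel(text)
        if info["mechanism"] != "none":
            findings[text] = info
    return findings


# Constructed sample: addresses as they might be listed for one host.
SAMPLE_ADDRESSES = [
    "2001:0:c000:201:8000:63bf:34ff:8ef8",  # Teredo
    "2002:c633:6409::1",                    # 6to4
    "2001:db8::1",                          # ordinary (documentation) address
    "fe80::1%12",                           # link-local with zone id
]

if __name__ == "__main__":
    for address, info in audit_addresses(SAMPLE_ADDRESSES).items():
        print(address, info)
```

Feeding it the address list from `ipconfig` or `ip -6 addr` shows which tunnel mechanism, if any, an adapter is actually using and which public IPv4 address and UDP port a Teredo address discloses.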