The Unanticipated Consequences of IPv6

Dec 11 2006

By Kurt Seifried (kurt@seifried.org)

This is a short entry; I’m going to be spending all weekend helping with a course (so I won’t have much time to write an article), and I’m basically feeling lazy right now.

In a nutshell: IPv6 is finally starting to be deployed in North America and on corporate networks. This means that IPv4 and IPv6 will have to co-exist, not only on the networks, but on the end host systems. So basically you can either tunnel IPv4 over IPv6, or tunnel IPv6 over IPv4. Chances are you have an IPv4 network deployed so you’ll be choosing IPv6 tunneled over IPv4 (this seems almost … obvious in hindsight).

So, in order to assist this, some helpful companies, like Microsoft Corp., have implemented a protocol called “Teredo” which tunnels IPv6 over IPv4 by wrapping each IPv6 packet inside an IPv4 UDP datagram. Essentially, endpoints that are Teredo capable send Router Solicitation messages to Teredo servers, and some more stuff happens (it’s a pretty bog standard negotiation protocol) that is described nicely in the Microsoft link below.

Now the problem is: you end up with a lot of IPv6 traffic being tunneled over IPv4, and not all devices understand Teredo traffic. A device that only looks at the IPv4 headers sees UDP packets; it never sees the IPv6 addresses, protocols or ports inside them.

Oh.

I’m also willing to bet that you have a lot of equipment that will never be Teredo capable. I’m even willing to step out on a limb and bet that some of it provides critical network security functionality. To prove what a gutsy risk-taker I am I’ll even make a third bet: that a lot of sites end up deploying Teredo on end hosts and servers prior to upgrading all their network security devices. So to prove me wrong I’d like everyone reading this to plan their Teredo deployment sanely and make sure the network, and its security, is Teredo capable prior to actually deploying it.
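To make the point concrete, here is an added example (not code from the original post or from Microsoft) that decapsulates a Teredo packet and compares what an IPv4-only device sees with what the tunnel actually carries. The packet, addresses and ports are constructed for the example; the Teredo UDP port 3544 and the origin-indication/authentication header layouts are from RFC 4380.

```python
import socket
import struct

TEREDO_UDP_PORT = 3544  # Teredo's UDP port (RFC 4380)

def parse_ipv4_udp(pkt: bytes):
    """Outer view: (src, dst, sport, dport, payload) of an IPv4/UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8:  # IPv4 protocol 17 = UDP
        return None
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            sport, dport, pkt[ihl + 8:ihl + ulen])

def teredo_inner(payload: bytes):
    """Inner view: (src6, dst6, next_header, dport) of the encapsulated IPv6 packet, else None."""
    p = payload
    while len(p) >= 4 and p[0] == 0 and p[1] in (0, 1):  # optional Teredo headers
        p = p[8:] if p[1] == 0 else p[4 + p[2] + p[3] + 9:]  # origin indication / authentication
    if len(p) < 40 or p[0] >> 4 != 6:
        return None
    nxt = p[6]
    src6 = socket.inet_ntop(socket.AF_INET6, p[8:24])
    dst6 = socket.inet_ntop(socket.AF_INET6, p[24:40])
    dport = struct.unpack("!H", p[42:44])[0] if nxt in (6, 17) and len(p) >= 44 else None
    return src6, dst6, nxt, dport

def inspect(pkt: bytes):
    """What an IPv4-only device sees versus what the tunnel actually carries."""
    outer = parse_ipv4_udp(pkt)
    if outer is None:
        return {"outer": None, "inner": None}
    src, dst, sport, dport, payload = outer
    inner = teredo_inner(payload) if TEREDO_UDP_PORT in (sport, dport) else None
    return {"outer": f"udp {src}:{sport} -> {dst}:{dport}",
            "inner": None if inner is None else
            f"ipv6 {inner[0]} -> {inner[1]} next={inner[2]} dport={inner[3]}"}

def sample_packet():
    """Constructed packet: IPv4/UDP to 3544 carrying an IPv6 TCP SYN to port 23 (telnet)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 23, 0, 0, 0x50, 0x02, 8192, 0, 0)
    ip6 = (struct.pack("!IHBB", 0x60000000, len(tcp), 6, 64)
           + socket.inet_pton(socket.AF_INET6, "2001:db8::1")
           + socket.inet_pton(socket.AF_INET6, "2001:db8::2") + tcp)
    udp = struct.pack("!HHHH", 4096, TEREDO_UDP_PORT, 8 + len(ip6), 0) + ip6
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"))
    return ip4 + udp
```

An IPv4 ACL that blocks inbound telnet would pass this packet, since all it can match on is UDP to port 3544; only a device that decapsulates Teredo can apply the policy to the inner TCP/23 connection.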

Microsoft Teredo Overview

Wikipedia - Teredo tunneling

The Teredo Protocol: Tunneling Past Network Security and Other Security Implications


Posted by Kurt.Seifried on Monday, December 11th, 2006, at 8:00 am, and filed under Articles.
