Hi,
off the top of my head it's roughly as follows:
a) 6to4
Win7/Server 2008 generation and before: "if IPv4 address = Non-RFC 1918
address, automatically enable 6to4 and try to resolve 6to4.ipv6.microsoft.com
to get 'nearest relay'".
no idea as for Win8/Server 2012.
b) Teredo
Vista: enabled by default.
Win7/Server 2008: perform the following decision logic:
1) if $SYSTEM member of AD domain, assume that $SYSTEM is "well managed" => no
need for SOHO tech called Teredo, hence disable it.
2) if $SYSTEM does _not_ have local firewall enabled, assume that $SYSTEM in
poor security state and it might be too risky to use Teredo, hence disable it.
3) if neither of the above conditions is met (read: not member of AD domain, but local
firewall enabled), then put Teredo into 'dormant' state and try to reach
teredo.ipv6.microsoft.com every 30 seconds to check if Teredo is usable if needed.
once $APPLICATION asks for that, move from 'dormant' into 'qualified' state and
thereby 'enable' Teredo.
again, no idea as for Win8/Server 2012.
I can't support the above statements by any links, right now.
Maybe Chris Palmer can help with that...
Furthermore there's different ways of getting rid of Teredo (and the other
tunnel techs):
- there's a registry parameter 'DisabledComponents' that allows disabling
(native|tunnel|all) IPv6, based on a certain bit mask. see KB929852.
- (presumably) this parameter can be controlled by GPOs.
- the tunnel interfaces can be disabled individually by "netsh int $TUNNEL_INT
set state disabled" on individual systems (persistently, so setting stays after
reboot).
There's quite some debate about which approach to use, due to operational practices
and MS telling people "not to 'fully' disable IPv6 as you might lose support
for $SYSTEM". I've never been able to find any 'official source' for the latter
statement, but heard it in pretty much all enterprise environments ("our Windows
people tell us we can't do that as the MS engineers tell them they will lose
support then").
best
Enno
On Wed, Jul 17, 2013 at 03:36:00PM +0200, Jens Link wrote:
> Jeroen Massar <[email protected]> writes:
>
> > Windows boxes that are in an Active Domain (which should match your
> > 'enterprise net') have Teredo and 6to4 disabled per default.
>
> Sure about that? IIRC this depends on the Windows version. And I think I
> have seen Win 2008R2 Servers within an AD, with at least 6to4
> enable. Right now I'm not sure about Teredo.
>
> > Next to that one can enforce that of course through AD policies.
>
> Okay, not a group policies, but for reference:
>
> http://lists.cluenet.de/pipermail/ipv6-ops/2010-March/003267.html
>
> Where are the Windows people on this list? ;-)
>
> Jens
> --
> -------------------------------------------------------------------------
> | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
> | http://blog.quux.de | jabber: [email protected] | ------------------- |
> -------------------------------------------------------------------------
--
Enno Rey
ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
Troopers 2013 Videos online:
http://www.youtube.com/user/TROOPERScon?feature=watch
=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
=======================================================
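An audit script for the points raised in the mail above, added here as an example and not part of Enno's or Jens's posts: it decodes the DisabledComponents bit mask referenced via KB929852, shows the domain-membership factor from the Teredo decision logic, and prints the netsh state of each tunnel interface. The registry path, the bit meanings and the netsh contexts are taken from Microsoft documentation as I recall it; treat the bit table as an assumption to verify against KB929852 before relying on it.

```powershell
# Audit IPv6 transition technologies on a Windows host (added example, not from the thread).
# Run elevated. Assumes the DisabledComponents bit meanings documented in KB929852.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$value = (Get-ItemProperty -Path $regPath -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if ($null -eq $value) { $value = 0 }   # absent value: nothing is disabled

# Bit meanings as documented in KB929852 (assumption: verify against the KB for your OS version)
$bits = [ordered]@{
    0x01 = 'all tunnel interfaces (6to4, ISATAP, Teredo) disabled'
    0x02 = '6to4 disabled'
    0x04 = 'ISATAP disabled'
    0x08 = 'Teredo disabled'
    0x10 = 'native IPv6 on non-tunnel interfaces disabled'
    0x20 = 'prefer IPv4 over IPv6 in prefix policy'
}

"DisabledComponents = 0x{0:X8}" -f $value
foreach ($flag in $bits.Keys) {
    if ($value -band $flag) { "  bit 0x{0:X2}: {1}" -f $flag, $bits[$flag] }
}
if (($value -band 0xFF) -eq 0xFF) { "  0xFF: all IPv6 components except loopback disabled" }

# Domain membership: per the thread, Win7/2008 disables Teredo on AD domain members
$domainJoined = (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
"Domain-joined: $domainJoined"

# Runtime state of each tunnel technology as netsh reports it (policy vs. actual state)
foreach ($tech in 'teredo', '6to4', 'isatap') {
    "--- netsh interface $tech show state ---"
    netsh interface $tech show state
}

# Remediation where tunnel transports are unwanted; persistent across reboots, as the mail notes:
#   netsh interface teredo set state disabled
#   netsh interface 6to4 set state disabled
#   netsh interface isatap set state disabled
```

Comparing the registry bits against the netsh output catches hosts where a GPO set the value but the interfaces still show as enabled, which is the mismatch Jens describes seeing on domain-joined 2008R2 servers.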