Apologies for the staggered reply.

Another note, RFC 6092 is about IPv6 behavior. If our Teredo traffic is 
de-encapsulated, one will notice the traffic carries IPsec, which unambiguously 
should be allowed by section 3.2.4.

That's a theoretical point really, I don't expect (or necessarily even want) 
middle boxes to bust open Teredo and apply RFC 6092.

Recommendations for IPv4 NAT behavior and UDP, including discussion of UNSAF 
NAT traversal, fall closer to RFC 4787 IMHO.

Sent from my Windows Phone
________________________________
From: Christopher Palmer<mailto:[email protected]>
Sent: 3/13/2014 8:39 PM
To: Eric Vyncke (evyncke)<mailto:[email protected]>; Marco 
Sommani<mailto:[email protected]>; 
[email protected]<mailto:[email protected]>
Subject: RE: Microsoft: Give Xbox One users IPv6 connectivity

The relevant excerpt on Teredo usage:
"""
Even for users that do have native IPv6 - Teredo will be used to interact with 
IPv4-only peers, or in cases where IPv6 connectivity between peers is not 
functioning. In general, Xbox One will dynamically assess and use the best 
available connectivity method (Native IPv6, Teredo, and even IPv4). The 
implementation is similar in spirit to RFC 6555.
"""

This is from our online documentation. I have a tentative work item sitting in 
my queue to do something more proper for the IETF (like a draft).
http://download.microsoft.com/download/A/C/4/AC4484B8-AA16-446F-86F8-BDFC498F8732/Xbox%20One%20Technical%20Details.docx

The feedback about Teredo has been hard to digest. Our platform multiplayer 
solution uses standards for connectivity (Teredo/IPv6) and security (IPsec) - 
would it be better for the community to encourage opaque non-standard 
techniques instead? (this is a rhetorical question, not a call for discussion 
:P)

What is the "intent" of a CPE configuration that blocks an UNSAF NAT traversal 
mechanism using ports 3544 and 3074 (Xbox + Teredo), but allows other ports to 
be used for open NAT traversal?  That just seems like a very vendor-targeted 
blockage, like they dislike Xbox, but they're fine with other devices doing 
unknown things over UDP.

I know this isn't the intent, but a deeply negative person could look at this 
and say the policy is: "block Microsoft products because they had the audacity 
to standardize their network behavior and use documented ports."

If a home router generally blocks NAT traversal, then I "get it." I disagree 
with that default configuration and think it's the wrong thing for users, but 
at least it is something I can understand on principle.

-----Original Message-----
From: ipv6-ops-bounces+christopher.palmer=microsoft....@lists.cluenet.de 
[mailto:ipv6-ops-bounces+christopher.palmer=microsoft....@lists.cluenet.de] On 
Behalf Of Eric Vyncke (evyncke)
Sent: Thursday, March 13, 2014 11:09 PM
To: Marco Sommani; [email protected]
Subject: Re: Microsoft: Give Xbox One users IPv6 connectivity



On 14/03/14 00:21, "Marco Sommani" <[email protected]> wrote:
>AVM is not alone in its choices: they just do what is suggested in RFC
>6092 - "Recommended Simple Security Capabilities in Customer Premises
>Equipment (CPE) for Providing Residential IPv6 Internet Service". I
>don't like what they do, but maybe we should blame IETF.

Marco

I agree and disagree :-)

Agreement on the fact that AVM is not the only CPE vendor doing this (and also 
blaming ISP -- notably in my country 15% of broken IPv6 connectivity = 
Belgium)...

Disagreement: RFC 6092 has TWO settings: one close and one open and the choice 
should be given to the end-user. As you may know, there have been heated 
discussions at the IETF on this topic.

-éric
