Re: teredo.ipv6.microsoft.com off?
Hello,

On Tue, Jul 16, 2013 at 09:27:54PM +, Christopher Palmer wrote:
> I am acking this thread. If there is feedback on the ongoing experiment or
> our consideration of sunsetting Teredo, do let me know. So far people have
> been quite enthusiastic.

Let me ask one thing... a couple of years ago, when I read the specification
of Teredo, I was quite impressed by the details (if you accept the premise
that you have to work around being jailed behind an IPv4 NAT) put into the
protocol. One detail was that it is supposed to be lowest priority and so go
away automatically (from the client end) as soon as some configured IPv6 is
available on the link. Isn't that how it's implemented?

Regards,
	-is
Windows 7 / IPv6 on PPP Adapter
What is your opinion about the Windows 7 IPv6 over PPP behaviour that I'm
going to describe below?

If the global IPv6 address of the PPP interface has the last 64 bits
different from the last 64 bits of the IPv6 link-local address (interface
identifier negotiated by IPv6CP), then IPv6 is not going to work on that
machine.

[this is working on Windows 7 / Linux ...]

PPP Adapter:
   IPv6 Address:            2a02:2f0b:503f:fff::50c:9a9b
   Link Local IPv6 Address: fe80::50c:9a9b
   Default Gateway:         fe80::1
[...]

[this is not working on Windows 7 but is working on Linux ...]

PPP Adapter:
   IPv6 Address:            2a02:2f0b:503f:fff::50c:abcd
   Link Local IPv6 Address: fe80::50c:9a9b
   Default Gateway:         fe80::1
[...]

You might end up with this config on your PC if the BNG / PPPoE server is
using RA with the M flag (just for the default route) and a DHCPv6 server for
the IPv6 global address.

Is there any RFC that refers to this issue?

thanks,
liviu.
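The check behind liviu's observation, as an added example that is not part of the list thread or of any poster's code: it extracts the interface identifier (low 64 bits) from a global and a link-local address and reports whether they match. The two address pairs are the ones quoted in the message; the function names Get-InterfaceIdentifier and Test-IidMatch are invented here.

```powershell
# Added example (not from the list thread): compare the interface identifier
# (low 64 bits) of a global IPv6 address with that of the link-local address
# on the same PPP adapter. A mismatch is the condition liviu describes as
# breaking IPv6 on Windows 7 but not on Linux.

function Get-InterfaceIdentifier {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 16) { throw "$Address is not an IPv6 address" }
    # The low 64 bits are bytes 8..15 of the 128-bit address.
    return ($bytes[8..15] | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-IidMatch {
    param([string]$Global, [string]$LinkLocal)
    return (Get-InterfaceIdentifier $Global) -eq (Get-InterfaceIdentifier $LinkLocal)
}

# Constructed from the two configurations quoted in the message.
$cases = @(
    @{ Global = '2a02:2f0b:503f:fff::50c:9a9b'; LinkLocal = 'fe80::50c:9a9b' },  # works
    @{ Global = '2a02:2f0b:503f:fff::50c:abcd'; LinkLocal = 'fe80::50c:9a9b' }   # fails on Win7
)

foreach ($c in $cases) {
    $ok = Test-IidMatch -Global $c.Global -LinkLocal $c.LinkLocal
    '{0,-30} vs {1,-16} IID match: {2}' -f $c.Global, $c.LinkLocal, $ok
}

# On a live host, feed the adapter's real addresses (for example from
# "netsh interface ipv6 show addresses") into Test-IidMatch instead of the
# constructed cases above.
```

The first pair reports a match and the second does not, which is exactly the split between the working and the broken configuration in the message.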
Re: teredo.ipv6.microsoft.com off?
On 2013-07-17 15:09 , Ron Broersma wrote:
> On Jul 16, 2013, at 10:40 PM, Mikael Abrahamsson wrote:
>> On Tue, 16 Jul 2013, Christopher Palmer wrote:
>>> If there is feedback on the ongoing experiment or our consideration of
>>> sunsetting Teredo, do let me know. So far people have been quite
>>> enthusiastic.
>>
>> I am too. I would really like to see 6to4 and teredo be default off
>> everywhere, and people who want it can manually turn it on. If teredo
>> went away completely, that would also be a good thing.
>
> Strongly concur here as well. One less thing I have to disable on all my
> systems in enterprise nets.

Windows boxes that are in an Active Domain (which should match your
'enterprise net') have Teredo and 6to4 disabled per default.

Next to that one can enforce that of course through AD policies.

Greets,
 Jeroen
Re: teredo.ipv6.microsoft.com off?
Jeroen Massar jer...@massar.ch writes:

> Windows boxes that are in an Active Domain (which should match your
> 'enterprise net') have Teredo and 6to4 disabled per default.

Sure about that? IIRC this depends on the Windows version. And I think I
have seen Win 2008R2 servers within an AD with at least 6to4 enabled. Right
now I'm not sure about Teredo.

> Next to that one can enforce that of course through AD policies.

Okay, not group policies, but for reference:

http://lists.cluenet.de/pipermail/ipv6-ops/2010-March/003267.html

Where are the Windows people on this list? ;-)

Jens
-- 
| Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de |                  |
Re: teredo.ipv6.microsoft.com off?
Ron,

>>>> I am too. I would really like to see 6to4 and teredo be default off
>>>> everywhere, and people who want it can manually turn it on. If teredo
>>>> went away completely, that would also be a good thing.
>>>
>>> Strongly concur here as well. One less thing I have to disable on all
>>> my systems in enterprise nets.
>>
>> Windows boxes that are in an Active Domain (which should match your
>> 'enterprise net') have Teredo and 6to4 disabled per default.
>>
>> Next to that one can enforce that of course through AD policies.
>
> A number of my enterprise nets support many OSs and are not AD-centric.
> That's why I qualified my enterprise nets as heterogeneous. But yes, if
> you are homogeneous on Windows and everything is in AD, you can disable
> those things through GPO. For me, we have to tell each of our users to
> disable teredo, disable 6to4, disable privacy/temporary addresses, etc.,
> and in many cases beg them to upgrade to OSs that support DHCPv6.

What if they use Android based systems? Is there support for DHCPv6 in the
interim?

best

Enno
-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

Troopers 2013 Videos online: http://www.youtube.com/user/TROOPERScon?feature=watch
=== Blog: www.insinuator.net || Conference: www.troopers.de ===
Re: teredo.ipv6.microsoft.com off?
Hi,

off the top of my head it's roughly as follows:

a) 6to4

Win7/Server 2008 generation and before: if IPv4 address = non-RFC 1918
address, automatically enable 6to4 and try to resolve
6to4.ipv6.microsoft.com to get the 'nearest relay'.

No idea as for Win8/Server 2012.

b) Teredo

Vista: enabled by default.

Win7/Server 2008: perform the following decision logic:

1) if $SYSTEM is a member of an AD domain, assume that $SYSTEM is well
   managed = no need for SOHO tech called Teredo, hence disable it.
2) if $SYSTEM does _not_ have the local firewall enabled, assume that
   $SYSTEM is in a poor security state and it might be too risky to use
   Teredo, hence disable it.
3) if both of the above conditions are _not_ met (read: not a member of an
   AD domain, but local firewall enabled), then put Teredo into the
   'dormant' state and try to reach teredo.ipv6.microsoft.com every 30
   seconds to check if Teredo is usable if needed. Once $APPLICATION asks
   for that, move from 'dormant' into 'qualified' state and thereby
   'enable' Teredo.

Again, no idea as for Win8/Server 2012.

I can't support the above statements by any links, right now. Maybe Chris
Palmer can help with that...

Furthermore there are different ways of getting rid of Teredo (and the
other tunnel techs):

- there's a registry parameter 'DisabledComponents' that allows disabling
  (native|tunnel|all) IPv6, based on a certain bit mask. See KB929852.
- (presumably) this parameter can be controlled by GPOs.
- the tunnel interfaces can be disabled individually by

    netsh int $TUNNEL_INT set state disabled

  on individual systems (persistently, so the setting stays after reboot).

There's quite some debate which approach to use due to operational
practices and MS telling people not to 'fully' disable IPv6 as you might
lose support for $SYSTEM. I've never been able to find any 'official
source' for the latter statement but heard it in pretty much all enterprise
environments (our Windows people tell us we can't do that as the MS
engineers tell them they will lose support then).

best

Enno

On Wed, Jul 17, 2013 at 03:36:00PM +0200, Jens Link wrote:
> Jeroen Massar jer...@massar.ch writes:
>
> > Windows boxes that are in an Active Domain (which should match your
> > 'enterprise net') have Teredo and 6to4 disabled per default.
>
> Sure about that? IIRC this depends on the Windows version. And I think I
> have seen Win 2008R2 servers within an AD with at least 6to4 enabled.
> Right now I'm not sure about Teredo.
>
> > Next to that one can enforce that of course through AD policies.
>
> Okay, not group policies, but for reference:
>
> http://lists.cluenet.de/pipermail/ipv6-ops/2010-March/003267.html
>
> Where are the Windows people on this list? ;-)
>
> Jens
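An added audit script that goes with Enno's list of disable methods above; it is written for this archive and is not code from Enno, the list, or Microsoft. It reads the DisabledComponents value he mentions and decodes it using the bit assignments from KB929852 as recalled here (treat those as an assumption and check them against the KB for your Windows version), then prints the per-tunnel state that netsh reports, so an administrator can see which of the three methods is actually in effect on a host before changing anything. The netsh subcommands are the Windows 7 / Server 2008 R2 era ones; the function name Get-Ipv6DisabledComponents is invented here.

```powershell
# Added audit example (not from the list thread): report, without changing
# anything, how IPv6 transition technologies are configured on this host.
# DisabledComponents bit meanings follow KB929852 as recalled here; verify
# them against the KB for your Windows version before relying on them.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

# Decode the DisabledComponents bitmask into human-readable flags.
function Get-Ipv6DisabledComponents {
    param([int64]$Value)
    $flags = @{
        0x01 = 'All tunnel interfaces (6to4, ISATAP, Teredo) disabled'
        0x02 = '6to4 disabled'
        0x04 = 'ISATAP disabled'
        0x08 = 'Teredo disabled'
        0x10 = 'IPv6 on non-tunnel (LAN/PPP) interfaces disabled'
        0x20 = 'IPv4 preferred over IPv6 in prefix policy'
    }
    $set = foreach ($bit in ($flags.Keys | Sort-Object)) {
        if ($Value -band $bit) { $flags[$bit] }
    }
    if (-not $set) { $set = @('No components disabled (default)') }
    return $set
}

$item = Get-ItemProperty -Path $regPath -Name DisabledComponents -ErrorAction SilentlyContinue
if ($item) {
    # The DWORD comes back as Int32; mask it so 0xFFFFFFFF does not read as -1.
    $value = [int64]$item.DisabledComponents -band 0xFFFFFFFF
    Write-Host ('DisabledComponents = 0x{0:X} ({1})' -f $value, $value)
} else {
    $value = 0
    Write-Host 'DisabledComponents not set (all IPv6 components enabled)'
}
Get-Ipv6DisabledComponents -Value $value | ForEach-Object { Write-Host "  - $_" }

# Per-tunnel state as netsh reports it. For Teredo the 'dormant' and
# 'qualified' states are the ones Enno describes above.
foreach ($tunnel in 'teredo', '6to4', 'isatap') {
    Write-Host "`n=== netsh interface $tunnel show state ==="
    & netsh interface $tunnel show state
}

# Which interfaces currently carry IPv6 addresses, so a tunnel adapter
# configured alongside native IPv6 is visible in the same report.
Write-Host "`n=== IPv6 addresses ==="
& netsh interface ipv6 show addresses
```

Run it in an elevated PowerShell prompt on the host being audited. A value of 0 with Teredo reported as 'offline' or 'dormant' means the Windows decision logic (domain membership or firewall state) is what is keeping Teredo off, not a policy; if the policy is meant to be the control, the registry bits or the per-interface netsh state should show it.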
RE: teredo.ipv6.microsoft.com off?
Jeroen

AFAIK, only Teredo is disabled when the Windows host detects AD

-éric

-----Original Message-----
From: ipv6-ops-bounces+evyncke=cisco@lists.cluenet.de [mailto:ipv6-ops-bounces+evyncke=cisco@lists.cluenet.de] On Behalf Of Jeroen Massar
Sent: Wednesday 17 July 2013 15:20
To: Ron Broersma
Cc: Christopher Palmer; ipv6-ops@lists.cluenet.de; Mikael Abrahamsson
Subject: Re: teredo.ipv6.microsoft.com off?

On 2013-07-17 15:09 , Ron Broersma wrote:
> On Jul 16, 2013, at 10:40 PM, Mikael Abrahamsson wrote:
>> On Tue, 16 Jul 2013, Christopher Palmer wrote:
>>> If there is feedback on the ongoing experiment or our consideration of
>>> sunsetting Teredo, do let me know. So far people have been quite
>>> enthusiastic.
>>
>> I am too. I would really like to see 6to4 and teredo be default off
>> everywhere, and people who want it can manually turn it on. If teredo
>> went away completely, that would also be a good thing.
>
> Strongly concur here as well. One less thing I have to disable on all my
> systems in enterprise nets.

Windows boxes that are in an Active Domain (which should match your
'enterprise net') have Teredo and 6to4 disabled per default.

Next to that one can enforce that of course through AD policies.

Greets,
 Jeroen
Re: teredo.ipv6.microsoft.com off?
On Jul 17, 2013, at 6:20 AM, Jeroen Massar wrote:

> On 2013-07-17 15:09 , Ron Broersma wrote:
>> On Jul 16, 2013, at 10:40 PM, Mikael Abrahamsson wrote:
>>> On Tue, 16 Jul 2013, Christopher Palmer wrote:
>>>> If there is feedback on the ongoing experiment or our consideration
>>>> of sunsetting Teredo, do let me know. So far people have been quite
>>>> enthusiastic.
>>>
>>> I am too. I would really like to see 6to4 and teredo be default off
>>> everywhere, and people who want it can manually turn it on. If teredo
>>> went away completely, that would also be a good thing.
>>
>> Strongly concur here as well. One less thing I have to disable on all
>> my systems in enterprise nets.
>
> Windows boxes that are in an Active Domain (which should match your
> 'enterprise net') have Teredo and 6to4 disabled per default.
>
> Next to that one can enforce that of course through AD policies.

A number of my enterprise nets support many OSs and are not AD-centric.
That's why I qualified my enterprise nets as heterogeneous. But yes, if you
are homogeneous on Windows and everything is in AD, you can disable those
things through GPO. For me, we have to tell each of our users to disable
teredo, disable 6to4, disable privacy/temporary addresses, etc., and in
many cases beg them to upgrade to OSs that support DHCPv6.
Re: teredo.ipv6.microsoft.com off?
Jens Link li...@quux.de writes:

as I like to talk to myself

>> There's quite some debate which approach to use due to operational
>> practices and MS telling people not to 'fully' disable IPv6 as you
>> might lose support for $SYSTEM.
>
> I'm still looking for a source too.

http://technet.microsoft.com/en-us/network/cc987595.aspx
(Q. What are Microsoft's recommendations about disabling IPv6?)

I'm not sure if that is official enough or not.

Jens
Re: teredo.ipv6.microsoft.com off?
>> There's quite some debate which approach to use due to operational
>> practices and MS telling people not to 'fully' disable IPv6 as you
>> might lose support for $SYSTEM.
>
> I'm still looking for a source too.
>
> Rumors have it that the Windows 7 roll out here (large enterprise
> customer) will be with IPv6 disabled. I guess that's why they hired me
> to do the IPv6 planning (on the network side).

Most of the talks that I've seen from Sean Siler (IPv6 guy at Microsoft)
have a slide on best practices, where his point #1 is "Leave Windows in the
default configuration (IPv6 enabled)", and he describes how disabling IPv6
comes with risk because you will be operating the OS in an untested
configuration. We translate that into a security issue, and therefore make
it a security violation to disable IPv6 in Windows 7 and later. I know that
is somewhat inconsistent with the DoD STIG, but IMHO the STIG is wrong.
Re: teredo.ipv6.microsoft.com off?
Enno Rey e...@ernw.de writes:

> Hi,
>
>>> There's quite some debate which approach to use due to operational
>>> practices and MS telling people not to 'fully' disable IPv6 as you
>>> might lose support for $SYSTEM.
>>
>> I'm still looking for a source too.
>>
>> Rumors have it that the Windows 7 roll out here (large enterprise
>> customer) will be with IPv6 disabled. I guess that's why they hired me
>> to do the IPv6 planning (on the network side).

Disabling IPv6 will lead to some problems:

http://support.microsoft.com/kb/2549656
(DNS Server service randomly cannot resolve external names and returns a
Server Failure error if IPv6 is disabled in Windows Server 2008 and Windows
Server 2008 R2)

This is an actual problem for a customer where I helped implementing IPv6
last year. They don't use Windows but they are running a large dual stacked
website.

Jens
Re: teredo.ipv6.microsoft.com off?
Hi,

thanks for that link.

big question is: what does "disabling IPv6" mean in those contexts?

- unchecking IPv6 in the GUI-based interface properties?
- setting DisabledComponents to 0xfff?
- using some netsh-based approach?

from what I hear: as long as you can successfully ping ::1, IPv6 is
considered enabled and MS regards this as a 'supported configuration'.

best

Enno

On Wed, Jul 17, 2013 at 04:45:58PM +0200, Jens Link wrote:
> Enno Rey e...@ernw.de writes:
>
> > Hi,
> >
> >>> There's quite some debate which approach to use due to operational
> >>> practices and MS telling people not to 'fully' disable IPv6 as you
> >>> might lose support for $SYSTEM.
> >>
> >> I'm still looking for a source too.
> >>
> >> Rumors have it that the Windows 7 roll out here (large enterprise
> >> customer) will be with IPv6 disabled. I guess that's why they hired
> >> me to do the IPv6 planning (on the network side).
>
> Disabling IPv6 will lead to some problems:
>
> http://support.microsoft.com/kb/2549656
> (DNS Server service randomly cannot resolve external names and returns a
> Server Failure error if IPv6 is disabled in Windows Server 2008 and
> Windows Server 2008 R2)
>
> This is an actual problem for a customer where I helped implementing
> IPv6 last year. They don't use Windows but they are running a large dual
> stacked website.
>
> Jens
Re: teredo.ipv6.microsoft.com off?
On 17/07/2013 19:13, Ignatios Souvatzis wrote:
...
> Let me ask one thing... a couple of years ago, when I read the
> specification of Teredo, I was quite impressed by the details (if you
> accept the premise that you have to work around being jailed behind an
> IPv4 NAT) put into the protocol. One detail was that it is supposed to
> be lowest priority and so go away automatically (from the client end) as
> soon as some configured IPv6 is available on the link. Isn't that how
> it's implemented?

Yes, but the result is that the host tries to use Teredo preferentially
even if the IPv4 path is better; and if the Teredo path is broken the
result is user pain (as with 6to4). I think the idea of deprecating Teredo
is that now that native IPv6 is a serious option, the costs of Teredo
outweigh the benefits, on average. (Unfortunately nobody ever wrote the
Teredo equivalent of RFC6343.)

   Brian