Tuesday, February 02, 2010
How to prevent ipv6 tunneling across firewalls and routers
Perhaps it is a company policy or someone on your IT team feels it is important to block IPv6 tunneling across your network to 6to4 relays or Teredo relay servers or perhaps you only want internal folks using your delegated IPv6 address block. Do you have any options available to you to block this sort of traffic?
As with most things tech related, the answer is: it depends on what you want to do. Both 6to4 and ISATAP use IPv4 protocol 41 to tunnel their traffic. Therefore, it is easy enough to block IPv4 protocol 41 from traversing internally (which would stop ISATAP and 6to4) or at the edge firewall (which would stop 6to4 but might not stop ISATAP, since ISATAP tunnels can terminate entirely inside the network). On Cisco IOS it might look like this on an internal router or switch, with the ACL then applied to the relevant interface using ip access-group:
access-list 100 deny 41 any any
access-list 100 permit ip any any (or whatever traffic you DO want to permit)
In addition to this step, you can blackhole the IPv4 route to 192.88.99.1, which is the IPv4 anycast address used for the 6to4 relay. On Cisco IOS you could do:
ip route 192.88.99.1 255.255.255.255 null0
Teredo clients can be blocked in a blunt way because, by design, Teredo uses UDP over IPv4 to establish and build its NAT traversal tunnel traffic. Simply blocking outbound UDP traffic solves the problem but certainly breaks a lot of other functions for end client machines.
If you are running a Microsoft Windows AD configuration with clients belonging to the domain, you can poison the Teredo DNS entry that is used by default on a Microsoft client machine. All Microsoft clients from Windows XP on up use the DNS name teredo.ipv6.microsoft.com to determine whether they can use Teredo to build out an IPv6 connection. This likely isn't the best method, but it can be effective, and some might say required, because from Windows Vista on up Teredo is enabled by default but inactive. This means that if an application gets installed that wants to make use of Teredo, it activates the Teredo client and attempts to use it.
You can also use a GPO to change the registry keys to keep Teredo off. You can push firewall changes to the Windows clients (Vista and Windows 7) that would block Teredo, or you could turn off IPv6, which would solve the problem as well. Microsoft has documentation on all of those options.
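Before deciding which of the blocks above to apply, it helps to know which tunnelling mechanism is actually in use on your network. The following is an added example (not from the original post) that recognises 6to4, Teredo and ISATAP addresses by their RFC-defined layouts, recovers the IPv4 endpoints they embed, and flags IPv4 flow records that match the post's blocking criteria; the UDP port 3544 check is the Teredo default server port from RFC 4380, which the post itself does not name.

```python
import ipaddress
from typing import Optional

# Added example: decode tunnelled IPv6 addresses (RFC 3056 6to4, RFC 4380
# Teredo, RFC 5214 ISATAP) so a defender can see which internal host or
# relay is behind a tunnel observed in logs.

def classify_tunnel_address(text: str) -> Optional[dict]:
    """Name the tunnelling mechanism an IPv6 address belongs to, or None."""
    b = ipaddress.IPv6Address(text).packed  # 16 raw bytes
    # 6to4: 2002:V4ADDR::/48, the site's public IPv4 sits in bytes 2..5
    if b[0:2] == b"\x20\x02":
        return {"mechanism": "6to4",
                "site_ipv4": str(ipaddress.IPv4Address(b[2:6]))}
    # Teredo: 2001:0::/32; server IPv4 in bytes 4..7, flags in 8..9,
    # client port XOR 0xFFFF in 10..11, client IPv4 XOR 0xFFFFFFFF in 12..15
    if b[0:4] == b"\x20\x01\x00\x00":
        port = int.from_bytes(b[10:12], "big") ^ 0xFFFF
        client = int.from_bytes(b[12:16], "big") ^ 0xFFFFFFFF
        return {"mechanism": "Teredo",
                "server_ipv4": str(ipaddress.IPv4Address(b[4:8])),
                "client_ipv4": str(ipaddress.IPv4Address(client)),
                "client_port": port}
    # ISATAP: interface ID 0000:5efe:V4ADDR or 0200:5efe:V4ADDR (u/l bit set)
    # in bytes 8..15, under any prefix, including link-local fe80::/64
    if b[8] in (0x00, 0x02) and b[9] == 0 and b[10:12] == b"\x5e\xfe":
        return {"mechanism": "ISATAP",
                "host_ipv4": str(ipaddress.IPv4Address(b[12:16]))}
    return None

TEREDO_UDP_PORT = 3544           # RFC 4380 default Teredo server port
SIXTOFOUR_RELAY = "192.88.99.1"  # anycast relay address the post blackholes

def flag_flow(proto: int, dst_ip: str, dst_port: Optional[int] = None) -> Optional[str]:
    """Name what an IPv4 flow record (protocol, destination, port) suggests."""
    if proto == 41:  # IPv6-in-IPv4: 6to4 or ISATAP, both blocked by the ACL
        return "6to4 relay" if dst_ip == SIXTOFOUR_RELAY else "protocol-41 tunnel"
    # Only the client-to-server leg of Teredo uses the fixed port; peer
    # traffic uses arbitrary UDP ports and needs address decoding instead
    if proto == 17 and dst_port == TEREDO_UDP_PORT:
        return "Teredo server contact"
    return None
```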
So, in those cases where you actually need to turn off IPv6 tunneling technologies, there are options available. The next question is: do you really want to block these technologies?
- Ed
Labels: IPv6, Microsoft, Security
Monday, October 05, 2009
Why Microsoft should buy LifeSize and Shoretel
Cisco just announced their intent to acquire Tandberg last week. This effectively cemented the number one and two players in enterprise video conferencing systems. Cisco's Telepresence is still insanely expensive for even the most aggressive SMBs and, I would argue, for many Enterprise customers too. Tandberg has an excellent solution and meets the mid-tier space well but isn't known for being superb in the design and user interface arena. The remaining vendors with any traction are Polycom and LifeSize.
So where does this leave Microsoft in the OCS and Unified Communications area for larger scale video teleconferencing and telepresence solutions? Microsoft has a good solution for single laptop integration and a moderately acceptable solution with the RoundTable product. But I must admit, having that RoundTable device spinning around and sticking up in the middle of the conference room table is incredibly annoying and distracting, two things you don't want in a meeting.
I think Microsoft is missing a critical piece in the larger scale voice and video market space and I think they could easily scale up their Unified Communications platform with some strategic purchases. I think Microsoft should buy Shoretel for their voice capabilities and LifeSize for their video conferencing and telepresence solutions. It would instantly make them a much bigger player in both markets and cement Shoretel's ability to sell into larger enterprise shops while allowing LifeSize to capitalize their growth at a much faster rate.
To gain a foothold in the voice market that leverages their OCS platform, a purchase of Shoretel would allow them to meet the needs of companies that require handset deployments (call centers, corporate and sales offices, help lines, etc.) while still supporting many of the OCS features they require and allowing more standards integrations. Plus, given the platform that the Shoretel solution is built on, there is a high probability of doing a lot more integration work.
To gain a foothold in the video conferencing space, picking up LifeSize (vs Polycom) would be a huge win. LifeSize has a better product portfolio (no question on that one), has a good partnership with Shoretel and does not have the valuation baggage that Polycom currently has. Even though Polycom is a Microsoft partner and is now building the RoundTable devices for Microsoft (which I think Microsoft should drop long term), LifeSize is a better match and likely an easier acquisition given their size. Microsoft could also easily integrate the solution with their existing OCS solution and come up with something truly scalable that can be packaged and sold to every size of company they sell to; that alone would be a huge differentiator.
Are there potential pitfalls in this? Sure, it could spoil Microsoft's ecosystem of voice partners, but given that Nortel is no longer a factor and Mitel/Intertel don't have enough value to justify a purchase, they aren't a factor either. Altigen is much too small and can't even properly support QoS, so Microsoft does not have to worry about them; they will continue to work with Microsoft no matter what Microsoft does. Avaya, Siemens and Toshiba, and at the low end Panasonic, are the other vendors who are left for the most part. All of them have to play nice with Microsoft, as Cisco is crushing them in the voice space and they do not have a Unified Communications solution that anyone is really willing to buy.
Then again, Microsoft has always been a build-it-in-software sort of company. I just think trying to address the video conferencing market without a good hardware solution is folly, and given their options I think Shoretel and LifeSize are their best shots at catching up.
- Ed
Labels: LifeSize, Microsoft, Shoretel
Unless otherwise expressly stated, all original material of whatever nature created by Ed Horley and included in this weblog and any related pages, including the weblog's archives, is licensed under a Creative Commons License.