Teredo Security Concerns
In the past we've written about the risks involved in using Teredo (as Microsoft's Vista does, for example). It effectively makes machines behind a NAT gateway addressable from the Internet. Proponents will say that Vista doesn't start it until needed, and that the IPv6 address space is too big to scan. Well, all it takes is a hit on an IPv6 web server to both start it and to know where the client is.
It seems this opinion is now shared and elaborated in an Internet-Draft over at the IETF:
http://www.ietf.org/internet-drafts/draft-ietf-v6ops-teredo-security-concerns-01.txt
Recommended reading material.
Just a reminder: block UDP port 3544 on your IPv4 perimeter to stop the tunnels from being created.
--
Swa Frantzen -- Gorilla Security
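Added example, not part of the original diary: a Teredo address (RFC 4380) embeds the Teredo server's IPv4 address plus the client's NAT-mapped public IPv4 address and UDP port, which is why one logged request is enough to know where the client is. The sketch below decodes those fields so you can audit your own logs for hosts that are tunnelling; the log lines and addresses are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo service prefix (RFC 4380)

def decode_teredo(addr):
    """Return the IPv4 details embedded in a Teredo address, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.version != 6 or ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    return {
        "teredo_server": str(ipaddress.IPv4Address(raw[4:8])),
        "cone_nat": bool(raw[8] & 0x80),  # top bit of the 16-bit flags field
        # The mapped port and address are stored with every bit inverted.
        "nat_udp_port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
        "nat_public_ipv4": str(
            ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
        ),
    }

def teredo_clients(log_lines):
    """Map each Teredo client address found in access-log lines to its decoded fields."""
    found = {}
    for line in log_lines:
        fields = line.split()
        client = fields[0] if fields else ""
        info = decode_teredo(client)
        if info:
            found[client] = info
    return found

# Constructed sample access-log lines (documentation address ranges only).
SAMPLE_LOG = [
    '2001:0:c000:201:8000:63bf:39cc:9bf8 - - [01/Jan/2008:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8::25 - - [01/Jan/2008:10:00:05 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2008:10:00:09 +0000] "GET / HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for addr, info in teredo_clients(SAMPLE_LOG).items():
        print(addr, info)
```

A decoded `nat_public_ipv4` that matches one of your own perimeter addresses means an internal host got a tunnel out past the UDP 3544 block.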