Please stop disabling IPv6


A recent Windows 10 update brought to light just how many people are disabling IPv6 as part of their normal process. Should you be doing that? Probably not.

But first things first. Since so many people are disabling IPv6, many readers are probably already jaded at the prospect of allowing IPv6 on their network. I’m going to argue that in most cases disabling IPv6 is neither necessary nor desirable. But before we get to that, if you just can’t stomach it, or you have some serious legacy applications or hardware, here is Microsoft’s official recommendation: keep IPv6 enabled, but set a policy that says to prefer IPv4.

To configure IPv6, modify the following registry value based on this table. The value is read at startup, so restart the computer after changing it.

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
Name: DisabledComponents
Type: REG_DWORD
Min Value: 0x00

IPv6 Functionality        Registry value     Comments
Prefer IPv4 over IPv6     Dec 32             Recommended instead of disabling
                          Hex 0x20
                          Bin xx1x xxxx
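As an added example (this script is not from the original post or from Microsoft), here is how to read the current DisabledComponents value, decode the bits Microsoft documents for it, and apply the recommended 0x20 in place of the 0xFF that "disable IPv6" guides hand out. The function and variable names are mine; the registry path, value name and bit meanings are the documented ones.

```powershell
# Added example (not from the original post): inspect DisabledComponents and
# apply Microsoft's recommended 0x20 ("prefer IPv4") instead of 0xFF
# ("disable IPv6"). Run from an elevated PowerShell prompt. The value is
# read at boot, so a reboot is required after changing it.

$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$Name = 'DisabledComponents'

# Bit meanings as documented by Microsoft for this value.
$Bits = @(
    @{ Bit = 0x01; Meaning = 'Disable all tunnel interfaces (6to4, ISATAP, Teredo)' },
    @{ Bit = 0x10; Meaning = 'Disable IPv6 on all nontunnel interfaces' },
    @{ Bit = 0x20; Meaning = 'Prefer IPv4 over IPv6 in prefix policies (recommended instead of disabling)' }
)

function Get-IPv6DisabledComponents {
    # An absent value means the default of 0: IPv6 fully enabled and preferred.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

function Show-IPv6DisabledComponents([int]$Value) {
    'DisabledComponents = 0x{0:X2}' -f $Value
    if ($Value -eq 0xFF) {
        '  0xFF: IPv6 disabled on every interface and IPv4 preferred. Microsoft does not test this.'
        return
    }
    if ($Value -eq 0) { '  default: IPv6 enabled and preferred'; return }
    foreach ($b in $Bits) {
        if ($Value -band $b.Bit) { '  0x{0:X2}: {1}' -f $b.Bit, $b.Meaning }
    }
}

'Before:'
Show-IPv6DisabledComponents (Get-IPv6DisabledComponents)

# Apply the recommended setting: keep IPv6 enabled, prefer IPv4.
# -Type DWord creates the value if it does not exist yet.
Set-ItemProperty -Path $Path -Name $Name -Value 0x20 -Type DWord

'After:'
Show-IPv6DisabledComponents (Get-IPv6DisabledComponents)
'Reboot to apply. Afterwards "netsh interface ipv6 show prefixpolicies" should'
'rank the IPv4-mapped prefix ::ffff:0:0/96 above ::/0, which is what "prefer IPv4" means.'
```

If you find 0xFF on a machine, that is the setting this post is asking you to stop using; changing it to 0x20 keeps the application compatibility people were after while putting the host back into a configuration Microsoft tests.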

Moving right along

Now that we’ve gotten that out of the way, let’s take a look at how Windows uses IPv6 even when your DHCP server is providing it an IPv4 address and your Internet router doesn’t support it.

We all know that the world is running out of IPv4 addresses. I’m not going to rehash that here, other than to say that it doesn’t matter much for your internal network. Your internal DHCP server can keep handing out IPv4 addresses for compatibility, and as your ISP and the services you reach roll out IPv6, more and more of your Internet traffic will use it. That still doesn’t mean you want to disable IPv6. You actually want to use both: IPv4 where you want readable addresses and legacy compatibility, and IPv6 wherever Windows finds a working path, which it prefers by default. Here is why I think that is the best option.

IPv6 is a core part of the Windows operating system. Microsoft does no testing with it turned off, so they won’t guarantee that anything works properly without IPv6. Of course, many things do work, but behind the scenes the components written for IPv6 have to try it, wait for the attempt to fail, and then fall back to older protocols. That waiting to fail can really be felt on the PC when you disable IPv6. Back in the Windows 7 days there was a known condition where you would see a lag getting to the Internet when IPv6 was enabled and your router didn’t support it. But starting with Windows 8 and Server 2012, Windows detects that it has no IPv6 route to the Internet, remembers this, and prefers IPv4 for that type of traffic. No configuration or disabling required.

What does IPv6 do for network traffic?

IPv4 is one of the longest-lived pieces of technology in our computers today. When it was built, the population of computers was a lot smaller and there was no real need for security. In fact, there is no security built into IPv4: nothing in the protocol itself authenticates or encrypts anything. My, how things have changed! Security was a design goal for IPv6, and IPsec was specified as an integral part of the protocol rather than a separate add-on. It still has to be configured, though; it is not switched on by default. Here are a few of the advantages of IPv6.

  • There’s no need for NAT. Every computer can have a globally routable address that serves both internal traffic and Internet traffic, so we no longer have to keep two address spaces apart through IP addressing. Peer-to-peer applications such as VoIP work better because a direct connection to the PC is possible without NAT traversal tricks.
  • Routers no longer fragment packets in IPv6. The sending host discovers the path MTU and sizes its packets to fit, so the work moves to the device rather than the router. Separately, the IPv6 header drops the per-hop header checksum, so routers don’t have to recompute one at every hop.
  • IPv6 uses multicast rather than broadcast, so hosts that don’t care about what you’re doing do not have to process the packets.
  • IPsec is no longer an add-in. It’s part of the protocol, so authenticating and encrypting traffic between hosts is a configuration choice rather than a bolt-on. Note that it is not applied automatically: headers and payloads are sent in the clear unless you deploy IPsec.

There’s a persistent myth about IPv6: that if you disable it you are reducing the attack surface. The truth is that if your router doesn’t route IPv6, your IPv6 traffic stays on the local link, and if it does route IPv6, the same controls you already rely on for IPv4 apply: a stateful firewall at the edge and the host firewall on each PC. IPv6 does not encrypt anything on its own, so don’t count on that either way; it is IPsec, if you deploy it, that protects the traffic. What disabling IPv6 in the registry actually does is put your hosts into a configuration Microsoft doesn’t test. If you want to tighten the local link, do it with the same tools you would use for IPv4: firewall rules for ICMPv6 and control over which devices on the LAN may send Router Advertisements (RA Guard on managed switches), not a registry hack.

Additional benefits that might seem scary

It’s an upside down world these days. Remember when IT departments used Group Policy to manage and control PCs? Remember when we had to maintain DHCP servers? Remember when your devices used non-routable addressing and had to NAT to get to the Internet? Remember when employees all worked in the office? Remember when we didn’t have VOIP phones? Remember when you didn’t have any IoT devices at all?

IPv6 doesn’t need a DHCP server to hand out addresses. The individual device is capable of assigning itself one: it learns the network prefix from the router’s advertisements, generates the rest of the address itself, and then checks the link to make sure nobody else is using it (duplicate address detection). DHCPv6 still exists if you want centrally assigned addresses, but it isn’t required. What is so scary about that? It’s a loss of control. There’s no longer a lease GUI to look at to see which machines are using which addresses; you have to query the hosts or the router’s neighbor table for that information. But if the computers are self-assigning and automatically ensuring that there are no duplicates, then why do we really need to care? It’s the letting go of past practices that is the scary part, not the technology itself.
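Here is an added PowerShell example, not from the original post, that shows the information the DHCP lease view used to give you, and also the check behind the earlier point about Windows 8 and later preferring IPv4 when it has no IPv6 route: it lists each IPv6 address on the host with where its prefix and suffix came from (Router Advertisement, DHCPv6, or self-generated), tests for an IPv6 default route, and dumps the neighbor cache. The function names are mine; the cmdlets and property values are the standard NetTCPIP ones.

```powershell
# Added example (not from the original post): inventory what IPv6 is doing on
# this host. Works on Windows 8 / Server 2012 and later (NetTCPIP module).

function Get-IPv6AddressReport {
    # PrefixOrigin: RouterAdvertisement = prefix learned via SLAAC, Dhcp = DHCPv6,
    #               WellKnown = fe80::/64 link-local, Manual = static.
    # SuffixOrigin: Link / Random = interface ID generated by the host itself,
    #               Dhcp = assigned by a DHCPv6 server.
    # AddressState: Tentative = duplicate address detection still running,
    #               Duplicate = DAD failed, Preferred = usable, Deprecated = aging out.
    Get-NetIPAddress -AddressFamily IPv6 |
        Where-Object { $_.InterfaceAlias -notlike 'Loopback*' } |
        Select-Object InterfaceAlias, IPAddress, PrefixLength, PrefixOrigin, SuffixOrigin, AddressState,
            @{ Name = 'Scope'; Expression = {
                if ($_.IPAddress -like 'fe80:*') { 'link-local' }
                elseif ($_.IPAddress -like 'fc*' -or $_.IPAddress -like 'fd*') { 'unique-local' }
                else { 'global' } } }
}

function Test-IPv6DefaultRoute {
    # A ::/0 route (normally learned from a Router Advertisement) means the LAN
    # router is offering IPv6 to the Internet. If there is none, Windows 8 and
    # later will use IPv4 for Internet destinations without any registry change.
    $routes = Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' -ErrorAction SilentlyContinue
    return ($null -ne $routes -and @($routes).Count -gt 0)
}

function Get-IPv6NeighborReport {
    # The neighbor cache is the IPv6 answer to "which machine has which address":
    # unicast neighbors seen on the link, with their MAC addresses. Multicast
    # entries (ff..) and unresolved entries are filtered out.
    Get-NetNeighbor -AddressFamily IPv6 |
        Where-Object {
            $_.IPAddress -notlike 'ff*' -and
            $_.LinkLayerAddress -ne '' -and
            $_.State -in 'Reachable', 'Stale', 'Permanent'
        } |
        Select-Object InterfaceAlias, IPAddress, LinkLayerAddress, State
}

'IPv6 addresses on this host:'
Get-IPv6AddressReport | Format-Table -AutoSize

if (Test-IPv6DefaultRoute) {
    'IPv6 default route present: Windows will prefer IPv6 for Internet destinations.'
} else {
    'No IPv6 default route: Windows will use IPv4 for Internet destinations on its own.'
}

'IPv6 neighbors on the link:'
Get-IPv6NeighborReport | Format-Table -AutoSize
```

Run it on a machine where someone has "disabled IPv6" and you will typically still see a link-local fe80:: address, which is the point: the protocol is in the stack either way, so the useful question is not whether to disable it but what the addresses, routes and neighbors actually are.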

Letting go of NAT is probably the scariest part for many IT admins. NAT gives you the illusion that your network is safe. And yet every day, in a million ways, each device makes a connection to the Internet and the replies are routed straight back to it. If the device wants to accept an incoming connection, it either makes the initial call itself or a port is opened for it in the firewall. Guess what? The same thing happens with IPv6: your stateful firewall still drops unsolicited inbound traffic by default, and the router simply doesn’t have to rewrite addresses and ports on the way through. NAT was never about security; the stateful firewall sitting next to it was.

While Group Policy and DHCP servers might not be eliminated from your network yet, they will be eventually. While some businesses still have digital key phones and all of their employees work in the office they aren’t in the majority anymore. I dare say that there aren’t any businesses that don’t have some form of IoT on their network at this point. Even security cameras and network-connected time clocks count as IoT and many businesses have a lot more variety of IoT devices than that. The point is that the very definition of networking has changed as has the very definition of “the edge.”

You’ve probably read that “the edge” is the user credentials. It’s true. Now that users have access to corporate data from mobile phones, desktop phones, softphones, laptops, tablets, and so much more, on the road and in the office, the edge is getting pretty transparent. I mean, when you can take the desktop phone off your desk, plug it into your home Internet, and make a call with no additional configuration needed? The world of networking has changed. It’s not your DNS, your DHCP, your NAT scheme, or even your firewall alone that is protecting the network. It’s the credentials on that phone that count. That’s our edge, and it is where we need to focus on security.

Forget about the imagined pitfalls of IPv6. Its header is simpler, it is easier to route, and it carries IPsec as a standard part of the protocol for when you need authenticated or encrypted traffic. We need to focus our efforts on modernization to make sure that we aren’t crippling our networks by hanging onto legacy networking technologies. The easiest way to adopt IPv6 is to simply stop disabling it.

_________________

Make your IT business better than the competition. IT Pro Helpdesk, TechYourBooks, Super Secret News,  Ransomware Prevention Kit and more. https://www.thirdtier.net



5 thoughts on “Please stop disabling IPv6”

  • Tim Long

    I’m not so convinced that admins are afraid of IPv6. The problem is that there is a “chicken and egg” situation. Show me a program that takes a network address used to connect to a service, and most often you can type in a DNS name or an IPv4 address, but the chances are that program will not accept an IPv6 address. There is your barrier to adoption right there. It’s the developers, not the network admins.

    • Third Tier Post author

      This is a legit concern too. I agree on the adoption point but the disabling point is squarely on IT using outdated information.

  • Michael

    “While Group Policy and DHCP servers might not be eliminated from your network yet, they will be eventually.”
    How Will IPv6 remove the need for Group Policies?

    • Third Tier Post author

      These are unrelated concepts. Microsoft has begun to make a shift toward PowerShell and Intune as policy sources over Group Policy. I’m just saying the writing is on the wall.

  • Andy Lee Robinson

    I wrote an adaptive firewall using iptables and ipset with a database of rulesets to ban and manage millions of malicious IPv4 addresses that attack the systems I’m responsible for. The duration of offence of an IP is monitored so it can be released after its “jail time”, which is a function of its target and number of times seen.
    The database is a few gigabytes in size with 32-bit addresses; IPv6 will create enormous headaches for blocking, storing, indexing and parsing potentially trillions of addresses and combinations of CIDR address ranges.
    How can I build or adapt such a system that can defend against malicious IPv6 addresses?
    IPv6 sounds great in theory, but none of the servers I manage make any use of it, but this may change.