Subscribe via e-mail: 
IPv6 is on the rise; there is no doubt about it. Emerging countries, such as China, are pushing IPv6 because they don’t have enough IPv4 addresses. With DirectAccess, Microsoft has, for the first time, introduced an important feature that requires IPv6. In fact, the number of IPv6 packets in our networks is increasing every day. I think this is a good time to disable IPv6.
Do you find it hard to follow my argument? If so, I assume you are not the one who is in charge of your network’s security. More and more network providers are upgrading their equipment these days to support IPv6. It is only a matter of time before the first IPv6 packets from China knock on your firewall’s door. I hope you know IPv6 well enough to be sure that this won’t mean a threat to your network.The most important rule when it comes to security is to only run services that are really necessary in your environment. Now ask yourself, do you need IPv6 right now? …See!
There is another point to consider. If you haven’t disabled IPv6 in your network, it will sooner or later cross your way. If you haven’t yet found the time to learn IPv6, you will run into problems. I can give you an example. When I first installed Active Directory on Windows Server 2008, the installation wizard was complaining that my network card didn’t have a static IP. Since I had just assigned the IP a minute ago, I assumed the wizard didn’t really know what it was talking about. Only later did I realize that the wizard was, indeed, smarter than me. As usual, I ignored the IPv6 settings.
There are also downsides to turning off IPv6. It is enabled by default on Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. Messing around with the default settings is usually not a good idea, especially if you do it on multiple machines. If you only have Windows XP and Windows Server 2003 machines in your network, you don’t have to worry anyway because IPv6 isn’t installed by default in those operating systems.
It is not possible to uninstall IPv6 on Vista and Server 2008. The command “netsh interface ipv6 uninstall” that worked in XP and Server 2003 is no longer supported in newer Windows versions. However, it is possible to disable IPv6. You can do it manually for each network interface through the Network and Sharing Center. If your network firewall runs on Windows, you can disable it just there. If security is a top priority in your network, you might want to disable it on all machines in your network.
To disable IPv6 on all network interfaces on a computer you must create a DWORD 32-bit registry value named “DisabledComponents” in the following registry key branch:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\
The value data for DisabledComponents must be set to 000000FF.
You will then have to reboot to activate the new setting. If you check the network interface properties after the reboot, you will notice that IPv6 has not disappeared and is still activated. This is not a sign that IPv6 is still enabled. To make sure that you’ve really gotten rid of IPv6, you will need to run ipconfig on a command prompt. If you don’t see an IPv6 address, then everything is alright (see screenshots).
Misha Hanin from the System Administrator blog has a little batch file that you can use if you want to disable IPv6 on multiple machines via a script. It is even more comfortable to use Group Policy for this purpose. Jeff Guillet created the corresponding admx template.
I always disable IP6. I’d like to say that it is because I’m a diligent sysadmin, but it really is because I can’t memorize those long IPv6 addresses and am a control freak.
These long addresses are indeed a big disadvantage of IPv6. I am often typing IP addresses, for example to ping a host. I can’t imagine doing this with an IPv6 address.
Greetings all,
When I upgraded my AD to Server 2008 AD, I found a great site that converts IPv4 addresses to IPv6 addresses.
http://www.subnetonline.com/pages/converters/ipv4-to-ipv6.php
Your logic is flawed, and if you understood a bit about IPv6, you might see it has a major advantage. Let’s go though the list, to help you understand:
1. IPv6 has big addresses to allow 2^128 devices to communicate to each other. You may have enough IPv4 addresses, but do your customer have enough addresses to communicate with your DMZ devices? How about your employees from every network in the world? Are you aware that many countries have don’t have enough IPv4 addresses, there for require up to 7 levels of NAT? Do you think that is going to kill you Web 2.0 application? IPSec? VOIP? Authentication system?
2. IPv6 windows devices have four addresses by default. One is a link local address, which can only be reaching on the local network if you know the address. The address is created randomly by Windows systems, there if discovery is hard. Scanning for such devices would take 2^64 or hundreds of years using a brute force discovery scanning such as nmap. But when used with Active directory, it allows devices on the local network to communicate with each other. The second address is a global address used for communicating into the device, if your network is properly configured. The next address is a privacy address used to communicate out of the device and used by application such as web browsers. This address is random address, which expires ever 7 days. The last is a multicast address.
3. RFC 1918 address have been replaced in IPv6 by Unique Local Addresses (ULA), allowing an administrator to allocation 65,525 network, with each network having /64 devices. These addresses are not globally routable, but are inside an organization.
4. Windows Vista and beyond, allows Stateful firewall on all hosts. Learn how to enable and configure them.
5. The one risk with IPv6, is not disabling 6to4, Teredo and ISATAP on each host. That is a simple registry setting to disable.
6. Go ensure your current firewall allow you to allow/deny IPv6 and IPv6 tunnels. If it does not, then all an attacker need to do it turn on IPv6 and tunnels, now you have a problem!
7. The cost of disabling, then later re-enabling all the system for IPv6, will cast you 2x the operational cost. Are you justifying this to your boss, or just doing it?
There are many new network and security features, in IPv6 to make it easier and faster to implement and manage your infrastructure. Go out and learn IPv6!
Joe Klein
Security SME, North American IPv6 Task Force
TeamTerry, thanks!
Joe, thanks a lot for sharing your opinion in such a long comment. I can understand very well that it is part of your job to defend IPv6. I would do the same if I worked for the IPv6 Task Force.
I am sorry, but your arguments didn’t convince me. I am quite aware of the advantages of IPv6. My point is that most western companies don’t benefit of supporting IPv6 at the moment. I am quite sure that those organizations who use IPv6 now will make certain that they can reach IPv4 networks for a very long time. The costs of disabling/enabling IPv6 are close to zero if using Group Policy. I also strongly disagree with your arguments concerning IPv6 security. It is an additional service. Therefore it certainly enlarges your network’s attack surface. Administrators are busy people. It doesn’t make sense to invest time in configuring and securing IPv6 properly if your employer doesn’t benefit from it right now.
Hi Guys…
Forgot to add that IPv6 is CRITICAL in Exchange 07.
I have migrated my home domain from Server03 with Exchange 03 to Server08 with Exchange 07 and forgot how critical IPv6 really is for Exchange 07. Yesterday I used VMWare converter (new version released a few days ago kicks A$$) to create a VM of my home AD / Exchange server for testing. I *stupidly* unchecked IPv6 (memories of this article) when setting the NIC. Upon boot Event Viewer was full of major AD errors. Googling the errors pointed to major issues with A.D.
I tried running ADPrep (the Exchange 07 equivalent) with no change. I eventually stumbled on a comment that mentioned IPv6 needed for Exchange 07.
I created a new VM dump from scratch, set IPv6 and my test of the VM is now perfect !!
Sometimes you need to embrace new technology kicking and screaming !!
Cheers,
Terry
Terry, where did you read this? I doubt somehow that Exchange 2007 requires IPv6. Even Microsoft writes: “If you are not using IPv6 in the Exchange environment, we recommend that you disable it.” My guess is that you had a DNS problem. Did you disable IPv6 on a server with the DNS server role installed? If so, then you have to restart the DNS Server service.
Hi Michael,
In my situation I cloned (P2V via VMWare converter) an existing server with Server 2008 and Exchange 2007 SP1.
I then unchecked IPv6 on the NIC of the VM while keeping IPv4. So obviously in this scenario it died horribly.
Here is the link I saw that reminded me. I haven’t read in detail.
http://technet.microsoft.com/en-us/library/bb629624.aspx
Cheers,
Terry
We have a W2k Server(Exchange 2003), XP/Vista client environment. Based on the arguments presented (no default installation of IPv6, our firewall allows for the “control” of IPv6 tunnels), would it be prudent to disable IPv6 on the Vista (10-15) clients?
Ronin, if you are unsure if you have services that require IPv6, you could just disable it on one machine and see whether everything still works.
[...] Hallo Rakli, IPv6 auf dem Netzwerkadapter aktiv? Das Problem tritt auch auf wenn auf irgendwelchen Tunneling Schnittstellen (z.B. Teredo) ebenfalls IPv6 aktiv ist. Wenn du IPv6 nicht benötigst kannst du es komplett deaktivieren 4sysops – Disable IPv6 on multiple Windows Vista and Server 2008 PCs [...]
Hi Michael and Terry
The issue with Exchange Server 2007 and unchecked IPv6 is known. If you don’t want to use the new protocol, you have to use the registry to disable it (leache IPv6 checked). More details are written in this blog post: http://www.server-talk.eu/2008/10/17/exchange-server-2007-installations-fehler/
Cheers
Michel
According to KB929852 the value should be 0xFFFFFFFF.
I dispute IPv6 being required for exchange 2007. I run an exchange environment for a multi-million dollar company and I have IPv6 disabled on every exchange 2007 server we run. Exchange 2007 can also be installed on Windows 2003, and IPv6 isn’t even installed on that OS by default. In fact, until SP1 for exchange 2007, you HAD to install it in a x64 2003 server as 2008 wasn’t supported yet. That shoots down the IPv6 requirement for that app.
Also i don’t really care if China doesn’t have enough IPv4 addresses. The way I see it is IPv6 is a WAN technology. I will always have a sufficient number of IPv4 addresses to service my private network and if/when we go IPv6 on the WAN side I can just translate it via my gateway/router to an internal IPv4 address in my DMZ….
So why would i need IPv6 on my LAN again? that’s right… I don’t…