Tuesday, February 22, 2011

Useful Windows 7 IPv6 netsh commands

I finally have taken time to gather together some useful netsh commands and their output that can be used in Windows 7 and Server 2008 for learning your IPv6 configuration information. This is partly inspired by Chris Vashel who kindly posted a comment on my previous IPv6 post regarding Windows 7 and Server 2008 R2 and provided some quick netsh commands to turn off some automatic tunneling behavior of Windows.

I want to cover a bit more than just turning off the IPv6 tunneling as Chris outlined (and I am including that here again for reference) but also show the other fantastic IPv6 support that Microsoft has built into Windows 7 and Server 2008 R2. There is too much for one post so this will likely take a few; keep an eye out for updates.

So, what important netsh commands should you know about? I think the first ones would be "show" commands. You can get a lot of the basics from existing commands you already know like:
C:\Users\Ed>ipconfig /all
<... omitted for brevity...>
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
   Physical Address. . . . . . . . . : 00-16-41-E6-E9-C3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:db8:7:7:b9f7:e225:37d0:960f(Preferred)
   Temporary IPv6 Address. . . . . . : 2001:db8:7:7:41b9:cf5b:e4d5:7392(Preferred)
   Link-local IPv6 Address . . . . . : fe80::b9f7:e225:37d0:960f%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.7.0.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
<... omitted for brevity...>
   Default Gateway . . . . . . . . . : fe80::215:63ff:fe88:4bdc%11
                                       10.7.0.1
   DHCP Server . . . . . . . . . . . : 10.7.0.1
   DNS Servers . . . . . . . . . . . : 10.7.0.10

   NetBIOS over Tcpip. . . . . . . . : Enabled
<... omitted for brevity...>

So first let's determine the actual interface IDs that are in use; to see those, use:
C:\Users\Ed>netsh interface ipv6 show interface

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 12          25        1500  connected     Wireless Network Connection
<... omitted for brevity...>
 11          20        1500  connected     Local Area Connection
 15          50        1280  disconnected  Teredo Tunneling Pseudo-Interface
<... omitted for brevity...>
 25          50        1280  disconnected  6TO4 Adapter
<... omitted for brevity...>
 29          50        1280  disconnected  Reusable Microsoft 6To4 Adapter
<... omitted for brevity...>

The interface I am interested in getting more information about is my wired port, which is index 11. To get address details from netsh for all interfaces we would issue:
C:\Users\Ed>netsh interface ipv6 show address
<... omitted for brevity...>
 Interface 11: Local Area Connection

Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Temporary  Preferred        3m16s      3m16s 2001:db8:7:7:41b9:cf5b:e4d5:7392
Public     Preferred        3m16s      3m16s 2001:db8:7:7:b9f7:e225:37d0:960f
Other      Preferred     infinite   infinite fe80::b9f7:e225:37d0:960f%11
<... omitted for brevity...>

To get details from netsh for a specific interface (11 is the wired port, we got that earlier) we would issue:
C:\Users\Ed>netsh interface ipv6 show address 11

Address 2001:db8:7:7:41b9:cf5b:e4d5:7392 Parameters
---------------------------------------------------------
Interface Luid     : Local Area Connection
Scope Id           : 0.0
Valid Lifetime     : 4m18s
Preferred Lifetime : 4m18s
DAD State          : Preferred
Address Type       : Temporary

Address 2001:db8:7:7:b9f7:e225:37d0:960f Parameters
---------------------------------------------------------
Interface Luid     : Local Area Connection
Scope Id           : 0.0
Valid Lifetime     : 4m18s
Preferred Lifetime : 4m18s
DAD State          : Preferred
Address Type       : Public

Address fe80::b9f7:e225:37d0:960f%11 Parameters
---------------------------------------------------------
Interface Luid     : Local Area Connection
Scope Id           : 0.11
Valid Lifetime     : infinite
Preferred Lifetime : infinite
DAD State          : Preferred
Address Type       : Other
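The two tables above are easy to read by eye but awkward to act on in a script. The following is an added example, not part of the original post, that parses the "show interface" and "show address" output into objects so you can ask "which tunnel pseudo-interfaces are actually up?" and "which global addresses are temporary?" on a box. It assumes PowerShell 3.0 or later and the en-US column layout that Windows 7 / Server 2008 R2 netsh prints; the sample text embedded at the bottom is constructed from the output shown in this post so the parsers can be tried on a machine without netsh.

```powershell
# Added example (not from the original post): parse netsh "show interface" and
# "show address" tables into objects. Assumes PowerShell 3.0+ and the en-US
# column layout printed by Windows 7 / Server 2008 R2; other locales may differ.

function ConvertFrom-NetshInterfaceTable {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Idx  Met  MTU  State  Name  (Name may itself contain spaces)
        if ($line -match '^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$') {
            [pscustomobject]@{
                Idx      = [int]$Matches[1]
                Met      = [int]$Matches[2]
                MTU      = [int64]$Matches[3]     # loopback reports 4294967295
                State    = $Matches[4]
                Name     = $Matches[5]
                # Transition technologies appear as pseudo-interfaces named after them
                IsTunnel = [bool]($Matches[5] -match 'Teredo|6to4|isatap')
            }
        }
    }
}

function ConvertFrom-NetshAddressTable {
    param([string[]]$Lines)
    $idx = $null; $name = $null
    foreach ($line in $Lines) {
        # "Interface 11: Local Area Connection" starts each interface's block
        if ($line -match '^\s*Interface (\d+):\s*(.+?)\s*$') {
            $idx = [int]$Matches[1]; $name = $Matches[2]; continue
        }
        # Addr Type  DAD State  Valid Life  Pref. Life  Address
        if ($line -match '^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([0-9a-f:.%]+)\s*$') {
            [pscustomobject]@{
                Idx       = $idx
                Interface = $name
                Type      = $Matches[1]
                DadState  = $Matches[2]
                ValidLife = $Matches[3]
                PrefLife  = $Matches[4]
                Address   = $Matches[5]
                # link-local (fe80::/10) and loopback are not reachable off-link
                IsGlobal  = [bool]($Matches[5] -notmatch '^(fe[89ab][0-9a-f]:|::1$)')
            }
        }
    }
}

# Constructed sample input (copied from the tables in this post) so the parsers
# can be exercised where netsh is not available, e.g. pwsh on Linux.
$sampleInterfaces = @'
Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 12          25        1500  connected     Wireless Network Connection
 11          20        1500  connected     Local Area Connection
 15          50        1280  disconnected  Teredo Tunneling Pseudo-Interface
 25          50        1280  disconnected  6TO4 Adapter
'@ -split '\r?\n'

$sampleAddresses = @'
Interface 11: Local Area Connection

Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Temporary  Preferred        3m16s      3m16s 2001:db8:7:7:41b9:cf5b:e4d5:7392
Public     Preferred        3m16s      3m16s 2001:db8:7:7:b9f7:e225:37d0:960f
Other      Preferred     infinite   infinite fe80::b9f7:e225:37d0:960f%11
'@ -split '\r?\n'

if (Get-Command netsh -ErrorAction SilentlyContinue) {
    $interfaces = ConvertFrom-NetshInterfaceTable (netsh interface ipv6 show interface)
    $addresses  = ConvertFrom-NetshAddressTable  (netsh interface ipv6 show address)
} else {
    $interfaces = ConvertFrom-NetshInterfaceTable $sampleInterfaces
    $addresses  = ConvertFrom-NetshAddressTable  $sampleAddresses
}

# A transition pseudo-interface in the "connected" state is carrying IPv6 over IPv4 right now
$interfaces | Where-Object { $_.IsTunnel -and $_.State -eq 'connected' } |
    ForEach-Object { Write-Warning "tunnel interface $($_.Idx) ($($_.Name)) is up" }

# Global addresses per interface; "Temporary" ones are the RFC 4941 privacy addresses
$addresses | Where-Object { $_.IsGlobal } |
    Format-Table Idx, Type, DadState, ValidLife, Address -AutoSize
```

On the sample above nothing is warned about, because both tunnel pseudo-interfaces are "disconnected"; on a workgroup host sitting behind a NAT you would typically see the Teredo interface reported as "connected" instead, which is the condition the warning is there to catch.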

The next useful show command is to know how things are routing:
C:\Users\Ed>netsh interface ipv6 show route

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       Manual    256  ::/0                       11  fe80::215:63ff:fe88:4bdc
No       Manual    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    8    2001:db8:7:7::/64       11  Local Area Connection
No       Manual    256  2001:db8:7:7:41b9:cf5b:e4d5:7392/128   11  Local Area Connection
No       Manual    256  2001:db8:7:7:b9f7:e225:37d0:960f/128   11  Local Area Connection
No       Manual    256  fe80::/64                  15  Teredo Tunneling Pseudo-Interface
No       Manual    256  fe80::/64                  11  Local Area Connection
<... omitted for brevity...>
No       Manual    256  ff00::/8                    1  Loopback Pseudo-Interface 1
No       Manual    256  ff00::/8                   15  Teredo Tunneling Pseudo-Interface
No       Manual    256  ff00::/8                   11  Local Area Connection
<... omitted for brevity...>

The verbose form prints the same routes with the full per-route detail (source prefix, interface index, site prefix length and the valid/preferred lifetimes), which is what you want when checking where a route came from and how long it will be honoured:
C:\Users\Ed>netsh interface ipv6 show route verbose

Destination Prefix:     ::/0
Source Prefix:          ::/0
Interface Index:        11
Gateway/Interface Name: fe80::215:63ff:fe88:4bdc
Publish:                No
Type:                   Manual
Metric:                 256
SitePrefixLength        0
ValidLifeTime           1755
PreferredLifeTime       1755

Destination Prefix:     ::1/128
Source Prefix:          ::/0
Interface Index:        1
Gateway/Interface Name: Loopback Pseudo-Interface 1
Publish:                No
Type:                   Manual
Metric:                 256
SitePrefixLength        0
ValidLifeTime           Infinite
PreferredLifeTime       Infinite

Destination Prefix:     2001:db8:7:7::/64
Source Prefix:          ::/0
Interface Index:        11
Gateway/Interface Name: Local Area Connection
Publish:                No
Type:                   Manual
Metric:                 8
SitePrefixLength        0
ValidLifeTime           255
PreferredLifeTime       255

Destination Prefix:     2001:db8:7:7:41b9:cf5b:e4d5:7392/128
Source Prefix:          ::/0
Interface Index:        11
Gateway/Interface Name: Local Area Connection
Publish:                No
Type:                   Manual
Metric:                 256
SitePrefixLength        0
ValidLifeTime           Infinite
PreferredLifeTime       Infinite

Destination Prefix:     2001:db8:7:7:b9f7:e225:37d0:960f/128
Source Prefix:          ::/0
Interface Index:        11
Gateway/Interface Name: Local Area Connection
Publish:                No
Type:                   Manual
Metric:                 256
SitePrefixLength        0
ValidLifeTime           Infinite
PreferredLifeTime       Infinite
<... omitted for brevity...>

To check whether any IPv6 DNS servers are configured on an interface (via DHCPv6 or statically) you would issue:
C:\Users\Ed>netsh interface ipv6 show dns
<... omitted for brevity...>
Configuration for interface "Local Area Connection"
    DNS servers configured through DHCP:  None
    Register with which suffix:           Primary only
<... omitted for brevity...>

So in this particular case I am not being provided any IPv6 DNS name servers via DHCPv6 or statically on that interface. Alternatively, as an example of the output if you had an IPv6 DNS server statically entered (like with the gogoClient), it would show:
<... omitted for brevity...>
    Statically Configured DNS Servers:    2001:5c0:1000:11::2
    Register with which suffix:           Primary only
<... omitted for brevity...>

From the above information I can determine that I am getting my IPv6 address via SLAAC, no DHCPv6 is running, and I am getting an RA from the router that provides me with a default gateway using its link-local address and not its global unicast prefix address, which is the expected default behavior.

Now let's actually do something interesting and use Chris' netsh examples to stop Windows from doing automatic 6to4 tunneling. To do this you would issue:
C:\Users\Ed>netsh interface ipv6 6to4 set state state=disabled
Ok.

The netsh command provides confirmation that the command worked, so if you are scripting you can parse the output to validate the change. Remember that a 6to4 tunnel only comes up if the Windows host has a public IPv4 address assigned to its interface and no native IPv6 option is available. You will most commonly see 6to4 traffic where servers are in a public DMZ with public IPv4 addresses and where Windows clients are on "guest" networks that also hand out public IPv4 addresses.

A more common scenario is wanting to disable Teredo tunneling since it is explicitly designed to work on devices that have IPv4 addresses behind a NAT device and with an RFC 1918 IP address. The majority of SMB and Enterprise networks are built this way today so the concern is valid.

Teredo can also be a problem for Windows 2008 deployments if the servers are in the DMZ or inside network and functioning as stand-alone devices that are not joined to an Active Directory domain. When Windows 7 and Server 2008 are NOT domain joined and have only a valid RFC 1918 IPv4 address, the OSes will attempt to run IPv6 over ISATAP first; if no DNS entry exists for ISATAP then they will attempt to use Teredo. So Teredo is enabled by default but not necessarily active. Furthermore, if Teredo is the only IPv6 available the OS will NOT send AAAA queries in DNS by default - a good default protection behavior, as it is unlikely the Teredo server you are connecting to is also a Teredo relay that will forward traffic to the bigger IPv6 Internet on your behalf.

So, to keep your non-domain joined OS from randomly joining teredo.ipv6.microsoft.com (the default Teredo server entry in the OS) and happily exchanging traffic with others who do the same you can simply turn Teredo off with the following command:
C:\Users\Ed>netsh interface ipv6 set teredo disable
Ok.

As a final measure you can turn off ISATAP. This prevents the OS from building an IPv6 tunnel to an ISATAP router advertised in DNS. The alternative way of controlling this is to block the isatap entry in your DNS. Remember, ISATAP is typically deployed as a transition service, so the nice thing about having ISATAP enabled in the network is that it prevents Teredo from running, as ISATAP is preferred.
C:\Users\Ed>netsh interface ipv6 isatap set state state=disabled
Ok.
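The three commands above each answer "Ok.", but a script should read the state back rather than trust that line. The following is an added example, not part of the original post, that disables 6to4, Teredo and ISATAP and then verifies each one with the matching "show state" command. It uses the per-technology netsh contexts (netsh interface 6to4|teredo|isatap ...), which are equivalent to the "interface ipv6 ..." spellings used above, and assumes PowerShell 3.0 or later, an elevated prompt on Windows 7 / Server 2008 R2, and that "show state" prints the word "disabled" once the setting is off (that regex check is my assumption, not a documented interface).

```powershell
# Added example (not from the original post): disable 6to4, Teredo and ISATAP
# and verify each change by reading the state back. Assumptions: PowerShell 3.0+,
# an elevated prompt on Windows 7 / Server 2008 R2, and that "show state" output
# contains the word "disabled" once the technology is off (regex check, not an API).

function Get-TransitionState {
    param([string]$Technology)           # '6to4', 'teredo' or 'isatap'
    # e.g. netsh interface teredo show state
    $out = (& netsh interface $Technology show state 2>&1) -join "`n"
    [pscustomobject]@{
        Technology = $Technology
        Disabled   = [bool]($out -match '(?i)\bdisabled\b')
        Raw        = $out.Trim()
    }
}

function Disable-Transition {
    param([string]$Technology)
    # e.g. netsh interface 6to4 set state disabled
    $reply = (& netsh interface $Technology set state disabled 2>&1) -join ' '
    if ($LASTEXITCODE -ne 0 -or $reply -notmatch '^\s*Ok\.') {
        throw "netsh could not disable ${Technology}: $reply"
    }
    # Do not trust "Ok." alone: confirm the state netsh now reports
    $state = Get-TransitionState $Technology
    if (-not $state.Disabled) {
        throw "$Technology still not reported as disabled:`n$($state.Raw)"
    }
    $state
}

if (-not (Get-Command netsh -ErrorAction SilentlyContinue)) {
    Write-Warning 'netsh.exe not found; this has to run on Windows.'
    return
}
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated prompt; "netsh ... set state" needs administrator rights.'
}

foreach ($tech in '6to4', 'teredo', 'isatap') {
    $before = Get-TransitionState $tech
    Write-Host ("{0,-7} disabled before: {1}" -f $tech, $before.Disabled)
    $after = Disable-Transition $tech
    Write-Host ("{0,-7} disabled after:  {1}" -f $tech, $after.Disabled)
}
```

Two caveats a practitioner will hit: on a domain-joined machine the same three settings exist as Group Policy items (Computer Configuration > Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies), and a policy that sets them to Enabled will silently win over the local netsh change at the next refresh, so check the resulting state rather than the command you ran; and none of this touches the IPv6 stack itself, which is the point of the next paragraph.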

As a final thought, the nice thing about doing these commands is that you can still leave IPv6 enabled on the OS. This allows for supporting native IPv6 in a dual stack configuration in the future without breaking IPv6 completely. So when the time comes to start turning on IPv6 (Global or ULA) in your network the servers will behave properly. Remember, the rule of thumb for IPv6 is go native where you can, tunnel where you must. Take a look at Scott Hogg's blog post for a great write up on why going "Native" is important. Plus his daughter's artwork is awesome!
- Ed

Friday, February 18, 2011

IPv6 meet up at Microsoft 2011 MVP Summit

For those Microsoft MVP's attending the 2011 Summit who are interested in IPv6 I have scheduled a meet up. It is planned for Monday, Feb 28th from 12-2 in building 37 on the Redmond campus. I know many of you already have sessions scheduled for your specific MVP tracks but if you are interested in IPv6 please consider joining us.

The goal is to give MVPs and Microsoft blue badges a chance to chat about what is happening with IPv6, the road map Microsoft has planned for products and resources, challenges and opportunities IPv6 is presenting in the market place and events that are happening throughout 2011. A preliminary list of topics includes:

Quick introductions - interest and involvement in IPv6, etc.

Current state of IPv6
    Service Provider
    Enterprise
    Consumer
    Gov / Ed

How are Enterprise professionals learning about IPv6?
    Media
    Search (Bing/Google/Yahoo!)
    Task Force
    Conferences
      Upcoming important IPv6 conferences and events, and/or meetings? - wdix
      World IPv6 Day plans? What can MVPs do? - wdix
    Other
      Is there going to be an IPv6-specific MVP? Should there be one? - wdix
      How do Microsoft in general, or the Microsoft partner program, support IPv6 training for partners?
      Will there be an IPv6 training solution, or infrastructure solutions for partners? - wdix

Do consumers have to learn about IPv6?
   The sad state of consumer/soho ipv6 router support and the coming pain - barb

Points of interest around Microsoft:
    Matrix of products supporting IPv6 - roadmap of support would be nice too - mark
    What is the status of Microsoft Windows products in NIST IPv6 testing/certification? - wdix
    How is MS set up internally - who do I contact within MS about IPv6?
    Deployment guides - current and those in the works
    Labs - Tom and Joe
    Design and recommendations for migration to IPv6
    Specific transition technology options being supported by Microsoft
    What will Microsoft's preferred recommendations around IPv6 be (if any)?

If you are interested in participating (you have to be a current MVP or Microsoft Blue Badge) please comment below and I will add you to the list. We have limited space available for the room and we are almost full, so please make sure you are willing to actually attend to participate. You will likely miss one of your sessions, so check your schedule to see if it is one you are willing to forgo.

It is unlikely that most of the topic material will even get discussed given it is only 2 hours but having a large list of topics allows for people to break up and address specific topics offline after the meeting. If you have other suggestions of topic items to add to my list please comment and I will add them in.
- Ed

Thursday, February 17, 2011

IPv6 tunnel mode licensing in Cisco IOS

As part of the outreach I am trying to do on behalf of the CAv6TF, a couple of friends and I set up the wired/wireless network for the Security B-Sides SF event which happened Feb 14-15 at the Zeum in San Francisco, CA. It was a lot of fun helping out and hopefully people who attended found it useful and perhaps interesting that they were getting IPv6 in addition to IPv4.

One of the items I noticed when setting up the IPv6 tunnel service to Hurricane Electric was that in the IP Base license the command to get the tunnel working was NOT available. Specifically you could not do:
tunnel mode ipv6ip

I had to change the license on the routing platform to include the "Data" license. This is on newer Cisco IOS devices running the 15.1(3)T code release. Granted the license showed a lifetime of some crazy number of years, but I still don't understand why this feature would NOT be included in the IP Base license. Given the fact that transition to IPv6 is going to become more and more important for everyone I find it surprising Cisco did this. It will make tunneling IPv6 across IPv4-only service networks a lot harder. Perhaps the plan is to recommend only having a single public tunnel endpoint and using IPv6 DMVPN instead? I'm not sure what the logic is but I will ask someone in the Cisco channel team and see if they know. Yet another annoying reason I had to reload the router.
- Ed

Monday, February 07, 2011

Why you should NOT disable IPv6 for Windows 7 or Server 2008R2

I was reviewing some Microsoft materials related to IPv6 for some presentations I am putting together and ran across some great material by Joseph Davies again that goes over some very specific reasons why it is bad to disable IPv6 on Windows Vista and Windows Server 2008 which of course also applies to Windows 7 and Server 2008R2.

In summary, you have the potential to break features in Remote Assistance, HomeGroup, DirectAccess, and Windows Mail. I would add BranchCache, Exchange Server 2007 and 2010, Microsoft Outlook and several of the tunneling methods.

I do believe there are legitimate reasons for wanting to control the IPv6 traffic that Windows 7 or Server 2008R2 is generating on your network. I would also argue that the way to do this is by having IPv6 deployed in your network so that you can have a consistent policy that matches much of what you do today for IPv4. Obviously there are different ways to deploy IPv6 but I think that a dual stack/native IPv6 deployment makes for the best solution long term. It allows the flexibility of getting to IPv6 resources and allows for a longer transition window for IT groups to migrate all services to IPv6.

One of the surprises for many people deploying Windows Server with Exchange and using the recommended deployment practices from Microsoft is that you could have stand-alone servers in a DMZ or outside your network that are NOT AD domain joined. They are in "workgroup" mode, and this means that if they have a public IPv4 address they will generate a 6to4 tunnel automatically and if they are using RFC 1918 IPv4 addresses they will make use of Teredo tunnels automatically. This behavior isn't desirable for most enterprises and can easily be resolved by either turning off IPv6 on those specific servers or by setting up a dual stack configuration for the server with appropriate firewall rules. Obviously you need a network firewall that can do IPv6 or rely on the Windows Firewall to do this function.

So for those that reference my earlier blog entry about turning off IPv6 tunneling - seriously consider if you really need to do that or not. You need to evaluate your scenario and determine what is right but if there is a chance you might need the OS to do one of the tunnels then doing some of the network blocking methods I mentioned might cause more work in the end.
- Ed

Thursday, February 03, 2011

Final /8 allocations from IANA to all RIR's happened this morning

IANA finally allocated the last five /8 IPv4 address blocks this morning in a formal ceremony in Florida. So the free pool of IPv4 address blocks is done - there is nothing left to hand out to regional registries at all. I guess we are starting off the Chinese New Year with a bang. Silly little rabbit - IPv4 addresses are for kids!

Now I am wondering how the IPv4 address request rates are doing at all the RIRs for this month. ARIN has their press release up on the event here.
- Ed

Wednesday, February 02, 2011

Upcoming IPv6 events for 2011

If you happen to be in France on Feb 8 - 11th then you can attend the v6 World Congress event happening in Paris. I would not be surprised to see some announcements coming out of the event. Though at this point I am not sure if IANA is going to wait much longer to announce the IPv4 pool is officially depleted and it is down to the RIR pools only. Given the run rate at which APNIC is going through addresses they might not make it before reporting 0 /24s out of their current allocation. I suspect that IANA has already given them their /8 block, if not two, and they are all waiting for the right moment to announce things for maximum media effect.

If you are in the US and want to attend one of the premier IPv6 events stateside then check out the Rocky Mountain IPv6 Task Force 2011 IPv6 Summit. Scott Hogg puts on a wonderful event and has an impressive line up of material and sessions.

In addition, later in 2011 will be events from the California IPv6 Task Force, the Texas IPv6 Task Force and others. I will post more when those dates get closer.
- Ed