I want to cover a bit more than just turning off the IPv6 tunneling as Chris outlined (which I am including here again for reference) and also show the other fantastic IPv6 support that Microsoft has built into Windows 7 and Server 2008 R2. There is too much for one post, so this will likely take a few; keep an eye out for updates.
So, what important netsh commands should you know about? I think the first ones would be "show" commands. You can get a lot of the basics from existing commands you already know like:
C:\Users\Ed>ipconfig /all
<... omitted for brevity...>
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
Physical Address. . . . . . . . . : 00-16-41-E6-E9-C3
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:db8:7:7:b9f7:e225:37d0:960f(Preferred)
Temporary IPv6 Address. . . . . . : 2001:db8:7:7:41b9:cf5b:e4d5:7392(Preferred)
Link-local IPv6 Address . . . . . : fe80::b9f7:e225:37d0:960f%11(Preferred)
IPv4 Address. . . . . . . . . . . : 10.7.0.23(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
<... omitted for brevity...>
Default Gateway . . . . . . . . . : fe80::215:63ff:fe88:4bdc%11
10.7.0.1
DHCP Server . . . . . . . . . . . : 10.7.0.1
DNS Servers . . . . . . . . . . . : 10.7.0.10
NetBIOS over Tcpip. . . . . . . . : Enabled
<... omitted for brevity...>
So first let's determine the actual interface IDs that are used. To see those, use:
C:\Users\Ed>netsh interface ipv6 show interface
Idx Met MTU State Name
--- ---------- ---------- ------------ ---------------------------
1 50 4294967295 connected Loopback Pseudo-Interface 1
12 25 1500 connected Wireless Network Connection
<... omitted for brevity...>
11 20 1500 connected Local Area Connection
15 50 1280 disconnected Teredo Tunneling Pseudo-Interface
<... omitted for brevity...>
25 50 1280 disconnected 6TO4 Adapter
<... omitted for brevity...>
29 50 1280 disconnected Reusable Microsoft 6To4 Adapter
<... omitted for brevity...>
I highlighted the interface I am interested in getting more information about, my wired port which is ID 11. To get details from netsh for all interfaces we would issue:
C:\Users\Ed>netsh interface ipv6 show address
<... omitted for brevity...>
Interface 11: Local Area Connection
Addr Type DAD State Valid Life Pref. Life Address
--------- ----------- ---------- ---------- ------------------------
Temporary Preferred 3m16s 3m16s 2001:db8:7:7:41b9:cf5b:e4d5:7392
Public Preferred 3m16s 3m16s 2001:db8:7:7:b9f7:e225:37d0:960f
Other Preferred infinite infinite fe80::b9f7:e225:37d0:960f%11
<... omitted for brevity...>
To get details from netsh for a specific interface (11 is the wired port, we got that earlier) we would issue:
C:\Users\Ed>netsh interface ipv6 show address 11
Address 2001:db8:7:7:41b9:cf5b:e4d5:7392 Parameters
---------------------------------------------------------
Interface Luid : Local Area Connection
Scope Id : 0.0
Valid Lifetime : 4m18s
Preferred Lifetime : 4m18s
DAD State : Preferred
Address Type : Temporary
Address 2001:db8:7:7:b9f7:e225:37d0:960f Parameters
---------------------------------------------------------
Interface Luid : Local Area Connection
Scope Id : 0.0
Valid Lifetime : 4m18s
Preferred Lifetime : 4m18s
DAD State : Preferred
Address Type : Public
Address fe80::b9f7:e225:37d0:960f%11 Parameters
---------------------------------------------------------
Interface Luid : Local Area Connection
Scope Id : 0.11
Valid Lifetime : infinite
Preferred Lifetime : infinite
DAD State : Preferred
Address Type : Other
The next useful show command is to know how things are routing:
C:\Users\Ed>netsh interface ipv6 show route
Publish Type Met Prefix Idx Gateway/Interface Name
------- -------- --- ------------------------ --- ------------------------
No Manual 256 ::/0 11 fe80::215:63ff:fe88:4bdc
No Manual 256 ::1/128 1 Loopback Pseudo-Interface 1
No Manual 8 2001:db8:7:7::/64 11 Local Area Connection
No Manual 256 2001:db8:7:7:41b9:cf5b:e4d5:7392/128 11 Local Area Connection
No Manual 256 2001:db8:7:7:b9f7:e225:37d0:960f/128 11 Local Area Connection
No Manual 256 fe80::/64 15 Teredo Tunneling Pseudo-Interface
No Manual 256 fe80::/64 11 Local Area Connection
<... omitted for brevity...>
No Manual 256 ff00::/8 1 Loopback Pseudo-Interface 1
No Manual 256 ff00::/8 15 Teredo Tunneling Pseudo-Interface
No Manual 256 ff00::/8 11 Local Area Connection
<... omitted for brevity...>
So if you want to see your specific routes per interface you can do that using:
C:\Users\Ed>netsh interface ipv6 show route verbose
Destination Prefix: ::/0
Source Prefix: ::/0
Interface Index: 11
Gateway/Interface Name: fe80::215:63ff:fe88:4bdc
Publish: No
Type: Manual
Metric: 256
SitePrefixLength 0
ValidLifeTime 1755
PreferredLifeTime 1755
Destination Prefix: ::1/128
Source Prefix: ::/0
Interface Index: 1
Gateway/Interface Name: Loopback Pseudo-Interface 1
Publish: No
Type: Manual
Metric: 256
SitePrefixLength 0
ValidLifeTime Infinite
PreferredLifeTime Infinite
Destination Prefix: 2001:db8:7:7::/64
Source Prefix: ::/0
Interface Index: 11
Gateway/Interface Name: Local Area Connection
Publish: No
Type: Manual
Metric: 8
SitePrefixLength 0
ValidLifeTime 255
PreferredLifeTime 255
Destination Prefix: 2001:db8:7:7:41b9:cf5b:e4d5:7392/128
Source Prefix: ::/0
Interface Index: 11
Gateway/Interface Name: Local Area Connection
Publish: No
Type: Manual
Metric: 256
SitePrefixLength 0
ValidLifeTime Infinite
PreferredLifeTime Infinite
Destination Prefix: 2001:db8:7:7:b9f7:e225:37d0:960f/128
Source Prefix: ::/0
Interface Index: 11
Gateway/Interface Name: Local Area Connection
Publish: No
Type: Manual
Metric: 256
SitePrefixLength 0
ValidLifeTime Infinite
PreferredLifeTime Infinite
<... omitted for brevity...>
To check if you have a working IPv6 DNS server you would issue:
C:\Users\Ed>netsh interface ipv6 show dns
<... omitted for brevity...>
Configuration for interface "Local Area Connection"
DNS servers configured through DHCP: None
Register with which suffix: Primary only
<... omitted for brevity...>
So in this particular case I am not being provided any IPv6 DNS name servers via DHCPv6 or statically on that interface. Alternatively, if you had an IPv6 DNS server statically entered (as with the gogoClient), the output would show:
<... omitted for brevity...>
Statically Configured DNS Servers: 2001:5c0:1000:11::2
Register with which suffix: Primary only
<... omitted for brevity...>
From the above information I can determine that I am getting my IPv6 address via SLAAC and that no DHCPv6 is running. I am getting an RA from the router, and it is providing me with a default gateway that uses its link-local address and not its global unicast prefix address, which is the expected default behavior.
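The same reasoning as a script. This is an added example, not part of the original post; the input rows are copied from the output above. The interface-ID comparison is a heuristic I am assuming here: an address the host built from an advertised prefix reuses the interface ID of its link-local address, which an address handed out by a DHCPv6 server would not.

```powershell
# Added example. Constructed input: rows copied from the "show address" and
# "show route" output in this post.
$addressRows = @(
    'Temporary Preferred 3m16s 3m16s 2001:db8:7:7:41b9:cf5b:e4d5:7392',
    'Public Preferred 3m16s 3m16s 2001:db8:7:7:b9f7:e225:37d0:960f',
    'Other Preferred infinite infinite fe80::b9f7:e225:37d0:960f%11'
)
$defaultRoute = 'No Manual 256 ::/0 11 fe80::215:63ff:fe88:4bdc'

function Get-InterfaceId([string]$Address) {
    # Low 64 bits of the address as hex, with any %zone suffix dropped first.
    $ip = [System.Net.IPAddress]::Parse(($Address -replace '%.*$', ''))
    $low = $ip.GetAddressBytes()[8..15] | ForEach-Object { $_.ToString('x2') }
    return ($low -join '')
}

# Columns: Addr Type, DAD State, Valid Life, Pref. Life, Address.
$addresses = foreach ($row in $addressRows) {
    $type, $dad, $valid, $pref, $addr = $row -split '\s+'
    $ip = [System.Net.IPAddress]::Parse(($addr -replace '%.*$', ''))
    New-Object PSObject -Property @{
        Type = $type; Address = $addr
        LinkLocal = $ip.IsIPv6LinkLocal; InterfaceId = (Get-InterfaceId $addr)
    }
}

$linkLocalId = ($addresses | Where-Object { $_.LinkLocal } | Select-Object -First 1).InterfaceId
foreach ($a in ($addresses | Where-Object { -not $_.LinkLocal })) {
    if ($a.InterfaceId -eq $linkLocalId) {
        $origin = 'SLAAC: advertised prefix plus the interface ID also used for link-local'
    } elseif ($a.Type -eq 'Temporary') {
        $origin = 'SLAAC temporary (privacy) address: separate random interface ID'
    } else {
        $origin = 'interface ID not generated by this host: check for DHCPv6 or manual assignment'
    }
    Write-Output ("{0,-9} {1}  ->  {2}" -f $a.Type, $a.Address, $origin)
}

# The last column of the ::/0 row is the next hop.
$gateway = ($defaultRoute -split '\s+')[-1]
if ([System.Net.IPAddress]::Parse($gateway).IsIPv6LinkLocal) {
    Write-Output "Default route via $gateway (link-local): consistent with a router advertisement"
} else {
    Write-Output "Default route via $gateway (not link-local): confirm who configured it"
}
```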
Now let's actually do something interesting and use Chris' examples of netsh to shut off Windows from doing 6to4 automatic tunneling. To do this you would issue:
C:\Users\Ed>netsh interface ipv6 6to4 set state state=disabled
Ok.
The netsh command provides confirmation that the command worked, so if you are scripting you can parse the output to validate the change. Remember that 6to4 tunneling only happens if the Windows platform has a public IPv4 address assigned to its interface and no other native IPv6 option is available. You will most commonly see 6to4 traffic in cases where servers are in a public DMZ with public IPv4 addresses and in cases where Windows clients are in "guest" networks where they are also provided public IPv4 addresses.
A more common scenario is wanting to disable Teredo tunneling since it is explicitly designed to work on devices that have IPv4 addresses behind a NAT device and with an RFC 1918 IP address. The majority of SMB and Enterprise networks are built this way today so the concern is valid.
Teredo can also be a problem for Windows 2008 deployments if the servers are in the DMZ or Inside network and functioning as standalone devices that are not joined to an Active Directory domain. When Windows 7 and Server 2008 are NOT domain joined and have only a valid RFC 1918 IPv4 address, the OSes will attempt to run IPv6 on ISATAP first; if no DNS entry exists for ISATAP, they will attempt to use Teredo. So, Teredo is enabled by default but not necessarily active. Furthermore, if Teredo is the only IPv6 available, the OS will NOT send AAAA queries in DNS by default. That is a good default protection behavior, as it is unlikely the Teredo server you are connecting to is also a Teredo relay server which will forward traffic to the bigger IPv6 Internet on your behalf.
So, to keep your non-domain joined OS from randomly joining teredo.ipv6.microsoft.com (the default Teredo server entry in the OS) and happily exchanging traffic with others who do the same you can simply turn Teredo off with the following command:
C:\Users\Ed>netsh interface ipv6 set teredo disable
Ok.
As a final measure you can turn off ISATAP. This will prevent the OS from building out an IPv6 tunnel utilizing ISATAP which would be advertised in DNS. The alternate way of controlling this is by poisoning the isatap.
C:\Users\Ed>netsh interface ipv6 isatap set state state=disabled
Ok.
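To script the three changes and validate them as described above, something like the following works. This is an added example, not code from the original post; it assumes an elevated PowerShell prompt and an English-language Windows install, and the variable names are my own.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# The three netsh command lines are the ones shown in the post.
$steps = @(
    @{ Name = '6to4';   Cmd = 'interface ipv6 6to4 set state state=disabled' },
    @{ Name = 'Teredo'; Cmd = 'interface ipv6 set teredo disable' },
    @{ Name = 'ISATAP'; Cmd = 'interface ipv6 isatap set state state=disabled' }
)

$failed = @()
foreach ($step in $steps) {
    # Split on spaces so netsh receives the same arguments as when typed.
    $reply = (& netsh.exe ($step.Cmd -split ' ') | Out-String).Trim()
    # Success = exit code 0 plus the "Ok." reply shown in the post
    # (assumption: English-language Windows; localized builds may word it differently).
    if ($LASTEXITCODE -eq 0 -and $reply -eq 'Ok.') {
        Write-Output ("{0,-7} disabled" -f $step.Name)
    } else {
        $failed += $step.Name
        Write-Warning ("{0}: unexpected netsh reply: {1}" -f $step.Name, $reply)
    }
}

# Re-read the interface table (columns: Idx Met MTU State Name) and collect any
# transition pseudo-interface that still reports "connected".
$stillUp = @()
foreach ($line in (& netsh.exe interface ipv6 show interface)) {
    if ($line -notmatch '^\s*(\d+)\s+\d+\s+\d+\s+(\S+)\s+(.+?)\s*$') { continue }
    $idx, $state, $name = $Matches[1], $Matches[2], $Matches[3]
    if ($name -match 'teredo|6to4|isatap' -and $state -eq 'connected') {
        $stillUp += "$idx $name"
    }
}

if ($failed.Count -gt 0 -or $stillUp.Count -gt 0) {
    $summary = "Failed steps: {0}; tunnel interfaces still connected: {1}"
    Write-Warning ($summary -f ($failed -join ', '), ($stillUp -join ', '))
    exit 1
}
Write-Output 'All three transition mechanisms disabled; native IPv6 left untouched.'
```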
As a final thought, the nice thing about doing these commands is that you can still leave IPv6 enabled on the OS. This allows for supporting native IPv6 in a dual stack configuration in the future without breaking IPv6 completely. So when the time comes to start turning on IPv6 (Global or ULA) in your network, the servers will behave properly. Remember, the rule of thumb for IPv6 is go native where you can, tunnel where you must. Take a look at Scott Hogg's blog post for a great write-up on why going "Native" is important. Plus his daughter's artwork is awesome!
- Ed