Monday, February 07, 2011

Why you should NOT disable IPv6 for Windows 7 or Server 2008R2

While reviewing Microsoft material on IPv6 for some presentations I am putting together, I ran across Joseph Davies' write-up of the specific reasons it is a bad idea to disable IPv6 on Windows Vista and Windows Server 2008. The same reasoning applies to Windows 7 and Server 2008 R2, which run the same TCP/IP stack.

In summary, disabling IPv6 has the potential to break Remote Assistance, HomeGroup, DirectAccess and Windows Mail. I would add BranchCache, Exchange Server 2007 and 2010, Microsoft Outlook, and the tunneling methods themselves: 6to4, ISATAP and Teredo can only run on top of the IPv6 stack, and DirectAccess depends on them to reach its server.

There are legitimate reasons for wanting to control the IPv6 traffic that Windows 7 or Server 2008 R2 generates on your network. I would argue that the way to do this is to deploy IPv6 on your network, so that you can apply a consistent policy (firewall rules, monitoring, address management) that matches what you do today for IPv4, instead of having IPv6 show up unmanaged inside automatic tunnels. There are different ways to deploy IPv6, but a dual-stack, native IPv6 deployment makes for the best long-term solution. It gives you the flexibility of reaching IPv6 resources and a longer transition window for IT groups to migrate every service to IPv6.

One surprise for many people deploying Windows Server with Exchange according to Microsoft's recommended practices is that you can end up with stand-alone servers in a DMZ or outside your network that are NOT AD domain joined. They are in "workgroup" mode, and that matters because a workgroup host with a public IPv4 address will bring up a 6to4 tunnel automatically, and one with an RFC 1918 (private) IPv4 address will use Teredo automatically. Either way the server now has IPv6 reachability that rides inside IPv4 (IP protocol 41 for 6to4, UDP to port 3544 for Teredo), which IPv4-only firewall rules and IDS signatures do not inspect unless they were written for it. This behavior isn't desirable for most enterprises. It can be resolved either by turning off the transition technologies (or IPv6 entirely) on those specific servers, or by giving the server a proper dual-stack configuration with matching firewall rules. The second option obviously needs a network firewall that can filter IPv6, or you rely on the Windows Firewall, which does filter IPv6, to do that job.

So for those who reference my earlier blog entry about turning off IPv6 tunneling: seriously consider whether you really need to do that or not. You need to evaluate your scenario and determine what is right but if there is a chance you might need the OS to do one of the tunnels then doing some of the network blocking methods I mentioned might cause more work in the end.
- Ed
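As an added example (not code from the original post), here is a PowerShell script for Windows 7 / Server 2008 R2 that audits the three transition technologies and the tunnel pseudo-interfaces they create, and with -Disable turns off just 6to4, ISATAP and Teredo while leaving the dual-stack IPv6 binding on the LAN adapters in place. -AddFirewallRules adds Windows Firewall rules that block the encapsulation itself (IP protocol 41, UDP 3544) as a backstop for the DMZ server case above. It wraps netsh so it runs on PowerShell 2.0 without extra modules; the function names, parameter names and firewall rule names are this example's own.

```powershell
# Added example, not code from the original post: audit the IPv6 transition
# technologies on a Windows 7 / Server 2008 R2 host and optionally turn off
# 6to4, ISATAP and Teredo while leaving native (dual-stack) IPv6 enabled.
# Everything goes through netsh so it runs on PowerShell 2.0 with no extra
# modules. Function, parameter and firewall-rule names are this example's own.
param(
    [switch]$Disable,           # change state; default is report only
    [switch]$AddFirewallRules   # also block the encapsulation at the host firewall
)

function Get-TransitionState {
    # Each "netsh interface <tech> show state" prints a "Name : value" table;
    # pick the line that says whether the technology is active.
    $checks = @(
        @{ Technology = '6to4';   Args = 'interface','6to4','show','state';   Pattern = 'State\s*:\s*(\S+)' },
        @{ Technology = 'ISATAP'; Args = 'interface','isatap','show','state'; Pattern = 'State\s*:\s*(\S+)' },
        @{ Technology = 'Teredo'; Args = 'interface','teredo','show','state'; Pattern = 'Type\s*:\s*(\S+)'  }
    )
    foreach ($c in $checks) {
        $out   = (& netsh $c.Args 2>&1) -join "`n"
        $state = if ($out -match $c.Pattern) { $matches[1] } else { 'unknown' }
        New-Object PSObject -Property @{ Technology = $c.Technology; State = $state }
    }
}

function Get-TunnelInterface {
    # The automatic tunnels show up as pseudo-interfaces; the columns are
    # Idx Met MTU State Name, so split on whitespace into at most five fields.
    netsh interface ipv6 show interfaces |
        Where-Object { $_ -match 'Teredo|isatap|6to4' } |
        ForEach-Object {
            $f = $_.Trim() -split '\s+', 5
            New-Object PSObject -Property @{ Index = $f[0]; State = $f[3]; Name = $f[4] }
        }
}

function Disable-TransitionTechnology {
    # Turns off the three automatic tunnels. This is NOT the same as disabling
    # IPv6: the LAN adapters keep their IPv6 binding and link-local addresses.
    netsh interface 6to4   set state disabled | Out-Null
    netsh interface isatap set state disabled | Out-Null
    netsh interface teredo set state disabled | Out-Null
}

function Add-TunnelBlockRule {
    # Host-firewall backstop for a DMZ server: 6to4 and ISATAP carry IPv6 inside
    # IP protocol 41, Teredo is UDP to port 3544 on the Teredo server.
    # Do not apply this to DirectAccess clients, which may depend on these tunnels.
    $rules = @(
        @{ Name = 'Block outbound 6to4/ISATAP (IP protocol 41)'; Args = 'protocol=41' },
        @{ Name = 'Block outbound Teredo (UDP 3544)';            Args = 'protocol=udp','remoteport=3544' }
    )
    foreach ($r in $rules) {
        & netsh advfirewall firewall add rule "name=$($r.Name)" dir=out action=block $r.Args | Out-Null
    }
}

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (($Disable -or $AddFirewallRules) -and -not $isAdmin) {
    throw 'Changing tunnel state or firewall rules needs an elevated (Administrator) prompt.'
}

'Transition technologies:'
Get-TransitionState | Format-Table Technology, State -AutoSize
'Tunnel pseudo-interfaces:'
Get-TunnelInterface | Format-Table Index, State, Name -AutoSize

if ($Disable)          { Disable-TransitionTechnology }
if ($AddFirewallRules) { Add-TunnelBlockRule }
if ($Disable -or $AddFirewallRules) {
    'After the change:'
    Get-TransitionState | Format-Table Technology, State -AutoSize
}
```

Run it once with no switches on a DMZ host to see whether Teredo is "client" and a "Teredo Tunneling Pseudo-Interface" is connected; that is the unmanaged IPv6 path described above. The netsh state changes persist across reboots, and a host that should keep using DirectAccess must not get the firewall rules, since its 6to4 or Teredo path would be blocked.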

16 comments:

chris vashel said...

You could also just disable the tunneling interfaces, leaving IPv6 enabled but otherwise unconfigured:

netsh interface ipv6 6to4 set state state=disabled

netsh interface ipv6 isatap set state state=disabled

netsh interface ipv6 set teredo disabled

Anonymous said...

This post makes me sad.

You're not giving a compelling argument to keep IPv6 enabled.

In fact, you're not providing any information to enable someone to make a decision.

Restating parts of "The Argument against Disabling IPv6" is repeating the non-information you're already providing (especially when you "could" be losing functionality, but it can't be confirmed because they don't test against that scenario).

Anonymous said...

I agree with anonymous above, you have not given any information to make a solid decision. You have just restated FUD like the rest of the internet on this topic.

Anonymous said...

I agree with the posters above. A very unprofessional "could" without exact reasoning is unfortunately typical for the Microsoft "experts" world. Is this really the way you make decisions that affect enterprise infrastructure? No wonder big companies get hacked every day with this kind of avoiding-deeper-knowledge strategy.

Anonymous said...

What about IDS signature compatibility with IPv6 traffic?

Unknown said...

IPv6 is the new addressing system, why is everyone trying to disable it? It provides more bandwidth and has less traffic on it so I believe it runs much faster. I was a little freaked out with it at first but now that I have read a little bit about how it works it will be good to go. IPv4 is running out of addresses for all of our gadgets and the internet needs to expand. IPv6 is promising more secure addressing which will make the internet hack proof I hope.

Anonymous said...

If we disable it, that means we know how to enable it again. And when we need IPv6 (at the moment most of us do not) it will be re-enabled. But I don't see any reason to leave it on our systems at the moment.

Anonymous said...

I disabled IPv6 in Win7 for the reasons stated in the above posts. It was creating a Teredo tunnel and causing connectivity problems. I believe it also slowed down my working connections. I have no issues leaving it off. Can someone tell me the logic of turning it on when it requires a 6to4 'patch' to make it work on the limited locations that actually use it?
Nobody seems to have a good reason for using it, except that we might need it in the future.

Anonymous said...

I came across this article while searching for a way to disable IPv6 remotely on all our Win7 machines (without GPO). Quite simply, this is a great bit of misinformation. Disabling IPv6 does not cause problems for the very vast majority of users or networks. It most certainly does not cause problems with Exchange or Outlook. I suggest that in future you verify your information with practical tests, rather than simply quoting someone else's fiction. Give solid examples, not speculation. Many of us who actually work with these things have already verified that none of your concerns are valid.

Ed Horley said...

I am not sure where the confusion is regarding my comments about Exchange (I gave a very specific example of concern - one from a production environment I might add.) Also, depending on if you are using DirectAccess or not it can affect just about every Microsoft application you run, including Outlook. My simple point is, you need to evaluate what you NEED before you just turn IPv6 off. I believe my last statement says it pretty well.

"You need to evaluate your scenario and determine what is right but if there is a chance you might need the OS to do one of the tunnels then doing some of the network blocking methods I mentioned might cause more work in the end."

Clearly you can run a full Microsoft environment in IPv4 only, the question you should ask is, SHOULD I be doing that in the future?

Also, you should be asking what long term impact (in terms of man hours) it would be to disable it everywhere vs. turning off the transition technologies and then working on a road map to get IPv6 implemented properly. For some, it may turn out from a cost perspective to be better to do IPv6. Perhaps due to wanting to fully leverage DirectAccess or because their network team is already planning on supporting IPv6 in the near future.

Also, it isn't FUD to state there are specific services and functions within the OS that require IPv6, I am simply stating what could be impacted by disabling IPv6. I'm not sure how that is FUD but perhaps I will spin it the other way and list what you will gain by leaving IPv6 on?

Most importantly, IT Professionals need to understand the impact of what they are doing with protocols that are preferred and on by default within an OS. There is the potential for unintended behavior when turning something off and not understanding the impact. Hence the cautionary tale. Also, there is a big difference between turning off the transition technologies in Windows and turning off IPv6. Don't confuse the two. Perhaps that topic deserves a blog post of its own.

Thanks everyone for the feedback, I have several other posts (more recent) on IPv6 and PowerShell that are likely useful if you are trying to automate changing IPv6 within your environment. You can find the most recent one at:
http://www.howfunky.com/2013/04/some-powershell-ipv6-and-adv-firewall.html
- Ed
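The distinction Ed draws above between turning off the transition technologies and turning off IPv6 maps onto one registry value, DisabledComponents. As an added example (not code from the post or any commenter), the PowerShell below reads and decodes that bitmask on Windows 7 / Server 2008 R2 and offers a few named end states to write back. The bit meanings follow Microsoft KB929852; the function, variable and preset names are this example's own. Writing the value needs an elevated prompt and a reboot before it takes effect.

```powershell
# Added example, not code from the post or the comments: read and decode the
# DisabledComponents registry value that governs IPv6 on Windows 7 / Server
# 2008 R2, so that "tunnels off, native IPv6 on" (0x01) can be told apart from
# "IPv6 off" (0xFF). Bit meanings follow Microsoft KB929852; the function,
# variable and preset names are this example's own. Writing the value needs an
# elevated prompt and a reboot before it takes effect.
$Tcpip6Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

# Low-order bits of DisabledComponents and what each one does when set.
$DisabledComponentBits = @(
    @{ Mask = 0x01; Effect = 'disables all tunnel interfaces (6to4, ISATAP, Teredo)' },
    @{ Mask = 0x02; Effect = 'disables 6to4' },
    @{ Mask = 0x04; Effect = 'disables ISATAP' },
    @{ Mask = 0x08; Effect = 'disables Teredo' },
    @{ Mask = 0x10; Effect = 'disables IPv6 on all non-tunnel (LAN and PPP) interfaces' },
    @{ Mask = 0x20; Effect = 'prefers IPv4 over IPv6 in the prefix policy table' }
)

function ConvertFrom-DisabledComponents {
    param([int]$Value)
    # One object per set bit; an empty result means everything is enabled.
    foreach ($bit in $DisabledComponentBits) {
        if (($Value -band $bit.Mask) -ne 0) {
            New-Object PSObject -Property @{ Bit = ('0x{0:X2}' -f $bit.Mask); Effect = $bit.Effect }
        }
    }
}

function Get-IPv6Posture {
    # A missing value is the default and means 0 (all IPv6 components enabled).
    $v = (Get-ItemProperty -Path $Tcpip6Key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    if ($v -eq $null) { $v = 0 }
    $v = $v -band 0xFF          # REG_DWORD 0xFFFFFFFF reads back as -1; only the low byte matters
    $tunnelsOff = (($v -band 0x01) -ne 0) -or (($v -band 0x0E) -eq 0x0E)
    $nativeOff  = ($v -band 0x10) -ne 0
    New-Object PSObject -Property @{
        Value       = ('0x{0:X2}' -f $v)
        NativeIPv6  = $(if ($nativeOff) { 'disabled' } else { 'enabled' })
        Tunnels     = $(if ($tunnelsOff) { 'all disabled' } else { 'enabled unless listed in Bits' })
        PrefersIPv4 = (($v -band 0x20) -ne 0)
        Bits        = @(ConvertFrom-DisabledComponents $v | ForEach-Object { "$($_.Bit) $($_.Effect)" })
    }
}

# The end states worth choosing between; 0xFF disables everything except loopback.
$Presets = @{
    'enable-all'           = 0x00
    'disable-tunnels-only' = 0x01    # tunnels off, dual-stack IPv6 on the LAN adapters stays on
    'prefer-ipv4'          = 0x20    # keep IPv6, but choose IPv4 when a name resolves to both
    'disable-ipv6'         = 0xFF
}

function Set-DisabledComponents {
    param([string]$Preset)
    if (-not $Presets.ContainsKey($Preset)) {
        throw "Unknown preset '$Preset'; choose one of: $($Presets.Keys -join ', ')"
    }
    Set-ItemProperty -Path $Tcpip6Key -Name DisabledComponents -Value $Presets[$Preset] -Type DWord
    'DisabledComponents set to 0x{0:X2}; reboot for it to take effect.' -f $Presets[$Preset]
}

Get-IPv6Posture | Format-List Value, NativeIPv6, Tunnels, PrefersIPv4, Bits
```

DisabledComponents is a separate knob from the netsh transition states: whichever is more restrictive wins, so a host with 0x01 set keeps its tunnels off even if netsh later reports Teredo as "client". A fleet-wide audit that reads this value and flags anything other than 0x00, 0x01 or 0x20 is the quickest way to find the machines where IPv6 was switched off outright.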

Anonymous said...

it doesn't work for me to choose "time.nist.gov". any other options to fix?

Ross said...

I use a TV unblocking service called Unblock-US.com, but they only provide IPv4 DNS, my Comcast modem/router DNS is non-configurable and I need HomeGroups, which requires IPv6. What IPv6 components can I turn off, or what tool or configuration can I use, to get around this restriction? I've tried setting 0x20 to make IPv4 preferred, to no avail. And Chrome does not support custom DNS any more. Thanks.