Hey y’all, Mark back with a new topic we haven’t really talked about much here on the blog, IPv6. When I go onsite with customers I tend to have two discussions over and over again. First, RPC ports and firewalls. Ned Pyle has taken care of that one here and here. The second, IPv6. The point of this post is not the technical how-it-all-works deep down; the point is to be similar to the on-site discussions I have every other week, and it is geared at the Windows/System Administrator. Ray Zabilla and I have more posts planned on some basics and how it all works in the coming weeks. If this is a topic of interest we can keep going from there and do some real in-depth coverage of the transition technologies and even how to roll your own lab. Please let us know in the comments! Now on to the glimpse of the on-site discussions.
“Who cares about IPv6? We got IPv4 working and it’s working just fine.”
I bet you do. It has a similar logical argument to “who cares about 64-bit computing, we have 32-bit”. Do you want to make that claim as well? On February 3, 2011, the Internet Corporation for Assigned Names and Numbers (ICANN) joined the Number Resources Organization (NRO), the Internet Architecture Board (IAB) and the Internet Society to announce that the pool of public Internet Protocol version 4 (IPv4) addresses has now been completely allocated.
On 14 September 2012, the RIPE NCC began to allocate IPv4 address space from the last /8 of IPv4 address space it holds. IPv4 address space is now allocated according to section 5.6 of the IPv4 Address Allocation and Assignment Policies for the RIPE NCC service region. The IPv4 pools of the RIRs (Regional Internet Registries) are nearly exhausted (see the RIPE NCC IPv4 Available Pool). Shortly thereafter the ISPs will exhaust their pools. It is at this point that customers will be impacted by the exhaustion, because there will not be any IPv4 addresses available to give them. They are all gone. Donezo.
Also there are several limitations of IPv4. I’m not saying you need to roll out IPv6 tomorrow, but let’s not do things that will make it hard in the future to transition to.
“IPv4 Limitations? Like what?”
Well, for starters, we are out of addresses, as said above. Chances are you are getting MORE internet-connected devices, not fewer. But let’s assume you are lucky enough to have an entire class A or B address block to yourself and you don’t need more addresses for the foreseeable future. Do you need IP-level security, or will you need it in the future? I’m guessing so. IPSec is optional in IPv4 but has been a standard part of IPv6 from day one, which makes IPSec implementations consistent across vendors. What about Quality of Service (QOS)? IPv4 can do that by using the Type of Service (TOS) field, but that doesn’t work when the packet is encrypted. So hopefully you don’t want both SECURITY and QOS at the same time. It’s getting harder and harder to force IPv4 to do what is easily accomplished in IPv6.
“We got NAT working right now so it’s fine”
That’s a whole other ball of wax. Not only does it add complexity to the network, which can make troubleshooting issues even harder to deal with, but not every application works with NAT, because the client doesn’t have a “real” IP address. Making IPSec work with NAT is also a challenge. NAT can solve some problems but it can also introduce others. It’s probably not sustainable for the long haul.
“Hmmm all this sounds like you should talk to the Network Team about this, they are up the hall. This is not my problem”
Alright, we’ve arrived at the core of this argument. It is ABSOLUTELY your problem. If you’ve never had to troubleshoot a server not being able to connect to another server, it must be your first day on the job. Connectivity troubleshooting is a critical tool in your troubleshooting bag. If it’s not, add it immediately; you’re welcome. Being able to understand an IPv6 address and what it all means will be helpful and, in reality, a necessity in the future. I’ve had customers where the network team is “testing” IPv6 and the client now starts receiving this “mystery address”. Is that normal? Is it working like it’s supposed to? Am I on the right network? All of these questions can be answered today with an IPv4 address; why would you NOT answer them just because the address looks different? The thought of not having a basic understanding of IPv4 today is unthinkable. Having IPv6 skills will not only put you ahead of the curve today, it will set you up for the future. Real-life example coming up shortly.
“Yea but still, I hear IPv6 screws stuff up that’s why I disable it like so”
Of course you have. First off, I’ve yet to hear what IPv6 “screws up”. Second, this isn’t disabling IPv6, this is unbinding it from the network adapter. If your goal is to disable IPv6 on the system, you have not done so. It is still running on your system. If you need to re-check that box there is NO PROGRAMMATIC WAY**(see bottom of page) to do so. So if you’ve gone ahead and built that uncheck into your image and you do need IPv6 on that network adapter, you’ll need to log into EVERY MACHINE AND RE-CHECK IT. Oh, how fun that will be. If you do need to disable it, follow KB 929852 using the DisabledComponents registry key. I recommend not disabling it, but if you absolutely must, use a GPO so you can easily undo this in the future. As stated in the KB, if you do use the DisabledComponents registry key that checkbox will still be checked. That is expected behavior.
“This is all great in theory but does this actually happen in the real world?”
We here at AskPFEPlat have a unique perspective: by spending so much time in front of so many customers, we get to see what does happen in the real world. Recently Ray was assisting one of our large enterprise customers in their migration from Windows Server 2003 Active Directory to Windows Server 2008 R2. They had just installed a few 2008 R2 domain controllers, and shortly thereafter Ray received a call from one of the company’s AD architects asking him to explain why he was getting an IPv6 address in response to his “ping” of the 2008 R2 domain controllers. Further, why were there two IPv6 addresses assigned? And why did one address always begin with FEC0 and the other with 2002? What addresses are being registered in DNS?
Now at this particular customer most of the IT support and administration, including Active Directory, has been outsourced to a third-party vendor. So Ray had a meeting with the customer’s in-house AD staff and several members of the third-party outsourcer’s AD staff. One of the members from the third-party AD support staff announced that this had an easy fix: they would simply uncheck the IPv6 protocol box in the network adapter settings to disable IPv6 and the problems would be resolved.
See the real-life problem? Face palm! If a vendor is telling you to disable IPv6 to “fix an issue” or says they have “seen it cause problems”, push back a bit and ask them what it is actually fixing or what problems it is causing. Have them be specific. It’s time to stop letting IPv6 be this great universal mystery.
“Ok I’m coming around a bit. What is Microsoft’s stance on IPv6?”
I’ll let the official documentation do the talking on this one. Short answer: Leave it on. Original can be found at IPv6 For Microsoft Windows: FAQ.
“It is unfortunate that some organizations disable IPv6 on their computers running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008, where it is installed and enabled by default. Many disable IPv6 based on the assumption that they are not running any applications or services that use it. Others might disable it because of a misperception that having both IPv4 and IPv6 enabled effectively doubles their DNS and Web traffic. This is not true.
From Microsoft’s perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.
Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled. By leaving IPv6 enabled, you do not disable IPv6-only applications and services (for example, HomeGroup in Windows 7 and DirectAccess in Windows 7 and Windows Server 2008 R2 are IPv6-only) and your hosts can take advantage of IPv6-enhanced connectivity.”
“What Microsoft products support IPv6?”
Get the official list here. It is a lot.
“Anything else I should know?”
A quote from the Foreword of Understanding IPV6 – Third Edition sums it up very well.
“In the past 24 months, we’ve made immense progress toward the goal of upgrading the Internet. IPv6 is no longer the next-generation Internet Protocol; it has become the now-generation Internet Protocol.
The World IPv6 Launch in June 2012 marked a key turning point in this transition. When you read this book, some of the most important web services in the world, not only from Microsoft but from across the technology community, are operational on the IPv6 Internet. Millions of users with IPv6-ready computers are using IPv6 to interact with these services and with one another. The apps, the operating systems, the routing infrastructure, the ISPs, and the services are not merely ready, they’re activated.”
-Chris Palmer
IPv6 Program Manager
Microsoft
Ok hopefully by this point in the post you’ve come around fully on IPv6 and are ready to dive in. The point of this is that IPv6 is not coming, it is here now. IPv4 is in fact the legacy technology. In our next post we’ll get into more of the innards and making sense of it all. Don’t worry it’s not that scary. As always let us know what you think in the comments.
-Mark “IPv6 Ready” Morowczyski and Ray “IPv6 Ready” Zabilla
Update (6/17/13 5:00 PM CST). One of our readers, MVP Richard Hicks, points out in the comments that there is a way to do this using PowerShell: Set-NetAdapterBinding -Name MyAdapter -DisplayName “Internet Protocol Version 6 (TCP/IPv6)” -Enabled $true. This is correct, but it will only work on Windows 8/2012. For more info on this command check here.
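As an added example (not from the original post, the KB, or the reader comment), the PowerShell below audits, per adapter, whether IPv6 is merely unbound (the checkbox discussed above) or actually disabled through the DisabledComponents value from KB 929852, and includes a helper that re-checks the box with Set-NetAdapterBinding as noted in the update. It assumes the NetAdapter module (Windows 8/Server 2012 or later), an elevated session for the restore function, and the Tcpip6\Parameters registry path and 0xFF value as documented in that KB.

```powershell
# Added audit script (not part of the original post). Distinguishes "unbound from an
# adapter" (the checkbox) from "disabled via DisabledComponents" (KB 929852).
# Assumes Windows 8 / Server 2012 or later (NetAdapter module) and local admin rights
# for Restore-IPv6Binding.

# Registry location and value name from KB 929852; 0xFF disables IPv6 on all
# non-loopback interfaces. Anything less leaves the stack running.
$DisabledComponentsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$DisableAllValue        = 0xFF

function Get-IPv6State {
    [CmdletBinding()]
    param()

    # Missing value means "not configured", which Windows treats as 0 (IPv6 on).
    $regValue = (Get-ItemProperty -Path $DisabledComponentsPath -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $regValue) { $regValue = 0 }
    $stackDisabled = (($regValue -band $DisableAllValue) -eq $DisableAllValue)

    # One row per adapter: binding state (the checkbox) plus the stack-wide switch.
    # Note the checkbox stays ticked even when DisabledComponents turns IPv6 off,
    # so the registry value is checked first.
    Get-NetAdapterBinding -ComponentID 'ms_tcpip6' | ForEach-Object {
        $state = if ($stackDisabled) {
            'Disabled (DisabledComponents)'
        } elseif (-not $_.Enabled) {
            'Unbound only (IPv6 stack still running)'
        } else {
            'Enabled'
        }
        [pscustomobject]@{
            Adapter            = $_.Name
            BindingEnabled     = $_.Enabled
            DisabledComponents = ('0x{0:X}' -f $regValue)
            State              = $state
        }
    }
}

function Restore-IPv6Binding {
    # Re-ticks "Internet Protocol Version 6 (TCP/IPv6)" on every adapter where it was
    # unticked. Supports -WhatIf so the change can be reviewed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    Get-NetAdapterBinding -ComponentID 'ms_tcpip6' |
        Where-Object { -not $_.Enabled } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Enable IPv6 binding')) {
                Set-NetAdapterBinding -Name $_.Name -ComponentID 'ms_tcpip6' -Enabled $true
            }
        }
}

# Usage: report first; uncomment the second line to undo the checkbox on every adapter.
Get-IPv6State | Format-Table -AutoSize
# Restore-IPv6Binding -WhatIf
```

Run the report across a fleet (for example via Invoke-Command) to find images where the box was unticked but IPv6 was never actually disabled.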
Part 2 of this series can be found here.
Part 3 of this series can be found here.
@Wes
Glad you liked it. We are just consumers of this blog platform, infrastructure is on someone else :).
@Ravikumar Pulagouni
Thanks! Ray and I glad you guys enjoyed this.
@Mike
To Mark's point we aren't trying to tell everyone to migrate to IPv6 immediately just that you need to care and at least have some basic understanding because IPv6 is here now and you may be using it whether you are aware or not. For example, Verizon is listed as 31.06% deployed on IPV6 at the World IPv6 Launch site.
Check out http://www.worldipv6launch.org for some interesting facts and information about IPv6.
Very nice post Mark, looking forward to future articles on this!
@Steven
Glad you enjoyed it and thanks for commenting! We got some nice posts coming up on how to read the address, different types, etc. Keep an eye out in the next few weeks.
What I've seen is that IPv6 is disabled not only on DCs but on all internal servers. I mainly support the federal sector.
These organizations follow the DISA STIGs for security guidance and the DISA guidelines for 2008 R2 specifically mention IPv6
iase.disa.mil/…/2008r2.html
From the document:
"…Rule Title: IPv6 will be disabled until a deliberate transition strategy has been implemented.
Vulnerability Discussion: Any nodes’ interface with IPv6 enabled by default presents a potential risk of traffic being transmitted or received without proper risk mitigation strategy and is, therefore, a serious security concern…."
There is no rush to have the internal boxes transition to IPv6 so they just disable it to meet the guidance.
I have a different take on this. Yes there are some applications that need it. Now suppose we are not using Direct Access or the few other apps that may need IPv6. I understand the benefits of IPv6 on the edge and yes even some benefits internally but if the internal IPv4 network has been working fine with no issue is there a need to really implement IPv6?
I sort of look at it like an empty forest root design. Yes there are benefits of collapsing and going to a single domain but many times the benefits don't justify the work/hours/money to migrate.
@VenkatSP and @yakk083
Glad you guys liked it. We have parts 2 and 3 as well. We will work on some more IPv6 content.
Nice post Mark. Thanks a lot.
@Richard Hicks
Great catch, post is updated. Thanks always for reading and for spreading the good word about us on Twitter.
@Sandor
Mission accomplished! Stay tuned, for part 2 and 3.
@Mike
Can't speak to the stats, you might be right. As for ADFS, a few of us here do quite a bit of ADFS work so…..we are working on something for you guys.
Ok, that makes sense, nothing wrong with getting people up to speed. Hopefully when this series is done they will know disabling is more than a checkbox. I'm in my late 30's I wonder if I'll ever work on a network where there is no IPv4….man that will make me feel really old and I'm guessing if it happens I'll be close to retirement age.
Thanks for the tweet; saw that responding here.
@Heine "A Microsoft tool" is a bit misleading. As the developer says on the home page:
"Although I work for Microsoft as a developer on the Hyper-V team, I must point out that as the license tab indicates this tool and documentation are provided "as-is". You bear the risk of using it. No express warranties, guarantees or conditions are provided. It is not supported or endorsed by Microsoft Corporation and should be used at your own risk."
So technically this isn't officially supported. However if you tested it and it works in your environment that is great! The key with using this tool would be testing in your environment. Think of it similar to a script you would find, you wouldn't just blindly run that against all your production machines without testing. This tool also works at the local command line so you'd need to do some trickery to get it to work remotely. Thanks for pointing this out though! Great stuff.
@Jeffrey
Thanks glad you enjoy part 1. We will get into the real meat in part 2 and 3.
Guys,
A good article with a lot of depth and brevity. I've started studying for my first Windows 2012 Certification, in which IP6 figures quite heavily. I'm going to use this as a reference post for my revision.
Thanks for posting it.
@Santosh
Thanks!
Nice post Mark.
Good job, please more IPv6 articles. Thx
@Mike
Was wondering if you were still reading, hadn't seen any comments from you in a while. The point of this post wasn't to say, "you need to start migrating to IPv6." It is really to say
1.) As an admin you probably need to start learning the basics of IPv6 (which we'll cover shortly) because some places are beginning to roll it out. It's time to no longer let this be a great mystery.
2.) If you do need to disable it, disable it the proper way. The way you are probably doing it, is not doing what you think it is doing.
Thank you Mark. A good and well-defined article. It's given me the whole stuff about IPV4 & IPV6.
I often wonder about those stats; for example if a federal agency has its edge/Layer 3 devices IPv6 enabled is that counted as "deployed" in their count? Meanwhile on the internal network IPv4 might be used on every Windows box.
By the way…I'm not saying this is a bad series I agree people should start learning now.
On another note a series that might be interesting is guys in platforms that know AD really well that are starting out learning ADFS. I know several PFEs that are going through this now. I still wish ADFS was just called FS.
You can untick ipv6 using the nvspbind executable.
nvspbind -d "Local Area Network" ms_tcpip6
You say IPv6 does not cause problems, but upgrading windows 7 computers to Office 2013 causes printing to take painfully long time unless IPv6 is disabled
Paul
It is possible to check the IPv6 and do it in a quite simple way, without having to visit every machine.
I use the Microsoft tool nvspbind to do it.
This tool unchecks and checks IPv6 on the NIC(s) and seems to be working fine.
Download it from archive.msdn.microsoft.com/nvspbind
To Disable IPv6:
nvspbindx64.exe * /d ms_tcpip6
To Enable IPv6:
nvspbindx64.exe * /e ms_tcpip6
On a side note – users of older VPN client, such as Cisco VPN Client should test if they need to disable IPv6.
Some of the VPN software didn't understand IPv6, so it would let traffic through locally, even though Split Tunnelling is prevented by configuration. Split Tunnelling prevention apparently only worked for IPv4.
-Heine
"If you need to re-check that box there is NO PROGRAMMATIC WAY to do so."
Set-NetAdapterBinding -DisplayName "Internet Protocol Version 6 (TCP/IPv6)" -Enabled $true
Great article, though I note that it is served from an IPv4-only webpage. 😉
Great article, you really sparked my interest in IPv6. I can't wait to read Part 2.
"If you need to re-check that box there is NO PROGRAMMATIC WAY to do so."
http://www.expta.com/…/how-to-configure-ipv6-using-group.html
Good day
I have tried on a number of occasions to enable IPv6 in the registry editor to create a private network but I am having no luck.
I have followed the information provided to me previously but there is no information in the parameters key ..
How do I go about this the correct way? It is becoming quite frustrating.
Pingback from The Most Popular Posts of 2013 and Belated Birthday – Ask Premier Field Engineering (PFE) Platforms – Site Home – TechNet Blogs
Good explanation, thank you very much! I am just now reading this article due to a recent problem that I encountered. My Outlook 2003 stopped pulling Comcast e-mails through, indicating that the incoming server could not be found. This occurred coincident with a server upgrade on Comcast’s end, but appeared to be linked only to Outlook 2003. One of the solutions that I found online was to uncheck IPv6, which I did. After restarting two different computers with this solution, e-mails flowed through to Outlook with no problem. Based on your explanation above, this fundamentally doesn’t make sense as IPv6 should only expand availability of server addresses, not restrict them. Any explanations for what might be going on here?
Thanks in advance!
Until I am up to speed with it I will continue to disable. Is my router IPv6 enabled? Hmm not sure. And what about about Windows Update? Seems not to work on Server 2012 R2 Standard with IPv6 enabled on my network as is, probably due to firewall NAT’ing.
See also
http://www.insinuator.net/2014/05/microsoft-windows-update-over-ipv6-or-not/
There isn’t an “IPV6” in my PC, why?
Hey, y’all, Mark back with some new info on two of my favorite topics, IPv6 and Slow Boot Slow Logon
I’ve had ipv6 screw up situations where the valid input is either a domain name or an IP address.
In these situations, "localhost" will complete to "::1" instead of "127.0.0.1". If you are using an application server that only responds to 127.0.0.1 and not ::1, you’re hosed.
I lost 2 days development time only to find out the reason my application wasn’t working was because my bookmark used "localhost" instead of 127.0.0.1, and it was completing to "::1" which was not bound to my application server’s interface.
I had to actually edit my hosts file to say "localhost equals 127.0.0.1"
Ridiculous.
Right here, ipv6 has cost me more time in my life than how much it has saved me. This will likely be true until the day I die.
Hmm… this website… AAAA-Records? No. Microsoft has disabled it on their servers.
Interesting article and I get the strong message on leaving IPv6 enabled. In reality though, are there any security risks by leaving IPv6 enabled in an environment where it is unlikely to be being actively managed either at the client or network level?
I would like to feel confident that we are future proofing corporate client deployments without introducing unnecessary risk. Any thoughts on that side of it?
Thanks Mark, very helpful!
"First off, I’ve yet to hear what IPv6 ‘screws up’." — Oh, it screws up DNS. More specifically, ISPs like comcast that offer IPv6 with route advertising or DHCPv6. What happens is, you have a windows domain, right? It has a DNS server, right? Everything refers to that DNS server from its IPv4. Comcast suddenly assigns you a route and an IPv6 DNS server. Surprise, your entire domain is now broken because IPv6 DNS servers are always checked before IPv4 servers are. SO. ANNOYING.
good share.
We’ve never touched IPv6 settings on our desktops or servers, it’s always been left on, although we’re a 100% IPv4 environment. Today after days of crazy network traffic taking down our production Hyper-V cluster, I identified 9 desktops that were dishing out 1.5 million ICMPv6 broadcasts per minute. Basically flooding the network with multicast traffic. They all had the same NIC cards and had been left asleep over the holidays. Guess what? Disabling IPv6 through the registry corrected the problem. We now have a stable environment. I could spend my time working out why the machines decided to do this, but will undoubtedly come to nothing. I could learn about ICMPv6, and maybe work out that our network is not configured correctly, but I’ll leave that to the network guy. The priority was to stabilize the environment. I agree it shouldn’t be disabled just because you can, but if you’re not using it and it’s bringing down your network don’t be afraid to. IPv6 should be implemented in a controlled and considered way, not enabled by default, esp from my experience from the last few days.
I am on with Microsoft Support troubleshooting an AD problem. Someone before me had unchecked ipv6 on the domain controllers, but I just added two new DCs and had left ipv6 on like I thought was correct. The Microsoft Support technician has unchecked it for some unknown reason as well as turned off the Windows Firewall. I know the two are not related, but it appears she is incorrect in turning off ipv6 and from looking around I don’t think Windows Firewall has to be turned off either even though she is trying to tell me otherwise. She also misconfigured the DNS settings according to what I have read from Microsoft. I guess once she is done poking around aimlessly I will go back and fix these things. I would expect Microsoft Support Staff to know best practices, etc. but I guess I paid $499 to have someone go against what Microsoft says.
My Grama’s internet has this problem where it drops down to 1-3 bars and messes up things we are using the internet for. Any ideas on how to fix it?