A common paradigm in the technology field is, “If you’re not using it, uninstall or disable it.” While that can be an excellent way to reduce the attack surface of a system by removing components that you don’t need and may never use, there are going to be times when that paradigm doesn’t turn out to be the right decision. An excellent example of that is IPv6. Nearly every week when I’m onsite with a customer, the topic of “what should they do about IPv6” comes up, and I end up saying the same thing time and time again. I’ve been saying it so much that I’ve previously written the remaining contents of this post as a document that I’ll give out as a reference whenever the topic has come up. So finally, I decided to post it so that more people can benefit from the information and take corrective actions in their systems before my phone rings at 3AM and I find myself getting on an airplane.
In the properties of each NIC, the checkbox that binds the IPv6 protocol (“Internet Protocol Version 6 (TCP/IPv6)”) to the network interface should not be cleared, and the Link-Layer Topology Discovery Mapper I/O Driver and Link-Layer Topology Discovery Responder protocols should not be uninstalled. Clearing the IPv6 checkbox is often done with the intent of disabling IPv6 on the system, but it does not have that effect: it only unbinds the IPv6 protocol from that physical network interface while leaving IPv6 enabled within the operating system. The operating system continues to attempt to use IPv6 for communication and can behave unexpectedly and unpredictably when IPv6 is not bound to a physical network interface. Link Layer Topology Discovery (LLTD) provides device discovery at the data-link layer to determine the topology of the subnet; while the results obtained from LLTD are similar to those obtained via ARP, LLTD provides additional information.
Versions of Windows beginning with Windows Vista prefer IPv6 over IPv4. However, if IPv6 is not deployed in the network infrastructure, leaving IPv6 enabled on the systems will not affect Internet communications, web browsing, etc., because the NIC will only be configured with a link-local address (fe80::/10), which is non-routable and can only reach systems on its own subnet, bounded by a router. IPv6 is an integral part of the operating system and several Windows components rely on it, so IPv6 should be left enabled. KB 929852 describes the DisabledComponents registry value for disabling specific IPv6 components, but most environments should leave all IPv6 components enabled. The tunnel interfaces can be disabled while leaving the native IPv6 components enabled by setting that value to 0x1; however, as discussed below, blocking the tunneling protocols at the point of network egress is a more effective way to prevent the tunnel interfaces from establishing connections to their relays on the Internet.
The checkbox binding IPv6 to the network interface should remain checked on all systems running Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, and any future version of the Windows operating system.
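The check a practitioner wants at this point is a quick, per-host answer to three questions: what is DisabledComponents set to, which adapters have had the TCP/IPv6 checkbox cleared, and are any tunnel addresses present. The following PowerShell is an added example and not code from the original post. The registry path and bit meanings are those documented in KB 929852; the Get-NetAdapterBinding and Get-NetIPAddress cmdlets are an assumption of Windows 8 / Windows Server 2012 or later (on Vista, 7 and 2008 the registry part still works, and the adapter and address checks can be done with netsh interface ipv6 show addresses instead).

```powershell
# Added example, not from the original post. Assumes PowerShell 3.0+ and, for the
# adapter/address queries, Windows 8 / Server 2012 or later (NetAdapter and NetTCPIP modules).
# DisabledComponents bit meanings follow KB 929852.

$DisabledComponentBits = [ordered]@{
    0x01 = 'all tunnel interfaces (6to4, ISATAP, Teredo) disabled'
    0x02 = '6to4 disabled'
    0x04 = 'ISATAP disabled'
    0x08 = 'Teredo disabled'
    0x10 = 'native IPv6 on non-tunnel (LAN/PPP) interfaces disabled'
    0x20 = 'IPv4 preferred over IPv6 in the prefix policy table'
}

function ConvertFrom-DisabledComponents {
    # Translate the REG_DWORD into a list of what it turns off.
    param([Parameter(Mandatory)][int64]$Value)
    $v = $Value -band 0xFFFFFFFF          # a REG_DWORD of 0xFFFFFFFF reads back as -1
    if ($v -eq 0) { return ,'nothing disabled (default; all IPv6 components enabled)' }
    if (($v -band 0xFF) -eq 0xFF) { return ,'all IPv6 disabled except the loopback interface (0xFF)' }
    $out = foreach ($entry in $DisabledComponentBits.GetEnumerator()) {
        if ($v -band $entry.Key) { $entry.Value }
    }
    return @($out)
}

function Get-IPv6Posture {
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $raw = (Get-ItemProperty -Path $regPath -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $raw) { $raw = 0 }      # value absent == default, everything enabled

    # Adapters whose "Internet Protocol Version 6 (TCP/IPv6)" checkbox has been cleared.
    # This is the change the post warns against: IPv6 stays enabled in the OS, merely unbound.
    $unbound = Get-NetAdapterBinding -ComponentID ms_tcpip6 |
               Where-Object { -not $_.Enabled } |
               Select-Object -ExpandProperty Name

    # 6to4 (2002::/16) and Teredo (2001:0::/32) addresses: routable and registered in DNS.
    $tunnel = Get-NetIPAddress -AddressFamily IPv6 |
              Where-Object { $_.IPAddress -like '2002:*' -or $_.IPAddress -like '2001:0:*' } |
              Select-Object -ExpandProperty IPAddress

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DisabledComponents = '0x{0:X}' -f ($raw -band 0xFFFFFFFF)
        Meaning            = (ConvertFrom-DisabledComponents -Value $raw) -join '; '
        UnboundAdapters    = @($unbound) -join ', '
        TunnelAddresses    = @($tunnel) -join ', '
    }
}

Get-IPv6Posture | Format-List
```

Run from an elevated PowerShell prompt. A host that has been “fixed” the wrong way shows DisabledComponents = 0x0 together with one or more names under UnboundAdapters; a host that followed the post’s advice shows 0x0 (or 0x1 where tunnels were deliberately disabled) and no unbound adapters.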
Other IPv6 addresses that may be present on the systems are 6to4 and Teredo addresses. These come from tunneling mechanisms that allow connection to an IPv6 network over an IPv4 routing infrastructure. Unlike link-local addresses, 6to4 and Teredo addresses are routable and will be registered in DNS, which means other hosts can learn them and attempt to reach the system over a tunneled IPv6 path that IPv4-only filtering and monitoring do not see.
When the IPv4 address is in the public IPv4 range, a 6to4 adapter is used to carry IPv6 over the IPv4 infrastructure. This is done via IP protocol 41 (IPv6 encapsulated directly in IPv4), and the 6to4 address (2002:WWXX:YYZZ::/48, derived from the public IPv4 address W.X.Y.Z) is calculated without any external network connectivity. Systems with a 6to4 address will be able to communicate with other systems within your IPv4 network that also have 6to4 addresses, but will not use this address to reach external IPv6 resources, as the default 6to4 server used by Windows systems is only a 6to4 server and not also a 6to4 relay. The easiest way to prevent 6to4 connections is to set the DisabledComponents registry value or use netsh.exe to disable the 6to4 adapter. (http://en.wikipedia.org/wiki/6to4)
When the IPv4 address is in the private IPv4 ranges, or when 6to4 is unavailable for a system in the public IPv4 range, a Teredo adapter is used to carry IPv6 over the IPv4 infrastructure. Teredo encapsulates IPv6 in UDP and contacts the Teredo server teredo.ipv6.microsoft.com on UDP port 3544 (the client’s own source port is dynamic). Systems with a Teredo address will be able to communicate with other systems within your IPv4 network that also have Teredo addresses, but will not use this address to reach external IPv6 resources, as the default Teredo server used by Windows systems is only a Teredo server and not also a Teredo relay. The easiest way to prevent Teredo connections from the internal network is to block outbound UDP to destination port 3544 at the point of network egress. (http://en.wikipedia.org/wiki/Teredo_tunneling & http://tools.ietf.org/html/rfc4380)
The 6to4 & Teredo adapters can also be disabled by running the following from an elevated command prompt:
netsh int 6to4 set state state=disabled
netsh int teredo set state type=disabled
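The two paragraphs on 6to4 and Teredo above describe how those addresses are built from the host’s IPv4 address; when reviewing DNS AAAA records or the output of netsh interface ipv6 show addresses it helps to be able to recognise them and read the embedded IPv4 endpoints back out. The following PowerShell is an added example, not code from the original post. It uses only .NET’s System.Net.IPAddress, the 6to4 layout from RFC 3056 and the Teredo layout from RFC 4380; the sample addresses at the bottom are constructed for illustration, not captured from a real network.

```powershell
# Added example, not from the original post. Classifies IPv6 addresses and decodes the
# IPv4 endpoints embedded in 6to4 (RFC 3056) and Teredo (RFC 4380) addresses.
# Needs only .NET; PowerShell 3.0+ for [ordered].

function Get-IPv6AddressInfo {
    param([Parameter(Mandatory)][string]$Address)

    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "Not an IPv6 address: $Address"
    }
    $b = $ip.GetAddressBytes()          # 16 bytes, network byte order

    $info = [ordered]@{ Address = $Address; Type = 'global'; Routable = $true }

    if ($b[0] -eq 0xfe -and ($b[1] -band 0xc0) -eq 0x80) {
        # fe80::/10: link-local, never forwarded by a router
        $info.Type = 'link-local'; $info.Routable = $false
    }
    elseif ($b[0] -eq 0x20 -and $b[1] -eq 0x02) {
        # 2002:WWXX:YYZZ::/48 -> the public IPv4 address W.X.Y.Z of the 6to4 host
        $info.Type = '6to4'
        $info.EmbeddedIPv4 = $b[2..5] -join '.'
    }
    elseif ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0x00 -and $b[3] -eq 0x00) {
        # 2001:0000:<server IPv4>:<flags>:<port XOR 0xFFFF>:<client IPv4 XOR 0xFFFFFFFF>
        $info.Type = 'Teredo'
        $info.TeredoServer = $b[4..7] -join '.'
        $info.ConeNat = ($b[8] -band 0x80) -ne 0
        $info.ClientPort = (256 * $b[10] + $b[11]) -bxor 0xFFFF
        $info.ClientIPv4 = ($b[12..15] | ForEach-Object { $_ -bxor 0xFF }) -join '.'
    }
    [pscustomobject]$info
}

# Constructed sample input (not captured from a real network):
$samples = @(
    'fe80::a1b2:c3d4:e5f6:7a8b',               # link-local
    '2002:c000:201::1',                        # 6to4 for public IPv4 192.0.2.1
    '2001:0:4136:e378:8000:63bf:3fff:fdd2',    # Teredo: server 65.54.227.120, client 192.0.2.45 port 40000, cone NAT
    '2001:db8::1'                              # ordinary global address
)
$samples | ForEach-Object { Get-IPv6AddressInfo -Address $_ } | Format-List

# Live variant for the local host (Windows 8 / Server 2012 or later):
# Get-NetIPAddress -AddressFamily IPv6 | ForEach-Object { Get-IPv6AddressInfo -Address $_.IPAddress }
```

The Teredo decode is the useful part for triage: the server field tells you which Teredo server the client registered with, and the XOR-obscured client field gives the public IPv4 address and UDP port the NAT assigned, i.e. the exact UDP 3544 flow an egress filter needs to catch.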
The MSPress book Understanding IPv6 (Second Edition) is a great read for learning more about IPv6.
Disabling IPv6 Doesn’t Help, by Sean Siler, IPv6 Program Manager
Development and Deployment of IPv6: Good for Internet, Technology
Link Layer Topology Discovery Protocol Specification
929852 – How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7 and Windows Server 2008
IPv6 for Microsoft Windows: Frequently Asked Questions
The Cable Guy – Support for IPv6 in Windows Server 2008 R2 and Windows 7