

Arguments against disabling IPv6

Hello! Dorian again with a blog article regarding IPv6.

The main reason for writing this blog post is that until now best practice has said “If you aren’t using it, disable it!”, or our customers see lots of talk on message boards saying “Your Internet is slow? Disable IPv6! That’ll fix it!”, and they develop the wrong idea about what IPv6 does and how it works.

As a result, we’ve noticed that a lot of customers ask how they can disable IPv6 in the supported way. The answer to this question is in KB929852, which shows ways to disable certain components, how to alter the prefix policies, or how to deactivate everything except the IPv6 loopback interface.

How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7 and Windows Server 2008
https://support.microsoft.com/kb/929852

Even if this is the “supported” way to deactivate IPv6, Microsoft does not recommend that customers disable IPv6 if they are not planning to use it in the network. Please take into consideration that you “might” face issues or problems, and that at some time after you open a Service Request we might need to ask you to (re)enable IPv6 just to see whether the problems were caused by the deactivation itself.

Some of these possible issues are:

When IPv6 is disabled via the registry hacks in https://support.microsoft.com/kb/929852 or via unbinding in the NIC bindings, UDP 389 ceases to respond. This is known behavior and is referenced briefly in KB 816103.

Be aware that the LDAP test over UDP may not work against domain controllers that are running Windows Server 2008. One reason for this can be that you have disabled IPv6 on the Domain Controller. To re-enable IPv6, set the value discussed in the article below to the default of "0".

What occurs here is that a check is performed to see what the maximum response can be and it calls into an API specific to IPv6 for the result. The return is a null value as the protocol is not enabled. There is a possibility that there may be an additional check included to see if more than one IP protocol is bound to the adapter, however our official stance on IPv6 is not to disable it on 2008 or later platforms.

Exchange 2007 recommended disabling IPv6 to fix an issue with Outlook Anywhere. The Exchange 2007 limitation was fixed in Exchange 2010. Customers that disabled IPv6 and later upgraded to Exchange 2010 then ran into issues because IPv6 was disabled. https://support.microsoft.com/kb/977623/EN-US

Disabling IPv6 costs you money. There is no default GPO that allows IPv6 to be disabled. Depending on how it is disabled, re-enabling it can be challenging. We have several customers that heard this and decided to disable IPv6 in Vista, anyway. When Windows 7 rolled around, the same customers wanted to deploy DirectAccess, and began complaining how hard it was to find all the machines that had v6 disabled and get it re-enabled on those clients. Disabling v6 increased their management costs for very little benefit, and re-enabling IPv6 cost them again. Our goal is to help customers lower TCO, not raise it.

IPv6 is required by the Common Engineering Criteria. All Microsoft products for the enterprise should support IPv6. Future versions of our products may require it.
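A read-only audit for the "find all the machines that had v6 disabled" problem described above, as an added example that is not from the original post. It covers both mechanisms the post names, the DisabledComponents registry value and NIC unbinding; the function names are hypothetical, and the registry path and bit meanings are taken from Microsoft's DisabledComponents documentation (KB929852), not from this page.

```powershell
# Added example (not from the original post): report how IPv6 was disabled locally.
# Function names are hypothetical; path and bit meanings follow KB929852.
$Tcpip6Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

function ConvertFrom-DisabledComponents {
    param([Parameter(Mandatory)][int64]$Value)
    $v = $Value -band 0xFFFFFFFFL            # normalise a DWORD that was read back as signed
    [pscustomobject]@{
        Value            = '0x{0:X}' -f $v
        IsDefault        = ($v -eq 0)                  # 0 = nothing disabled
        TunnelsDisabled  = [bool]($v -band 0x01)       # bit 0: all tunnel interfaces
        NativeDisabled   = [bool]($v -band 0x10)       # bit 4: LAN/PPP (non-tunnel) interfaces
        PrefersIPv4      = [bool]($v -band 0x20)       # bit 5: prefix policy prefers IPv4
        OnlyLoopbackLeft = (($v -band 0x11) -eq 0x11)  # tunnel and native interfaces both off
    }
}

function Get-IPv6DisableState {
    # A missing value means the default (0): nothing disabled through the registry.
    $prop = Get-ItemProperty -Path $Tcpip6Params -Name DisabledComponents -ErrorAction SilentlyContinue
    $raw  = if ($prop) { [int64]$prop.DisabledComponents } else { 0 }
    $state = ConvertFrom-DisabledComponents -Value $raw

    # Unbinding in the adapter properties does not touch DisabledComponents, so the
    # ms_tcpip6 binding is checked separately (cmdlet ships with Windows 8 / Server 2012+).
    $unbound = @()
    if (Get-Command Get-NetAdapterBinding -ErrorAction SilentlyContinue) {
        $unbound = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 |
                     Where-Object { -not $_.Enabled } |
                     Select-Object -ExpandProperty Name)
    }
    $state | Add-Member -NotePropertyName UnboundAdapters -NotePropertyValue $unbound -PassThru
}

# Constructed sample values, decoded without touching the registry:
0x00, 0x20, 0x11, 0xFF |
    ForEach-Object { ConvertFrom-DisabledComponents -Value $_ } | Format-Table

# Live check of the machine the script runs on (Windows only):
if ($env:OS -eq 'Windows_NT') { Get-IPv6DisableState | Format-List }
```

A machine is back at the default the post recommends when `IsDefault` is true and `UnboundAdapters` is empty.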

Additional References:

The IPv6 Blog
https://blogs.technet.com/b/ipv6/

Disabling IPv6 Doesn't Help (By Sean Siler)
https://blogs.technet.com/b/ipv6/archive/2007/11/08/disabling-ipv6-doesn-t-help.aspx

The Argument against Disabling IPv6
https://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

It is unfortunate that some organizations disable IPv6 on their computers running Windows Vista or Windows Server 2008, where it is installed and enabled by default. Many disable IPv6 based on the assumption that they are not running any applications or services that use it. Others might disable it because of a misperception that having both IPv4 and IPv6 enabled effectively doubles their DNS and Web traffic. This is not true.

From Microsoft's perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6.

If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions like Windows 7 or Windows Server 2008 R2, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be. Additionally, the P2P APIs require IPv6, and those are public APIs. If IPv6 is disabled, programs that use the P2P APIs will break. This could impact application compatibility for third-party apps.

Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled.

Let’s think even further about the transition to IPv6 and the benefits of being IPv6 ready:

Customers CANNOT learn IPv6 in a weekend. They need time to roll this out in a slow, phased migration. This is what Microsoft has recommended from the beginning. If customers wait until the day their ISP says “Sorry, we’re out of IPv4 addresses!” to start thinking about IPv6, they are in deep trouble. Right now, according to the NRO, less than 10% of IPv4 addresses remain unallocated.

More info regarding this here:
Less than 10% of IPv4 Addresses Remain Unallocated, says Number Resource Organization
https://www.nro.net/media/less-than-10-percent-ipv4-addresses-remain-unallocated.html

As of 30 September 2010, according to ARIN stats, only around 5% of the IPv4 address space is left. Don’t fall behind, start your IPv6 planning now!

IPv6 Learning Roadmap now available (by Joe Davies)
https://blogs.technet.com/b/ipv6/archive/2010/11/02/ipv6-learning-roadmap-now-available.aspx

The IPv6 Learning Roadmap provides an organized and sequential list of Web and print resources that you can use to build your understanding of IPv6, starting with prerequisites and then adding level 100 (introductory), level 200 (intermediate), and level 300 (advanced) knowledge.

As a final conclusion:
IPv6 was designed to have no impact to the customer environment in production. No double queries, no DNS entries, no tunneling through the firewall, no performance degradation. If you feel like you have seen any of these and can provide data for troubleshooting, please feel free to open an incident with Microsoft so that we can discuss it.

Comments

  • Anonymous
    January 01, 2003
    We had similar thinking, i.e. we don't use it so let's disable it. However, we found that if we disabled IPv6 on Windows 7 clients then Offline Files wouldn't work, so now we keep it enabled. If you want more details, check out my blog thommck.wordpress.com/.../offline-files-versus-vpn-a-k-a-the-case-of-the-missing-work-online-button

  • Anonymous
    January 01, 2003
    Nice post !

  • Anonymous
    November 24, 2010
    Customers cannot also live with the distributed IPv6 network segmented by ISA... Pity =(

  • Anonymous
    March 22, 2012
    It is a network protocol, shouldn't be mandatory to have it enabled. From a security standpoint, I think that it's better to have as few items enabled on the network adapters as possible.

  • Anonymous
    January 26, 2013
    "Disabling IPv6 costs you money" Sorry, but this argument is complete nonsense. Deploying and un-deploying DisabledComponents with Group Policy Preferences Registry, with a custom ADM template or even with a script doesn't take me more than 2 minutes: create a GPP registry entry, write an ADM template in Notepad, or integrate a computer startup script with a reg import. I can do all 3 solutions within 2 minutes. Even if it was "unbound" on the LAN connection, it can be bound again with a script. Please remove this argument; editing the registry or manipulating clients is never ever a challenge for the admin. It's his daily business.

  • Anonymous
    March 25, 2013
    We recently initiated a support service call with Microsoft on our Lync environment. First thing the tech did when remoting into the environment: he verified we had IPv6 disabled on all Lync servers. I confronted him on the issue; he said "We have seen some issues caused by IPv6". Microsoft should communicate a consistent message on this topic.

  • Anonymous
    November 19, 2013
    it's not marketing, it's just an another backdoor.

  • Anonymous
    January 18, 2014
    The link is broken for KB977623. Completely agree @Mark Heitbrink. This article has no technical information as to how it's going to affect the environment or risk etc.

  • Anonymous
    April 30, 2014
    Malware attacks through open protocols cost money too. What a choice Microsoft... thanks for that one! :)

  • Anonymous
    May 21, 2014
    Disappointed, no technical information here!

  • Anonymous
    May 25, 2014
    If you really want to be invisible in the net, the first thing you have to do is to disable IPv6. The top professionals in Internet Security are going to tell you why. :)

    To find out more information about what IPv6 really does, don't hesitate to buy the book(s):

    http://www.ebook3000.com/upimg/allimg/091217/0000390.jpg

    and/or

    http://yuq.me/users/20/352/GeYnxcXEbC.png

    or read the next article ---- http://www.prweb.com/releases/2013/7/prweb10908989.htm

  • Anonymous
    March 23, 2015
    Disabling IPv6 is a common discussion, like the requirement of the "WINS" service. To "believe" that this could be a problem or not is not enough - we need technical facts. Microsoft has released an incomplete work and it seems that some of the services are optimized using the newly written IPv6 protocol stack. The problems you might get are not related to the IPv6 stack but more to the shortcomings of Microsoft's product, which doesn't work with IPv4 exclusively.
    In Server 2012 R2, I had disabled all IPv6 stacks - on domain controllers, file servers and more - nothing happened - all of the services work stably. Microsoft seems to have done their job in this release, so you can work without IPv6 successfully. I understand that MS doesn't want to get more tickets and ultimately need more human resources to handle them, but as a customer who paid for them, they can't force me to use IPv6 - and they know this because they support a native IPv4 environment.

  • Anonymous
    September 13, 2015
    Take the Lync whitepaper:
    http://www.microsoft.com/en-us/download/confirmation.aspx?id=41936
    and you find a statement: "We do not recommend that you use both IPv4 and IPv6 on the same NIC as this can cause performance issues."

    So Microsoft itself really says: having IPv4 and IPv6 on the same machine is causing performance troubles and we should avoid it.