Stop hurting yourself by: Disabling IPv6, why do you really do it?

Applies to:

Windows 10/ 2016

Windows 8.1/ 2012 R2

Windows 8 / 2012

Windows 7 SP1/ 2008 R2

Problem description:

==============

Windows Server 2016 Hyper-V Failover Cluster (but this would apply to any modern Windows and Windows Server)

Name resolution fails at random.  The issue started only recently.

The Windows-based systems are getting an IPv6 address even though the network is IPv4-based.

The DNS server resolves only IPv4 addresses, which is by design in this customer environment (and 99% of the environments out there).

Cause:

====

A network trace (Message Analyzer/Wireshark) showed that the device with the MAC address [00-1A-1E-01-43-65] was sending Router Advertisements on the network segment.

This MAC address belonged to a Wireless Access Point (WAP) that one of the networking administrators was testing to see the capabilities.

It had been left unconfigured (default settings) and started broadcasting IPv6 addresses.

Background:

==========

To ‘prevent’ this type of issue, the common thing for IT administrators to do is to disable IPv6 on the network adapter.

Control Panel\Network and Internet\Network Connections

Right-click on a network adapter

Click on “Properties”

Uncheck the box for "Internet Protocol Version 6 (TCP/IPv6)"

Warning:  This is unsupported by us (Microsoft)

The supported workaround that many IT administrators end up using is described in:

929852 How to disable IPv6 or its components in Windows

https://support.microsoft.com/?id=929852

Since the different component owners in the Product Group don’t test with IPv6 disabled, I was wondering, is there a better way of keeping IT administrators from shooting themselves in the foot while also providing the availability?

Investigation:

===========

Windows Vista, Windows Server 2008 and newer OSes implement RFC 3484 and use a prefix table to determine which address to use when multiple addresses are available for a name.

By default, it favors IPv6 global unicast addresses over IPv4 addresses.

969029 The functionality for source IP address selection in Windows Server 2008 and in Windows Vista differs from the corresponding functionality in earlier versions of Windows

https://support.microsoft.com/?id=969029

              For information about RFC 3484:

              Default Address Selection for Internet Protocol version 6 (IPv6)

              https://tools.ietf.org/html/rfc3484

RFC 4291 will let you set IPv4 precedence over IPv6

              Using SIO_ADDRESS_LIST_SORT

              https://msdn.microsoft.com/en-us/library/windows/desktop/ms740614(v=vs.85).aspx

                           For information about RFC 4291:

                           IP Version 6 Addressing Architecture

                           https://tools.ietf.org/html/rfc4291

Start, CMD (Run As Admin)

netsh interface ipv6 show prefixpolicies

Note that higher precedence in prefix policies is represented by a larger "precedence" value, the exact opposite of a routing table "cost" value.

        40      1  ::/0

        30      2  2002::/16

        20      3  ::/96

        10      4  ::ffff:0:0/96

Note that IPv6 addresses (::/0) are preferred over IPv4 addresses (::/96, ::ffff:0:0/96).

We can create a policy that will make Contoso IPv6 tunnel less favorable than any IPv4 address:

netsh interface ipv6 add prefixpolicy 2001:470::/32 3 6

2001:470::/32 is Contoso's prefix, 3 is a Precedence (very low) and 6 is a Label.
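The lookup described above, as an added example that is not part of the original post: it models only the prefix-table precedence comparison (longest matching prefix, then higher precedence first), not the other RFC 3484 rules. The function names and the sample addresses are constructed for illustration; the table rows and the 2001:470::/32 policy are the ones shown on this page.

```python
import ipaddress

# Prefix policy table as listed on this page: (prefix, precedence, label)
DEFAULT_POLICIES = [
    ("::/0", 40, 1),
    ("2002::/16", 30, 2),
    ("::/96", 20, 3),
    ("::ffff:0:0/96", 10, 4),
]
# The same table after: netsh interface ipv6 add prefixpolicy 2001:470::/32 3 6
WITH_POLICY = DEFAULT_POLICIES + [("2001:470::/32", 3, 6)]

# Constructed candidate answers for one host name (one A, one AAAA record)
CANDIDATES = ["192.0.2.10", "2001:470:1f0b::10"]


def to_v6(addr):
    """IPv4 addresses are looked up as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address((0xFFFF << 32) | int(ip))
    return ip


def lookup(addr, policies):
    """Return (precedence, label) of the longest prefix matching addr."""
    ip = to_v6(addr)
    best = None
    for prefix, precedence, label in policies:
        net = ipaddress.IPv6Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, precedence, label)
    if best is None:
        raise ValueError("no matching prefix policy for " + addr)
    return best[1], best[2]


def order_destinations(candidates, policies):
    """Order candidates by precedence, highest first (ties keep input order)."""
    return sorted(candidates, key=lambda a: lookup(a, policies)[0], reverse=True)


if __name__ == "__main__":
    for name, table in (("default", DEFAULT_POLICIES), ("with policy", WITH_POLICY)):
        print(name, order_destinations(CANDIDATES, table))
    # An address outside 2001:470::/32 is not covered by the added policy.
    print("2001:db8::1 ->", lookup("2001:db8::1", WITH_POLICY))
```

An address outside 2001:470::/32 (here the constructed 2001:db8::1) still falls through to ::/0 with precedence 40, so a per-prefix policy only demotes the prefix it names.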

Recommendation:

================

The moral of the story is, don’t disable IPv6.  Use the “Prefer IPv4 over IPv6” if you must.

Option 1:

Use the “Prefer IPv4 over IPv6” setting from the custom .admx here:

How to Disable IPv6 through Group Policy

https://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx

Option 2:

OR use GPP to set the Disabled Components for “Prefer IPv4 over IPv6”

929852 How to disable IPv6 or its components in Windows

https://support.microsoft.com/?id=929852

Option 3:

OR, on individual machines:

Instead of manually configuring these settings, there is a Fix it:

2533454 Resolving Internet connectivity issues after World IPv6 Launch (June 6, 2012)

https://support.microsoft.com/?id=2533454

Yong “Hailing from Long Beach, CA. today”.

Other “Stop hurting yourself by” posts:

WMI: Stop hurting yourself by using “for /f %%s in (‘dir /s /b *.mof *.mfl’) do mofcomp %%s”
https://blogs.technet.microsoft.com/yongrhee/2016/06/23/wmi-stop-hurting-yourself-by-using-for-f-s-in-dir-s-b-mof-mfl-do-mofcomp-s/