Jan 03 2008

Keep It On or Shut It Off?

Be sure to measure the pros and cons before disabling IPv6 in Windows Vista.

Vista is the first version of Microsoft Windows that both fully supports Internet Protocol Version 6 and has IPv6 enabled out-of-the-box. Many administrators are not yet ready to migrate their networks to IPv6, however, so this raises a couple of questions: First, if you decide to deploy Vista, should you leave IPv6 on or turn it off? And second, if you decide to turn off IPv6, what’s the proper way to do it?

Some administrators say there are two major concerns that support disabling IPv6 on Vista: security and policy. The security concerns of having IPv6-enabled clients on the network are generally a result of unfamiliarity with IPv6. To some degree, ignorance is an acceptable excuse when it comes to an evolving technology as complex as IPv6.

For example, I contributed the chapter on deploying IPv6 to the Windows Vista Resource Kit from Microsoft Press, and in my initial draft of that chapter I wrote about three types of unicast IPv6 addresses: global, link-local and site-local. I thought this topic was well-established information, but my reviewer informed me that site-local addresses had been deprecated by RFC 3879 and replaced by unique local addresses. And a quick search of the RFC Index shows that there have been almost two dozen new RFCs about IPv6 in 2007 alone. So while IPv4 is essentially an established and therefore well-understood protocol, IPv6 is still continuing to evolve, at least to some extent, though much of it is established and accepted.

Key Considerations

The other major reason that administrators are not happy about IPv6 being enabled by default in Vista is because their companies have written security policies in place which state that IPv6 hosts are not allowed on the network. But because you as the IT expert were probably the architect of much of your company’s security policy, part of your job should be to educate management about what should be allowed and what should be restricted as far as your business’s network is concerned.

Other arguments against IPv6 have been more technical in nature. One is that IPv6 adds more idle network traffic and may cause incompatibilities with your switching and routing hardware. The first is really a red herring because the additional traffic is minimal; the second should be a nonissue if you use modern switches and your routers aren’t IPv6 enabled.

A potentially more serious matter would be if IPv6 addresses of Vista clients were published in the domain name system but some services were not IPv6-aware. Those clients would always try IPv6 first before falling back to IPv4. This could cause delays for applications that have to perform DNS lookups. The TCP/IP stack in Vista has been constructed so that, if clients have only link-local addresses assigned, the DNS Client service will send only a single query for A records. The situation becomes more complex if ISATAP has been deployed. But for companies that have not yet started migrating their networks to IPv6, Vista clients will simply assign themselves link-local addresses, so this issue also becomes moot.

“Microsoft does not recommend customers disable IPv6 in Windows Vista,” says Sean Siler, the senior IPv6 program manager at Microsoft. “When customers want to perform a security action, we often ask them, ‘What threat are you trying to mitigate?’ In this case, customers generally have no identified threats; they simply want to disable it because they believe they are not using it.”

Additionally, certain subsystems in Windows Vista — notably the Peer-to-Peer (P2P) subsystem — require IPv6 to operate, he says. If IPv6 is disabled, P2P is also disabled. Windows Meeting Space is built using the P2P APIs, so that application will not function if IPv6 is disabled. Because the P2P subsystem is available to developers through an API, an application can be written that calls these APIs. You should be careful to test for application compatibility before disabling IPv6. As time goes by, there likely will be more third-party applications and more Microsoft “out-of-the-box” applications that rely on P2P APIs.

“Leaving IPv6 enabled — even if the customer is not actively using it — does not necessarily introduce security risks to the customer, because the customer is still in control,” Siler continues. “In a managed network, until a network administrator or manager chooses to route IPv6 traffic into a network, having IPv6 enabled on the stack provides no extra path of connectivity to the Internet. An unmanaged environment gets the added benefit of seamless IPv6 connectivity only when applications require it. The built-in Windows Firewall fully supports IPv6 and is capable of providing a rich set of stateful rules for IPv6 support. In short, there really are no good reasons to turn off IPv6, but are many reasons to leave it enabled.”

Still, if you’re worried about stepping into a technology you haven’t studied in depth yet, or if your boss refuses to change company policy to allow IPv6 nodes on your network, then you may have to disable IPv6 in Vista. The proper way of doing this is to set a registry key to 0xffffff as described in Microsoft Knowledge Base article KB929852. This doesn’t remove IPv6 from the networking stack (it’s built in, so you can’t do that), but it does prevent Vista computers from sending or receiving IPv6 traffic, which is all that really matters from a networking perspective. And if you need to do this for a lot of systems, you can always create a custom ADMX template and use Group Policy to push this registry change out to all your Vista computers.
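The registry change described above, as an added example that is not part of the original column: the script reads the current value, writes the one the column quotes, and verifies the write. The key path and the DisabledComponents value name are the ones documented in KB929852 (the column itself does not name them); the 0xffffff value is the figure stated in the column, so check the current revision of KB929852 before rolling it out. It must run from an elevated PowerShell prompt and the change takes effect only after a reboot.

```powershell
# Added example (not from the column): disable IPv6 on a Vista host the way
# KB929852 describes, by writing the DisabledComponents DWORD under the Tcpip6
# service parameters key. Run elevated; reboot afterwards.

$keyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'  # per KB929852
$valueName  = 'DisabledComponents'                                          # per KB929852
$disableAll = 0xffffff   # value quoted in the column; confirm against KB929852

function Get-IPv6DisabledComponents {
    # Returns 0 when the value is absent, which is the default (all components enabled).
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [uint32]0 }
    return [uint32]$item.$valueName
}

function Set-IPv6DisabledComponents([uint32]$Value) {
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    # -Force overwrites an existing value; DWord is the type KB929852 specifies.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $Value -Force | Out-Null
}

$before = Get-IPv6DisabledComponents
Write-Host ('DisabledComponents before: 0x{0:x8}' -f $before)

Set-IPv6DisabledComponents -Value $disableAll

# Read the value back so a failed write (for example, a non-elevated prompt) is caught here
# rather than discovered after the reboot.
$after = Get-IPv6DisabledComponents
if ($after -ne $disableAll) {
    throw ('Registry write did not persist: expected 0x{0:x8}, got 0x{1:x8}' -f $disableAll, $after)
}
Write-Host ('DisabledComponents now 0x{0:x8}; reboot for the change to take effect.' -f $after)
```

Re-enabling later is the same write with a value of 0 (or deleting the value) followed by a reboot, which is the effort the column asks you to weigh. For a fleet, the same DWORD is what a custom ADMX template or a Group Policy registry setting would carry, so the script is mainly useful for a handful of machines or for verifying what policy has already applied.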

And remember, if you disable IPv6 on all your Vista computers today, you will need to enable it in the future when you begin your inevitable IPv4/6 migration. Both of these tasks will take time and effort. You need to consider the ROI of disabling IPv6 now and re-enabling it later, versus simply leaving it enabled.

If you decide to leave IPv6 enabled on Vista, then there should be no problems. But if you’re paranoid about security — and most administrators are, for good reason — then as a precaution you might want to block all Internet Protocol type 41 and UDP port 3544 traffic at your perimeter firewall, just to be sure no IPv6 traffic gets routed into or out of your network. Meanwhile, start learning about IPv6 today. It’s the future of networking and you don’t want to get left behind.
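The perimeter block the column suggests (IP protocol 41 and UDP port 3544) can also be mirrored on the host with the Vista Windows Firewall, which the column notes fully supports IPv6 and stateful rules. The following is an added example, not the column's or Microsoft's code; the rule names are chosen here, and the script must run from an elevated prompt. Protocol 41 carries 6to4 and ISATAP tunnels and UDP 3544 is the Teredo server port, so these rules stop a Vista client from opening those tunnels itself even if a perimeter device misses them.

```powershell
# Added example (not from the column): block the IPv6-over-IPv4 tunnel transports
# named in the column on the host with netsh advfirewall. Rule names are ours.

# Each entry: rule name, direction, protocol, and (for UDP) the remote port to block.
$rules = @(
    @{ Name = 'BlockProto41In';    Dir = 'in';  Proto = '41';  Port = $null },
    @{ Name = 'BlockProto41Out';   Dir = 'out'; Proto = '41';  Port = $null },
    @{ Name = 'BlockTeredoUdpIn';  Dir = 'in';  Proto = 'udp'; Port = 3544 },
    @{ Name = 'BlockTeredoUdpOut'; Dir = 'out'; Proto = 'udp'; Port = 3544 }
)

function Test-FirewallRuleExists([string]$Name) {
    # 'show rule' exits non-zero when no rule matches, which makes the script idempotent.
    netsh advfirewall firewall show rule name=$Name | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Add-BlockRule($Rule) {
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule',
                   "name=$($Rule.Name)", "dir=$($Rule.Dir)", 'action=block',
                   "protocol=$($Rule.Proto)")
    if ($Rule.Port) { $netshArgs += "remoteport=$($Rule.Port)" }   # Teredo server/relay port
    netsh @netshArgs | Out-Null
    return ($LASTEXITCODE -eq 0)
}

foreach ($r in $rules) {
    if (Test-FirewallRuleExists -Name $r.Name) {
        Write-Host "exists: $($r.Name)"
        continue
    }
    if (Add-BlockRule -Rule $r) { Write-Host "added:  $($r.Name)" }
    else { Write-Warning "failed: $($r.Name) (are you running elevated?)" }
}

# Final check: every rule we wanted is now present.
$missing = $rules | Where-Object { -not (Test-FirewallRuleExists -Name $_.Name) }
if ($missing) { throw "Rules not in place: $($missing.Name -join ', ')" }
Write-Host 'Tunnel transports blocked on this host.'
```

These rules only cover the tunnel transports the column names; native IPv6 on the local link (the link-local addresses Vista assigns itself) is unaffected, which is consistent with the column's point that such traffic provides no extra path to the Internet until a router forwards it.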

Mitch Tulloch is a Microsoft Most Valuable Professional (MVP) and lead author of the Windows Vista Resource Kit from Microsoft Press.
