LOLBaltSS

[https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ipv6-for-the-windows-administrator-why-you-need-to-care-about/ba-p/256251](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ipv6-for-the-windows-administrator-why-you-need-to-care-about/ba-p/256251)

[https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows](https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows)

Microsoft does not recommend disabling IPv6. You can instead tell Windows to prefer IPv4 over IPv6 via a registry key, which is supported.
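
As an added example (my own code, not from the comment above or from the linked Microsoft pages), this PowerShell applies the supported "prefer IPv4" setting the comment refers to and checks the result. It assumes the `DisabledComponents` DWORD under `Tcpip6\Parameters`, where bit `0x20` means "prefer IPv4 over IPv6" and `0xFF` is the full-disable value, and that the change takes effect after a reboot.

```powershell
# Added example: set the supported "prefer IPv4 over IPv6" bit without disabling IPv6.
# Run from an elevated PowerShell prompt; a reboot is required for the change to apply.

$Tcpip6Params  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$PreferIpv4Bit = 0x20   # DisabledComponents bit: prefer IPv4 over IPv6 in the prefix policy table
$DisableAllMask = 0xFF  # the "disable IPv6" value the thread warns against (unsupported by Microsoft)

function Get-DisabledComponents {
    # Current DisabledComponents value, or 0 when the value has never been created (Windows default)
    $item = Get-ItemProperty -Path $Tcpip6Params -Name 'DisabledComponents' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.DisabledComponents
}

function Set-PreferIPv4 {
    # OR the prefer-IPv4 bit into the existing value so other deliberately set bits survive.
    # Refuses to touch a host where IPv6 is fully disabled (0xFF): that is a separate decision.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $current = Get-DisabledComponents
    if (($current -band $DisableAllMask) -eq $DisableAllMask) {
        $msg = 'DisabledComponents is 0x{0:X}: IPv6 is fully disabled, which Microsoft does not support. Not changed.' -f $current
        Write-Warning $msg
        return $current
    }
    $new = $current -bor $PreferIpv4Bit
    $target = 'Set DisabledComponents to 0x{0:X}' -f $new
    if ($PSCmdlet.ShouldProcess($Tcpip6Params, $target)) {
        Set-ItemProperty -Path $Tcpip6Params -Name 'DisabledComponents' -Value $new -Type DWord
    }
    return $new
}

function Test-PreferIPv4 {
    # After the reboot, the prefix policy for ::ffff:0:0/96 (IPv4-mapped) should outrank ::/0.
    # Note the parentheses: without them PowerShell would pass -band as an argument to the function.
    $bitSet = ((Get-DisabledComponents) -band $PreferIpv4Bit) -ne 0
    $policy = netsh interface ipv6 show prefixpolicies
    [pscustomobject]@{
        PreferIPv4BitSet = $bitSet
        PrefixPolicies   = ($policy -join "`n")
    }
}

Set-PreferIPv4 -WhatIf     # dry run; drop -WhatIf to apply, then reboot
Test-PreferIPv4
```

The prefix policy output is the practical check: it is what Windows actually consults when choosing between A and AAAA answers, and it only changes after the reboot.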


FewNeighborhood

This is the way. As a pentester I am able to abuse IPv6 far too often to start collecting hashes/conduct relay attacks. In that same vein, I have seen too many clients disable IPv6 altogether and break stuff; setting the preference is a vastly more preferable method that mitigates risk but shouldn't break things.


CHEEZE_BAGS

I read if you don't set up IPv6 someone else will


FewNeighborhood

Sadly true.


colinpuk

We were just pen tested and had the attack. There are GPOs to prefer IPv4 rather than disable IPv6.


jwckauman

Thank you! Going to test that GPO out today. Do you know what changes when the setting is applied?


mrbiggbrain

I would also ensure that your network has DHCP snooping configured. You'll want to prevent a bad actor from setting up your ipv6 settings via the various methods.


champtar

IPv6 RA guard might not protect you; at least Cisco hasn't patched many of their switches. There is a test script at https://blog.champtar.fr/VLAN0_LLC_SNAP/ and the CERT/CC advisory at the time is https://kb.cert.org/vuls/id/855201


ItsMeMulbear

And this is why we use dot1x on every port, lol


champtar

Well, dot1x without data encryption (MACsec or equivalent) is 'trivial' to bypass: just plug something inline and let the endpoint authenticate. A project to do this type of attack (many others exist): https://github.com/nccgroup/phantap


ArsenalITTwo

You can block IPv6 RA and DHCP in the Windows Firewall. Pentesters hate me.


FML_Sysadmin

The importance of this post cannot be understated.


jwckauman

Thank you! So to summarize u/LOLBaltSS's and your comments:

1) Being a highly exploitable attack vector is a big reason to disable IPv6;
2) Disabling IPv6 breaks stuff;
3) **Preferring IPv4 over IPv6 achieves the goal of eliminating the exploitability of IPv6 w/out the result of breaking Windows.**


JivanP

Being a highly exploitable attack vector is not itself immediately a reason to disable IPv6. It *is* a good reason to make sure that you understand how it can be exploited, and put proper mitigations in place against those attack vectors, which exist regardless of whether you're actively using IPv6 in your network or not. One such method of mitigating attack risk *could* be to disable IPv6 on all hosts connected to your network, but that requires a few things:

1. You don't actually want to use IPv6 on your network.
2. You have complete control over the network configuration settings of all hosts on your network.
3. All of the hosts on your network actually allow you to disable IPv6 on them.

Alternatively/additionally, you could use higher-layer, wider-reaching, and/or more general defense mechanisms, such as RA Guard and properly configured firewalls.

Moreover, configuring Windows to *prefer* IPv4 does not "eliminate the exploitability of IPv6" on that device; you haven't *disabled* IPv6, and the device will happily still use IPv6 in some circumstances. This is why such preference doesn't break functionality that depends on IPv6 working, whether that functionality is a baked-in Windows feature or otherwise. For example, if some malware ends up on your machine that references an IPv6 literal address that is in use by a malicious host on your network, then you're screwed unless you have the proper mitigations in place to prevent the infected device from communicating with the malicious device.

For a more in-depth discussion of the security considerations, [give this 25-minute lecture a watch](https://youtu.be/SbgbExbu1kk). An older version of the same lecture [is available here](https://youtu.be/a8zefJ_wAbQ), which doesn't have the slides on screen, but does have a good Q&A section afterwards.


FewNeighborhood

That is correct


Neoptolemus-Giltbert

Nothing breaks when I disable IPv6 on my network, on the contrary. A lot of admins on the internet don't understand, test, or properly maintain anything IPv6 related, and I avoid the issues they cause by disabling IPv6.


FewNeighborhood

If it works for you awesome, but I am not going to recommend a method that is not officially supported when the risk can be mitigated through a supported method just as well.


lightmatter501

What FewNeighborhood is saying, and I agree as a former Blue Teamer (since even blue team has to be a bit purple), is that if you turn off v6 someone else can set it up for you after breaking into a web server and get a parallel network that’s unmonitored and unrestricted. This sounds bad because it is.


medster10

Unfortunately, preferring IPv4 over IPv6 does not mitigate all of the security risks by itself. You need DHCPv6 guard, or block DHCPv6 traffic via host firewall: [https://medium.com/@magusworksitsec/does-preferring-ipv4-over-ipv6-stop-the-famed-mitm6-attack-ed3327fb72f0](https://medium.com/@magusworksitsec/does-preferring-ipv4-over-ipv6-stop-the-famed-mitm6-attack-ed3327fb72f0)
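
An added example (my own code, not from this comment, ArsenalITTwo's comment above, or the linked article) of the host-firewall approach both describe: Windows Firewall rules that block inbound Router Advertisements and DHCPv6 server messages. It assumes ICMPv6 type 134 for RA and UDP 547 (server) to 546 (client) for DHCPv6; the rule names and group are my own.

```powershell
# Added example: Windows Firewall rules that stop a rogue IPv6 router or DHCPv6 server on the
# local segment from reconfiguring this host. Block rules take precedence over Windows'
# built-in "Core Networking" allow rules, so nothing else needs to change.
# Only use this where the host is NOT meant to get IPv6 config from the network (SLAAC/DHCPv6);
# otherwise RA Guard / DHCPv6 Guard on the switch is the right layer.

$Rules = @(
    @{ DisplayName = 'Block inbound IPv6 Router Advertisement (rogue RA)'; Protocol = 'ICMPv6'; IcmpType = '134' },
    @{ DisplayName = 'Block inbound DHCPv6 server messages (rogue DHCPv6)'; Protocol = 'UDP'; LocalPort = '546'; RemotePort = '547' }
)

function Install-IPv6GuardRules {
    # Creates each rule once; re-running is safe
    foreach ($r in $Rules) {
        if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$($r.DisplayName)' already present"
            continue
        }
        $common = @{
            Direction = 'Inbound'; Action = 'Block'; Profile = 'Any'; Enabled = 'True'
            Group     = 'IPv6 hardening (added example)'
        }
        # Two splats: shared settings plus the per-rule protocol/port/ICMP type
        New-NetFirewallRule @common @r | Out-Null
    }
}

function Test-IPv6GuardRules {
    # One row per rule: present, enabled, and really a Block (not Allow) rule
    foreach ($r in $Rules) {
        $rule = Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Rule    = $r.DisplayName
            Present = [bool]$rule
            Enabled = if ($rule) { $rule.Enabled -eq 'True' } else { $false }
            Blocks  = if ($rule) { $rule.Action -eq 'Block' } else { $false }
        }
    }
}

Install-IPv6GuardRules
Test-IPv6GuardRules | Format-Table -AutoSize
```

Pair this with the prefer-IPv4 registry setting rather than instead of it: the registry bit changes which address family Windows picks for a name, while these rules stop the host from learning an attacker-supplied prefix, default route or DNS server in the first place.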


jwckauman

To what degree does preferring IPv4 over IPv6 eliminate exploits/risks? Most risks mitigated? about half the risks mitigated? a small set of risks mitigated but most risks still exist?


heliosfa

IPv6 itself is not exploitable/a risk. Ignored/unconfigured IPv6 is and preferring IPv4 does nothing to address this. If you don't have global IPv6 connectivity to your sites, then the possible vectors are going to be mostly restricted, and a lot of them can be mitigated by enabling RA guard, much like you have DHCP Guard enabled for IPv4, and not ignoring it with any IDS you have.


FewNeighborhood

It doesn't do nothing; setting IPv4 preference severely limits MITM attacks on IPv6. Not sure where you are getting your info.


heliosfa

What you are calling "MITM attacks on IPv6" are only one type of attack that can be done with unconfigured IPv6. Yes, IPv4 preference can lessen that, but the correct approach (which addresses other issues as well) is implementing RA guard just as you do DHCP guard and mitigations against ARP spoofing.


FewNeighborhood

Not sure what you're on about with "what you are calling", but whatever. I will cede I was too focused on the "mitm" vectors as that is what is most commonly seen/abused, however the RA approach is better.


Justhereforthepartie

Or, just spin up a DHCP server and match the policies with what your v4 scopes are so a bad guy doesn’t leverage v6 to bypass your controls.


jwckauman

Thanks. We do have a DHCP server but haven't touched the IPv6 stuff. Are you saying we should just mirror whatever we did for IPv4 in IPv6, even if we aren't using it?


jwckauman

Thank you. Does telling Windows to prefer IPv4 over IPv6 in the registry change anything about the amount of network traffic? Or does it just reduce the odds of seeing (or seeing evidence of) IPv6 traffic?


Doso777

This is unsupported by Microsoft. They also no longer test for scenarios where someone disables IPv6 on Windows Server. I once spent a while troubleshooting general Active Directory problems. Turns out someone had disabled IPv6 on the Domain Controllers, which eventually led to problems with DNS. Lesson learned: just leave the IPv6 settings on default.


hurkwurk

Meanwhile, I had the opposite issue. Tons of problems with DNS; found out 2 servers had IPv6 and were using it, turned it off and rebooted and everything was happy. Mind you, these servers have been upgraded many times since 2003 to 2022, so it's likely they are in a state that is only expecting IPv4.


CeeMX

Over 10 years ago when I was an apprentice, we also usually disabled v6, until we couldn't anymore because Exchange 2010 (or 2013?) required it.


jwckauman

Does Microsoft document and/or advertise that they do not support disabling IPv6? And that they don't test for scenarios where IPv6 is disabled? I haven't been able to find anything recent.


thortgot

They advise to leave it enabled. The below is only one of many places they explicitly call it out. [Configure IPv6 for advanced users - Windows Server | Microsoft Learn](https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows)


Numzane

1. Tell them X is unsupported and things will break.
2. Get the go ahead in writing.
3. Things break.
4. Explain why they're broken.
5. Get the go ahead in writing to roll back changes.
6. Roll back changes.


mmp

> Get the go ahead in writing.

If you get this step to work you are incredibly lucky. I have tried at multiple companies. Every time I request a go ahead in writing all future communication about the topic becomes verbal. It always ends with a manager coming to my desk and telling me to just do it anyway. If I try to press the issue it devolves into a "This is insubordination. You will do it or lose your job." scenario.


The_Original_Miser

This. These MBA assholes sure do know "plausible deniability" where if it's not in writing, it didn't happen. I've seen this also way too many times in my career. When you push them to put it in writing (memo, email, whatever) they get *pissed.*


Efficient_Will5192

I find it's often in how it's phrased. If I "request a go ahead in writing" I usually get stonewalled. But if I create the document as a form outlining requested work and a section that acknowledges the impact to the business... well, I can't start the task until the forms are signed.


mmp

> I find it's often in how it's phrased. If I "request a go ahead in writing" I usually get stonewalled. But if I create the document as a form outlining requested work and a section that acknowledges the impact to the business... well, I can't start the task until the forms are signed.

Your suggestion is reasonable and a very logical solution...*to me.* When I have tried strategies like that, the push back I got was that it's not a productive use of my time. I should only create technical documentation for knowledge/training purposes and have no authority to request, let alone require, anyone's signature. I live in the middle of America and have met many toxic managers in my career.


Efficient_Will5192

Unfortunately, for legal purposes I cannot knowingly introduce settings or configurations which would destabilize our network environment or pose a risk to the business without management signing off on it. Once the work order is signed, I can begin. Now, in your management's defense, IPv6 is probably not the hill I would choose to die on. But I've certainly had to stand my ground like this in front of stupid and toxic middle management assholes in the past. Pick your battles, but stand your ground when it matters. Thinking about it, if I had to roll out the IPv6 change OP was talking about, I would make sure to stand up in company meetings to announce that we're making a change to IPv6, and that this change is scheduled to occur on X date. Performing such a change is known to cause network instability in some applications, so all departments should be prepared to identify and report any systems that don't appear to be performing accurately on X date. Give the other department heads a chance to ask "why are we doing this?" and defer that question back to whoever made the call.


jwckauman

So would you say "disabling IPv6" is something that we definitely should say "will break things" but not something to lose a job over? Let it 'break things'.


mmp

> When you push them to put it in writing (memo, email, whatever) they get *pissed.*

The anger is real. I have experienced it first hand.


jwckauman

Do you ever feel gaslighted? Like you know you didn't talk about doing something but they swear you did? (Or vice versa.)


node808

An "As per our discussion..." email is a good first step.


DevelopmentPie

Maybe this is where you send an email recapping the verbal conversation, just to make sure you "understand the directions given".


LeonIsAtWork

This is how you do it. Documentation can be created on both ends. Simply send the email off and ask the higher-ups to review it and email you back the OK.


mmp

> Maybe this is where you send an email recapping the verbal conversation, just to make sure you "understand the directions given".

That email would also be ignored, but if I did get a response it would be something like this:

**Manager:** *This is not a productive use of your time. John Doe will be reaching out to you to schedule some much needed time management training. Unfortunately, this will reflect negatively in your annual review.*


PlzHelpMeIdentify

I mean if you got told verbally to do it, just create a ticket if you guys ticket stuff and say in the ticket as xx requested. Saves the effort of emailing around trying to get a positive response, and if it goes wrong just follow up I was completing ticket xxx as requested.


jwckauman

This is a good idea. Instead of it just being a verbal request, create the ticket, and attach any notes about things breaking so there is a record of it.


Frothyleet

It's fine if it's ignored. It's a paper trail. Beyond that, if you are in some dystopian environment... get out of there.


draeath

> You will do it or lose your job.

I don't know your situation, but this sounds like a reason to walk all on its own. If you don't stick to your guns on this, you will eventually be left holding the bag (of shit) and get tossed out anyway.


jwckauman

I know this feeling and have lived this life. It's always just verbally communicated until something goes wrong, and then you have nothing.


Gene_McSween

This is stupid, you don't need the go ahead in writing. You send an email outlining the risks with said tasks and you urge them to reconsider. Follow up with "you're the boss and I'll complete whatever assignments are given". When they show up with the verbal go ahead, you've already created the documentation. Save a copy of the email, and present it should you need to.


Blog_Pope

Curious, I've seen this warning that things will break, but I've never seen anything break. Have you actually seen anything break from disabling IPv6? On the flip side, I've seen VPN break from Comcast allocating IPv6 addresses, and my default fix was disabling it. I also like to kill IPv6 on secure networks because having 2 network addresses is 2x more things to break or be exploited. Just went through this fun again: users were having trouble accessing some websites because they connected to the cable modem hotspot instead of our internal hotspot and were using IPv6.


Numzane

Personally no. That's why I put X. More of a general template really


jwckauman

Great advice, honestly. Do I need to document WHAT will break? because I honestly have no idea.


Numzane

Yes of course. You might even need to get some expenses approved to find out.


databeestjegdh

Make sure that you actually configure IPv6, and are aware it exists. Someone else can abuse this if you make this your "blind" spot. I deployed my 1st IPv6 networks in 2012, it's really not so special. It also makes you aware if products don't have things like RA Guard, just like DHCP guard. It makes you better, and if you are lucky, the network too.


jwckauman

What does configuration look like for a network admin if you aren't really using it for anything? Are we basically configuring it in such a way that we could leverage it? Basically mirror what we do with IPv4? What if you set the "prefer IPv4 over IPv6" registry setting? Is IPv6 config still needed?


databeestjegdh

Understand hierarchical routing/aggregation, as this is particularly relevant to IPv6. People that have been assigned a larger IPv4 prefix and set up a network/routing plan within that prefix will feel right at home. E.g. you assign 10.111.0.0/16 to a site, and then assign smaller networks from within that 111 prefix. It is no different in IPv6. You get assigned 2001:db8:1234::/48 and then assign one site within a 2001:db8:1234:1000::/52. You then assign smaller networks from within that /52 to the LANs or sub-routers. If you set it up, even if it is just for your monitoring and testing LAN, it will give you the possibility to test before you go forward. Don't start with the clients. Start working from the outside in with addressing and routing until you end up at your monitoring host. If your website/cloud has 4 and 6, you can then monitor the site with 4 and 6. Otherwise you might miss issues that could be related to 6. Remember, it is an entirely separate network and you can treat it that way.


jkdjeff

Why do they want this done? Unless they can clearly articulate that, it shouldn't be done.


lvlint67

Likely a misguided attempt at not enabling any unneeded features. Unfortunately, disabling IPv6 will break AD in really strange ways. When Microsoft says it's unsupported, they mean it. It will break stuff and no one will know why.


Chopsticks613

When you say it can break AD... Is this limited to Azure AD/Entra AD or also on-premise AD? Cursory research suggests ipv6 support started for Azure AD in 4/03/2023. I also wonder about the implications for mixed deployments where you have on-premise AD syncing with azure/Entra AD since folks use O365.


lvlint67

> When you say it can break AD

I'm telling you, if you disable IPv6 it will break AD. I'm also asserting that no one, not even top Microsoft engineers, can predict how or why. The solution, when presented with this foot gun, is to simply leave it alone.


Chopsticks613

Noted. I'm pretty green but the going practice for higher level admins in my org has been to disable IPv6. I've generally left it on (though not really configured unfortunately) since it didn't seem to cause issues. Thanks for the advice, I will look more into this.


jwckauman

Yeah. A) we don't use it. B) it makes noise. Has anyone written about what breaks exactly?


lvlint67

> Has anyone written about what breaks exactly?

You can find stories on the Internet. The point, though, is that even Microsoft doesn't know exactly how everything is going to break. Their engineers just know, "it breaks shit. We don't know what and don't know how. So don't disable it." If you've got a couple free days, sit on the phone and try to get an answer out of them. It will be, "we don't support that configuration and you shouldn't do it."


jwckauman

Mostly I've heard noise on the network. Excess traffic. I mean, I'm a minimalist as well when it comes to how I architect IT. If something is generating errors in event logs and it can be ignored, I would rather disable the thing than ignore it. I like a clean log. A clean Wireshark capture. Less bandwidth utilization. Although I'm also a futurist, so I like the latest and greatest, and it seems like disabling IPv6 is taking a step back. And I'm a "take the road most traveled" guy, so that means "defaults" and "common best practices". So I would lean towards leaving it enabled. Should I spend the time collecting network data so I can show what degree of IPv6 overhead there is? Is that something that is easy enough to do?


jkdjeff

I would at the very least do some pcaps on IPv6 traffic over your network and see what it's for.


GaelinVenfiel

Leave it on and do not block local IPV6 multicast. We ran into problems with failover because we blocked it and had IPV6 disabled. You have to go into the registry to disable it completely even after you turn it off from the network card settings. That is just one more example to add to the pile.


jwckauman

Thank you. Interested in what failed in your failover solution (and what that solution is)? Are you talking about Microsoft Cluster Services? Or something at a hypervisor level?


GaelinVenfiel

Clustering service level. This article explains the problem. Note that they said it is NOT recommended to turn off IPV6. But if you do not at least have multicast enabled, you have to do the registry key entry to disable IPV6 on the virtual adapter, which they also do not recommend doing, but we had to in my case since they would not turn on multicast IPV6 despite the warnings. If you disable it on the virtual adapter: "This is the only scenario where NetFT traffic will be sent entirely over IPv4. It is to be noted that this is not recommended and not the mainstream tested code path."

[Failover Clustering and IPv6 in Windows Server 2012 R2 - Microsoft Community Hub](https://techcommunity.microsoft.com/t5/failover-clustering/failover-clustering-and-ipv6-in-windows-server-2012-r2/ba-p/371912)

You may see things like: https://preview.redd.it/tlcpf23idayc1.png?width=816&format=png&auto=webp&s=18c91da25f4a2b46b96514b190a79011460a7fa4

That is why I said, ideally, leave the multicast IPV6 enabled so this traffic can get through. And make a note that turning off IPV6 at the network adapter settings does NOT disable it for the virtual adapter.


scytob

Less network noise is not a reason to turn off IPv6; most times that traffic will go over IPv4 instead, so no noise reduction. Do you have some OCD person trying to remove IPv6 because of its discovery packets? Are they in management? If so, show them the cumulative volume in bytes is trivial compared to your capacity and teach them to use filters in Wireshark?


jmbwell

Embrace it wholeheartedly. Manage it properly. Secure it properly. Don't leave a whole Wild West of unconfigured and neglected services to run free with no oversight. I'd rather have IPv6 enabled and fully supported and know what's going on than disable it and pretend it's not there and not have a clue. That's in general. Factory networks and whatnot with specific IPv4-dependent requirements are obviously their own thing. But in general, you want to make sure you're the only sheriff in town in both IPv4 and IPv6. "Network noise" doesn't mean anything relevant to me. If the network can't handle... uh, traffic? That's a different problem to solve. The days of 10BaseT single-collision-domain networks being meaningfully impacted by AppleTalk are long gone. A modern network shouldn't need to be pampered. Design the network to meet the needs of the clients, not the other way around. Besides, IPv6 is fun. Learning keeps the mind fresh. You'll have skills of value in the future.


CIAbot

Disable IPv4 instead


joeykins82

If you've not actually configured an IPv6 overlay on your network then all you've got is the link local addresses. Clients will by default resort to an IPv6 broadcast if they don't get a DNS response to a lookup. Localhost will use v6 over v4. Otherwise, that's it. Anyone who isn't the SME for networking insisting that it be disabled doesn't know what they're talking about. There are valid situational cases for configuring the registry setting which prefers IPv4 over IPv6, but it should not be disabled or unbound from anything other than iSCSI/FC NICs, especially if you are running Exchange on-prem. A better time investment is to get yourself ahead of the curve and properly design and configure your IPv6 overlay.


jwckauman

Thank you! Can you speak to which cases preferring IPv4 over IPv6 would be beneficial? If we didn't remove IPv6 but did set the registry setting to prefer IPv4 over IPv6, would we still be opening ourselves up for issues, or is that a solid config?


joeykins82

No because they’re so incredibly situational. I’ve set that setting a handful of times in the past 10 years.


ZealousidealTurn2211

The problem is not IPv6, and anyone who blindly disables it is doing themselves a disservice. You can set systems to prefer IPv4, but the more important thing is you should be aware of and configure how IPv6 is being routed/managed on your network. Disabling it on your Windows hosts doesn't mean IPv6 traffic isn't flowing on your network.


jwckauman

would you agree that preferring IPv4 over IPv6 is safe? or is that even problematic?


ZealousidealTurn2211

It's... Acceptable but fully configuring IPv6 is better, just more work. The security risk is not accounting for both existing even if you disable it on any particular endpoint.


SuperQue

There's no good reason to prefer IPv4 over IPv6 in 2024. You'd actually be better off turning off IPv4 and doing NAT64 at your edge.


Ochib

Disabling IPv6 will cause some versions of on-prem Exchange servers to have issues.


Kimmag

Throwback to when I disabled IPv6 on an exchange 2013-server, that caused a total shitshow to put it gently


Ochib

Enabling IPSec had the same effect.


jwckauman

thanks!! needed these kinds of details.


bigbadrune

We disabled ipv6 as recommended by our security vendor. It mostly broke inbound vpn connections from ISPs that were using it. That was enough for us to revert that change.


Educational-Pain-432

I'd get a new pen tester.


TheLionYeti

Yep, Comcast is super on the ball when it comes to ipv6, they had mostly rolled it out when I was working there like 7 years ago.


jwckauman

Do you know where Spectrum is these days with IPv6? I'll have to reach out. Good idea for an action item/discussion.


thortgot

Configuring your DHCP servers to hand out IPv6 is a better solution than disabling the protocol entirely. Environments without a DHCPv6 server are pretty easy to take advantage of.


jwckauman

appreciate the detail on this. so basically your users working from home couldn't VPN into the office because the residential ISPs relied on it?


lightmatter501

Tell them it might void the service contract with MS. IPv6 isn’t a security vulnerability, just use proper firewall because nat never was a security solution. You may also want to mention that if you turn off v6 you may need to upgrade the main firewalls since they will be working much harder doing NAT for everything. The cost of doing that may be enough to dissuade them.


Rhythm_Killer

At my place of work "management" do not get to make those calls. Well, to be a bit less glib, those decisions have to come from the architects or admins and the managers just champion it.


serverhorror

I'd educate myself and then deploy IPv6.


ITslashEverything

I can remember being told by my old boss to disable IPv6 on our first SBS2008 box that we installed. Turns out, I had to reinstall because it hosed everything. I learned a valuable lesson that day. Even though those old boxes are a lot more complex than what you’re running, Microsoft uses IPv6 for a lot of internal process communication and if you just yank it out, you will either break shit or create demons that you’ll chase for the rest of that machine’s life.


BeagleBackRibs

Been running without ipv6 for over 10 years and haven't had any problems.


tmontney

And what's the reward for running without IPv6?


Dagger0

Headaches from NAT, split DNS, RFC1918 clashes, slower performance... I mean, those don't sound like a reward to me, but I guess if you're masochistic they are?


BoltActionRifleman

Same here, we disable it by default on anything we can.


jwckauman

thank you. are you mostly a Microsoft shop?


BoltActionRifleman

Yep mostly MS, with a little bit of Linux on the server side


Rivia

These are the recommendations from MS for IPv6:

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ipv6-for-the-windows-administrator-why-you-need-to-care-about/ba-p/256251

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows


the_elite_noob

Why do you keep endlessly reposting the same comment?


Rivia

So people who have been disabling it get to see what the Microsoft recommendation is. Most people look at a post once and don't go back.


dark_frog

Everyone they are replying to is saying the same thing too


jwckauman

do you support a Microsoft-centric IT system? Windows, Active Directory, etc?


CyberHouseChicago

This is BS. I have disabled IPv6 forever and never ran into any Windows issue that was fixed by using IPv6.


HadopiData

Guaranteed you never tried enabling it when troubleshooting. We did on an issue which you would have thought was 100% unrelated to IPV6, that fixed it instantly.


CyberHouseChicago

Well, I haven't run into that kind of issue yet, maybe someday I will.


Xzenor

We configure and use it as much as possible next to ipv4. Sure, it's more work but the best way to learn is to work with it and there's gonna come a time when it's no longer optional but mandatory. Best to have experience before that time arrives.


EchoPhi

Seriously, I'll be dead before it gets here.


merRedditor

Make sure everyone knows to remove AAAA records for their projects, or people may have load balancers pointing to /dev/null, effectively.


VulturE

Do not be a Jeremy. Do not disable IPv6. I remember breaking exchange, I remember breaking SBS servers, and with Windows 11 and higher I believe it's highly not recommended. I believe they already said it wasn't recommended on Windows 10 though.


bronderblazer

I lost a gig after disabling IPv6 on a Windows Small Business Server, hell of a server. Everything stopped working. So no. Don't disable it. Lots of things can break; if you are not using the IPv6 addresses they are not sending traffic on them. At least get a test AD server and some clients and try it and you'll see how it breaks everything. MS has banked on IPv6 hard.


jwckauman

Sorry to hear that. What was the reason for disabling it at the time, if I may ask? And can you speak to details about what stopped working? Stuff users would see? Or back-end services?


bronderblazer

It was a stupid reason: it was a small company and for one of the guys it was taking 10 seconds too long to log in every morning. I looked it up, and in previous versions turning off IPv6 would help the server find itself! What stopped working? Well, I lost remote access to the server since I was managing it remotely. And the owner got upset and got someone local to fix it.


Ab5za

Ipv6 disabled on multiple ad controllers and workstations over multiple generations of os at multiple clients. No problems.


Nicko_89

Same case here, IPv6 fully disabled across our entire environment without issue. In fact the issues arise when it's turned on, because it doesn't play nice with the way the security blokes have the firewall rules configured.


Ab5za

This and old applications that cannot function over ipv6


bachi83

+1 Works fine without any issue for over a decade.


YellowF3v3r

+1 too


nostradamefrus

Yup. I see no need for it on LANs. It primarily exists to solve running out of IPs, and what organization is gonna max out a /8 subnet. It's caused more problems for me across multiple orgs than it's solved. Ran into a problem only once when I spun up a new DC, forgot to turn it off before joining to the domain, and then it lost domain trust because of it. Simple remove/rejoin to fix, although it took me several hours into the middle of the night blasting the Tarzan soundtrack to get there lol


Rivia

These are the recommendations from MS for IPv6:

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ipv6-for-the-windows-administrator-why-you-need-to-care-about/ba-p/256251

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows


Ab5za

Did you read any of it .... the forum post is some guy waffling about his opinion. Next you'll tell me windows defender is the only antivirus you need cause Microsoft says so.


Rivia

That "forum post" is a blog from a Microsoft employee. It explains the details around IPv6. If you don't like that link, then look at the second one, which is from the Microsoft learn site and has their best practices.


Ab5za

Go read them for me and tell me what it actually breaks and what doesn't work if you do.


hx53

We have enabled ipv6 and never got issues with that.


Verukins

One of the biggest issues I find is that people untick the IPv6 box and think it's disabled.... That's where I see all the problems. If you are going to disable it (which I do, in line with the CIS and other security standards to "disable unused protocols") - do it properly - [https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows](https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows)
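
As an added example (not code from any commenter or from Microsoft's page), this is the difference between unticking the adapter checkbox and "doing it properly": the checkbox only unbinds the protocol from one NIC, while the documented `DisabledComponents` DWORD under the Tcpip6 service key controls the whole stack. The script sets either the supported "prefer IPv4" value (0x20) or the full disable (0xFF) and then reports what is actually in effect. Function names are my own; run it elevated and reboot for the registry change to apply.

```powershell
# Added example: manage IPv6 via the Tcpip6 DisabledComponents value
# (the method the Microsoft doc linked above describes) and audit the result.
# Function names are assumptions for this example, not a Microsoft API.

$Tcpip6Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

function Get-IPv6Policy {
    # Read the current DisabledComponents value; absent means the default (0).
    $value = (Get-ItemProperty -Path $Tcpip6Params -Name DisabledComponents `
        -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $value) { $value = 0 }
    [pscustomobject]@{
        DisabledComponents = ('0x{0:X2}' -f $value)
        PrefersIPv4        = [bool]($value -band 0x20)     # bit 0x20 = prefer IPv4 in prefix policy
        IPv6FullyDisabled  = (($value -band 0xFF) -eq 0xFF) # 0xFF = IPv6 off except loopback
    }
}

function Set-IPv6Policy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('PreferIPv4', 'DisableIPv6', 'Default')]
        [string]$Mode
    )
    $value = switch ($Mode) {
        'PreferIPv4'  { 0x20 }  # keep IPv6 bound, prefer IPv4 (the supported option)
        'DisableIPv6' { 0xFF }  # what "disable it properly" means, if a standard demands it
        'Default'     { 0x00 }  # back to Windows defaults
    }
    if (-not (Test-Path $Tcpip6Params)) {
        New-Item -Path $Tcpip6Params -Force | Out-Null
    }
    Set-ItemProperty -Path $Tcpip6Params -Name DisabledComponents -Value $value -Type DWord
    Write-Host ("DisabledComponents set to 0x{0:X2}; reboot for it to take effect." -f $value)
}

function Show-IPv6State {
    # Per-adapter binding (the checkbox) next to the stack-wide policy (the registry value).
    Write-Host '--- Per-adapter ms_tcpip6 binding (the checkbox) ---'
    Get-NetAdapterBinding -ComponentID ms_tcpip6 | Select-Object Name, Enabled | Format-Table -AutoSize
    Write-Host '--- Stack-wide policy (DisabledComponents) ---'
    Get-IPv6Policy | Format-List
}

# Typical use: prefer IPv4 rather than disabling, then confirm what is in effect.
Set-IPv6Policy -Mode PreferIPv4
Show-IPv6State
```

Pushing the same value through a GPO registry preference is the scalable form; the audit function is useful either way, because an adapter showing `Enabled = False` for ms_tcpip6 with `DisabledComponents = 0x00` is exactly the half-disabled state the comment above is warning about.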


user3872465

4. You have to eventually. If it's already set up, set it up properly with the right security measures. So you are basically already there. Don't let management talk that over. What would be their reason for removing that?


jwckauman

Does 'setting IPv6 up' essentially mirror how IPv4 is set up? Or is it a completely different animal?


user3872465

It depends. If you are using public IPv4s for everything then it's essentially mirroring it. If you are using NAT for everything it's basically still mirroring it but without the NAT rules. Sure, it may be a bit more complex in some parts, but for 95% of networks it holds true.


YSFKJDGS

Here is a lesson learned about ipv6: We had an issue where a user took their laptop home, their home ISP stuff prioritized ipv6 (like a lot do now), and the laptop started doing ipv6 router advertisement traffic. Well, this user comes back into the office, their machine still is doing ipv6 router lookups and advertisements, and then all the other machines on the subnet start picking up those advertisements and trying to route traffic over ipv6 locally, including dns.... So yeah that one was fun to track down, found it in wireshark traces from the subnet, found the machine advertising themselves, went in and basically sent the commands to make it stop, everything settled and traffic started working again. We do NOT disable ipv6 normally, but our domain controllers do have it turned off even though MS technically doesn't like it.


heliosfa

> and the laptop started doing ipv6 router advertisement traffic.

Client devices don't just "start doing router advertisement" traffic. This is something your user managed to configure their device to do. IPv6 does not peer-to-peer advertise routes, and the only thing clients do in relation to router advertisement is send Router Solicitations to `ff02::2` and listen for Router Advertisements sent to `ff02::1`. They do not spontaneously start advertising themselves as a router.

> and then all the other machines on the subnet start picking up those advertisements and trying to route traffic over ipv6 locally,

This is a misconfiguration on your network. You should have RA guard (or equivalent) running to protect against rogue RAs, much like you should be running a DHCP guard for IPv4 DHCP.


YSFKJDGS

Yes, it was the solicitation and advertisements that started getting picked up, sourced by a single workstation that somehow was triggered by their home ISP config. Other machines started playing along and before you know it, DNS requests were no longer being answered (back then our DNS was on the workstation network at this one site, that has since been moved). There is no configuration on the network, it was all layer 2 (to the extent that IPv6 doesn't use broadcasts, etc etc). Happened years ago, but once we started looking at traffic it was 100% a workstation doing IPv6 router shit that then freaked out everyone else on that subnet, absolutely bizarre situation.


heliosfa

All clients with IPv6 enabled can do occasional solicitation. This is normal. Clients don't send out Router Advertisements and this will have had nothing to do with the home ISP config - being on an IPv6 capable network doesn't make a client think it's a router forever more. Heck, it thinking it was a router would likely have broken their home network connectivity. This was something your user set up incorrectly. If a user set up their workstation to be a DHCP server, would you blame their "home ISP config"?

> There is no configuration on the network, it was all layer 2 (to the extent that ipv6 doesnt use broadcasts, etc etc).

So you aren't running any sort of port security? What happens if someone plugs in a rogue DHCP server? You really should be running RA Guard and DHCP guard (or the equivalents on your switches) to protect against this sort of thing.

> Other machines started playing along and before you know it,

Of course they would, you let rogue RAs have free rein over your network.


YSFKJDGS

Users aren't local admins so they can't really mess with that stuff. I just tried searching for my notes, and this happened about 5 years ago so it's sketchy, but yes I think I have my RA and RS mixed up. We had a workstation doing solicitations on layer 2, our DNS server responded with an RA, then everyone started doing IPv6 lookups, and shit hit the fan. Dang I wish I saved those notes because it was super crazy when we found it.

EDIT: Found some archived notes. It was a Windows 7 workstation sending router advertisements. It also had 7 different public IPv6 addresses assigned to its Ethernet address, so it was a giant mess. I still blame the user's Comcast equipment for starting it.


machacker89

Any chance you can share a little more info about it? That would be awesome. I'm setting mine up as we speak. I don't want to make the same mistakes you did ;)


YSFKJDGS

Yeah, I even went back and pulled my legal hold messages and just found a couple of references, not the writeup (I'm pissed I never saved it somewhere, but it was 5 years ago lol). The workstation came online on our Ethernet network with 7 different public IPv6 addresses on its interface, along with our internal IP. It was basically doing rogue DHCPv6 messages, sending router advertisements. Everything on that subnet then started switching to IPv6 prioritization, including the DNS server on the same subnet (bad practice to have it live there, that's long since been fixed). We got the outage report because 'internet wasn't working', we confirmed it indeed was not working, and after port mirror captures we found that this thing was sending IPv6 router advertisements, tricking the other computers to send v6 DNS requests. All of the machines trying to v6 failed because we don't route that in our network. A bunch of other machines on the network started grabbing v6 addresses and basically stopped working. Those leases and DNS cache eventually wore off, but we literally took the laptop offline and manually purged its v6 config by turning it off. This can be solved with modern networking equipment to prevent 'rogue' DHCP servers; there are also Windows commands you can run to more or less turn off v6 stuff without unchecking that box. That stuff is basically baked into GPOs we have now and I frankly don't even know what the commands are anymore since this was back in the Windows 7 days. This was a freak occurrence, I still blame the home user ISP equipment (because it's easy lol), so honestly if you run GPOs that manually tell Windows to NOT use v6 for anything you should be fine. Honestly, you should be turning off that v6 stuff anyways because mDNS/DHCPv6/DNS6 stuff can be used by link local attackers to break your security controls and introduce poisoning you wouldn't normally detect.


machacker89

I have it disabled. But I was told it will break some stuff on Windows. I have it enabled on the Linux wifi. athanasius k you didn't have to go back, but I do appreciate it greatly.


YSFKJDGS

We have various machines with it turned off; in all honesty the odds of you seeing a real problem with it are next to nothing.


heliosfa

> We had a workstation doing solicitations on layer 2, our DNS server responded with an RA

All of your workstations would have been doing RS before this if IPv6 was ticked on the adapter. Why was your DNS server responding to them though?! The more details you give, the more broken your setup sounds... Again, RA Guard would have stopped this.

> I still blame the users comcast equipment for starting it.

Being blunt, you are barking up the wrong tree doing that. Windows does not publish or advertise IPv6 routes unless it is specifically told to, which is not something that happens just by connecting to a network. The only way Windows would have 7 different public IP addresses on its Ethernet interface in the absence of a router sending RAs is if it had been configured with static assignments (or perhaps if one of the transition technologies like 6in4, Teredo, etc. were enabled and configured), and this doesn't happen by connecting to a network. I suppose they could have enabled ICS, but that would still then need manual config to have addresses while on your network...


YSFKJDGS

I don't know what to tell you, but I found my notes and confirmed our Windows workstation was sending router advertisements, freaking out everything. There was no config error on the DNS, it was a prioritization thing that was solved by disabling v6 on the affected machine so it stopped advertising, and then we made the DNS side stop trying to do DNS6 lookups. When the machine came onto our network it still had a bunch of public v6 IPs on its interface, confirmed by our NAC tools and also when we got physical access to it, so it was easy to spot that machine had something weird going on. We've never seen it happen since then. It was basically a rogue DHCPv6/IPv6 issue at its core.
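
The two threads above (a Windows workstation that sent router advertisements, and the reply that Windows only does so when told to) both come down to a per-interface setting that is visible from PowerShell. As an added example, not from any commenter, this checks whether the local host is configured to advertise itself as a router, lists which link-local neighbours the host has accepted as default routers (and their MACs, which is what you would pull from a port-mirror capture otherwise), and provides the "commands to make it stop" the earlier post could not remember. Function names are assumptions for this example.

```powershell
# Added example: audit and remediate a Windows host's IPv6 router behaviour.
# Get-NetIPInterface/Get-NetRoute/Get-NetNeighbor/Set-NetIPInterface are
# the built-in NetTCPIP cmdlets; the function names here are my own.

function Get-IPv6RouterExposure {
    # Interfaces on which Windows itself would send RAs or forward packets.
    # A client should show neither; 'Enabled' here is the condition the
    # thread describes (a workstation acting as a router).
    $advertising = Get-NetIPInterface -AddressFamily IPv6 |
        Where-Object { $_.Advertising -eq 'Enabled' -or $_.Forwarding -eq 'Enabled' } |
        Select-Object InterfaceAlias, Advertising, Forwarding, RouterDiscovery

    # Default routes the host has accepted, i.e. every node that has claimed
    # to be a router on this segment. Protocol 'NetMgmt' means statically
    # configured; anything else was learned from a Router Advertisement.
    $routers = Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $neighbour = Get-NetNeighbor -AddressFamily IPv6 -IPAddress $_.NextHop `
                -InterfaceIndex $_.InterfaceIndex -ErrorAction SilentlyContinue
            [pscustomobject]@{
                InterfaceAlias = $_.InterfaceAlias
                RouterAddress  = $_.NextHop
                RouterMAC      = $neighbour.LinkLayerAddress
                LearnedVia     = $_.Protocol
                Metric         = $_.RouteMetric
            }
        }

    [pscustomobject]@{
        AdvertisingInterfaces = @($advertising)
        DefaultRouters        = @($routers)
    }
}

function Stop-IPv6RouterBehaviour {
    # Remediation for a host found advertising: turn off RA sending and
    # forwarding on every IPv6 interface. Requires an elevated session.
    Get-NetIPInterface -AddressFamily IPv6 |
        Where-Object { $_.Advertising -eq 'Enabled' -or $_.Forwarding -eq 'Enabled' } |
        ForEach-Object {
            Write-Host "Disabling advertising/forwarding on $($_.InterfaceAlias)"
            $_ | Set-NetIPInterface -Advertising Disabled -Forwarding Disabled
        }
}

# Audit this host. On a healthy client AdvertisingInterfaces is empty and
# DefaultRouters contains only the router(s) you expect on that segment.
$report = Get-IPv6RouterExposure
$report.AdvertisingInterfaces | Format-Table -AutoSize
$report.DefaultRouters        | Format-Table -AutoSize
if ($report.AdvertisingInterfaces.Count -gt 0) { Stop-IPv6RouterBehaviour }
```

Run the audit half across a fleet (it needs no elevation) and any machine whose `DefaultRouters` list shows a link-local next hop with a workstation's MAC is the host to pull, which is quicker than waiting for the DNS outage report. The RA Guard / DHCPv6 guard the other commenter mentions is still the control that stops the segment being affected in the first place; this only finds and fixes the Windows side.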


Kill3rT0fu

DISA STIG says to disable if you aren’t using. Do with that bit of information what you will


xxbiohazrdxx

We disable. It’s part of some STIGs but likely you would be fine with changing the network stack to prefer IPv4 as long as you’re also locking mdns/llmnr/any other dns bullshit that Microsoft in their infinite wisdom decided to enable by default.
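
"Locking mDNS/LLMNR" is a registry policy on the Windows side. As an added example (not from the commenter, and not Microsoft's own script), this audits and sets the two values in question: LLMNR via the `EnableMulticast` DNS client policy value and mDNS via the `EnableMDNS` value under the Dnscache parameters. Function names are assumptions for this example; run elevated.

```powershell
# Added example: audit/disable the multicast name-resolution protocols
# (LLMNR and mDNS) that get abused for poisoning on a link. Function names
# are my own; the registry paths/values are the standard Windows ones.

$LlmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$MdnsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'

function Get-MulticastNameResolutionState {
    $llmnr = (Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $mdns  = (Get-ItemProperty -Path $MdnsKey  -Name EnableMDNS      -ErrorAction SilentlyContinue).EnableMDNS
    [pscustomobject]@{
        # Both protocols are on unless the value exists and is 0.
        LLMNREnabled = ($null -eq $llmnr -or $llmnr -ne 0)
        MDNSEnabled  = ($null -eq $mdns  -or $mdns  -ne 0)
    }
}

function Disable-MulticastNameResolution {
    foreach ($key in @($LlmnrKey, $MdnsKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $LlmnrKey -Name EnableMulticast -Value 0 -Type DWord  # LLMNR off (policy)
    Set-ItemProperty -Path $MdnsKey  -Name EnableMDNS      -Value 0 -Type DWord  # mDNS off (Dnscache)
    Write-Host 'LLMNR and mDNS disabled; restart the Dnscache service or reboot to apply.'
}

# Before/after check for a report or a compliance script.
$before = Get-MulticastNameResolutionState
if ($before.LLMNREnabled -or $before.MDNSEnabled) {
    Disable-MulticastNameResolution
}
Get-MulticastNameResolutionState | Format-List
```

The LLMNR value is the same one the "Turn off multicast name resolution" Group Policy writes, so a GPO is the usual delivery mechanism; the script is for verifying that the policy actually landed on a given host, which is the part that tends to be skipped.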


sarosan

Which STIGs? I know CIS Benchmarks recommend disabling IPv6, but never seen any STIGs with such documentation.


michaelpaoli

> Management wants IPv6 removed

Management is being stupid, time to educate them. IPv6 is the present, and future, not the past. Should be doing IPv6 now - if not one is way behind the times. So, do at least the minimal bits with IPv6 - so link local and the like will work. Don't have to go beyond that if you're not ready for more, but not even doing that much and fully disabling IPv6 is generally a pretty bad idea at this point. If anything may be long overdue for disabling IPv6 :-) ... well, at least for stuff that's purely internal, anyway, and for the most part - may still require IPv4 for some legacy uses and the like. So, in general these days, one should mostly be dual stack, both IPv6 and IPv4, and anything public Internet should well and fully support both. Likewise any hardware or software products and such should well and fully support both - excepting only where some (e.g. legacy) protocols themselves may be limited to only IPv4.

1. Is "less network noise" a good enough reason to deviate from default in this case? No.
2. Are there any other benefits of going through the effort to remove IPv6? No, not really.
3. What could break? Quite a bit these days. Anyone try to do this and fail? I'm sure many have. What happened? Ask them. What lessons were learned? Don't (totally) disable IPv6 in this day and age.
4. Are we going to have to put it back sooner than later? Probably sooner ... if you don't totally break things trying to get rid of it.


theRealNilz02

rogue DHCPv6 servers can cause a lot of havoc if there is no real ipv6 infrastructure present.


michaelpaoli

So can rogue IPv4 devices. Not all that different.


patmorgan235

You should have rogue DHCP protection on your switches configured for v4 and v6


GertVanAntwerpen

The world is moving (yes, very slowly) to ipv6 and your management wants to disable it? It’s a very bad idea unless you have an extremely good reason, which I can’t imagine. Try learning how it works before you are forced to use it.


pdp10

[40% of global traffic to Google is IPv6](https://google.com/ipv6/) today.


[deleted]

[deleted]


pdp10

My priority with IPv6 is reaching the makers of products, and our vendors, with the messaging that we need IPv6-only support *yesterday*. It was a "nice to have" in 2012, but since 2017 first thing we do with a new networked system is bring it up on IPv6. If some of these companies knew how often I'd decided not to buy their products because of zero or indeterminable IPv6 support, they'd be terrified. At least with open source I can test it myself, and usually code a patch if needed, but with appliances and embedded gear it's a frustrating task. At first glance a product spec sheet can seem very technical, but then when you start to look closely, you see how vague it is. I mean, "LAN port"? In *anno domini* 2024 we can probably assume Ethernet, but you can't even tell me if it's 100BASE-TX or 1000BASE-T? I need to buy a new kitchen refrigerator that we'd like to have a remotely-pollable temperature gauge with wired networking, but I've been putting it off for years. I'm pretty sure we'd be happier building it than buying it, and it would've been done by now.


hurkwurk

That's more due to ISPs acting as NATs for end users and doing 4to6 before touching Google. I doubt more than 30% of PCs actually have IPv6 purposefully configured.


pdp10

I'm afraid that's a misconception. An IPv6 client can be NAT64ed to IPv4 destinations, but not the other way around. Basically all IPv6 traffic is coming from native IPv6 nodes. Native IPv6 use is generally common with wireless mobile and DOCSIS cable, rare with DSL and small business leased-line uplinks, although this is very regional as well. IPv6 is common in India, France, Brazil, Belgium, U.S., rare in Africa and Russia.


hurkwurk

NAT-PT. Edit: there are far more IPv4-only devices in existence that could not work on IPv6 networks if what you said is true, which is why it's, on its face, false. This is why DOCSIS can roll out as pure IPv6, while still supporting millions of legacy IPv4 devices on the other side of the router.


pdp10

IPv6-only networks can support legacy devices in a few ways, but mostly use 464XLAT. The CLAT component does do a NAT46, but the only destination is to a NAT64 where it gets converted back into IPv4. An IPv4-only client can't reach an arbitrary IPv6 destination like `2600::` (without going through a dual-stacked host that does DNS lookups, such as a proxy). The network "supports" the IPv4-only devices, but those legacy devices can't reach IPv6-only destinations, as I said. Stateful NAT64 is used every day, but it doesn't work in the other direction.


Pelasgians

Microsoft does not recommend but I have disabled IPV6 via a configuration baseline for all my workstations (1750) for a year and a half.


KiNgPiN8T3

In my experience disabling it has fixed more things than it has broken.. lol! (Rightly or wrongly..)


Wabbyyyyy

At the firm I work for, we turn IPv6 off on every machine NIC. Hasn't caused us any issues and we've been doing it for 2+ years.


kinos141

Do not disable ipv6. It will become the standard some day.


Papfox

I read your post and my first thought was "Oh no, management have been reading about technical stuff they don't understand on the internet again." What do they mean by "noise?" Whatever communication is going to happen is going to happen regardless of whether you use IPv4 or IPv6. Having IPv6 doesn't change that. The management traffic to make IPv6 work is small. Nobody would design an IP stack that required massive volumes of management traffic. A few hundred bytes of DHCP6 or SLAAC traffic is a drop in the ocean. There are currently a few services on the internet that are IPv6-only. That number will increase over time. Doing away with IPv6 will deny you access to those services. Also, some major services have separate servers for IPv6 so removing it may slow your access to those services down or increase the chances of the service not being available as you're limiting yourself to a subset of their servers. I don't see any compelling reason to remove IPv6 and given that it might break things for no real gain, I wouldn't remove it from my estate


jwckauman

So far the consensus seems to be almost 100% "unsupported configuration" and that it "breaks things". **Is there any detail on what breaks exactly?** is it just Active Directory? or Windows Server in general (e.g. IIS, SQL Server, Exchange, SharePoint, DNS, DHCP. File Services, etc.). And does Microsoft not support it with respect to Active Directory? or Windows in general?


s_schadenfreude

Sounds like MS isn't even sure what breaks ¯\_(ツ)_/¯


SenteonCISHardening

https://preview.redd.it/q8cc9puswayc1.png?width=1890&format=png&auto=webp&s=f02a85c9c95c3cd5622424b14d5c5bb940a9f97e I'll leave this here... Defaults are typically bad and bring more value than just less noise. If you are in a regulated space definitely harden, if you need reporting and enforcement a tool like Senteon in screenshot will remediate this.


Next_Information_933

Disable, it can cause issues in clustering and ha setups. It can also cause issues in name resolution and routing if it registers the ipv6 address to AD as well. You don't need it, it should be disabled. Defaults are easy to exploit because they are known.


ArsenalITTwo

Microsoft doesn't support disabling IPv6 at all and weird things WILL break due to it. You're actually better off disabling RA and DHCP in the Windows / Host Firewall. Also DHCP Snoop your switches and enable RA guard.
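
The host-firewall suggestion above is straightforward to express as explicit block rules, which in Windows Defender Firewall take precedence over the built-in Core Networking allow rules. As an added example (not the commenter's or Microsoft's code), this blocks inbound Router Advertisements (ICMPv6 type 134) and inbound DHCPv6 server-to-client traffic (UDP 547 to 546) on the Domain profile only, with an audit function so a compliance check can confirm the rules are present and enabled. Rule display names and function names are assumptions for this example; run elevated.

```powershell
# Added example: host-firewall rules that stop a Windows client accepting
# rogue RAs and DHCPv6 offers, plus an audit. The rule names are my own.

$RuleRA    = 'Block inbound IPv6 Router Advertisements (hardening example)'
$RuleDhcp6 = 'Block inbound DHCPv6 replies (hardening example)'

function Add-RogueIPv6BlockRules {
    param(
        # Domain only by default: on a network that really runs IPv6 these
        # rules would also block the legitimate router and DHCPv6 server,
        # so scope them to where you know there is no IPv6 routing.
        [ValidateSet('Domain', 'Private', 'Public', 'Any')]
        [string]$Profile = 'Domain'
    )
    if (-not (Get-NetFirewallRule -DisplayName $RuleRA -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleRA -Direction Inbound -Protocol ICMPv6 `
            -IcmpType 134 -Action Block -Profile $Profile -Enabled True | Out-Null
    }
    if (-not (Get-NetFirewallRule -DisplayName $RuleDhcp6 -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleDhcp6 -Direction Inbound -Protocol UDP `
            -LocalPort 546 -RemotePort 547 -Action Block -Profile $Profile -Enabled True | Out-Null
    }
}

function Remove-RogueIPv6BlockRules {
    # Roll-back for when the site does bring up IPv6 routing.
    foreach ($name in @($RuleRA, $RuleDhcp6)) {
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    }
}

function Test-RogueIPv6BlockRules {
    # Returns one row per expected rule so a report can flag missing/disabled ones.
    foreach ($name in @($RuleRA, $RuleDhcp6)) {
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Rule    = $name
            Present = [bool]$rule
            Enabled = ($rule -and $rule.Enabled -eq 'True')
            Action  = if ($rule) { $rule.Action } else { $null }
        }
    }
}

Add-RogueIPv6BlockRules -Profile Domain
Test-RogueIPv6BlockRules | Format-Table -AutoSize
```

This is the client-side half of the comment; DHCP snooping and RA Guard on the switches are what protect hosts you do not manage (printers, appliances, anything without this firewall), and the comment is right to list both.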


Phreakiture

Just leave it on. You might want that functionality someday when you finally get tired of NAT. 


jetcamper

Disable it on adapters. Nothing breaks.


[deleted]

[deleted]


jetcamper

You’ve disabled llmnr right?


rosickness12

I just disabled this in registry yesterday in Citrix environment. It's in prod. Guess I'll wait and see. Nothing so far. 


krylosz

I have worked at a multinational company where it was completely disabled on all machines. Absolutely no issues and no issues with MS support.


Barrerayy

Set it to prefer ipv4 and forget about it. No reason to disable it outright, it'll probably cause more harm than good


ms4720

If you don't have a reason to turn it on/leave it on turn it off. Life is just simpler and simpler is better


Ancient-Equipment673

Needed to disable it on an Apple Macbook today so the customer could connect to an Azure Virtual desktop... Someone explain this to me lol..


hihcadore

Sconfig wouldn’t allow me to set network properties with IPv6 disabled so there’s that.


vincepower

Honestly, if management wants a single network stack on your internal servers and laptops, I’d work towards being IPv6 only.


zrb77

I'm a DBA with some sysadmin experience, but in our shop for a small state govt with about 100 MSSQL instances, all MS like yours, our systems/network team disables IPv6 everywhere via the registry. I don't know the exact reasoning, but it's their standard. I admin SQL clusters and I know the cluster services will use/try to use IPv6 for their own comms. We haven't had any issues from disabling that I know of.


CyberHouseChicago

There is no business use case for IPv6 for 99% of companies, so unless you can claim to be that 1% anything IPv6 is stupid. I have heard IPv6 is the future for 10+ years now, it's all bullshit.


CyborgPenguinNZ

The future is here..... Fed gov shop. We're mandated to move to ipv6 as soon as practical. Ipv4 stack will eventually be phased out on our networks and all new systems and equipment must be ipv6 enabled at time of implementation. It's gonna be a complete shit show and it's gonna be super expensive but we have no choice. https://www.whitehouse.gov/wp-content/uploads/2020/11/M-21-07.pdf


pdp10

The 80% IPv6-only mandate won't be expensive, in my experience, because all enterprise gear has had IPv6 support included for many years. Specifically, printers, routers, operating systems, enterprise IP surveillance. The things that don't have it are very consumer-market, or niches that only recently decided that TCP/IP is a good idea, like industrial.


CyberHouseChicago

You are part of the 1% that needs it


rainer_d

Just like the cloud :-)


CyborgPenguinNZ

I always say, there's no such thing as the cloud, it's just someone else's computer.


CyberHouseChicago

Been running a cloud for 20+ years 🙀


jeffrey_smith

When the users aren't on a company premise they access the company's cloud.


Rhythm_Killer

Yeah we call it private cloud


jess-sch

> There is no business use case for ipv6

Except, of course, saving tons of money in the cloud. But I suppose that doesn't count?


CyberHouseChicago

A /24 costs $250 per month to rent , yes go ahead save yourself a few $$$ with ipv6 and have fun connecting to networks like mine that don’t run IPv6 lol


Zealousideal_Mix_567

Disable. I doubt you're monitoring IPv6 traffic, so that can be a method for malware to communicate undetected


JRmacgyver

On a domain env, whenever I have dns issues... The first thing is to check and disable ipv6. 90% of the time, ipv6 is the cause


zbeta

Listen to your management. Having ipv6 enabled in an active directory environment can allow an attacker with internal access to get domain admin very easily. Check here. https://medium.com/@browninfosecguy/ipv6-exploitation-in-ad-environment-b22a7c3ec8af


Ragepower529

Why not just roll out now IPv4 and keep existing stuff on IPv6 and see how it goes, but that sounds like a nightmare. I could not imagine trying to manage an environment that has IPv6 considering I need to have several dozen VLANs and IPv4 addresses memorized. Can't even nslookup without pulling up a knowledge article.


tankerkiller125real

What in the hell??? I have several VLANs myself, and the only IPs I have memorized are the DNS/AD servers; we lookup/dig everything else. And yes, we have IPv6 fully deployed and operational (for the last several years). IPv6 is coming whether people like it or not, progress might be slow, but it's above 50% of traffic consistently now to Cloudflare sites and Google. And adoption seems to be speeding up based on the graphs.


rainer_d

I'm really not one of those people who jumps on every new thing when it shows up on the horizon - but IPv6 is one of those things that really enables a lot of automation on the network side that just isn't possible in IPv4 land.