Hello! Dorian again with a blog article regarding IPv6.
The main reason for writing this blog post is that, until now, best practice has said “If you aren’t using it, disable it!”, and our customers see lots of talk on message boards saying “Your Internet is slow? Disable IPv6! That’ll fix it!”, so they develop the wrong idea about what IPv6 does and how it works.
As a result, we’ve noticed that a lot of customers ask how they can disable IPv6 in the supported way. The answer to this question is in KB929852, which shows ways to disable certain components, how to alter the prefix policies, or how to deactivate everything except the IPv6 loopback interface.
How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7 and Windows Server 2008: http://support.microsoft.com/kb/929852
Even if this is the “supported” way to deactivate IPv6, Microsoft does not recommend that customers disable IPv6 if they are not planning to use it in the network. Please take into consideration that you “might” face issues or problems, and that at some time after you open a Service Request we might need to ask you to (re)enable IPv6 just to see if the problems were caused by the deactivation itself.
Some of these possible issues are:
When IPv6 is disabled via the registry hacks in http://support.microsoft.com/kb/929852 or via unbinding in the NIC bindings, UDP 389 ceases to respond. This is a known behavior and is referenced briefly in KB 816103.
Be aware that the LDAP test over UDP may not work against domain controllers that are running Windows Server 2008. One reason for this can be that you have disabled IPv6 on the Domain Controller. To re-enable IPv6, set the value discussed in the article below to the default of "0".
What occurs here is that a check is performed to see what the maximum response can be, and it calls into an API specific to IPv6 for the result. The return is a null value because the protocol is not enabled. There is a possibility that an additional check may be included to see if more than one IP protocol is bound to the adapter; however, our official stance on IPv6 is not to disable it on 2008 or later platforms.
Exchange 2007 recommended disabling IPv6 to fix an issue with Outlook Anywhere. The Exchange 2007 limitation was fixed in Exchange 2010. Customers that disabled IPv6 and later upgraded to Exchange 2010 then ran into issues because IPv6 was disabled. http://support.microsoft.com/kb/977623/EN-US
Disabling IPv6 costs you money. There is no default GPO that allows IPv6 to be disabled. Depending on how it is disabled, re-enabling it can be challenging. We have several customers that heard this and decided to disable IPv6 in Vista anyway. When Windows 7 rolled around, the same customers wanted to deploy DirectAccess, and began complaining how hard it was to find all the machines that had v6 disabled and get it re-enabled on those clients. Disabling v6 increased their management costs for very little benefit, and re-enabling IPv6 cost them again. Our goal is to help customers lower TCO, not raise it.
IPv6 is required by the Common Engineering Criteria. All Microsoft products for the enterprise should support IPv6. Future versions of our products may require it.
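The inventory problem described above (finding every machine where IPv6 was disabled through the registry) can be scripted. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes PowerShell remoting is enabled on the targets, covers only the registry value described in KB929852 (not NIC unbinding), and its function names and host list are hypothetical.

```powershell
# Added example: inventory of the Tcpip6 "DisabledComponents" registry value.
# Bit meanings follow Microsoft's documentation of this value (KB929852);
# confirm them against the KB before acting on the report.
$Flags = @(
    @{ Bit = 0x01; Meaning = 'all tunnel interfaces disabled' }
    @{ Bit = 0x02; Meaning = '6to4 disabled' }
    @{ Bit = 0x04; Meaning = 'ISATAP disabled' }
    @{ Bit = 0x08; Meaning = 'Teredo disabled' }
    @{ Bit = 0x10; Meaning = 'IPv6 disabled on non-tunnel interfaces' }
    @{ Bit = 0x20; Meaning = 'IPv4 preferred over IPv6 in prefix policies' }
)
$DwordMask = [int64][uint32]::MaxValue

function ConvertFrom-DisabledComponents {
    param($Value)   # $null when the registry value does not exist
    # The registry provider may hand back a DWORD as a signed Int32,
    # so widen to Int64 before doing any bit tests.
    $v = [int64]$Value -band $DwordMask
    if ($v -eq 0) { return 'default (all IPv6 components enabled)' }
    $set = foreach ($f in $Flags) { if ($v -band $f.Bit) { $f.Meaning } }
    if (-not $set) { return 'non-zero, but no documented bit set' }
    $set -join '; '
}

function Get-IPv6DisabledComponents {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    foreach ($computer in $ComputerName) {
        try {
            $raw = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                $p = Get-ItemProperty -Path $using:key -ErrorAction Stop
                $p.DisabledComponents   # $null if the value was never created
            }
            [pscustomobject]@{
                Computer = $computer
                Value    = '0x{0:X}' -f ([int64]$raw -band $DwordMask)
                Settings = ConvertFrom-DisabledComponents $raw
            }
        } catch {
            # Unreachable hosts are reported, not silently skipped.
            [pscustomobject]@{ Computer = $computer; Value = 'n/a'; Settings = "query failed: $_" }
        }
    }
}

# Hypothetical usage: hosts.txt holds one computer name per line.
# Get-IPv6DisabledComponents -ComputerName (Get-Content .\hosts.txt) |
#     Where-Object Settings -notlike 'default*'
```

Hosts that report anything other than the default are the ones to review before a rollout that depends on IPv6, such as the DirectAccess deployment mentioned above.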
Additional References:
The IPv6 Blog: http://blogs.technet.com/b/ipv6/
Disabling IPv6 Doesn't Help (By Sean Siler): http://blogs.technet.com/b/ipv6/archive/2007/11/08/disabling-ipv6-doesn-t-help.aspx
The Argument against Disabling IPv6: http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx
It is unfortunate that some organizations disable IPv6 on their computers running Windows Vista or Windows Server 2008, where it is installed and enabled by default. Many disable IPv6 based on the assumption that they are not running any applications or services that use it. Others might disable it because of a misperception that having both IPv4 and IPv6 enabled effectively doubles their DNS and Web traffic. This is not true.
From Microsoft's perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6.
If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions like Windows 7 or Windows Server 2008 R2, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be. Additionally, the P2P APIs require IPv6, and those are public APIs. If IPv6 is disabled, programs that use the P2P APIs will break. This could impact application compatibility for third-party apps.
Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled.
Let’s think even further about the transition to IPv6 and the benefits of being IPv6 ready:
Customers CANNOT learn IPv6 in a weekend. They need time to roll this out, in a slow phased migration. This is what Microsoft has recommended from the beginning. If customers wait until the day their ISP says “Sorry, we’re out of IPv4 addresses!” to start thinking about IPv6, they are in deep trouble. Right now, according to the NRO, less than 10% of IPv4 addresses remain unallocated.
More info regarding this here: Less than 10% of IPv4 Addresses Remain Unallocated, says Number Resource Organization: http://www.nro.net/media/less-than-10-percent-ipv4-addresses-remain-unallocated.html
As of 30 September 2010, according to ARIN Stats, only around 5% of the IPv4 address space is left. Don’t fall behind; start your IPv6 planning now!
IPv6 Learning Roadmap now available (by Joe Davies): http://blogs.technet.com/b/ipv6/archive/2010/11/02/ipv6-learning-roadmap-now-available.aspx
The IPv6 Learning Roadmap provides an organized and sequential list of Web and print resources that you can use to build your understanding of IPv6, starting with prerequisites and then adding level 100 (introductory), level 200 (intermediate), and level 300 (advanced) knowledge.
As a final conclusion: IPv6 was designed to have no impact on the customer environment in production. No double queries, no DNS entries, no tunneling through the firewall, no performance degradation. If you feel like you have seen any of these and can provide data for troubleshooting, please feel free to open an incident with Microsoft so that we can discuss it.
Customers cannot also live with the distributed IPv6 network segmented by ISA... Pity =(
We had similar thinking, i.e. we don't use it so let's disable it.
However, we found that if we disabled IPv6 on Windows 7 clients then Offline Files wouldn't work, so now we keep it enabled. If you want more details, check out my blog thommck.wordpress.com/.../offline-files-versus-vpn-a-k-a-the-case-of-the-missing-work-online-button
It is a network protocol, shouldn't be mandatory to have it enabled. From a security standpoint, I think that it's better to have as few items enabled on the network adapters as possible.
Nice post!
"Disabling IPv6 costs you money" Sorry but this argument is complete nonsense.
Deploy and Un-Deploy of DisabledComponents with Group Policy Preferences Registry, with an own ADM template or even with a script doesn't even take me more than 2 minutes to: create a GPP registry entry, or write an ADM template in Notepad, or integrate a computer startup script with a reg import. I can do all 3 solutions within 2 minutes.
Even if it was "unbind" on the LAN Connection, it can be bound with a script again.
Please remove this argument; editing the registry or manipulating clients is never ever a challenge for the admin. It's his daily business.
@Mark Yes, there are several methods of deploying an IPv6 setting. The problem is how people do recognize that a problem is being caused by a disabled IPv6 component when they are facing it. From what I have seen until now, nobody remembers that a few months ago they disabled IPv6, and now after a power failure, when the server is booting up, they are facing problems...
And there are the costs going. Production down etc.
Example is hypothetical. The key proposition is that Microsoft does not test with IPv6 disabled.
Give me just one example of one serious problem depending on a missing IPv6 (despite DA or something obvious); there is none. The costs argument is just marketing, not technical.
We recently initiated a support service call with Microsoft on our Lync environment. First thing the tech did when remoting into the environment: he verified we had IPv6 disabled on all Lync servers. I confronted him on the issue; he said "We have seen some issues caused by IPv6".
Microsoft should communicate a consistent message on this topic.
It's not marketing, it's just another backdoor.
The link is broken for KB977623. Completely agree @Mark Heitbrink. This article has no technical information as to how it's going to affect the environment or risk etc.
I have always disabled IPV6 on all our servers and workstations, never had any issues, what a crock.
Malware attacks through open protocols cost money too. What a choice Microsoft... thanks for that one! :)
Disappointed, no technical information here!
If you really want to be invisible in the net, the first thing you have to do is to disable IPv6. The top professionals in Internet Security are going to tell you why. :)
To find out more information about what IPv6 really does, don't hesitate to buy the book(s):
or read the next article ----