Disabling IPv6 – Confessions of a UI
June 16, 2010
A couple of days ago I decided to disable IPv6 on the network and set about finding the best way to do it. The reasons for/against disabling IPv6 are quite a talking point and outside the scope of this article; however, I will provide a brief summary:
- MS best practice is to leave it turned on
- MS test all of their products with it turned on, so if you want the most compatible environment it's probably better to leave it on.
- Disabling IPv6 means you lose features that are dependent on it, such as Homegroups – but there is nothing “essential” that will break.
- Disabling it can lead to faster network performance (marginal) as the OS will try to use IPv6 by default and fall back to IPv4 after a short timeout. A good example of this is DNS and DHCP, as it will check the IPv6 versions first, wait for the timeout and then go to the IPv4 versions that you almost certainly use.
- Regardless of it being enabled/disabled, if you want to make security the focus then you should block all IP protocol 41 and UDP 3544 traffic at the perimeter firewall – just to be sure no IPv6 traffic gets routed into the network.
- It is the future, although clearly not as immediate as everyone makes out. To be honest I wouldn’t be surprised to see IPv6 making more of an impact in the cloud environments over the next couple of years, but I don’t expect any local networks or businesses to migrate to it any time soon. Too much cost, not enough benefit.
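To check that the perimeter rule from the list above is actually holding, the added example below (not part of the original post) classifies raw IPv4 packets as tunnelled IPv6 when they use IP protocol 41 or UDP port 3544. The function names and the sample packets are constructed for illustration; in practice the bytes would come from a capture taken at the firewall.

```python
import struct

PROTO_IPV6_ENCAP = 41   # IPv6 encapsulated in IPv4 (6in4, 6to4, ISATAP)
PROTO_UDP = 17
TEREDO_PORT = 3544      # Teredo runs over UDP 3544

def classify(packet: bytes):
    """Return a reason if the IPv4 packet carries tunnelled IPv6, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                       # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4          # IP options shift the UDP header
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]
    if proto == PROTO_IPV6_ENCAP:
        return "ip-proto-41"
    if proto == PROTO_UDP:
        frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
        if frag_offset or len(packet) < ihl + 4:
            return None                   # later fragments carry no UDP header
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            return "udp-3544-teredo"
    return None

def ipv4(proto, payload, options=b""):
    """Build a constructed IPv4 packet (checksum left at zero)."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return hdr + options + payload

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed sample packets using documentation addresses, not captured traffic
SAMPLES = {
    "6in4": ipv4(41, b"\x60" + b"\x00" * 39),
    "teredo-out": ipv4(17, udp(50000, 3544)),
    "teredo-with-ip-options": ipv4(17, udp(3544, 50000), options=b"\x01" * 4),
    "dns": ipv4(17, udp(50000, 53)),
    "tcp": ipv4(6, b"\x00" * 20),
}

def scan(samples=SAMPLES):
    return {name: classify(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:24} {verdict or 'pass'}")
```

Any packet flagged on the inside of the perimeter means the block rule is missing or is being bypassed.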
Anyway back to the issue, essentially there are two ways of disabling:
- Manually unticking the IPv6 protocol from the adapter
- Setting a registry key to disable IPv6 across the system and all adapters
As I wanted to disable it system wide I went about using Group Policy client preferences to push a registry key out to the clients. I immediately came across the following TechNet article giving the required key and value:
Unfortunately it didn’t work, so I looked again and then found more articles stating the key was correct but the value was not. In fact it seems no-one can agree, as some state it as 0xff, some as 0x00 and others agree with the MS article of 0xFFFFFFFF. Each article claimed success and made no mention of the other values. Well, I tried them all but no success – checking the protocol bindings on the adapters showed IPv6 still enabled and active:
After about half an hour of reboots, checking the key, trying all different values and generally getting a bit hacked off, I decided it wouldn’t be the first time the UI had lied, so decided to test the actual protocol using the Microsoft key of 0xFFFFFFFF – lo and behold:
So it *is* disabled, it just doesn’t disable the protocol on the adapter…. genius
(For information, none of the other values work so ignore them – only the MS article value of 0xFFFFFFFF works. Some other values are available to disable specific IPv6 things, but 0xFF doesn’t appear to do anything at all.)
Anyway, in my book if you disable the protocol then the UI should be updated, otherwise admins will get all confused when they don’t know the key is there and something doesn’t work. Checking the protocol bindings will show everything active…..