Disabling IPv6 – Confessions of a UI

June 16, 2010 by Leave a comment

A couple of days ago I decided to disable IPv6 on the network and set about to find the best way to do it. The reasons for/against disabling IPv6 are quite a talking point and outside of the scope of this article, however I will provide a brief summary:

  • MS best practice is to leave it turned on
  • MS test all of their products with it turned on, so if you want the most compatible environment its probably better to leave it on.
  • Disabling IPv6 means you lose features that are dependant on it, such as Homegroups – but there is nothing “essential” that will break.
  • Disabling it can lead to faster network performance (marginal) as the OS will try and use IPv6 as default and fall back to IPv4 after a short timeout. a good example of this is DNS and DHCP as it will check the IPv6 versions first, wait for the timeout and then go to the IPv4 versions that you almost certainly use.
  • Regardless of it being enabled/disabled, if want to make security the focus then you should block all IP protocol 41 and UDP 3544 traffic at the perimiter firewall – just to be sure no IPv6 traffic gets routed into the network.
  • It is the future, although clearly not as immediate as everyone makes out. To be honest I wouldn’t be suprised to see IPv6 making more of an impact in the cloud environments over the next couple of years, but I don’t expect any local networks or businesses to migrate to it any time soon. Too much cost, not enough benefit.

Anyway back to the issue, essentially there are two ways of disabling:

  1. Manually unticking the IPv6 protocol from the adapter
  2. Setting a registry key to disable IPv6 across the system and all adapters
    As I wanted to disable it system wide I went about using Group Policy client preferences to push a registry key out to the clients. I immediately came across the following TechNet article giving the required key and value:

http://support.microsoft.com/kb/929852

ipv63

Unfortunately it didn’t work, so I looked again and then found more articles stating the key was correct but the value was not. In fact it seems no-one can agree as some state it as 0xff, some as 0×00 and others agree with the MS article of 0xFFFFFFFF. Each article claimed success and made no mention of the other values. Well I tried them all but no success – checking the protocol bindings on the adapters showed IPv6 still enabled and active:

ipv62

After about half an hour of reboots, checking the key, trying all different values and generally getting a bit hacked off I decided it wouldn’t be the first time the UI had lied so decided to test the actual protocol using the Microsoft key of 0xFFFFFFFF – low and behold:

ipv6

So it *is* disabled, it just doesn’t disable the protocol on the adapter…. genius :(

(For information, none of the other values work so ignore them – only the MS article value of 0xFFFFFFFF works. Some other values are available to disable specific IPv6 things, but 0xFF doesnn’t appear to do anything at all.)

Anyway, in my book if you disable the protocol then the UI should be updated, otherwise admins will get all confused when they don’t know the key is there something doesn’t work. Checking the protocol bindings will show everything active….. 

    About these ads

    Filed under Technical

    Leave a Reply

    Fill in your details below or click an icon to log in:

    Gravatar
    WordPress.com Logo

    You are commenting using your WordPress.com account. Log Out / Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out / Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out / Change )

    Cancel

    Connecting to %s

    Follow

    Get every new post delivered to your Inbox.

    %d bloggers like this: