Are you disabling IPv6? Maybe you should stop — and here’s why

A recent Windows 10 update brought to light just how many people are disabling IPv6 as part of their normal process. Should you be doing that? Probably not.

But first things first. Since so many people are disabling IPv6, many readers are probably already jaded at the prospect of allowing it on their network. I'm going to argue that in most cases disabling IPv6 is neither necessary nor desirable. But before we get to that, if you just can't stomach it, or you have serious legacy applications or hardware, here is Microsoft's official recommendation: keep IPv6 enabled, but set a policy that tells Windows to prefer IPv4. (Meanwhile, for those who want to transition from IPv4 to IPv6, check out this story.)

To prefer IPv4 without disabling IPv6, set the following registry value according to the table below. A reboot is required before a change takes effect.

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\

Name: DisabledComponents

Type: REG_DWORD

Min Value: 0x00 (all IPv6 components enabled; if the value is not present, Windows behaves as if it were 0x00)

Max Value: 0xFF (IPv6 disabled on every interface except loopback)

IPv6 Functionality        Registry value                        Comments
Prefer IPv4 over IPv6     Dec 32 / Hex 0x20 / Bin xx1x xxxx     Recommended instead of disabling
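As an added example (not from the original article), here is how an administrator would read, decode and set that value from an elevated PowerShell session, and then confirm after the reboot that the prefix policy really changed. The 0x20 bit is the one documented above; the meanings of the 0x01 and 0x10 bits come from Microsoft's DisabledComponents documentation (KB929852), not from the article. Function names are my own.

```powershell
# Added example: manage Tcpip6\Parameters\DisabledComponents and verify the
# resulting prefix policy. Run elevated; the value is read at boot, so a
# change only takes effect after a restart.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$Name    = 'DisabledComponents'

function Get-IPv6DisabledComponents {
    # Absent value == 0x00: every IPv6 component enabled.
    $item = Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [uint32]0 }
    return [uint32]$item.$Name
}

function Show-IPv6DisabledComponents {
    $v = Get-IPv6DisabledComponents
    '{0} = 0x{1:X2}' -f $Name, $v
    # Bit meanings 0x01 and 0x10 are from KB929852 (assumption: unchanged on current Windows).
    if ($v -band 0x01) { '  0x01  tunnel interfaces (ISATAP, 6to4, Teredo) disabled' }
    if ($v -band 0x10) { '  0x10  IPv6 disabled on non-tunnel interfaces (LAN, PPP)' }
    if ($v -band 0x20) { '  0x20  IPv4 preferred over IPv6 in the prefix policy table' }
    if ($v -eq 0)      { '  IPv6 fully enabled, default preference (IPv6 first)' }
}

function Set-PreferIPv4 {
    # Only sets the 0x20 bit; IPv6 itself stays enabled, as Microsoft recommends.
    $v = (Get-IPv6DisabledComponents) -bor 0x20
    New-ItemProperty -Path $RegPath -Name $Name -PropertyType DWord -Value $v -Force | Out-Null
    Write-Warning ("Set {0} to 0x{1:X2}; reboot for it to take effect." -f $Name, $v)
}

function Get-PrefixPolicy {
    # Parses the table printed by 'netsh interface ipv6 show prefixpolicies'.
    netsh interface ipv6 show prefixpolicies | ForEach-Object {
        if ($_ -match '^\s*(\d+)\s+(\d+)\s+(\S+)\s*$') {
            [pscustomobject]@{
                Precedence = [int]$Matches[1]
                Label      = [int]$Matches[2]
                Prefix     = $Matches[3]
            }
        }
    }
}

function Test-PrefersIPv4 {
    # With 0x20 active, the IPv4-mapped prefix ::ffff:0:0/96 outranks the
    # catch-all ::/0 entry; with the default policy it ranks below it.
    $p  = Get-PrefixPolicy
    $v4 = ($p | Where-Object Prefix -eq '::ffff:0:0/96').Precedence
    $v6 = ($p | Where-Object Prefix -eq '::/0').Precedence
    return ($null -ne $v4 -and $null -ne $v6 -and $v4 -gt $v6)
}

Show-IPv6DisabledComponents
# Set-PreferIPv4          # uncomment to apply, then reboot
"Prefers IPv4 now: $(Test-PrefersIPv4)"
```

Check `Test-PrefersIPv4` twice, once before and once after the reboot: the registry value changing while the prefix policy does not is the usual sign that the machine has not been restarted yet.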

Moving right along

Now that we’ve gotten that out of the way, let’s take a look at how Windows uses IPv6 even when your DHCP server is providing it an IPv4 address and your Internet router doesn’t support it.

We all know that the world is running out of IPv4 addresses. I'm not going to rehash that here other than to say that it doesn't matter for your internal network. Your internal DHCP can keep handing out IPv4 for compatibility, and as your ISP and the sites you visit roll out IPv6, more and more of your Internet traffic will travel over it. That still doesn't mean you want to disable IPv6. You want both: IPv4 internally for readability and for legacy gear, and IPv6 wherever it is actually routable, which is what Windows prefers by default, for the reasons I'm going to discuss now. I think that is the best option.

IPv6 is a mandatory part of the Windows operating system. Microsoft does not test with it turned off and states plainly that some Windows components may not function without it. Many things do keep working, of course, but behind the scenes a component that expects IPv6 has to try it, time out, and fall back to IPv4, and that wait to fail can really be felt on the PC. Back in the Windows 7 days there was a well-known lag reaching the Internet when IPv6 was enabled on the PC but the router didn't support it. Starting with Windows 8 and Server 2012, Windows probes for IPv6 Internet connectivity, remembers when there is no usable route, and prefers IPv4 for that traffic on its own. No configuration or disabling required.
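Before deciding anything, it helps to see what IPv6 connectivity a host actually has, which is the condition the paragraph above says Windows evaluates for itself. The following is an added example, not code from the article; the scope classification follows the standard address ranges (fe80::/10 link-local, fc00::/7 unique-local, 2000::/3 global), and the function names are my own.

```powershell
# Added example: report this host's real IPv6 state so you can tell
# "link-local only, Windows will use IPv4 anyway" from "native IPv6 path".

function Get-IPv6AddressScope {
    param([Parameter(Mandatory)][string]$Address)
    # .NET accepts Windows' "fe80::1%12" zone-id form.
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    if ($b[0] -eq 0xfe -and ($b[1] -band 0xc0) -eq 0x80) { return 'LinkLocal' }    # fe80::/10
    if (($b[0] -band 0xfe) -eq 0xfc)                      { return 'UniqueLocal' }  # fc00::/7
    if (($b[0] -band 0xe0) -eq 0x20)                      { return 'Global' }       # 2000::/3
    return 'Other'
}

function Get-IPv6ConnectivityReport {
    $addrs = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
             Where-Object { $_.AddressState -ne 'Invalid' -and $_.InterfaceAlias -notmatch 'Loopback' }

    $global  = @($addrs | Where-Object { (Get-IPv6AddressScope $_.IPAddress) -eq 'Global' })

    # A default route on a real (non-tunnel) interface is what makes IPv6 usable.
    $default = @(Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' -ErrorAction SilentlyContinue |
                 Where-Object { $_.InterfaceAlias -notmatch 'Teredo|isatap|6to4' })

    # Transition tunnels can create an IPv6 path even when the LAN has none.
    $tunnels = @(Get-NetIPInterface -AddressFamily IPv6 -ErrorAction SilentlyContinue |
                 Where-Object { $_.InterfaceAlias -match 'Teredo|isatap|6to4' -and $_.ConnectionState -eq 'Connected' })

    if ($global.Count -gt 0 -and $default.Count -gt 0) {
        $expect = 'Native IPv6 path: Windows will prefer IPv6 for dual-stack names'
    } elseif ($tunnels.Count -gt 0) {
        $expect = 'No native IPv6, but a transition tunnel is up: confirm it is intended'
    } else {
        $expect = 'Link-local only: Windows falls back to IPv4 for Internet traffic; nothing to disable'
    }

    [pscustomobject]@{
        LinkLocalOnly   = ($global.Count -eq 0)
        GlobalAddresses = @($global.IPAddress)
        DefaultRouteVia = @($default.NextHop)
        ActiveTunnels   = @($tunnels.InterfaceAlias)
        Expectation     = $expect
    }
}

Get-IPv6ConnectivityReport | Format-List
```

The interesting result is the third case: a host with nothing but link-local addresses is exactly the situation the article describes, and it needs no registry change at all.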

What does IPv6 do for network traffic?

IPv4 is one of the longest-lived pieces of technology in our computers today. When it was designed, the population of computers was tiny and there was no real need for security, so none was built into it. My, how things have changed! IPv6 was designed later and with security in mind, but be precise about what that means: IPsec was specified alongside IPv6 and for years was a mandatory part of any compliant IPv6 stack (RFC 4294), a requirement later relaxed to a SHOULD (RFC 6434). Being supported is not the same as being on. IPsec must be deliberately configured, and it is equally available for IPv4. The real advantages of IPv6 are in the protocol design:

  • There's no need for NAT. Every computer can have a globally routable address and use that same address for internal resources and for the Internet, so we no longer have to keep two address spaces apart. Applications such as VoIP benefit because end-to-end connections to the PC are possible without NAT traversal tricks; a stateful firewall still decides what is allowed in.
  • IPv6 routers never fragment packets; the sending host discovers the path MTU and sizes its packets itself. The IPv6 header is a fixed length and carries no checksum, so routers do less work per packet.
  • IPv6 uses multicast rather than broadcast (Neighbor Discovery, for example, uses solicited-node multicast groups), so hosts that don't care about a packet don't have to process it.
  • IPsec (AH and ESP) is part of the IPv6 architecture rather than an add-on, so every IPv6 stack you meet can speak it. It still has to be turned on and given keys or certificates; IPv6 traffic is not encrypted or authenticated by default.

There's a persistent myth that disabling IPv6 reduces your attack surface. If your router doesn't route IPv6, IPv6 traffic from your PCs never leaves the local link, and the Windows firewall applies its rules to IPv6 exactly as it does to IPv4, so turning the protocol off gains you very little. What you should do instead is make sure every firewall rule you rely on covers both families (a rule scoped only to IPv4 addresses leaves the IPv6 side uncovered), and keep an eye on transition technologies such as Teredo, 6to4 and ISATAP and on unexpected router advertisements, either of which can give a host an IPv6 path you didn't plan for. IPv6 headers are not encrypted; what protects your internal network is your firewall policy, not the IP version.
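The practical check behind that paragraph is whether your inbound allow rules are written for both address families. The script below is an added example (not from the article): it walks every enabled inbound allow rule in Windows Defender Firewall, flags rules whose remote scope is IPv4-only, and lists transition interfaces that are up. The IPv4-only test (dotted-decimal literals or the LocalSubnet4 keyword) and the function name are my own choices.

```powershell
# Added example: which inbound allow rules apply to IPv6, and which
# transition tunnels are active on this host.

function Get-InboundAllowRuleCoverage {
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $rule   = $_
        $filter = $rule | Get-NetFirewallAddressFilter
        $remote = @($filter.RemoteAddress)

        # Keywords such as Any, LocalSubnet, Internet, DNS, DHCP are family-neutral;
        # dotted-decimal literals/ranges and LocalSubnet4 are IPv4-only.
        $v4only = $true
        foreach ($r in $remote) {
            if ($r -notmatch '^\d{1,3}\.' -and $r -ne 'LocalSubnet4') { $v4only = $false; break }
        }

        [pscustomobject]@{
            DisplayName = $rule.DisplayName
            Profile     = $rule.Profile
            Remote      = ($remote -join ',')
            AppliesToV6 = -not $v4only
        }
    }
}

$coverage = Get-InboundAllowRuleCoverage

"Inbound allow rules open to any remote address (both families):"
$coverage | Where-Object { $_.Remote -eq 'Any' } | Sort-Object DisplayName | Format-Table -AutoSize

"Inbound allow rules scoped to IPv4 only (IPv6 side not covered by this rule):"
$coverage | Where-Object { -not $_.AppliesToV6 } | Sort-Object DisplayName | Format-Table -AutoSize

"Transition interfaces:"
Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -match 'Teredo|isatap|6to4' } |
    Select-Object InterfaceAlias, ConnectionState, RouterDiscovery
```

`Get-NetFirewallAddressFilter` is called once per rule, so on a host with several hundred rules the first listing takes a minute; the second listing is the one worth reviewing, because those rules do not do what their authors probably assumed once IPv6 is in play.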

Additional benefits that might seem scary

It’s an upside down world these days. Remember when IT departments used Group Policy to manage and control PCs? Remember when we had to maintain DHCP servers? Remember when your devices used nonroutable addressing and had to NAT to get to the Internet? Remember when employees all worked in the office? Remember when we didn’t have VOIP phones? Remember when you didn’t have any IoT devices at all?

IPv6 doesn't need a DHCP server because hosts can configure themselves with stateless address autoconfiguration (SLAAC): the device listens for the network prefix in router advertisements, generates the rest of the address itself, and runs duplicate address detection before it uses it. (DHCPv6 still exists, and you may want it for handing out DNS servers or for centralized address assignment, but it is optional.) What is so scary about that? It's a loss of control. There's no more lease GUI to look at to see which machine is using which address; you query the hosts, the neighbor caches and your switches instead. But if the computers self-assign and automatically guarantee there are no duplicates, why do we really need that screen? It's letting go of past practices that is the scary part, not the technology itself.
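This is the query that replaces the DHCP lease screen. The block is an added example, not part of the article: it lists every IPv6 address on the host with how it was formed and its duplicate address detection state, then the neighbor cache, which is how you find the addresses other machines on the link are using. Function names are my own.

```powershell
# Added example: inventory IPv6 addresses, their origin and DAD state, and
# the neighbor cache, on a Windows host.

function Get-IPv6AddressInventory {
    # PrefixOrigin: RouterAdvertisement = SLAAC, Dhcp = DHCPv6, Manual, WellKnown
    # SuffixOrigin: Random = randomized interface ID (Windows default), Link = EUI-64, Dhcp, Manual
    # AddressState: Tentative (DAD running), Duplicate (DAD failed), Preferred, Deprecated
    Get-NetIPAddress -AddressFamily IPv6 -Type Unicast |
        Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
        Select-Object InterfaceAlias, IPAddress, PrefixOrigin, SuffixOrigin, AddressState, ValidLifetime |
        Sort-Object InterfaceAlias, IPAddress
}

function Get-IPv6Duplicates {
    # Addresses duplicate address detection has rejected; the host will not use them.
    Get-NetIPAddress -AddressFamily IPv6 | Where-Object AddressState -eq 'Duplicate'
}

function Get-IPv6NeighborTable {
    # Unicast neighbors with a resolved link-layer address; skips multicast (ff00::/8).
    Get-NetNeighbor -AddressFamily IPv6 |
        Where-Object { $_.State -ne 'Unreachable' -and $_.LinkLayerAddress -ne '' -and $_.IPAddress -notmatch '^ff' } |
        Select-Object InterfaceAlias, IPAddress, LinkLayerAddress, State |
        Sort-Object InterfaceAlias, IPAddress
}

"Interfaces: router discovery and whether DHCPv6 is consulted"
Get-NetIPInterface -AddressFamily IPv6 | Where-Object ConnectionState -eq 'Connected' |
    Select-Object InterfaceAlias, RouterDiscovery, Dhcp, NlMtu | Format-Table -AutoSize

"Addresses on this host"
Get-IPv6AddressInventory | Format-Table -AutoSize

"Duplicates rejected by DAD"
Get-IPv6Duplicates | Format-Table InterfaceAlias, IPAddress -AutoSize

"Neighbors seen on the link"
Get-IPv6NeighborTable | Format-Table -AutoSize
```

A neighbor table populated with addresses from a prefix you never advertised is the quickest way to notice a second router on the segment, which is the scenario the "loss of control" worry is really about.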

Letting go of NAT is probably the scariest part for many IT admins. NAT gives you the illusion that your network is safe. And yet every day, in a million ways, each device makes a connection to the Internet and the reply traffic is forwarded straight back to it. If a device is reachable from outside, it's because it initiated the conversation or because a port was deliberately opened through the firewall. Exactly the same is true with IPv6: the stateful firewall in your router allows replies to outbound connections and blocks unsolicited inbound traffic; it just doesn't have to rewrite addresses and track port mappings to do it. NAT was never about security. The stateful filter sitting next to it was.

While Group Policy and DHCP servers might not be eliminated from your network yet, they will be eventually. While some businesses still have digital key phones and all of their employees work in the office they aren’t in the majority anymore. I dare say that there aren’t any businesses that don’t have some form of IoT on their network at this point. Even security cameras and network-connected time clocks count as IoT and many businesses have a lot more variety of IoT devices than that. The point is that the very definition of networking has changed as has the very definition of “the edge.”

You've probably read that "the edge" is the user credentials. It's true. Now that users have access to corporate data from mobile phones, desktop phones, softphones, laptops, tablets, and so much more, on the road and in the office, the edge is getting pretty transparent. I mean, when you can take the desktop phone off your desk, plug it into your home Internet and make a call with no additional configuration? The world of networking has changed. It's not your DNS, your DHCP, your NAT scheme, or your firewall that protects the network. It's the credentials on that phone that count. That's our edge, and it is where we need to focus on security.

Forget about the imagined pitfalls of IPv6. Its header is simpler, it doesn't need NAT, IPsec is part of its specification rather than a bolt-on, and the host firewall you already run covers it. We need to focus our efforts on modernization to make sure that we aren't crippling our networks by hanging onto legacy networking technologies. The easiest way to adopt IPv6 is to simply stop disabling it.


19 thoughts on “Are you disabling IPv6? Maybe you should stop — and here’s why”

  1. “In IPv6 security is its top priority. IPSec is the default. ” This statement cannot be more wrong! There is no additional security in IPv6 and IPSec has not been the default! This information is just plain wrong!
    In the beginning, there was a plan to use IPSec by default, but this plan was thrown out to the trash long ago.
    From the security point of view, IPv4 and IPv6 are the same: No default security mechanism.

  2. Group Policy is going away? What planet do you live on? How will endpoints be managed in a corporate environment without Group Policy?

    This article is pure delusion.

  3. Hello Robert, I’m afraid that I’m not delusional. The future is coming. The writing is on the wall. Azure AD and Intune are the winning solutions going forward.

  4. Murat and Robert, you are absolutely correct.

    IPv6 is mostly unneeded, unless you WANT every grain of sand on the planet to be on the internet all the time (and this adds security?!)

    IPv6 on most computers and servers brings no added security or speed, but DOES add to the complexity and ADDITIONAL security and management requirements of each. You need a GOOD IPv6 firewall on each IPv6-enabled device. This has to be configured, managed, and maintained separately.

    Each network server application also has to be configured/secured separately for IPv6. (Think Apache/SSH/Postfix/etc, or IIS/RDP/anything Microsoft.) Misconfiguration here has HUGE performance and connectivity implications.

    While IPv6 does ALSO have built-in client dhcp capabilities, it does NOT eliminate the need for DNS. DNS servers STILL need to know the hostname and/or resource name associated with the IP address, be it IPv4 or IPv6. As a security point, you don’t usually want each device to update the DNS servers by themselves.

    Newer routers and firewalls have faster CPUs, more RAM, and faster internal fabrics, and thus “appear” faster with IPv6 than older IPv4-only models. (Every router, firewall, or intelligent switch that I have tested over the last several years either performs at the same speed or –generally– faster with IPv6 disabled.)

    The point of the matter is, that even if IPSec were the standard/default for IPv6, all that would do is encrypt the connection between the client and the server. It would NOT prevent unwanted clients from connecting to your network or your resources. It would NOT prevent the misuse/abuse/theft and/or destruction of your data or equipment.

    Unfortunately, articles such as this one lead the uninformed to make terrible decisions, along the lines of “It’s Microsoft, it’s got to be good!”

    –Patrick

  5. Patrick,

    Being Microsoft, they have a massive target on their back. If they promote broadscale uptake of IPV6 by building their OS to actually prefer it, then, if your assertions are correct, surely massive global litigation would ensue, especially from the 'uninformed' small business owner or home user, for example, as there would be widespread theft, destruction, abuse and misuse.
    It would be corporate suicide to create a worse solution in the most widely used OS on the planet, so we can only assume that people far smarter than ourselves have thought intensely about all of the potentials.

    I’m not seeing this monumental breakdown in network security, certainly no more than what already exists with IPV4.
    IPV4 is no more secure, and as the author points out, NAT is a fallacy as far as network security is concerned.
    Plus it’s inherently clunky for the majority of regular users, who outnumber corporate users exponentially, well at least in companies who are still clinging to IPV4.

    IPV6 does have its own challenges, but it has solved many security issues with IPV4, and of course there's much more work to do.
    As long as people create technology, other people will find a way to break it.

    IPV6 is not going away; its adoption is accelerating exponentially and it's not going to change – a fact that you don't need to like, but will have to deal with nonetheless, assuming you are in the industry.

    So instead of trying to fight against what already is and will be, use that energy into finding ways to create better security moving forwards.

    Scaling NAT systems forever is quite possibly one of the worst examples of ‘best practice’ for companies, end users and everyone in between.

  6. As a Network Security practitioner for the last 20 years, this article is downright scary. There are so many inaccuracies and fallacies I don't have the time to list them all out. It should be removed.

  7. The premise of this article seems to be to ridicule and belittle those who have studied the issue of IPv6 and reached a different conclusion than the author.

  8. I have found that IPv6 being Enabled has caused many HUGE problems. Many unexplainable network and server issues were solved by disabling IPv6. Not going to stop any time soon. The issue is probably because most things don’t even work with IPv6 yet so unless you know specifically that you need IPv6, better to just disable it.

  9. Lex Barringer

    The one thing that Microsoft has not, up to this point, addressed is the need to augment their own firewall to allow IPv6 connections to work properly. By Microsoft's own defaults in their own firewall, much of IPv6's functionality is being filtered, and that will actually reduce the speed of your IPv6 traffic.

    Now, I’m an IS/IT person, too, perhaps you should become a member at IEEE and join the 802 working group, where all the networking standards including all the revisions to the network stacks are created and updated.

    From the standpoint of security externally to a company's or individual's WAN, its design is to provide tunneling support to and from external servers via authenticated encrypted tunnels. The caveat is this: just because it's enabled and you have all the rules in place, your software is what opens the encrypted tunnel through IPSec and not the other way around; IPSec only helps you create those tunnels by using shared libraries and architecture. So IPSec on by default isn't any more protected than not having it installed.

    If you don't have tunneling support in all your applications, from server to server and client to server, including WAPs, inside your LAN and/or MAN, then IPSec does you no good to have it enabled. Of course, on the flip side, leaving it enabled doesn't make it any less safe either. IPSec works similarly to VPNs but is designed to be controlled by administrators from the top level for a LAN/MAN, not on a per-connection basis.

    The additional tunnel coding support for each application and library over your network is a nightmare to upkeep. This is where the attack vector comes in. Computer and network security is a very fast moving target, what worked three months ago to stop attackers is no longer useful, to the point of being dangerous, if implemented.

    TL;DR:

    IPSec, while it’s baked in now, is no more safe than when it was an add-in, if your applications don’t use IPSec’s tunneling and other security features; it’s not automatically protected, even though Microsoft says it is. Microsoft expects and believes that everyone is using those features in their code, this is where they’re wrong, thus not all traffic over the network is safe.

  10. I have a huge problem with IPV6. Everything was nice until I had children and these children reached 7yo.
    Problem is indeed lack of control, namely most routers DO NOT ALLOW you to change the DNS server for IPV6 devices.
    Now this is a major security flaw. It means either completely not allowing my children to access the internet on their own. Period. Or disabling IPV6 to make sure all traffic gets routed through IPV4 and thus gets proper DNS that won’t give out address of websites where children have no business going to.
    So yes, I’m disabling IPV6 on my network until we can have consumer grade routers that allow to use a personalized DNS.
    It's not IPV6 in itself but rather poor implementation from Netgear, Linksys, Cisco and other consumer grade routers that is the issue. But it's a real threat nonetheless.

  11. Jesus, these comments read like a bunch of grumpy old 40-65 year old men that have been working on networks for their entire careers…….. oh and know EVERYTHING 🙂

    The same guys who are terrified of the cloud (because it doesn't use subnets!) and rely on iptables. Buckle up Boomers, they are taking your infrastructure away and forcing you to adopt modern networking architectures and technologies. It's your unwillingness to retire legacy architecture/hardware that is not only contributing to the ease of attacks but making it harder for modern SOC organizations to detect because the gear is either too old for APIs or logging doesn't exist.

    1. GrumpyOldITGuy

      Yes, I am one of those grumpy old men who have been working on networks for their entire careers…in fact been working on networks since before the Internet. While I don’t know EVERYTHING, I do know A LOT about networking, and your comment reads like someone who doesn’t. We wouldn’t have made it this long in the business without learning new things as the ecosystem changed.
      IPv6 is not production ready yet. When it is, those old guys who know a lot about networking will be using it.

    2. Boomers? Yeah, right. Nobody in IT for the past 20 years would have survived if they weren’t agile, adaptable, and willing to learn/implement constantly. The past ten years have moved at a snail’s pace compared to the decade (or two) before that.

      We're not terrified of 'the cloud' and it's comical that you think 'the cloud' is something new. Guess what mainframes and RDP were? The cloud. Centralized vs distributed computing. Been there, done that – two or three times – cute that you think you discovered it.

      Your comments? They read like a newbie who’s going to think it’s a great idea to ‘update’ something without realizing all of the legacy dependencies…

      …and then end up calling one of us to bail you out.

  12. This article and its responses seem to be an argument between the way things "have been" and the way things "could be". The author describes a great IT world that "could be". Unfortunately it's not reality. Too many existing devices and software don't work that way. The solution can not be to suggest we replace all of our existing devices and software, vetting the new ones to see how they do or don't work with IPv6. While I think the IT world the author describes would be nice, and is probably a great goal to work towards, I am one of those people who fear it. I fear it because I have had to (and still have to) troubleshoot when things go wrong. IPv6 isn't great because we no longer need to use a whole bunch of troubleshooting tools. It is actually bad and scary because IPv6 takes those troubleshooting tools away. So far I haven't seen anyone saying how we troubleshoot problems with IPv6 other than to shut it off. And when IPv6 does frequently give us problems, shutting it off does solve those problems. So without any other troubleshooting tools, we will continue to shut it off when there are problems. And we will get it into our routines to shut it off on original install before anyone complains about the inevitable problems. You want us to stop shutting it off? Then don't tell us how great it is. Tell us exact steps and tools to troubleshoot it WHEN it causes problems. Telling us to stop using our "old" routers and software is not an option.

  13. I’m an IT professional who prides himself in trying to learn at least one new thing every single day, so in no way can I be accused of clinging to the “old ways”. However, we get measurably better network performance on all PCs and servers when IPv6 is disabled. It’s so noticeable that I can tell within seconds when I’m on a PC in our domain that has not had IPv6 disabled.

    Does IPv6 have potential? Sure. I believe that eventually we’re going to be able to implement it confidently and live happily with it, but we’re not there yet as far as my experience has shown.

  14. Bottom line: My computer(s) are much, much, much faster with IPV6 completely shut off and locked out of my system.

    Partly based on this article, I reset my Netgear router, again, to enable IPV6 and did some settings changes in Windows. Result: DISASTER!!! I am not kidding. The internet slowed way, way down to the point some sites would hang. But, also, LAN traffic started getting squirrelly and throwing errors.

    Is it DNS, NAT some peculiarity of my ISP? Beats me and I don’t care anymore. NO IPV6 = Way faster. That’s all I need to know.
