Both the Internet Assigned Numbers Authority and the Asia-Pacific Network Information Centre have run out of IPv4 addresses to allocate, and RIPE, the European numbering authority, is soon to follow. Large ISPs are now beginning to turn on IPv6 for their customers, and most vendors of firewalls, load balancers and other network appliances are starting to claim that their devices fully support IPv6. Is it time then for agencies to stop worrying about IPv6 and simply leave it enabled on Windows PCs?
The Myth of Disabling IPv6
Actually, you can’t fully disable IPv6 on a computer running Windows 7. For example, if you clear the checkbox for IPv6 for your Local Area Connection network interface (see Figure 1), it won’t disable IPv6 on the system. It simply removes the binding for it from that particular network interface.
And if you edit the registry as indicated by this article in the Microsoft Knowledge Base, the binding for IPv6 will be removed from all network interfaces on your system, including LAN, WAN and VPN interfaces. But the underlying components of IPv6 won’t be removed from your system, which is easy to see by opening a command prompt window on the system and pinging the IPv6 loopback address ::1.
Figure 1: Clearing the selected checkbox only removes the binding for IPv6.
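The check described above can be scripted. The following PowerShell is an added example, not taken from the article or from the Knowledge Base article it mentions. It assumes the registry edit in question is the DisabledComponents value under the Tcpip6 service parameters, a name and bit layout that come from Microsoft's documentation rather than from this page.

```powershell
# Added example: report what a Windows 7 host's IPv6 settings actually leave running.
# Written for PowerShell 2.0 (shipped with Windows 7); run it on the host being checked.

# Bit meanings of the DisabledComponents DWORD (assumed to be the registry edit
# the article refers to; the layout is from Microsoft's documentation).
$Flags = @(
    @{ Bit = 0x01; Meaning = 'IPv6 disabled on all tunnel interfaces' },
    @{ Bit = 0x02; Meaning = '6to4 disabled' },
    @{ Bit = 0x04; Meaning = 'ISATAP disabled' },
    @{ Bit = 0x08; Meaning = 'Teredo disabled' },
    @{ Bit = 0x10; Meaning = 'IPv6 disabled on all non-tunnel interfaces (LAN, PPP)' },
    @{ Bit = 0x20; Meaning = 'IPv4 preferred over IPv6 in the prefix policy' }
)

function Get-DisabledComponentsMeaning([int]$Value) {
    # Decode the bitmask into the list of settings it switches on.
    $hits = @()
    foreach ($f in $Flags) {
        if ($Value -band $f.Bit) { $hits += $f.Meaning }
    }
    if ($hits.Count -eq 0) { $hits = @('nothing disabled (value absent or zero)') }
    return ,$hits
}

function Get-IPv6State {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $prop = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
    $value = 0
    if ($prop) { $value = [int]$prop.DisabledComponents }

    # The bindings may be gone, but the IPv6 components stay on the system,
    # so the loopback address ::1 is expected to answer regardless of the value.
    ping.exe -6 -n 1 ::1 | Out-Null
    $loopback = ($LASTEXITCODE -eq 0)

    New-Object PSObject -Property @{
        DisabledComponents = ('0x{0:X2}' -f $value)
        Meaning            = (Get-DisabledComponentsMeaning $value) -join '; '
        LoopbackAnswers    = $loopback
    }
}

Get-IPv6State | Format-List
```

A host that reports every bit set and still shows LoopbackAnswers as True is the situation the section describes: bindings removed, IPv6 components still present.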
Disabling IPv6 Breaks Functionality
Are there negative consequences to disabling IPv6 on a Windows 7 PC? Several features of Windows 7 depend on IPv6 to function as intended, including:
- DirectAccess, which allows users to remotely access agency resources whenever they have Internet connectivity, as if they were directly connected to the agency LAN.
- Remote Assistance, which enables users to invite remote users to connect to their computer to help them when they have problems.
- HomeGroup, which makes it easy for users to share their libraries and printers on their home network.
Because Microsoft performed most of its internal validation testing of Windows 7 with IPv6 enabled, disabling IPv6 may have unintended consequences that even Microsoft isn’t yet aware of. Users could end up with mysterious issues requiring the help of Microsoft Support for troubleshooting, and one of the questions the support staff may ask is, “Have you disabled IPv6?” If you have done so, you might be asked to turn it back on to resolve the issue.
Leaving IPv6 enabled might seem to go against a system administrator’s prime directive: “If you’re not using it, don’t enable it.” But there’s another directive that says: “If it ain’t broke, don’t fix it,” and in this case it’s the latter that should take precedence.
Will leaving IPv6 enabled result in a lot of additional network traffic that could lead to poor application performance? No. Windows systems that need to communicate with other Windows systems on the same subnet simply prefer using IPv6 Link Local addresses over IPv4 addresses, and this has only a negligible impact on the overall network traffic.
But My Vendor Doesn’t Support It Yet
If you contact your vendor for firewall appliances or other network security devices, you’ll probably find that they do have updated hardware that now fully supports IPv6. If they don’t, they probably won’t stay in business for very long.
And if your legacy routers and gateway appliances don’t currently support IPv6 or don’t have it enabled, then IPv6 traffic isn’t going to flow in and out of the network anyway. So monitoring or controlling the flow of IPv6 traffic across your boundary isn’t really an issue. But if your ISP has already enabled IPv6, then maybe it’s time to upgrade your routers, gateways and security appliances. The reality is that almost all routers sold during the past 10 years support IPv6 as well as IPv4.
For Users Who Travel
What if someone has a notebook running Windows 7 with IPv6 enabled, and they travel to another city and use the LAN connection in a hotel to connect to the Internet? Are there possible security consequences of having IPv6 enabled on systems that travel beyond an agency’s perimeter firewall?
The reality is that IPv6 is a much more secure protocol than IPv4, which actually has no security at all. In fact, IPv4 application developers have found it necessary to implement additional security at the application layer because there’s no inherent security built into IPv4. By contrast, IPv6 is built from the ground up with security in mind.
Disabling IPv6 on Windows 7 PCs provides no additional security or any other real value to a network. And leaving IPv6 enabled on these PCs enables certain valuable Windows features to work properly. So the bottom line is, don’t disable IPv6 on Windows 7 PCs unless you can justify your decision with a more compelling reason than “But I haven’t had time to learn about it yet.”
Start thinking long term, and get that IPv6 migration plan in order for your agency. If you want to learn more about IPv6 and how to prepare for its inevitable arrival, visit the IPv6 Blog on TechNet at http://blogs.technet.com/b/ipv6/.