Please stop disabling IPv6
Posted by Amy Babinchak on 08 March 2019 01:27 PM
A recent Windows 10 update brought to light just how many people are disabling IPv6 as part of their normal process. Should you be doing that? Probably not.

But first things first. Since so many people are disabling IPv6, many readers are probably already jaded at the prospect of allowing IPv6 on their network. I’m going to argue that in most cases it is not necessary or desirable to disable IPv6 and, in fact, it is desirable not to. But before we get to that, if you just can’t stomach it or you have some serious legacy applications or hardware, here is Microsoft’s official recommendation: Keep IPv6 enabled but issue a policy that says to prefer IPv4.

To configure IPv6, modify the following registry value based on this table.

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\

Name: DisabledComponents

Type: REG_DWORD

Min Value: 0x00

IPv6 Functionality: Prefer IPv4 over IPv6

Registry value: Dec 32, Hex 0x20, Bin xx1x xxxx

Comments: Recommended instead of disabling
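
The registry change above as a PowerShell sketch (an added example, not code from the original post or from Microsoft): it reads the current DisabledComponents value, reports whether the prefer-IPv4 bit 0x20 is set and whether any other bits are set, and writes 0x20 on request. The function names are hypothetical, and it assumes an elevated session for the write.

```powershell
# Added example (not from the original post). Function names are hypothetical.
$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$ValueName  = 'DisabledComponents'
$PreferIPv4 = 0x20   # Dec 32, Bin xx1x xxxx: the value from the table above

function Get-IPv6ComponentState {
    # An absent value is treated as 0x00 (the minimum value: nothing disabled).
    $prop  = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -eq $prop) { 0 } else { [int]$prop.$ValueName }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        ValuePresent  = ($null -ne $prop)
        Hex           = '0x{0:X2}' -f $value
        PreferIPv4Set = (($value -band $PreferIPv4) -ne 0)
        # Any bit other than 0x20 means the value does more than prefer IPv4.
        OtherBitsSet  = (($value -band (-bnot $PreferIPv4)) -ne 0)
    }
}

function Set-IPv6PreferIPv4 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $before = Get-IPv6ComponentState
    if ($before.PreferIPv4Set -and -not $before.OtherBitsSet) {
        Write-Verbose 'DisabledComponents is already 0x20; nothing to do.'
        return $before
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set to 0x20 (was $($before.Hex))")) {
        # Overwrites whatever was there, including values that disabled IPv6.
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
            -Value $PreferIPv4 -Force | Out-Null
        Write-Warning 'Restart the computer for the new DisabledComponents value to take effect.'
    }
    Get-IPv6ComponentState
}

# Audit only:
Get-IPv6ComponentState
# Preview, then apply from an elevated session:
# Set-IPv6PreferIPv4 -WhatIf
# Set-IPv6PreferIPv4
```

Running only the audit function across a fleet shows which machines still carry a value other than 0x00 or 0x20 before any change is pushed.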

Moving right along

Now that we’ve gotten that out of the way, let’s take a look at how Windows uses IPv6 even when your DHCP server is providing it an IPv4 address and your Internet router doesn’t support it.

We all know that the world is running out of IPv4 addresses. I’m not going to bother to rehash that here other than to say that this doesn’t matter for your internal network. Your internal DHCP can still use IPv4 for compatibility reasons but you’ll end up using IPv6 to access the Internet. But that still doesn’t mean that you want to disable IPv6. You actually want to use both. You can use IPv4 for the ease of readability. But let Windows prefer IPv6 for the reasons I’m going to discuss now. I think that this is the best option.

IPv6 is core to the Windows operating system and Microsoft doesn’t do any testing with it turned off so they won’t guarantee that anything will work properly without IPv6. Of course, many things do but behind the scenes, Windows has to work hard and fall back to older protocols after it finds that IPv6 isn’t available. That waiting to fail can really be felt on the PC when you disable IPv6. Back in the Windows 7 days there was a condition where there would be a lag getting to the Internet when IPv6 was enabled and your router didn’t support it. But starting with Windows 8 and Server 2012, Windows detects that there is no route to the Internet in IPv6, remembers this, and then prefers IPv4 for this type of traffic. No configuration or disabling required.

What does IPv6 do for network traffic?

IPv4 is one of the longest-lived pieces of technology in our computers today. When it was built, the population of computers was a lot smaller and there was no real need for security. In fact, there is no security built into IPv4. My, how things have changed! In IPv6, security is the top priority. IPSec is the default. Here are a few of the advantages of IPv6.

  • There’s no need for NAT. Every computer can have an address that allows it to get to the Internet using the same IP that allows it access to internal resources. We no longer have to try to keep those two networks separate through IP addressing. VOIP QoS is more robust because direct connections to the PC are possible.
  • IPv6 moves the handling of fragmentation to the device rather than the router. This makes everything faster because there is no handling of checksum.
  • IPv6 uses multicast rather than broadcast so hosts that don’t care about what you’re doing do not have to process the packets.
  • IPSec is no longer an add-in. It’s baked in, which means that information in the header and packets is secure by default.

There’s a persistent myth about IPv6 and that is that if you disable it you are reducing the attack surface. The truth is that your IPv6 traffic won’t get out if your router doesn’t support it and if it does support IPv6 then it will protect the internal traffic. Since IPv6 header information is encrypted, your internal network is actually safer.

Additional benefits that might seem scary

It’s an upside down world these days. Remember when IT departments used Group Policy to manage and control PCs? Remember when we had to maintain DHCP servers? Remember when your devices used non-routable addressing and had to NAT to get to the Internet? Remember when employees all worked in the office? Remember when we didn’t have VOIP phones? Remember when you didn’t have any IoT devices at all?

IPv6 doesn’t need a DHCP server because it doesn’t use NAT. The individual device is capable of assigning itself an address. It queries the network for the prefix and then automatically assigns the rest. What is so scary about that? It’s a loss of control. There is no more GUI to look at and see which machines are using which addresses. You’ll have to query for that information. But if the computers are self-assigning and assuring that there are no duplicates automatically, then why do we really need to care? It’s the letting go of past practices that is the scary part, not the technology itself.

Letting go of NAT is probably the scariest part for many IT admins. NAT gives you this illusion that your network is safe. And yet every day in a million ways each device makes a connection to the Internet and traffic directly routes to it from the Internet. If the device wants to allow an incoming connection it either makes the initial call or a port is opened in its local firewall. Guess what? The same thing happens when you use IPv6 except that the router doesn’t have to do all of those NAT calculations. NAT was never about security.

While Group Policy and DHCP servers might not be eliminated from your network yet, they will be eventually. While some businesses still have digital key phones and all of their employees work in the office they aren’t in the majority anymore. I dare say that there aren’t any businesses that don’t have some form of IoT on their network at this point. Even security cameras and network-connected time clocks count as IoT and many businesses have a lot more variety of IoT devices than that. The point is that the very definition of networking has changed as has the very definition of “the edge.”

You’ve probably read that “the edge” is the user credentials. It’s true. Now that users have access to corporate data from mobile phones, desktop phones, softphones, laptops, tablets, and so much more while on the road and in the office, the edge is getting pretty transparent. I mean, when you can take the desktop phone off your desk and plug into your home Internet and make a call with no additional configuration needed? The world of networking has changed. It’s not your DNS, DHCP, your NAT scheme, or your firewall that is protecting the network. It’s the credentials on that phone that count. That’s our edge and it is where we need to focus on security.

Forget about the imagined pitfalls of IPv6. It’s small, more nimble, encrypted, and secure. We need to focus our efforts on modernization to make sure that we aren’t crippling our networks by hanging onto legacy networking technologies. The easiest way to adopt IPv6 is to simply stop disabling it.
