IPv6 configuration in Windows (all current versions)

Topic

New Reply

This subject is largely unknown and optimally configuring IPv6 might provide a significant boost in perceived performance, by eliminating potential time-outs with the out of the box configuration.

By default, IPv6 is enabled and has higher priority over IPv4 in all current editions of Windows.
Some people have the so called native IPv6 stack provided by their ISP, in which case they can use both stacks, IPv4 and IPv6.
However most people do not have IPv6 provided natively by their ISP, in which case they may or may not use one of the emulated (tunnelled) additional protocols related to IPv6 provided by Windows, which might cause more problems than resolve.
I am one of the lucky ones, having IPv6 natively enabled by my ISP (Internode in Australia), but even so, I always configure Windows to prefer IPv4 vs IPv6, which means that IPv6 would be used only as fall-back mechanism.
The reason I configure and recommend IPv4 first is that IPv6 is not so widely supported yet and there is a small delay every time when IPv6 falls back on IPv4, especially when querying DNS.
There are very few sites built exclusively on IPv6 (not supporting IPv4) and those are mostly test or experimental sites.

Those who are interested in promoting more actively IPv6 might not like my recommendation and leave the settings on the default configuration, while accepting the occasional small delay.

There are few ways to configure IPv6 in Windows, but only few are actually correct technically.
One of the worst configurations that I have found to be used by lazy “professionals” is to untick the IPv6 box on the network connection properties. Avoid that configuration at any price!

There is only one good way to configure IPv6, by configuring the registry value DisabledComponents under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters while leaving any other IPv6 setting as is out of the box.

1. The most recommended configuration is to have IPv4 to have higher priority over all IPv6 protocols, while leaving IPv6 enabled.
In this case, the DisabledComponents has the value 20 (hex) or 32 (decimal)

2. The other non-default supported configuration is to set DisabledComponents to ff (hex) or 255 (decimal) which means virtually to disable completely IPv6 with the exception of the loopback interface which cannot be disabled, being a system feature.
This is a configuration found more commonly in enterprises where the security teams do not like to have a protocol not in active (managed) use going under the radar, although there would be functional advantages in leaving IPv6 enabled even in those situations.

Notes:
1. If DisabledComponents registry value does not exist and this is the default (out of the box) configuration, the equivalent default value is 0, with IPv6 enabled and taking precedence over IPv4.
2. Another value to be considered is 21 (hex) or 33 (decimal), which in addition to the value 20/32 disables the additional IPv6 protocols like Teredo, but it seems that only the previous values described which are ff or 20 or 0 are fully supported, at least according to the documentation.
The effect of 21/33 is largely cosmetic, as it does not present any visible advantage, although it is a valid value and works correctly according to my tests.
3. I had a hard time explaining in the early days why ffffffff (hex) is not supported (the true good value being ff), although Microsoft had this mistaken recommendation in some articles, thankfully now they amended and clarified this issue in their most current article.

Please check this Microsoft KB article which has the most up to date and very accurate information and documents all the possible combinations for the valid configurations.

https://support.microsoft.com/en-us/help/929852/how-to-disable-ipv6-or-its-components-in-windows

For those more technically minded, the priority of various IP protocols can be verified and configured by typing in a command line (without getting into details):

13 users thanked author for this post.

doriel, Cascadian, Microfix, Elly, abbodi86, AlexEiffel, Canadian Tech, David F, liamZ, tbsky, BobbyB, Noel Carboni, woody

Reply | Quote

Replies

Nice! Thanks for the technical info, ch100.

Personally I don’t have any “native” IPv6 capability enabled through my ISP yet I still prefer to simply disable the tunneling interfaces (isatap, 6to4, teredo) entirely with netsh commands. I consider tunnels as presenting a security risk and potential privacy issue.

This of course won’t keep if/as servers worldwide start using IPv6 exclusively. I have this fantasy that my ISP will start offering “native” IPv6 capability before that becomes a problem.

My systems on the LAN primarily intercommunicate with one another via IPv6, proving the point that IPv6 is by default at higher priority. I need to think through whether reordering the protocol priorities on my LAN could be useful at all. All my LAN systems have both IPv4 and IPv6, so it may just be a moot point. I’ve never done any detailed testing to see whether IPv6 communications are any more or less efficient than IPv4 communications. I suspect the differences aren’t large.

By the way, a way to check to see if you’re communicating via IPv4 or IPv6 with another computer in particular is to run a PING command. Two examples shown here:

The above shows, by the form of the addresses, that SVN is being reached by IPv6, and google.com is being reached by IPv4.

-Noel

1 user thanked author for this post.

ch100

Reply | Quote

I think that there is no difference in the communication effectiveness if both nodes support IPv6 and you may as well keep IPv6 as primary protocol.
The issue arises when someone tries to communicate on the internet with a host not supporting IPv6 and the communication falls-back on IPv4, in which case a delay is inherent, although I have never measured it. There is also a chance that the fall-back mechanism fails and the communication just does not happen.
Your configuration in which you disable ISATAP, 6to4 and Teredo while keeping native IPv6 enabled can be achieved either by using netsh or by configuring DisabledComponents as I said in the original post to 21 (hex) or 33 (decimal), in which case IPv4 will take precedence or your exact configuration can be achieved by setting DisabledComponents to value 1 – see 5.e in the article which I mentioned as reference.
I don’t know if netsh also configured the registry keys at the same time.

Any IPv6 configuration performed via registry takes effect only after a reboot.

Microsoft and most vendors implement IPv6 as primary protocol because the industry as a whole is interested in moving away from IPv4 and promote IPv6 at the same time for being adopted sooner.
However, this does not mean that we as end-users or system administrators are not entitled to do what best suits our purpose in using the computers.

1 user thanked author for this post.

Noel Carboni

Reply | Quote

Valuable Resource CH 100, when(not IF) my Cable ISP starts to support it. From what I have seen around my Network I think I am almost ready to support it myself but it becomes a mute point with out the ISP. 😀

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

Reply | Quote

This is even more useful if you don’t have IPv6 support.
Just read in detail and create the registry key DisabledComponents as DWORD and configure on value 20 (hex).
Read Microsoft’s article for details or use their wizard on the web site.

Reply | Quote

OKAY, Thank You,

For pointing that out, but will have to wait until later…. Bedtime 😀

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

Reply | Quote

Cheers mate another good article as ever. Could be a weekend project/pastime as the isp connection speed has gone down hill a bit. After a little investigation is that the cable box is running WinCE and managed to wipe all my saved shows. Anyway back on topic I had never considered IPV6 or 4 had much to do with it. So if its quiet for a while from my “neck of the woods” you’ll probably know LOL 🙂

1 user thanked author for this post.

ch100

Reply | Quote

🙂

Check this setting too
netsh interface tcp show global
Check autotuninglevel value
If it is normal, set it to highlyrestricted (most people recommend here disabled, but highlyrestricted is slightly better)

You may also have to set
netsh interface tcp show heuristics to disabled on Windows 7 – it is disabled on anything else.

Use set instead of show for both settings.

If time allows, I will write something about those settings with netsh in Windows 7 and a combination of netsh and PowerShell from Windows 8 onwards.

Reply | Quote

how to set autotunning level from “normal” to “highlyrestriced”?
and how to set “netsh interface tcp show heuristics to disabled on Windows 7”?
thanks

Reply | Quote

Please follow the instructions in the command prompt.
You have to launch the Command Prompt as Administrator and use “set” instead of “show”

This is one of the more known sites which has more detailed instructions if the instructions provided by Microsoft Help are not enough.

http://www.speedguide.net/articles/windows-7-vista-2008-tweaks-2574

Try to avoid TCP Optimizer from that site.
I had a bed experience with rolling back the configuration when I tried it long time ago.
The current version may be fixed.

1 user thanked author for this post.

Microfix

Reply | Quote

Here for Windows 8.1 / 10 and 2012 Server also.

Thanks ch100, used the information from this site years ago and forgot about it. 🙂

Windows - commercial by definition and now function...

1 user thanked author for this post.

ch100

Reply | Quote

Windows 8.1/2012 and Windows 10/2016 have a transitional approach moving away from netsh to PowerShell.
netsh still has a role as per the URL from @Microfix

Reply | Quote

In my area, both of the major Internet companies (AT&T and Comcast) do support native IPv6. But as has been posted throughout this thread, there are still lots of websites which do not use IPv6. And as has been pointed out, this does cause some delays and other glitches.

I have OpenDNS configured to be available for both IPv4 and IPv6 for both Windows and Linux.  The rest is up to the site operators.

-- rc primak

Reply | Quote

Does OpenDNS emulate IPv6, or it uses one of the tunnelling protocols like Teredo?
If they use Teredo, then I would suggest that it is far better to configure the priority to IPv4 and use it natively, unless you are passionate about IPv6 and do a lot of testing and research of how it works, in which this is different.

Reply | Quote

If it’s available at the ISP and the web site, IPv6 is fully supported in OpenDNS. They even have different IP addresses for their servers.  I have both sets entered into my network setups in Linux and in Windows.

If IPv6 is not available, OpenDNS drops back to its IPv4 settings. That’s why you need to set up both sets of addresses.

I have used some test sites to determine whether in fact OpenDNS is using IPv6 with AT&T services where this is available. All indications are that this is in fact happening.  This is with what used to be U-Verse, not DSL.

-- rc primak

Reply | Quote

Comcast in my area is flaky with IPv6. Sometimes my router picks it up other times it loses the addresses. The fall back in Windows is a problem because as I understand it once a month Windows does a check for Ipv6 and sets Windows according to this. I finally got fed up with Comcast DNS Ipv6 and used Google’s address for both ipv4 and 6. Also it pays to mention that many older modems don’t support native ipv6 as well as some routers. There are sites that will check ipv6 status and Comcast has a good one.

Reply | Quote

For flaky IPv6 connections it may be more useful to disable IPv6 by setting DisabledComponents to ff (hex).

Reply | Quote

I found AT&T DNS to be flaky, too. So I switched to OpenDNS when AT&T couldn’t even resolve Microsoft Updates one afternoon. I have never looked back.

-- rc primak

Reply | Quote

Quote: [Notes: 1. If DisabledComponents registry value does not exist and this is the default (out of the box) configuration, the equivalent default value is 0, with IPv6 enabled and taking precedence over IPv4..]

Win 7 Hm Prem: I do NOT have Disabled Components in Parameters, or sub-groups Interfaces or Winsock. In the MS KB article linked I get the impression that the Dnload Choice [Prefer IPv4 over IPv6] presumes “DisabledComponents” exists. Does the above Note mean the article is irrelevant to those of us who don’t have it?

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / Macrium Pd vX / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU = 0

Reply | Quote

CraigS26 wrote:

Does the above Note mean the article is irrelevant to those of us who don’t have it?

No, it only means that if the key is missing, the default value of “0” (zero) is assumed by the OS.

For Vista, Win 7, Win 8.x and Win 10 this key is valid.  Works for Home, Pro and Enterprise editions.  Also valid for Server 2008, 2008 R2, SBS 2011, Server 2012, 2012 R2 and Server 2016.

If it does not exist, and you want to change the behavior as described in CH100’s excellent overview, you can add the key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters

Create a new DWORD at that location.  Name it precisely DisabledComponents . . .  caps matter in the registry!

Assign the value you want to force TCPIPv6 behavior as described.

Cheers!

 

Edited: because spelling . . .

~ Group "Weekend" ~

2 users thanked author for this post.

CraigS26, ch100

Reply | Quote

Thanks, ch100. Very nice article.

You could say I am a “professional” as I wear so many hats, technical or managerial, I can’t devote lots of time to research how to manage computers like you. Although I would say that I had good success over the years at not spending much time managing computers and reaping the benefits of them while maintaining pretty good security and not suffering from the consequences of my unenlightened tinkering, I sure do appreciate to benefit from your advice.

I don’t see any benefits right now to use IPv6 but it is not a subject I know a lot. Anyone can gives good reasons to do so when the web is still ipv4? Also, like Noel, I disable all tunneling as they are a security concern.

To satisfy my curiosity, I also would like to know why it is bad to only disable the protocol on the network card. You will get timeouts when the system tries to use a protocol thst isn’t there? I find it pretty bad that MS lets you disable ipv6 on the card without adjusting the internals to conform to what the non profesionnal user clearly expresses by doing that. They could just flip the equivalent of the disabledcomponents switch then or whatever else is needed.

And I would like to know why if you use the disabledcomponents you couldn’t also disable the protocol. I would have had the intuition that disabling a protocol that is not in use reduces the attack surface and don’t really understand why that would be a problem once disabledcomponents is set to disable all ipv6. I am not too concerned about security issues with MS tcpipv6 protocol, though, just trying to follow general security best practices and it seems that Microsoft makes it hard to not do bad things while trying to follow what appears to me to be common sense. They added so many protocols over the years on the network card that are not needed on the autonomous laptops for salesmen on the road. Why, for example would you still need to have Netbios over tcpip activated if you don’t need it?

1 user thanked author for this post.

ch100

Reply | Quote

I don’t see any benefits right now to use IPv6 but it is not a subject I know a lot. Anyone can gives good reasons to do so when the web is still ipv4? Also, like Noel, I disable all tunnelling as they are a security concern.

The are hidden benefits, but they may not be worth keeping a dual-stack configuration if not required. You can safely go ahead and use the ff value which means you would practically disable IPv6 (except for the IPv6 loopback).
There are components which were designed to work only on IPv6 which may have been patched to work with IPv4 since I have found that information. Those components are hardly in common use and implemented better by dedicated network devices like DirectAccess in Windows 2008 R2 (patched since to work with IPv4) or Routing and Remote Access.
Another benefit may be related to the internal communication in a network (LAN), which is not subject to the ISP availability of the native IPv6 stack.
And yet another benefit would be that you would be forced to learn a bit more about the IPv6 technologies and be ahead of the mainstream 🙂
While I appreciate Noel’s work and results which are shared with us, I am not so much in favour of that sort of approach for the type of users reading what is posted here. Noel’s approach require a lot of work to maintain and is suitable for organisations with very large teams specialised in firewalls and security in addition to Windows, organisations with thousands of users and almost unlimited IT budgets for which security is more important than ease of use. One needs to have a lot of passion and dedication and beyond anything else a lot of knowledge and experience to be able to maintain DNS whitelists and firewall whitelists in a small environment setup.

To satisfy my curiosity, I also would like to know why it is bad to only disable the protocol on the network card. You will get timeouts when the system tries to use a protocol thst isn’t there? I find it pretty bad that MS lets you disable ipv6 on the card without adjusting the internals to conform to what the non profesionnal user clearly expresses by doing that. They could just flip the equivalent of the disabledcomponents switch then or whatever else is needed.

As with everything Microsoft, they take advantage of their monopoly position to force users to behave in the way desired by the company. In this case it may be for a good purpose.
They make certain configurations available, but hard to understand by the common user who tends to use the default configuration. This is one of them. Microsoft wants the common user to use Cortana, to accept telemetry which I totally understand from a system engineering perspective and IPv6 to smoothly and gradually transition the Internet to the new technology. The first try with IPv6 was in Windows 2003 which was an incomplete implementation and not default. Since then, the TCP/IP stack was redesigned in Vista/Server 2008 and now IPv6 is built-in like IPv4. It cannot be uninstalled like in Windows 2003, but can be disabled in the registry. I think some people managed to find a way to disable IPv4 safely and gracefully, but not IPv6 which says a lot about the internal design.
Back to your enquiry about disabling the protocol on the NIC, there is a URL in KB929852 which points to KB3014406.
“See KB3014406 if you encounter startup delay after you disable IPv6 in Windows 7 SP1 or Windows Server 2008 R2 SP1.”
https://support.microsoft.com/en-us/help/3014406/startup-delay-occurs-after-you-disable-ipv6-in-windows

Symptoms
You may experience an additional five seconds delay during the startup of Windows 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1) or Windows Server 2008 R2 SP1.
Cause
This issue occurs because the code to avoid waiting for IPv6 to register with the network stack is not recognized correctly when IPv6 is manually disabled.

There is a hotfix to change this default behaviour. This is one potential side effect and I remember reading about other side-effects too.

Microsoft should have obviously greyed out the check-box for IPv6 on the NIC, but they may have left it available for testing purpose or some other hidden reason. Ideally that box should be greyed-out and enabled when the IPv6 stack is enabled and greyed-out and disabled when the IPv6 stack is disabled in the registry. But this is not the case…
I think that when you disable IPv6 on the NIC with the protocol disabled in the registry, this does not have any effect, but I may be wrong, because the IPv6 loopback stays enabled anyway.
Just do ipconfig /all or route print with DisabledComponents on ff and you will see the result.

Note: You will find recommendations to disable the IPv6 loopback in the hosts file which is dubious and can break Windows networking functionality, not so obvious immediately.

3 users thanked author for this post.

Elly, AlexEiffel, Dioxygen Difluoride

Reply | Quote

Why, for example would you still need to have Netbios over tcpip activated if you don’t need it?

The only correct way to disable NetBIOS is on the network card properties. If you stop the TCP/IP NetBIOS Helper service, you are looking for trouble.
This may be due to legacy code dating back in the days of Windows NT 3.1/3.5.1/4.0.

1 user thanked author for this post.

AlexEiffel

Reply | Quote

Thanks for the article, ch100.  A few points:

ch100 wrote:

I don’t see any benefits right now to use IPv6 but it is not a subject I know a lot. Anyone can gives good reasons to do so when the web is still ipv4? Also, like Noel, I disable all tunnelling as they are a security concern.

The are hidden benefits, but they may not be worth keeping a dual-stack configuration if not required.

Don’t those “benefits” also result in potential security and privacy-loss risks to users, as well?

See here:  https://securityintelligence.com/the-importance-of-ipv6-and-the-internet-of-things/

ch100 wrote:

To satisfy my curiosity, I also would like to know why it is bad to only disable the protocol on the network card. You will get timeouts when the system tries to use a protocol thst isn’t there? I find it pretty bad that MS lets you disable ipv6 on the card without adjusting the internals to conform to what the non profesionnal user clearly expresses by doing that. They could just flip the equivalent of the disabledcomponents switch then or whatever else is needed.

As with everything Microsoft, they take advantage of their monopoly position to force users to behave in the way desired by the company. In this case it may be for a good purpose. They make certain configurations available, but hard to understand by the common user who tends to use the default configuration. This is one of them. Microsoft wants the common user to use Cortana, to accept telemetry which I totally understand from a system engineering perspective and IPv6 to smoothly and gradually transition the Internet to the new technology.

As I see it, a user should not have to access the registry to simply disable a network protocol. That’s a bad (and, IMO, deliberate) design flaw and should be pointed out, accordingly.

In light of the forced/demanded telemetry and general intrusiveness that’s been inherent throughout the deployment of Windows 10, it’s hard to see what Microsoft’s good purposes are here from the perspectives of end users.  This ever increasing emphasis on telemetry might well suit the purposes of OS vendors like MS, but that doesn’t seem to be translating into more user friendly, safe, or secure software (see Microsoft’s continuing system update problems, among other things.)  Users don’t appear to be trading their money/privacy for stability/security.

Microsoft and Apple are being directly paid for licensing and use of their operating systems.  IMO, their increasing intrusions into user data and activities probably started out as the equivalent of a contractor working on your house going through your couch cushions for loose change. Creepy, but “meh.”  It progressed from there to going through your wallet, coping your driver’s license and SS numbers, and grabbing some loose change, as well. Now your OS contractor is demanding that you install the digital equivalent of a permanent, personally-identifiable, IOT sigmoidoscope into every person in your family   –via EULAs, telemetry, always on monitoring devices like Cortana, Siri, Alexa, etc.,– implemented using end-to-end, poorly understood and partially implemented networking protocols like IPv6 (all monitored by nebulous groups of third parties to help things go smoothly, if not so gradually.)

Sure I might have overstated that a bit for dramatic effect, but most network/OS professionals seem committed to euphemizing what the software industry appears h**l-bent on doing, and the tools they’re using to do it (including IPv6.)

These articles are old, but what, if anything, has been improved? Certainly not the state of the OS art.

http://www.networkworld.com/article/2259462/lan-wan/invisible-ipv6-traffic-poses-serious-network-threat.html

http://www.zdnet.com/article/security-versus-privacy-with-ipv6-deployment/

1 user thanked author for this post.

AlexEiffel

Reply | Quote

I am getting tired of this scare campaign in relation to telemetry and associated technologies.
I am not replying any more to those enquiries, as they have become counter-productive.
NSA, CIA, FBI, FSB and other similar agencies do not need telemetry from Microsoft to collect information for law enforcement or other purposes. They have always collected information as this is their business and have better and more reliable ways to do it.
My post was about IPv6 and how to control it for a better user experience.
I am not interested in how to minimize an already bad user experience as many posters here do instead of configuring their computers correctly and for productive purpose and having a good user experience.
If it is so bad for you, then stop using computers or stop using Windows or whatever is suitable.
Everything of interest about this subject is in my original post and the replies provided to other users.

1 user thanked author for this post.

Microfix

Reply | Quote

As you have mentioned ch100,

I’m also tired of all this, to the point where I visit this site less and less.

Windows - commercial by definition and now function...

1 user thanked author for this post.

ch100

Reply | Quote

I don’t think that you have to visit this site less, but a bit of filtering through the messages which you read may be useful. I tend to do the same.
It is the nature of an Internet forum to host various points of view with which not everyone agrees.

1 user thanked author for this post.

woody

Reply | Quote

For what it’s worth, I never mentioned the “NSA, CIA, FBI, FSB and other similar agencies”.  I suspect that neither I, or any of us, have much to say about what they choose to collect or divine about our internet (or other) activities. I can only hope that they find me as boring as I truly am.

I’m more concerned with sending unnecessary data hither and yon to be potentially collected by far more obviously nefarious entities, such as these developers:

https://f5.com/labs/articles/threat-intelligence/ddos/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-attack-on-ovh-22422

Simple security demands that what need not be sent, should not be sent (and what need not be open to the outside of a network, should not be open.)

In light of the massive ongoing occasions of new malware, identity thefts,  and security threats, that is not a hysterical position to take.

No offense was intended.

 

Reply | Quote

@ ch100

NSA, CIA, FBI, FSB and other similar agencies do not need telemetry from Microsoft to collect information for law enforcement or other purposes. They have always collected information as this is their business and have better and more reliable ways to do it.

True, as per http://www.mintpressnews.com/snowden-leak-nsa-hacking-tools-russias-warning-us-government/219660/ , but this involves a lot of work, ie the 3-letter agencies trying to infect cptrs with spyware, eg it would be quite impossible for the NSA to infect Noel Carboni’s fire-walled Win 7/8.1 cptrs if he were an extremist or terrorist.
But if they could hv a direct backdoor in M$’s Win 10, it would greatly lessen their work of spying on certain targets, esp when Win 10 attains about 80% of the world market. If you were in charge of the NSA, wouldn’t you want this ?
http://21stcenturywire.com/2015/11/04/nsa-partner-in-crime-microsoft-admits-windows-10-auto-spying-cant-be-disabled/
https://www.theregister.co.uk/2013/09/19/linux_backdoor_intrigue/

Reply | Quote

Let’s drop the snooping conversation at this point, shall we?

There are positions on all sides. Arguing here is generating lots of heat – and no light.

Best if we stick to technical discussions and let observers draw their own conclusions, OK?

2 users thanked author for this post.

ch100, rc primak

Reply | Quote

FYI, the IPv6 protocol was there since Windows XP but on XP it’s turned off by default and already enabled by default since Window Vista.

also, AT&T (one of the major ISPs with IPv6 support & my current DSL provider) has a page to test web sites for IPv6 connections:
https://www.att.com/esupport/ipv6.jsp

Reply | Quote

The TCP/IP stack has been completely redesigned for Vista/2008 and the current implementation is not related to the XP/2003 implementation, except for the commands which most (but not all) are still working like in XP times.
It is like comparing Firefox with Netscape. They look and behave similarly, but the internals are not the same. 🙂

Reply | Quote

My two reasons for switching DNS and enabling IPv6:

1) AT&T DNS could not reach MS Updates

2) The entire resolving of Names works faster and more reliably with OpenDNS, and I have no problems using IPv6 where it’s available.

Maybe that’s three  reasons, but obviously, my reasons are performance related, not security or privacy related.

-- rc primak

1 user thanked author for this post.

ch100

Reply | Quote

So if I understand well what you say is only the DNS name resolution which makes the IPv6 communication possible or not, even if the ISP does not provide it natively?
Or in addition to DNS, you also have to use one of the tunnelling protocols to make IPv6 possible?

Reply | Quote

No. The ISP must provide support for native IPv6 for this protocol to be used by DNS. No native support, no IPv6 in any case. Sorry if I confused folks with my use of “AT&T DNS”. I use U-Verse (or so it was originally named), not AT&T ADSL service.

-- rc primak

Reply | Quote

These are good for testing:

http://www.ipv6-test.com/

http://www.test-ipv6.com/

4 users thanked author for this post.

woody, rc primak, Microfix, ch100

Reply | Quote

There seem to be a lot of negative views about IPv6 on here…. My line has been IPv6 enabled for a while now (Sky broadband in the UK), it works and I notice no noticeable delay when browsing drops back to IPv4. It just works, I see little reason to disable it and have even turned on IPv6 on my personal websites.

 

2 users thanked author for this post.

rc primak, ch100

Reply | Quote

@davews
The original post does not recommend disabling IPv6 unless there is no support for IPv6 at the ISP level and this is what the user wants. Even so, the main recommendation is to prioritise IPv4 for maximum compatibility and performance and not to completely disable IPv6.
It also draws attention to a typical misconfiguration which is to disable IPv6 on the NIC without configuring the registry and this is the configuration achieving the worst results.

2 users thanked author for this post.

AlexEiffel, NetDef

Reply | Quote

I just tested disabling IPv6 with the FF value and rebooting with or without the protocol disabled on the NIC. No difference in delay at all, so either it does something or they already fixed the delay issue on Windows 10 AU.

I also saw that using the value of FF disables the tunneling as well (6to4 and isatap). I already had teredo off, so I can’t comment about this one.

I thank you for the information. I also think like Noel that tunneling is a security risk as it permits bypassing corporate Firewall outbound rules, so I always deactivate it.

So, I guess if someone were to apply your recommended setting of prioritizing IPv4 over 6 without disabling 6, but would like to disable tunneling for security issues, we could use your registry setting plus the following commands?

netsh interface teredo set state disabled
netsh int ipv6 isatap set state disabled
netsh int ipv6 6to4 set state state=disabled undoonstop=disabled

 

 

1 user thanked author for this post.

Noel Carboni

Reply | Quote

If you use the value of 21 hex (33 decimal) you have all tunnelling protocols disabled and don’t need to do anything further.
You can check by running ipconfig /all
If you want to take further steps, you could remove the virtual tunnelling devices from Device Manager after enabling Show hidden devices.

1 user thanked author for this post.

AlexEiffel

Reply | Quote

Presuming one wanted to keep IPv6 at a higher priority than IPv4, but disable the tunneling interfaces, the setting for DisabledComponents would be 1 then?

Does that provide an advantage over the commands Alex mentioned? For example, does it cause some resources not to be allocated?

-Noel

1 user thanked author for this post.

ch100

Reply | Quote

Yes, it would be 1 in the registry.
I don’t know if the netsh commands configure the registry for DisabledComponents or a different location.
I use netsh often for other purposes like ipv4 and ipv6 Disable TaskOffload or the TCP stack tuning, but not for the IPv6 related purpose.

1 user thanked author for this post.

Noel Carboni

Reply | Quote

They don’t set the DisabledComponents setting. I was just looking at my workstation’s config earlier today.

As I’d prefer IPv6 in house to be the preferred protocol to ensure my local SVN accesses are fastest, I’ve gone ahead and set it to 1 and will see whether I can notice any difference in usage over just having disabled the interfaces via netsh. So far I have sensed nothing different.

-Noel

2 users thanked author for this post.

AlexEiffel, ch100

Reply | Quote

I read something online about each bits of the disabledcomponents value having a specific meaning for each protocol so it would make sense that using netsh modifies the value, unless the value itself overrides anything netsh can do.

I know that using it at ff and then doing the netsh int ipv6 6to4 show state showed disabled after using ff while it was enabled before.

1 user thanked author for this post.

Noel Carboni

Reply | Quote

AlexEiffel wrote:

netsh int ipv6 6to4 set state state=disabled undoonstop=disabled

Glad you listed the undoonstop option. That’s not widely documented.

-Noel

1 user thanked author for this post.

AlexEiffel

Reply | Quote

And please don’t confuse disabling IPv6 tunneling with disabling IPv6 either.

-Noel

1 user thanked author for this post.

ch100

Reply | Quote

Realized, belatedly, that I should return here after all this time.

You see, before registering as a ‘Lounge Member’, this is exactly the kind of article full of knowledgeable insight that made my use of Win7 better. Not because I had some sudden power over Microsoft. But because I gained a better understanding of an advance in technology that had occurred without my noticing. You may find that laughable, but I was somewhat busy with other aspects of life for a number of years, and computer development passed me by.

Comments diverged and wandered, and I have no reason to opine on that, after such a passage of time. None of it lessens the learning I gained from your original article.

This feels incomplete, but I hope you understand me better now.

Hope you notice this, and have a good day,
Paul

Reply | Quote