Fixing Windows 7 IPv6 Headaches
The Internet's IPv4 dashboard gas gauge is blinking empty at only 5% left in the tank, isn't it nice that Windows 7 supports IPv6? Well, sort of, supports it.
Actually, Windows 7 does a decent job of supporting IPv6. It certainly does much better than the ones that came before, but it still has some quirks.
The one that springs to my mind first is that Windows Server 2008 and Windows 7 both still use random interface identifiers when creating its IPv6 addresses. While Windows 7 is now certified as being IPv6 Ready, it's not quite on target by default.
That's not how IPv6 addressing should work. Instead, an IPv6 device should auto-configure its address with the Neighbor Discovery Protocol (NDP) to determine its network and interface identifier and to form the computer's 128-bit IPv6 address. IPv6 addresses assignments are spelled out in these Internet Engineering Task Force (IETF) documents:
- IETF RFC 2373, IP Version 6 Addressing Architecture
- IETF RFC 2464, Transmission of IPv6 Packets over Ethernet Networks
- RFC 4941, Privacy Extensions for Stateless Address Autoconfiguration in IPv6
Microsoft mixed up how the interface identifier should be created even though Microsoft engineers helped write RFC 4941. Oh well. Still, you can force Windows 7 to use the correct method by issuing the following command from a DOS prompt:
netsh interface ipv6 set global randomizeidentifiers=disabled
I recommend that you put this in batch or login file to run this as an automated command on all your new Windows 7 installations. Doing so avoids any possible IPv6 network problems with other Windows 7 systems and with IPv6 address-compliant networking equipment such as Cisco Catalyst Switches.
It would also be nice if Windows 7 supported SEcure Neighbor Discovery (SEND) (RFC 3971 http://www.faqs.org/rfcs/rfc3971.html). SEND is the more secure version of NDP. You can use it to verify that the devices on are valid on your LAN.
Unfortunately, while again Microsoft helped write this specification, its software engineers haven't implemented it. Some major network vendors, such as Cisco and Juniper, already support it. I hope that Microsoft will add it into Windows, along with the correct addressing scheme, in the next Service Patch (SP) for all its operating systems. After all, the sooner we iron out any potential implementation problems and security worries with IPv6 the better.