Fixing Windows 7 IPv6 Headaches

Summary: Windows 7 does a decent, but not perfect, job of supporting IPv6. Here's how to get it to do better.


With the Internet's IPv4 dashboard gas gauge blinking empty at only 5% left in the tank, isn't it nice that Windows 7 supports IPv6? Well, sort of supports it.

Actually, Windows 7 does a decent job of supporting IPv6. It certainly does much better than the ones that came before, but it still has some quirks.

The one that springs to my mind first is that Windows Server 2008 and Windows 7 both still use random interface identifiers when creating their IPv6 addresses. While Windows 7 is now certified as being IPv6 Ready, it's not quite on target by default.

That's not how IPv6 addressing should work. Instead, an IPv6 device should auto-configure its address with the Neighbor Discovery Protocol (NDP) to determine its network and interface identifier and to form the computer's 128-bit IPv6 address. IPv6 address assignments are spelled out in these Internet Engineering Task Force (IETF) documents:

Microsoft mixed up how the interface identifier should be created even though Microsoft engineers helped write RFC 4941. Oh well. Still, you can force Windows 7 to use the correct method by issuing the following command from a DOS prompt:

netsh interface ipv6 set global randomizeidentifiers=disabled

I recommend that you put this in a batch or login file so that it runs automatically on all your new Windows 7 installations. Doing so avoids any possible IPv6 network problems with other Windows 7 systems and with IPv6 address-compliant networking equipment such as Cisco Catalyst switches.
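With randomizeidentifiers disabled, Windows builds the interface identifier from the adapter's MAC address in the modified EUI-64 format (RFC 4291, Appendix A), which lets an address be tied back to a machine. The following is an added example, not part of the original article: it forms such an address from a prefix and MAC, then attributes observed addresses to hosts. The function names, prefix, MAC, hostname and addresses are constructed for illustration.

```python
import ipaddress

def mac_to_iid(mac):
    """Modified EUI-64 interface identifier (8 bytes) for a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Invert the universal/local bit (0x02) and insert ff:fe in the middle.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def slaac_address(prefix, mac):
    """Address a host forms on a /64 prefix when its identifier is MAC-based."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration expects a /64 prefix")
    iid = int.from_bytes(mac_to_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def mac_from_address(addr):
    """Recover the MAC from a MAC-based address, or None if it is not one."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    # A random identifier carries this ff:fe marker by chance about once in
    # 65,536 addresses, so confirm a hit against the MAC inventory.
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)

def attribute(addresses, inventory):
    """Map each observed address to a hostname through the MAC inventory."""
    result = {}
    for addr in addresses:
        mac = mac_from_address(addr)
        if mac is None:
            result[addr] = "unattributed (random or temporary identifier)"
        else:
            result[addr] = inventory.get(mac, f"unknown MAC {mac}")
    return result

# Constructed sample data: one MAC-based address, one randomized address.
INVENTORY = {"00:1b:44:11:3a:b7": "ws-accounting-01"}
OBSERVED = [
    "2001:db8:1:2:21b:44ff:fe11:3ab7",
    "2001:db8:1:2:a1b2:c3d4:e5f6:789",
]

if __name__ == "__main__":
    for addr, host in attribute(OBSERVED, INVENTORY).items():
        print(f"{addr:40} {host}")
```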

It would also be nice if Windows 7 supported SEcure Neighbor Discovery (SEND) (RFC 3971). SEND is the more secure version of NDP. You can use it to verify that the devices on your LAN are valid.

Unfortunately, while Microsoft again helped write this specification, its software engineers haven't implemented it. Some major network vendors, such as Cisco and Juniper, already support it. I hope that Microsoft will add it into Windows, along with the correct addressing scheme, in the next Service Patch (SP) for all its operating systems. After all, the sooner we iron out any potential implementation problems and security worries with IPv6, the better.

  • not worried...

    None of the local ISPs here supports IPv6 so I guess I shouldn't be worried yet~~
    • RE: Fixing Windows 7 IPv6 Headaches

      @cym104 Neither do any of the local ISPs I've been using since 2002, but I've been happily using IPv6 since then. Tunnel brokers are a very good thing.
  • RE: Fixing Windows 7 IPv6 Headaches

    If you're going to do the command line option, I recommend doing it as an administrator level task (Task Scheduler) at startup.

    I created one and it works fine.

    I'd include the XML but the posting mechanism strips out the tags, leaving only the data. Sorry!
  • RE: Fixing Windows 7 IPv6 Headaches

    Interesting how section 3.2 of RFC 4941 talks about "Generation of Randomized Interface Identifiers". Not to mention the well-known risk to privacy by not using the randomly generated addresses.
    • RE: Fixing Windows 7 IPv6 Headaches

      @rickminer There are two issues here: "random interface identifiers" [RFC 4941 sec 3.2] and "temporary" (privacy) addresses [RFC 4941 sec 3.3].

      Servers and desktops are physically static, and so there is no difference in their trackability whether they use static MAC-based IPv6 addresses, or static "random interface identifiers" (sec 3.2).
      As a network manager, it is easier for me if I can directly map IPv6 address <=> MAC address <=> hostname, rather than having to discover and record another attribute for everything on the network.
      I already have MAC address <=> hostname for IPv4 DHCP.

      As a network manager, I can definitely say I prefer static machines to have static non-temporary addresses.
      It is just so much extra work to discover and track new temporary addresses (sec 3.3) that appear every day and which last for 2 days -- there is no network event that you can log to record when a host decides to create a new temporary address.
      If we didn't record all temporary addresses, then *IF* we were to get a copyright violation notice for a temporary IPv6 address, could we just say, "sorry that was on a temporary address, we don't know what computer that was"? Or if there was a DOS or ssh attack, wouldn't it be a really good idea to be able to work out which machine was responsible? Should I push all these temporary addresses into reverse DNS, or store in a separate database that will need extra tools to interrogate?

      Mobile machines are more susceptible to being traced as they move around the Internet if they use the same identifier.
      As before, if they always keep the same identifier then there is no difference in trackability if they use a MAC-based address v. a random address (sec 3.2).

      As before, if a machine is on my network, I do want to be able to track its actions, to know which machine is which. So, no random or temporary addresses for me please.

      netsh interface ipv6 set privacy state=disabled
      netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

      There is other stuff that happens if you log in to AD, group policies etc etc
  • RE: Fixing Windows 7 IPv6 Headaches

    RFC 2373 is obsolete. It was replaced by 3513.
  • Currently, what do Windows 7 and Windows 8 use: EUI-64 or randomly generated?

    Currently, what do Windows 7 and Windows 8 use: EUI-64 or randomly generated?
    Depending on the answer, can you set Windows 8 to the EUI-64 standard and not randomly generated?