Microsoft has a strong history of supporting IPv6, with solutions dating as far back as the days of Windows 2000. Microsoft is continuing its support for IPv6 in Windows 8 and Windows Server 2012. I'll provide you with an overview of the IPv6 capabilities in these latest Microsoft OSs and highlight some potential areas of concern. I won't be going into too much detail about what IPv6 is or how it works. For additional information about IPv6, check out the following Related Articles list.

Related Articles:
"IPv6 Overview"
"The Inevitability of IPv6, Part 1"
"The Inevitability of IPv6, Part 2"
"IPv6: No Sticks, Just Carrots"
"Managing Your Migration and Transition from IPv4 to IPv6"
"Supporting IPv6 in Your Windows Server 2008 Environment"
"Hands-On IPv6 Lab Setup"

IPv6 Overview

You've probably heard experts' warnings that the world is running out of new IPv4 address blocks. The American Registry for Internet Numbers (ARIN) has about 44 million remaining free IP addresses it can hand out in blocks. Although that might seem like a lot, it's only 0.01 percent of the theoretical maximum number of IPv4 addresses. The situation is worse in the Middle East, Europe, Central Asia, and Asia Pacific. For example, there are fewer than 16 million remaining free IPv4 addresses that can be handed out by the Reseaux IP Europeens Network Coordination Centre (RIPE NCC) and Asia-Pacific Network Information Centre (APNIC), which are the Regional Internet Registries (RIRs) for those regions.

If a company is in the market for more IPv4 addresses, it can still get them from either its ISP or an RIR directly if it qualifies. That situation will likely remain for some time. However, IPv6 is the future of the Internet. Many new products and services support only IPv6 or use IPv6 by default. For example, IPv6 is the default in Windows 7 and later and Windows Server 2008 and later. In addition, some organizations (including the U.S. government) are mandating that all new computing products and services being obtained support IPv6. If you plan to use a new product that defaults to or exclusively uses IPv6 or if you want to do business with an organization that's mandating its use, your networks will need to support IPv6. As a result, you need to start planning for IPv6 if you haven't already done so.

The key differences between IPv6 and IPv4 are twofold. First, IPv6 addresses are 128 bits in length, which is four times longer than IPv4 addresses. Second, the addressing scheme used in IPv6 is very different from IPv4. In IPv4, you have several classes of addresses, special addresses for nonpublic use, and some other edge cases that were added as new Internet products and technologies were developed. IPv6 cleaned a lot of that up, so the addressing is easier to understand. For specific details, check out the Related Articles list.

During the development of IPv6, it became clear that systems would need to support both IPv4 and IPv6 concurrently as well as provide a means for IPv6-only systems to access IPv4-only systems. I'll discuss how Windows 8 and Server 2012 meet these needs next. During the development of IPv6, it also became clear that there was a need to provide a means to transition from IPv4 to IPv6 without replacing all the existing network hardware. This is where some concerns exist for security professionals, which I'll discuss later in the "Security Concerns" section.

Windows 8 and Server 2012 IPv6 Support Out of the Box

Windows 8 and Server 2012 support IPv6 out of the box. Server 2012 further supports IPv6 by providing:

  • Support for the Dynamic Host Configuration Protocol for IPv6 (DHCPv6).
  • IPv6 addresses in the DNS server.
  • Transition technologies such as Network Address Translation for IPv6 to IPv4 (NAT64) and DNS for IPv6 to IPv4 (DNS64). These two technologies are used in Server 2012's DirectAccess feature, which heavily uses IPv6.

You can't remove IPv6 support from Windows 8 and Server 2012, but you can disable it. In fact, I highly recommend disabling IPv6 in your organization until you're ready to configure and use it. You can disable it in corporate environments by editing the registry, using Group Policy with policy scripts you've created, or using Microsoft Fix it scripts that must be run on each machine on which you want to disable IPv6. You can also simply unbind IPv6 from the physical adapters, but IPv6 will still be running and can still be used to connect to IPv6 sites over IPv4. You can find more details in the Microsoft Support article "How to disable IP version 6 or its specific components in Windows."

Unlike previous Windows OS versions, Windows 8 and Server 2012 don't give you the option to specify the network configuration when installing fresh copies of them. When the OSs are installed, Windows will auto-configure IPv4 and IPv6 addresses using a variety of technologies. You'll likely be familiar with some of these technologies but not others. A word of caution is that Windows 7 and later and Server 2008 and later will do their best to obtain an IPv6 address, even if you ask them not to. I'll explain this further in the next section.

There are also some areas of potential concern in that not all IPv6 support in Windows is standards compliant. Although this noncompliance probably won't cause you any problems, you need to be aware of it. In many cases, you can use the Netsh utility or Windows PowerShell to force the Windows OS to be standards compliant.

IPv6 Address Configuration

Windows 8 and Server 2012 use a variety of techniques to obtain IPv6 addresses for each adapter present on the machine. Even when Windows is unable to obtain routable IPv6 addresses, it configures interfaces with link-local IPv6 addresses, as shown in Figure 1.

Figure 1: Default Network Configuration with Link-Local IPv6 Addresses

There is no practical way to stop the allocation of link-local addresses—nor should you want to disable them, because link-local addresses are used for communications between hosts and between hosts and routers. By default, Windows won't use link-local IPv6 addresses to communicate, but it's important to understand that they can be used and that they can be used by default if you really want Windows to use them (or if you make a significant number of mistakes in how you configure Windows networking).

If an IPv6-ready networking infrastructure isn't configured, Windows 8 and Server 2012 will still be able to use IPv6 and configure IPv6 addresses in certain situations:

  • Situation 1: Home users with public IP addresses. In this situation, Windows will try to establish a connection using the IPv6 transition technology named Teredo. Teredo will work only if the Windows machine isn't domain-joined and has UDP access to the Internet, with no firewall-blocking packets.
  • Situation 2: Home users with public IP addresses when Teredo fails. In this situation, Windows will use another IPv6 transition technology named 6to4. It requires only a publicly routable IP address.
  • Situation 3: Windows can resolve the name using the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) by means of DNS or name broadcasts. In this situation, Windows will assume that the host is an ISATAP server that's capable of accepting IPv6 packets encapsulated in IPv4 packets, delivering them to IPv6 hosts, encapsulating replies, and sending the replies back. ISATAP works in both domain-joined and non-domain-joined environments. It also works in RFC 1918 nonroutable IP address environments.

If you want domain-joined Windows 8 and Server 2012 systems to use IPv6, you'll likely want to assign predetermined IPv6 addresses to each system, especially if they're Server 2012 systems. At a minimum, you need to provide the IPv6 address allocated to each system. Optionally, you can also provide the IPv6 address of the default gateway that each system should use and the DNS server's IPv6 addresses. Providing this information is optional because Windows can get it from other sources. In the case of the default gateway, Windows can participate in router solicitation and listen for router advertisements to learn the IPv6 addresses of routers. It can also use IPv4 addresses to communicate with DNS servers. Using DNS over IPv4 assumes that your DNS servers are used to store IPv6 addresses of hosts in your organization and are capable of making recursive queries to other servers to get addresses for hosts outside your organization.

If you have numerous Windows 8 systems or a Server 2012 system that you really don't care which IPv6 address it gets, you might be tempted to use DHCPv6. However, I highly recommend resisting that temptation. To understand why, you need to understand how the IPv6 address configuration process works.

When Windows 8 or Server 2012 starts up, it sends out router solicitation requests to find IPv6-capable routers. Routers will respond to router solicitation requests and will periodically send out router advertisements with their address. Routers can also provide additional information, such as the addresses of DNS servers and domain search suffixes. When Windows receives a response or hears an advertisement for an adapter whose IPv6 address hasn't been configured, it will use the information provided by the router to configure an IPv6 address—even if the router asks it not to!

IPv6 routers use two flags to tell an IPv6 client what to do with the information they provide. The first flag is the Managed Address Configuration flag (or simply the m flag). This flag tells IPv6 clients to use the router's information to only configure routing and use traditional configuration mechanisms such as DHCPv6 to fetch the IPv6 address.

The Other Stateful Configuration flag (or the o flag) tells IPv6 clients to use the router's information to configure routing and build an IPv6 address, but to use a mechanism such as DHCPv6 to get the other information such as the addresses of DNS servers and the suffixes to use when making DNS queries. This is where the distinction between stateless and stateful configuration comes in. Stateless configuration is where an IPv6 client relies wholly on router solicitation and router advertisements to configure IPv6. Stateful configuration is where an IPv6 client relies on a DHCP server or other mechanisms to configure IPv6.

Figure 2 shows an example of an IPv6 address configured from a response to a router solicitation request. Note that the IPv6 and default gateway addresses look very different. This is because Windows uses the link-local address of the router as the default gateway. This is very different from IPv4, where you can manually set the address of the default gateway to its non-link-local address (which in this case is 2001:470:b:a6b::1).

Figure 2: IPv6 Address Configured from a Response to a Router Solicitation Request

Unfortunately, Windows 8 and Server 2012 are poor IPv6 clients. First, Windows will ignore the addresses of DNS servers and search suffixes provided by IPv6 routers in solicitation responses and advertisements. Even when the m flag is set, Windows will use the information provided by a router to build an IPv6 address. And even when told not to use DHCPv6 for other information when the o flag is set, it will. In other words, when a router responds to a router solicitation or when a router advertisement is heard, Windows will use the information to build an IPv6 address for the adapter on which the information is heard and it will still look for a DHCPv6 server. If a DHCPv6 server is available but doesn't offer IPv6 addresses (i.e., it's configured as a stateless DHCPv6 server set up to serve clients with the o flag set and return only DNS server addresses and search suffixes), Windows will ignore it. However, if the DHCPv6 server returns an IPv6 address along with DNS server addresses and search suffixes, Windows will add the address to the interface and use the additional information. That means your Windows system now has two IPv6 addresses and can use and can be reached on either address. Worse, both addresses will be published in DNS.

Given that Windows 8 and Server 2012 always check for a DHCPv6 server, you might be wondering why I didn't simply recommend using DHCPv6. There are two reasons:

  • The IPv6 addresses returned by the DHCPv6 server don't contain enough information by themselves to be usable. They're missing prefix information. Depending on the IPv6 addresses you configure, you might find that Windows assumes the IPv6 prefix is 128-bits, meaning that the host can only communicate with itself.
  • In DHCPv6, there's no way to specify the default gateway address. As a result, Windows has to rely on router advertisements to find the IPv6 routers and build a routing table.

My recommendation is that you simply rely on router solicitation and discovery to obtain an auto-configured address and find the default gateway, and use IPv4 to query DNS servers. This setup works well.

Figure 3 shows a Server 2012 system sending ICMPv6 echo requests to a host named Primary, even though Primary has an IPv4 address. Once Server 2012 has an IPv6 address other than its link-local address, it will attempt to use IPv6 by default.

Figure 3: Server 2012 System Sending ICMPv6 Echo Requests

Connectivity Testing and Troubleshooting

Testing IPv6 in your network is like testing a sports car in the city. It's necessary, but it's only the first step. You also need to try it out on the information highway.

Figure 4 shows a simple echo request and reply to an IPv6-capable website. As you can see, the Ping command includes the -6 flag, which forces Ping to use IPv6. If all goes well, you should see a reply. If you have a native IPv6 connection to the Internet, the response should be quite speedy. In the example shown in Figure 4, the response time is quite high, because I'm running IPv6 in an IPv4 tunnel with a tunnel broker (i.e., a company that provides IPv6 connectivity). If your echo request fails to elicit a reply, there might be a firewall or other networking device blocking ICMPv6 somewhere between your Windows system and the target.

Figure 4: Echo Request and Reply to an IPv6-Capable Website

When using firewalls and routers, you need to configure them with rules largely similar to those used for IPv4 networks. Your existing IPv4 rules won't work for the most part. The exception is when the rules are network-layer independent and focus on transport-layer protocols (TCP or UDP) and ports. Whatever you do, no matter how tempted you are, don't configure an IPv6 default rule that allows all traffic to flow between IPv6 interfaces in order to troubleshoot IPv6 connectivity. Cyber criminals, cyber terrorists, and nation states engaged in cyber warfare activities are all proficient in using IPv6.

Once you know you have connectivity to the Internet using IPv6, you'll want to test some IPv6-only websites to verify that everything works. Figure 5 shows a DNS lookup for the host

Figure 5: DNS Lookup

(In case you're wondering why I used a Google website to test IPv6, Microsoft doesn't offer a website dedicated to IPv6 testing.) As you can see in Figure 5, the lookup came back with only an IPv6 address. Figure 6 shows a browser connected to the website.

Figure 6: Browser Connected to an IPv6 Website

Security Concerns

Windows 8 and Server 2012 are particularly adept at obtaining an IPv6 address in a variety of situations and using IPv6 to communicate by default. This can be very problematic in certain environments. A staged migration to IPv6 might have the routers and firewalls configured to support IPv6 and offer router advertisements, but have the m and o flags configured to prevent clients from using them. Unfortunately, Windows will use the advertisements regardless, and IPv6 communications will begin. Most enterprises processing sensitive data (e.g., Social Security numbers, credit card data) will be using sophisticated system and network monitoring tools, such as intrusion prevention systems (IPSs) and Security Event and Incident Management (SEIM) systems. However, IPv6 support for these types of tools isn't great, and you might find that they're unable to detect suspicious and malicious activity taking place over IPv6. So, before you turn on IPv6 on your Windows networks, make sure that your third-party tools and packages, such as IPSs and SEIM systems, will support it.

Of great concern to many organizations is something called the Advanced Persistent Threat (APT). This term is definitely loaded, but to many people it simply means a very sophisticated attacker who has breached their systems and networks and is able to snoop on data at will. Tools are becoming readily available to deal with APT, but unfortunately they're usually insufficient because they don't account for the use of IPv6 to exfiltrate data from corporate networks. The sheer number of tunnel brokers, Teredo servers, and 6to4 hosts on the Internet makes it infeasible to configure edge defenses to block traffic to all of them.

Of equal to concern to most organizations is the ability to block employees' access to unauthorized websites and cloud services. These organizations often deploy solutions that block the unauthorized sites and services to ensure compliance with statutory and regulatory compliance obligations, prevent accidental infections and data leakage, and increase worker productivity. Such solutions typically rely on the use of proxy servers or firewalls, and assume that web browsing is taking place over IPv4. These organizations will need to deploy IPv6 gateways and establish similar defenses for IPv6.

If you haven't already done so, I recommend that you regularly inspect network traffic for IPv6 traffic. You should also check your DNS servers for IPv6 addresses that aren't link-local addresses (i.e., addresses that begin with something other than FE80::).

A Challenging Situation for IT

Microsoft has invested a lot of energy into making sure Windows 8 and Server 2012 are able to work in IPv6-ready environments. In fact, the behavior of the Windows IPv6 client might be more about ensuring connectivity than faulty software. From a technical standpoint, this makes Windows one of the best-prepared OSs for IPv6 environments. From a corporate IT standpoint, it creates some challenges. However, with a little bit of planning, IPv6 works great.