Disable IPv6: Don’t do it!

March 9, 2011

Most people already have IPv6 capability whether they know it or not.  All Microsoft operating systems such as Windows Vista and all MacOS releases since 10.2 have IPv6 installed and enabled by default.  Mobile devices running Android 2.1, Apple iOS 4.0, and Symbian 7.0 are configured likewise, as is nearly every *nix variant you can name.  Even the venerable and ubiquitous Windows XP has a latent IPv6 stack which can be activated with a single command.

Typically, IPv6-enabled systems will prefer IPv6 connections over IPv4, so a misconfigured or malfunctioning IPv6 network will cause connectivity problems.  Many popular troubleshooting regimens simply prescribe disabling IPv6 as the “solution,” which really does nothing more than hide the underlying problem with the IPv6 network.  When you have a network problem that is “solved” by disabling IPv6, you have masked the symptom of a bigger problem that warrants further investigation.

What Goes Wrong?

Some people connecting to dual-stacked sites notice connection delays that disappear once IPv6 is disabled.  This can only happen if the IPv6 path has some kind of problem which causes the IPv6 connection to time out before falling back to IPv4.  If this occurs, use a tool like traceroute to check the IPv6 path integrity.  Vary the packet size of the traceroute to look for path MTU problems.  If the source or destination IPv6 address starts with “2002:”, there may be a malfunctioning 6to4 gateway managed by a third party in your path.  In those cases, disable only the troublesome part of IPv6 rather than the whole stack.  Slow connections can also be caused by devices that quietly discard IPv6 packets, like an overzealously configured or buggy firewall.  Blocking ICMPv6 can break IPv6 connectivity, so be sure that is not happening.  Firewalls that block the ports of specific IPv6 services will cause timeouts during the fallback from IPv6 to IPv4.  Also watch for layer 2 transparent firewalls that are not IPv6 aware.

Sometimes, connections fail completely until IPv6 is disabled.  Misconfigured or buggy DNS resolvers may cause dual-stack connections to fail by erroneously returning an NXDOMAIN reply to a AAAA request.  Misplaced IPv6 routers can inject information into the network which draws packets into black holes, wreaking as much havoc as a rogue DHCP server.  Look for unauthorized devices sending IPv6 Router Advertisements, or enable first hop security features.
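
One way to look for the unauthorized Router Advertisements mentioned above, as an added example that is not part of the original post: it parses the ICMPv6 payload of an RA and flags senders that are not on an allowlist. The allowlist entry `fe80::1`, the function names and the sample bytes are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Assumption for this example: link-local addresses of routers allowed to send RAs.
AUTHORIZED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}

# Constructed sample: ICMPv6 payload of one RA (checksum left at zero).
SAMPLE_RA = bytes.fromhex(
    "8600000040000708" "0000000000000000"    # type 134, hop limit 64, router lifetime 1800 s
    "0101" "020000000099"                    # option 1: source MAC 02:00:00:00:00:99
    "030440c0" "00015180" "00003840" "00000000"  # option 3: /64, flags, lifetimes
    "20010db80bad00000000000000000000"       # advertised prefix 2001:db8:bad::
)

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861, type 134)."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    (lifetime,) = struct.unpack_from("!H", icmp6, 6)
    ra = {"router_lifetime": lifetime, "prefixes": [], "mac": None}
    off = 16
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length counts 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed or truncated option")
        body = icmp6[off:off + opt_len]
        if opt_type == 1:                        # Source Link-Layer Address
            ra["mac"] = body[2:8].hex(":")
        elif opt_type == 3 and opt_len == 32:    # Prefix Information
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[16:32])}/{body[2]}")
        off += opt_len
    return ra

def check_ra(src: str, icmp6: bytes) -> list:
    """Return findings for one RA; an empty list means the sender is authorized."""
    sender = ipaddress.IPv6Address(src)
    if sender in AUTHORIZED_ROUTERS:
        return []
    ra = parse_ra(icmp6)
    findings = [f"unauthorized RA from {sender} (MAC {ra['mac']}) advertising {ra['prefixes']}"]
    if ra["router_lifetime"] > 0:  # non-zero lifetime: hosts may install it as a default router
        findings.append(f"{sender} offers itself as default router for {ra['router_lifetime']} s")
    return findings

if __name__ == "__main__":
    for finding in check_ra("fe80::99", SAMPLE_RA):
        print(finding)
```
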

What Should You Do?

The moral of the story: If you notice that IPv6 needs fixing, fix it today rather than postponing until tomorrow.  We live in the early days of mass deployment of IPv6, and we need to work together to untangle the implementation quirks that arise.  The list of fixes above represents only a small sampling of potential issues.  You can always seek help at the World IPv6 Day – IPv6 Transition community in the Cisco Support Forums, or at any number of reputable IPv6 discussion forums.  Use network misbehavior as an opportunity to learn about and improve the state of IPv6 internetworking and resist any temptations to disable the protocol.
