An attempt to restore the reputation of IPv6
IPv6 is not really new. According to Google, 10% of all users that access Google, do this over an IPv6 connection (Source). My blog is also accessible over IPv6 since its start in January 2014 (and since January 2016 only over HTTPS - thanks to Let’s Encrypt!).
When I talk with customers about IPv6, I often hear things like “Oh, we had to disable it. Too much problems!” or “We had to disable it. With IPv6 enabled, we had connectivity problems.". Sometimes it went wrong. Especially in this cases, where IPv6 was only unbind from the network adapter. That’s the wrong way to “disable” IPv6.
Troublemaker IPv6
I have often heard that IPv6 causes connectivity problems. One of the most common examples is slow internet access. Often in conjuction with Windows Vista, Server 2008 or later, or with Linux (I don’t have a Mac and I don’t have many customers that use Macs a significant number). But every time, disabling IPv6 was the “solution”.
Another example: Domain-joined Windows Clients lose connection to the Active Directory, or can’t join an Active Directory domain. Disabling IPv6 was the “solution”.
This third example is particularly nice: Some of you will know this. It’s the default setting on Active Directory Domain Controllers since Server 2008:
This setting results in an ugly “unknown” in nslookup.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\windows\system32>nslookup
Default Server: UnKnown
Address: ::1
>
Many admins change the setting to “Obtain DNS server address automatically”. Then they will start wondering, why the Active Directory domain has stopped working. Solution? Disabling IPv6.
IPv6 seems to be quite a waste, right? Sometimes it helps to understand why something has happened.
IPv6 Autoconfiguration
With IPv4, you need a DHCP server or static IP addresses. Okay, RFC3927 describes a third way (Dynamic Configuration of IPv4 Link-Local Addresses), but this was added long after the release of IPv4. IPv6 includes an autoconfiguration process. This process is specified in RFC4862 (IPv6 Stateless Address Autoconfiguration). This process is called SLAAC, StateLess Address AutoConfiguration. RFC4862 describes:
The autoconfiguration process includes generating a link-local address, generating global addresses via stateless address autoconfiguration, and the Duplicate Address Detection procedure to verify the uniqueness of the addresses on a link.
These IPv6 link-local addresses are assigned, or changed, whenever an interfaces is
- initialized (for example on system startup),
- an interface is enabled for IPv6,
- an interfaces is re-initialized or,
- an interface is attached to a new network
These IPv6 link-local addresses share a common IPv6 prefix (FE80::/10) and are only valid for the local network (layer 2 domain). They will not be routed. An IPv6 link-local address is dynamically generated and consists of the link-local prefix (FE80::/10) and an interface identifier. Latter is generated from the world-wide unique MAC address. This should ensure that a IPv6 link-local address is unique. Neverless, there is a Duplicate Address Detection (DAD). The relationship between link-local and MAC address is handy, but to protect your privacy, the interface identifier will include a random part (RFC4941 - Privacy Extensions for Stateless Address Autoconfiguration in IPv6).
Open a terminal/ command prompt and check your IP addresses. You will find a IPv6 IP starting with FE80 for each interface (if not, continue reading and re-enable IPv6…). This output is taken from my laptop running Windows 8.1 (german localization).
Drahtlos-LAN-Adapter WiFi:
Verbindungsspezifisches DNS-Suffix: fritz.box
Beschreibung. . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7265
Physische Adresse . . . . . . . . : 4C-34-88-07-12-28
DHCP aktiviert. . . . . . . . . . : Ja
Autokonfiguration aktiviert . . . : Ja
Verbindungslokale IPv6-Adresse . : fe80::89d4:4eb0:3ff4:9172%6(Bevorzugt)
IPv4-Adresse . . . . . . . . . . : 192.168.20.17(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.224
Lease erhalten. . . . . . . . . . : Freitag, 1. Januar 2016 12:47:13
Lease läuft ab. . . . . . . . . . : Montag, 1. Februar 2016 15:15:57
Standardgateway . . . . . . . . . : 192.168.20.30
DHCP-Server . . . . . . . . . . . : 192.168.20.30
DHCPv6-IAID . . . . . . . . . . . : 139211912
DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-1D-9C-96-3B-4C-34-88-07-12-28
DNS-Server . . . . . . . . . . . : 192.168.20.30
NetBIOS über TCP/IP . . . . . . . : Aktiviert
Notice the IPv6 link-local address in the output: fe80:0000:0000:0000:89d4:4eb0:3ff4:9172, or shorter fe80::89d4:4eb0:3ff4:9172. Check your clients, your servers, your switches and routers. Most of them will have an IPv6 link-local address.
Explore the neighborhood
With an IPv6 link-local address, your host has everything to explore the neighborhood. RFC4861 specifies the “Neighbor Discovery for IP version 6 (IPv6)”.
IPv6 nodes on the same link use Neighbor Discovery to discover each other’s presence, to determine each other’s link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors.
Now multicast comes into play. The host will send a request to the multicast address ff02::2 (all routers in the local network). This is called a Router Solicitation. A router will respond to this request with a Router Advertisement. This advertisement include information about the MTU, lifetime and the prefix. The host can use this prefix to create its own local (fc00::/7) or global (2000::/3) unicast IPv6 address. This address also sets together from prefix (included in the Router Advertisement) and an interface identifier (randomly generated due to privacy extension or based on the MAC address of the physical interface). Router Advertisements are sent periodically (default 200 seconds) or as response to a Router Solicitation. Router Advertisements are only sent by routers. Because of this, the sender address of a Router Advertisement is used as default gateway by the host. If multiple routers are available, a in RFC4861 described algorithm will make the selection. If there are no routers available on the local network, there will be no response on a Router Solicitation and the default gateway will not be changed. A Router Advertisement doesn’t include information about DNS servers, domain name etc. The packet offers two flags, that can be used by the host to determine if there is a DHCPv6 server: The M-bit (managed address config flag) is set to 1 if a stateful DHCPv6 is available. The O-bit (other config flag) is set to 1 if the host should ask a stateless DHCPv6 server for DNS servers, domain name etc. If the M-bit is set to 1, the O-bit will be ignored. If the M-bit is set, the IPv6 unicast address is assigned by the stateful DHCPv6 server.
A stateful DHCPv6 server can assign IPv6 IP addresses. A statefless DHCPv6 can’t! Latter can only provide information about optional IP parameters like DNS server, domain name, SNTP server etc.
Neighbor Discovery can do so much more. There are five ICMPv6 packet types, and Router Solicitation and Advertisement are only two of them. The Neighbor Solicitation is used by hosts to determine the link-local address of a neighbor host. It’s also used to verify that a neighbor host is still reachable via a cached link-local address. Neighbor Advertisements are used in the same way as Router Advertisements: They are used to respond a Neighbor Solicitation. Redirect is used to inform hosts that there is a better first hop router for a specific destination. Some admins have the strong wish to block ICMP. Don’t even think about blocking ICMPv6. You will get into trouble.
Putting the pieces together
Imagine you have a network with multiple clients, servers, routers etc. Now you add a new router to your network. It’s a router for home users, but it was cheap and it’s only for a cable connection, that you want to use for downloads. You add the router to your network and the fun starts. Clients can’t connect to the domain network. Your domain controllers are going mad. Branch offices aren’t reachable any more. You disable IPv6 on clients and servers and everything is fine. You enable IPv6, you remove the new router, and everything is fine. But with your new router active and IPv6 enabled, everything is fucked up.
Let me explain what has happened. The new router has started to send Router Advertisements. Your clients and servers now have a new, additional default gateway. Since Microsoft Server 2008 and Windows Vista, IPv6 has precedence over IPv4. Maybe the new router acts as stateless DHCPv6 server. Your clients and servers are now using your ISPs DNS servers. It is logical that services, that relies on your corporate DNS, doesn’t work anymore. If internet is slow, this is mainly a DNS problem. Your ISP or the router treats AAAA DNS requests wrong.
Lessons learned
You should not disable IPv6. Microsoft doesn’t recommend this. It will break things.
We do not recommend that you disable IPv6 or its components, or some Windows components may not function.
If you have trouble with IPv6, check what is wrong and fix it. If a device sends RA or acting as a stateless DHCPv6, configure the device the right way. But stop blaming IPv6. It’s that easy. ;)