Does disabling IPv6 decrease my surface area of attack and increase performance?



I have a colleague that is on this whole kick of disabling IPv6 while leaving IPv4 on each new machine that comes in before deploying in our environment. He takes his personal anecdotal evidence and claims that disabling IPv6 helps with network performance because there are fewer "advertising/request" packets that the backbone and the nodes have to process. He then quickly adds that it also creates less of a surface area in which attackers could potentially try to attack.

While these arguments sound good on paper, I question the anecdotal evidence provided and the security "precaution" that disabling IPv6 may provide. Heck, I even found this post where one of the posters mentions that IPv6 could even provide a marginal improvement. Differences in networks aside, do these claims hold water?

Chad Harrison

Posted 2012-05-14T16:32:02.920

Reputation: 5 759

+1 for superuser/skeptics question. Makes me curious about the proposed theme. – Diogo – 2012-05-14T16:40:16.403



He's 100% correct about additional overhead as each device/PC will be advertising and building an ARP cache for both IPv6 and IPv4. However the actual amount of traffic being generated is quite small (typical ARP packet size is 28 bytes).

It should be inconsequential. BUT if you have something like an NMS system that uses WMI queries, SNMP polling (traps don't create much traffic), or does netflow/Jflow exporting in an environment that is latency/quality sensitive it would make sense to remove as much background noise as possible. Particularly IPv6... Is there a possibility you are ever going to need IPv6 internally? Doubtful, as the private blocks in IPv4 provide plenty of addresses for even the largest businesses. Unless you have specific need for IPv6 in your environment, the better question would be why leave it on? I know in my environment we are leaving it off just because it is an additional layer that could be causing problems when troubleshooting.

Remember even if a network device or PC is not actively being used it is still responding and advertising NetBIOS/ARP, so there is still some albeit small traffic being generated.

I should add that "creates less of a surface area in which attackers could potentially try to attack" is complete nonsense... It's not like you need to add an additional firewall or WAN for the IPv6 traffic. There is still the same edge device performing NAT whether IPv6 is on or not.



Reputation: 8 643

Additionally, I mess up IPv6 traffic with Wireshark at my work and I saw a lot of DHCPv6 and ICMPv6 packets coming from a lot of sources.. – Diogo – 2012-05-14T16:59:38.470


From Microsoft

It is unfortunate that some organizations disable IPv6 on their computers running Windows Vista or Windows Server 2008, where it is installed and enabled by default. Many disable IPv6 based on the assumption that they are not running any applications or services that use it. Others might disable it because of a misperception that having both IPv4 and IPv6 enabled effectively doubles their DNS and Web traffic. This is not true.

From Microsoft’s perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.

Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled. By leaving IPv6 enabled, you do not disable IPv6-only applications and services (for example, HomeGroup in Windows 7 and DirectAccess in Windows 7 and Windows Server 2008 R2 are IPv6-only) and your hosts can take advantage of IPv6-enhanced connectivity.



Reputation: 54 203

Although to be fair, anyone deploying computers really does need to know whether their OS is using ipv6, so, "applications that you might not think are using IPv6" and "Microsoft does not perform any testing to determine the effects of disabling IPv6" might be considered a bit risky. On a corporate routed network, with no ipv6 on the routers, does that mean those features will or won't work properly. – EightBitTony – 2012-05-14T17:02:46.370

@EightBitTony - In time those routers will be replaced. At which time they will support IPv6 if they don't already support it. I can understand the reasons Microsoft would decide not to run tests with IPv6 disabled, the future is IPv6 all equipment going forward should support it, it would be like testing IPv4 being disabled while IPv6 is enabled. – Ramhound – 2012-05-14T17:08:16.083

@Ramhound yes they will be replaced, in a controlled manner, at which point the organisation may take a decision to enable some ipv6 services or not, but IT organisations hate unplanned, unexpected change. Adding a new router shouldn't suddenly allow traffic around that you weren't expecting. – EightBitTony – 2012-05-14T17:11:34.173

@EightBitTony: I believe Microsoft uses Teredo to get IPv6 over UDP when there is no working IPv6 route. – Zan Lynx – 2012-05-14T21:15:12.077


I think the general theory in computer security that you should disable any service you don't use holds up pretty well. If you don't need it, turn it off, has long been a standard first step in computer security and I don't see why it shouldn't apply to networking as well.



Reputation: 3 741

This just leads to an entire industry delaying the switch from IPv4 to IPv6 for an additional 5 years, allowing a problem that should have been solved by the switch (IPv4 blocks all being allocated) to actually become a problem. This is the reason that in 2012 I am still not assigned an IPv6 address by my ISP. – Ramhound – 2012-05-14T17:10:08.967

Sorry, but totally disagree. We're not talking about internet services here, we're talking about internal networks. Switch on desired services, switch off unnecessary ones. If you want ipv6 turn it on, if you don't need ipv4 turn it off. – EightBitTony – 2012-05-14T17:12:49.133


Here's an anecdote for you.

At one of my previous employers (a fortune 500 company), the network administrator made a mistake when defining the IPv6 firewall rules.

The result? All of our internal IPv6-enabled networks were exposed to the internet. Until I pointed it out to him, and he promptly fixed it.

This guy wasn't an idiot, either. It's just that the no-NAT nature of IPv6 makes this a hell of a lot easier to do by mistake. So... increase in attack surface? Hell yes.

Now, granted, the likelihood of someone discovering this security hole is rather slim. It's not easy to port scan a block of IPv6 hosts. But if you notice traffic from what appears to be someone's internal network, you can always talk back to the host that you just saw talking.



Reputation: 931

"All of our internal IPv6-enabled networks were exposed to the internet." The real question here: why was this such a serious issue? I know people who have given up (I am not making this up, they told me explicitly they have given up) on knowing 1) what's installed 2) what's listening on a socket 3) what's a potential vulnerability, and I think it's terrible. Defense in depth is one thing, but you need to know which processes have listening sockets and potential vulns, or worms could spread from inside the border firewall (or NAT device). – curiousguy – 2014-08-31T15:22:03.747
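The failure mode in the answer above (and the comment's point about knowing what is listening) can be checked mechanically on a dual-stack Linux host. The following is an added example, not code from the thread or from any of its posters: it parses `ss -ltn`-style output to find sockets reachable over IPv6, then compares `iptables -S INPUT` against `ip6tables -S INPUT` to report IPv4 rules with no IPv6 counterpart. All inputs are constructed samples; the treatment of `*` as the IPv6 unspecified address, the dropping of `-s`/`-d` arguments and the `icmp` to `icmpv6` rename during rule comparison are assumptions made for the comparison, not properties of iptables itself.

```python
"""Added example: audit IPv6 exposure on a dual-stack Linux host.

Check 1: which listening ports are reachable over IPv6 (bound to the
unspecified address or to a non-loopback, non-link-local IPv6 address).
Check 2: which iptables INPUT rules have no ip6tables counterpart, and
whether the IPv6 chain's default policy is more permissive.
All sample data below is constructed, not captured from a real host.
"""
import ipaddress
import re

# Constructed sample of `ss -ltn` on a dual-stack host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       511     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       511     *:8080               *:*
LISTEN  0       100     [::1]:25             [::]:*
LISTEN  0       50      [2001:db8::10]:3306  [::]:*
"""

# Constructed `iptables -S INPUT`: locked down for IPv4.
SAMPLE_IPTABLES = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
"""

# Constructed `ip6tables -S INPUT`: the mistake from the anecdote,
# default ACCEPT and no per-service rules.
SAMPLE_IP6TABLES_BROKEN = """\
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
"""

# Constructed `ip6tables -S INPUT` after the fix: mirrors the IPv4 chain.
SAMPLE_IP6TABLES_FIXED = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -s fd00::/8 -j ACCEPT
-A INPUT -p tcp --dport 8080 -s fd00::/8 -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
"""

_ADDR_OPT = re.compile(r"\s-(?:s|d)\s\S+")   # strip -s/-d and their argument
_DPORT = re.compile(r"--dport\s+(\d+)")


def parse_ss_listeners(ss_output):
    """Yield (ip_version, ip_address, port) for each LISTEN line.
    Assumption: `*`, `[::]` and `::` all denote the IPv6 unspecified address."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        addr = addr.strip("[]")
        if addr == "*":
            addr = "::"
        ip = ipaddress.ip_address(addr)
        listeners.append((ip.version, ip, int(port)))
    return listeners


def ipv6_reachable_ports(ss_output):
    """Ports a remote peer could reach over IPv6, ignoring the firewall."""
    ports = set()
    for version, ip, port in parse_ss_listeners(ss_output):
        if version == 6 and (ip.is_unspecified or not (ip.is_loopback or ip.is_link_local)):
            ports.add(port)
    return sorted(ports)


def parse_rules(rules_text):
    """Return (default policy, normalised -A INPUT rules) from `-S INPUT` output.
    Normalisation drops -s/-d (addresses differ per family) and renames
    icmp to icmpv6 so equivalent rules compare equal across families."""
    policy, rules = None, []
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith("-P INPUT "):
            policy = line.split()[2]
        elif line.startswith("-A INPUT "):
            rules.append(_ADDR_OPT.sub("", line).replace("-p icmp ", "-p icmpv6 "))
    return policy, rules


def firewall_gaps(v4_text, v6_text):
    """IPv4 INPUT rules with no IPv6 equivalent, plus both default policies."""
    v4_policy, v4_rules = parse_rules(v4_text)
    v6_policy, v6_rules = parse_rules(v6_text)
    present = set(v6_rules)
    return {"policy": (v4_policy, v6_policy),
            "missing": [r for r in v4_rules if r not in present]}


def exposed_over_ipv6(ss_output, v4_text, v6_text):
    """First-order check: IPv6-reachable ports that no ip6tables INPUT rule
    mentions while the chain's default policy is ACCEPT."""
    v6_policy, v6_rules = parse_rules(v6_text)
    if v6_policy != "ACCEPT":
        return []
    filtered = {int(p) for r in v6_rules for p in _DPORT.findall(r)}
    return [p for p in ipv6_reachable_ports(ss_output) if p not in filtered]


if __name__ == "__main__":
    print("IPv6-reachable ports:", ipv6_reachable_ports(SAMPLE_SS))
    print("gaps (broken):", firewall_gaps(SAMPLE_IPTABLES, SAMPLE_IP6TABLES_BROKEN))
    print("exposed (broken):", exposed_over_ipv6(SAMPLE_SS, SAMPLE_IPTABLES, SAMPLE_IP6TABLES_BROKEN))
    print("exposed (fixed):", exposed_over_ipv6(SAMPLE_SS, SAMPLE_IPTABLES, SAMPLE_IP6TABLES_FIXED))
```

On a real host, feed it the output of `ss -ltn`, `iptables -S INPUT` and `ip6tables -S INPUT` instead of the samples. The rule comparison is deliberately coarse: it only tells you that a rule you wrote for IPv4 has no IPv6 twin, and the exposure check ignores DROP rules on an ACCEPT chain and unrestricted ACCEPT rules on a DROP chain, so treat its output as a list of things to look at, not a verdict. The sample run reproduces the anecdote: with the broken IPv6 chain, the SSH, MySQL and 8080 listeners are all reachable from anywhere that can route to the host's global address, with nothing equivalent to the IPv4 NAT boundary in the way.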