Link to home
Start Free TrialLog in
Avatar of MNESupport
MNESupport

asked on

To Disable IPV6 or Not

We recently had a security audit in our environment. One of the findings was that we do not have IPV6 configured on our dhcp server but ipv6 is still enabled. This could be an issue with the MITM6 exploit.  It was recommended to either disable IPV6 all together OR to configure DHCP and DNS servers to be able to handle IPv6 so that a rogue DNS server couldn't take over endpoint settings. Im finding alot of conflicting articles about disabling it or not. Does anyone have any experience good or bad for either option? I know Microsoft is strongly against disabling it. 

Avatar of Paul MacDonald
Paul MacDonald
Flag of United States of America image

IPv6 is the future, but not every network needs it or needs it right now.  If you don't have the time or inclination to support it, turn it off for the time being.  You can always turn it on again when you're ready or it becomes manditory.

Avatar of Dr. Klahn
Dr. Klahn

I agree with Paul's comment above.  IPv6 is not at this time needed for a private LAN behind a firewall.  IPv4 is much easier to manage and the knowledge of how to do so is widespread, which cant be said about IPv6.
Microsoft tests all its software with IPv6 enabled.
But, it is not a requirement for any MS software except DirectAccess.

When configuring AD and Exchange, I have seen many problems corrected by disabling IPv6, and very rarely some repaired by activating IPv6.

The rule should be: if IPv6 is disabled on Domain controllers, you should disable it on other servers.
If IPv6 is enabled on Domain controllers, you CAN let it and use it on servers.

Now, configuring DHCPv6 does not help. IPv6 works well without DHCP.
If you configure DHCPv6, Dhcp clients will have a IPv6 given by DHCP and another IPv6 obtained by default. It is simply a little more complicated to manage. So, I don't advice to do so.
Avatar of MNESupport

ASKER

Thank you all for the additional insight. I think we are leaning toward disabling IPv6
ASKER CERTIFIED SOLUTION
Avatar of MNESupport
MNESupport

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial