
IPv4 (Internet Protocol version 4) is a widely used protocol for network communication and is a core component of the TCP/IP stack. But it has some limits; one is the number of available addresses, especially when we are talking about public IPs.

IPv6 (Internet Protocol version 6) was designed to resolve all the limitations of IPv4. IPv6 is designated by the Internet Engineering Task Force (IETF) as the successor to IPv4, providing the following benefits:

  • Increased address length. The increased address space resolves the problem of address exhaustion and eliminates the need for network address translation. IPv6 uses 128-bit addresses compared with the 32-bit addresses used by IPv4.
  • Ability for improved address autoconfiguration of nodes.

While IPv6 has been available for many years, its adoption has been slow, and IPv4 remains the dominant protocol.

But almost all systems are configured with both IPv4 and IPv6, and usually both are enabled by default.

Some years ago I wrote a post about disabling IPv6 or not on ESXi hosts.

Now, considering that IPv6 can be used as an attack surface and bugs may be present in the implementation (as the recent Windows bug demonstrates), the answer may be: if you don’t need it, don’t enable it.

If we look at the genesis of the TCP/IP implementation, in the first 10 years there were a lot of bugs (for example, do you remember the ping of death?). But the IPv6 implementation is already older than 10 years… so it should be mature enough… or not? Maybe not enough, as the recent bug demonstrates.

Let’s consider some cases.

Microsoft Windows

Microsoft does not recommend disabling IPv6, which is enabled by default:

“We do not recommend that you disable IPv6 or its components, or some Windows components may not function.” (https://support.microsoft.com/en-us/kb/929852)

And it’s not so easy to disable IPv6! It has to be done via the registry or group policy.

Or you can remove the binding from each network interface card (but in this case it remains enabled for new interfaces).

Note that some services (like Direct Access) may require IPv6!

But if you don’t need them, and considering the recent Windows bug, it could be safe to disable IPv6!

VMware vSphere

What about VMware’s position on IPv6? There isn’t a clear position and it’s enabled by default both on ESXi and vCenter Server.

Note that you can disable it, but on ESXi it requires a reboot!

You can disable it from vSphere Client, from the CLI or also from the DCUI.

In the past there were some bugs with possible PSOD if IPv6 was not enabled… but recently I’ve noticed some issues with vSphere 8.0.2 and vSphere HA that was not working properly if IPv6 was enabled with default options.

Note also that certain vSphere features do not support IPv6:

  • vSphere Management Assistant and ESXCLI connected to Active Directory. Use LDAP to connect the vSphere Management Assistant or the ESXCLI to the Active Directory database.
  • vSphere DPM over Intelligent Platform Management Interface (IPMI) and Hewlett-Packard Integrated Lights-Out (iLO). vSphere 6.5 and later supports only Wake-On-LAN (WOL) to bring a host out of standby mode.
  • Authentication Proxy

Linux

Linux also has, by default, a dual stack for IPv4 and IPv6, and on Linux it is a little tricky to disable IPv6.

You should modify the /etc/sysctl.conf file, for example with vi:

sudo vim /etc/sysctl.conf

And add the following lines to it:

net.ipv6.conf.all.disable_ipv6 = 1 
net.ipv6.conf.default.disable_ipv6 = 1

Now you need to reload the sysctl.conf with the following command:

sudo sysctl -p

And finally you can verify that IPv6 is disabled by running the following command, which should print nothing:

ip a | grep inet6 
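
The script below is an added example, not part of the original post: it checks that both keys from the steps above are persistently set to 1 in /etc/sysctl.conf and lists any interface whose runtime disable_ipv6 flag under /proc/sys/net/ipv6/conf is still 0. The function names and the --audit switch are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit the two sysctl keys from the steps above.
# Function names are hypothetical; paths default to the real locations
# but can be overridden so the checks can be run against fixtures.

# Print the effective (last) value assigned to KEY in a sysctl-style FILE.
# Comment lines (# or ;) are ignored; spaces around '=' are allowed.
sysctl_file_value() {
    key=$1 file=$2
    [ -r "$file" ] || return 0
    awk -F= -v k="$key" '
        /^[ \t]*[#;]/ { next }
        NF >= 2 { n = $1; v = $2
                  gsub(/[ \t]/, "", n); gsub(/[ \t]/, "", v)
                  if (n == k) last = v }
        END { if (last != "") print last }' "$file"
}

# Succeed only if both keys are persistently set to 1 in FILE.
ipv6_persistently_disabled() {
    file=${1:-/etc/sysctl.conf}
    for k in net.ipv6.conf.all.disable_ipv6 \
             net.ipv6.conf.default.disable_ipv6; do
        [ "$(sysctl_file_value "$k" "$file")" = "1" ] || return 1
    done
}

# List interfaces whose runtime disable_ipv6 flag is still 0 under ROOT.
ipv6_enabled_interfaces() {
    root=${1:-/proc/sys/net/ipv6/conf}
    for f in "$root"/*/disable_ipv6; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "0" ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# Audit the live system only when explicitly asked to.
if [ "${1:-}" = "--audit" ]; then
    if ipv6_persistently_disabled; then
        echo "sysctl.conf: IPv6 disabled for all and default"
    else
        echo "sysctl.conf: IPv6 NOT persistently disabled"
    fi
    echo "IPv6 still enabled on: $(ipv6_enabled_interfaces | tr '\n' ' ')"
fi
```

Because the last assignment in the file wins, a later line that sets one of the keys back to 0 is reported as not disabled even when the two lines from this post are present.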