How can I turn off IPv6 temporary addresses in an enterprise environment

    Question

  • So in a default configuration Vista and Windows 7 clients will use IPv6 temporary addresses (per RFC 3041), but I would like to be able to disable this with a GPO.

    I know I can do this by using a startup script tied to a GPO using the netsh interface ipv6 set privacy state=disabled store=persistent command, but I really do not want to run a logon script, especially when, as you can see in the command, it is a persistent setting.

    Any ideas on using a registry based GPO for this?

    Wednesday, June 01, 2011 10:40 PM
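    The following is an added example, not part of the original question or any reply: a GPO computer startup script that makes the netsh command above idempotent, so the persistent setting is written only on machines where temporary addresses are still enabled, and every run leaves a log line for auditing. It assumes it runs as SYSTEM (the persistent store needs elevation), that the "Use Temporary Addresses : enabled|disabled" line appears in the output of netsh interface ipv6 show privacy (it does on Vista and Windows 7), and that the log path is a local choice; the log file name is an assumption.

```powershell
# Added example (not from the thread): idempotent startup script that
# disables IPv6 temporary (RFC 3041/4941) addresses only when they are
# still enabled, so the persistent netsh change is written once per host.
# Assumptions: runs as SYSTEM via a GPO computer startup script on
# Vista/Windows 7 (no Set-NetIPv6Protocol cmdlet there); log path below
# is an assumed location, change it to suit the environment.

$logPath = "$env:SystemRoot\Temp\ipv6-privacy.log"   # assumed log location

function Get-TempAddressState {
    # Parse "Use Temporary Addresses : enabled|disabled" from netsh output.
    # Returns 'enabled', 'disabled', or 'unknown' if the line is not found.
    $out = & netsh.exe interface ipv6 show privacy 2>&1 | ForEach-Object { "$_" }
    foreach ($l in $out) {
        if ($l -match 'Use Temporary Addresses\s*:\s*(\w+)') {
            return $Matches[1].ToLower()
        }
    }
    return 'unknown'
}

$stamp = Get-Date -Format s
$state = Get-TempAddressState

if ($state -eq 'enabled') {
    # Same command as in the question: persistent store survives reboots.
    & netsh.exe interface ipv6 set privacy state=disabled store=persistent | Out-Null
    $after = Get-TempAddressState
    Add-Content -Path $logPath -Value "$stamp changed: $state -> $after"
    # Non-zero exit surfaces a failed change in the startup-script event log.
    if ($after -ne 'disabled') { exit 1 }
} else {
    # Already disabled (or state unreadable): record it and do nothing.
    Add-Content -Path $logPath -Value "$stamp no change needed (state=$state)"
}
exit 0
```

    Assign it under Computer Configuration > Windows Settings > Scripts > Startup rather than as a logon script: it then runs once per boot in the SYSTEM context, and after the first run on each machine it only reads state and logs. On Windows 8 / Server 2012 and later the same check can be done with Get-NetIPv6Protocol and Set-NetIPv6Protocol -UseTemporaryAddresses Disabled, but those cmdlets are not available on the Vista/Windows 7 clients discussed here.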

All replies

  • Just curious here, why?
    Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
    Thursday, June 02, 2011 1:11 PM
  • Just curious here, why?
    Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys

    Accountability and tracking. The temporary addresses can live on a NIC for a few seconds to a few days. They are regenerated (with a new address) every time the IPv6 stack is initialized. These addresses do not register with DNS or DHCP regardless of how you set the M flag in a SLAAC RA configuration.

    Imagine a situation as a network/systems engineer where your boss comes to you and says "I need to know what MAC address was used by this IPv6 temporary address". If you are lucky it's still live on the switch fabric; if you are lucky your tracking and monitoring applications captured the information and you can answer your boss. If you are unlucky you have to go back to your boss and tell him that you cannot track that address any closer than the subnet it came from, which may have a few users or a few hundred.

    Tools out there today are not well suited to capture and correlate those short-lived temporary addresses. The ones that are out there use SNMP to query the switch fabric at regular intervals. These queries can be quite a burden on the CPUs of the switches, potentially impacting performance, even uptime, if the queries are run too often, e.g. every 60 seconds.

    The ideal solution is to have an easy way (read: registry-based GPO) to turn the use of temporary IPv6 addresses off, or make them register in DNS. If this is not possible then your tracking application will have to sniff each L2 segment for NDP traffic, looking for these temporary IPv6 addresses as they go through the DAD process to create/assign them to the NIC. Sniffing every L2 segment in an enterprise network can be just as bad as hammering your switches with SNMP queries. Either way it becomes an expensive and time-consuming issue to be dealt with. If there was a GPO-based method to turn them off though... it becomes pretty much a non-issue with little expense or man-hours to deal with.

    Thursday, June 02, 2011 6:38 PM
  • So I did some more lab testing on this today, and have found that those temporary (RFC 3041) addresses are indeed registering in DNS.

    So that is a step in the right direction, but still not ideal.

    I will have to do some research and see if there is an IPAM solution out there that will query DNS and correlate them to hosts/MAC addresses, or if this is something "that has yet to be invented".

    Thursday, June 02, 2011 9:30 PM
  • Unfortunately, there is no GPO or a registry value that can be set with a GPO to disable temporary addresses on Windows-based computers.
    Thursday, August 25, 2011 4:28 PM