
magamiako

join:2006-01-14
Halethorpe, MD

Windows IPv6 Questions

So I'm running an he.net tunnel from my juniper firewall to provide ipv6 to my LAN. Everything on the LAN is dual stack. Router adverts working, DHCPv6 working. All in tandem with v4. Wonderful, great, awesome.

Odd behavior though:

I've manually configured my PC's host yet Windows has not only used the advertised prefix to generate a "temporary" address, but it also created a global address.

Addr Type  DAD State   Valid Life    Pref. Life    Address
---------  ----------- ------------  ------------  ---------------------------------------
Manual     Preferred   infinite      infinite      2001:470:1f07:115d::dead:beef
Public     Preferred   29d23h59m41s  6d23h59m41s   2001:470:1f07:115d:9c4a:4a32:8100:3fa1
Other      Preferred   infinite      infinite      fe80::9c4a:4a32:8100:3fa1%10

I've disabled the "temporary" address by disabling the privacy extensions, but I can't seem to prevent it from auto generating a "global" address.

Also interestingly enough, it did this:

Active Routes:
 If  Metric  Network Destination  Gateway
 10     276  ::/0                 fe80::210:dbff:fe80:d732
 10     276  ::/0                 2001:470:1f07:115d::1

Which I don't quite understand why it did this either... Well, I understand *what* is happening, I just don't know why it's not ignoring stateless config with a static address.

lestat99

join:2000-08-04
Piscataway, NJ

said by magamiako:

I've manually configured my PC's host yet Windows has not only used the advertised prefix to generate a "temporary" address, but it also created a global address.

Right, that is what is supposed to happen with SLAAC. It is taking the RAs from your firewall and generating a global address. First question is why wouldn't you want the global address?

If for whatever reason you don't want a global address and SLAAC to auto generate addresses, the easiest thing to do is to go into the firewall and disable RAs.

magamiako

join:2006-01-14
Halethorpe, MD

said by lestat99:

said by magamiako:

I've manually configured my PC's host yet Windows has not only used the advertised prefix to generate a "temporary" address, but it also created a global address.

Right, that is what is supposed to happen with SLAAC. It is taking the RAs from your firewall and generating a global address. First question is why wouldn't you want the global address?

If for whatever reason you don't want a global address and SLAAC to auto generate addresses, the easiest thing to do is to go into the firewall and disable RAs.

The idea is that I have a statically configured address for this machine for providing services on the net. While the rest of the LAN gets autoconfigured.

I already configured a global address manually in TCP/IPv6 properties for "Local Area Connection".

I'm not quite sure why it's using autoconfiguration *in addition* to the manual configuration.

See the point yet?

magamiako

join:2006-01-14
Halethorpe, MD

I shall further elaborate on the conundrum.

Technically speaking, left to its devices I'd end up with 2 configured default gateways, 3 global addresses, and the standard link-local address.

My statically configured information (global)
a self-generated address (global)
and the generated "temporary" address (global)


magamiako

join:2006-01-14
Halethorpe, MD

Well, I guess what I didn't know is that in a static configuration you have to manually go in and disable routerdiscovery. The proper command on Windows is to go and type the following
netsh int ipv6 set interface <IFIndex, usually 10> routerdiscovery=disabled



SomeJoe7777

join:2010-03-30
Houston, TX
kudos:7

You can disable the routerdiscovery if you want and it will no longer generate the global address, but it isn't necessary.

It's fine to have the machine multihomed. In IPv6, multihomed interfaces are the norm. Other machines on the network can refer to that machine by any address they want to.

I have a Windows Server (2008R2) up at home in a very similar network setup. Yes, its interface eventually gets 4 addresses: link-local, temporary, the RA-generated global, and the static I assigned it. It runs fine.


magamiako

join:2006-01-14
Halethorpe, MD

Just to follow up with SomeJoe on this since I'm sure others may ask the question. While applications work fine with multi-homing, you may want some applications to take one address over another. Perhaps you have specific firewall policies on your edge device that point to a specific address? What if the application binds itself to the other address and can't receive requests?

You could argue host-based firewalls, but a lot of business structure places the firewall rules into the hands of the network team and not the systems team.

I think most people who update to v6 will want to turn off stateless configuration for any device that is a permanent "server" and simply statically configure them.
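The check that follows from this post, as an added example that is not part of the thread: a Python script that parses the column layout of the `netsh interface ipv6 show addresses` and `show route` output quoted earlier and flags any global address on a static-only server that did not come from manual configuration (the SLAAC "Public" and "Temporary" entries), plus every default route the host currently holds. The sample text is constructed for this example using the 2001:db8::/32 documentation prefix, not the poster's real addresses; the regexes assume the English netsh output format shown in the thread.

```python
"""Audit a Windows host's IPv6 configuration from netsh output.

Added example, not from the thread.  It parses the same column layout as the
`netsh interface ipv6 show addresses` and `show route` output quoted above and
flags global addresses whose origin is not manual configuration, which is the
drift a static-only server should not show.  All sample text is constructed
(2001:db8::/32 is the documentation prefix)."""
import ipaddress
import re
from dataclasses import dataclass

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # RFC 4291 global unicast range

# Constructed sample in the layout of `netsh interface ipv6 show addresses`.
SAMPLE_ADDRESSES = """\
Interface 10: Local Area Connection

Addr Type  DAD State   Valid Life    Pref. Life    Address
---------  ----------- ------------  ------------  ---------------------------------------
Manual     Preferred   infinite      infinite      2001:db8:1f07:115d::dead:beef
Public     Preferred   29d23h59m41s  6d23h59m41s   2001:db8:1f07:115d:9c4a:4a32:8100:3fa1
Temporary  Preferred   6d23h59m41s   23h59m41s     2001:db8:1f07:115d:a1b2:c3d4:e5f6:789a
Other      Preferred   infinite      infinite      fe80::9c4a:4a32:8100:3fa1%10
"""

# Constructed sample in the layout of `netsh interface ipv6 show route`.
SAMPLE_ROUTES = """\
Active Routes:
 If  Metric  Network Destination      Gateway
 10     276  ::/0                     fe80::210:dbff:fe80:d732
 10     276  ::/0                     2001:db8:1f07:115d::1
 10     276  2001:db8:1f07:115d::/64  On-link
"""

IFACE_RE = re.compile(r"^Interface\s+(?P<idx>\d+):")
ADDR_RE = re.compile(
    r"^(?P<type>Manual|Dhcp|Public|Temporary|Other)\s+(?P<dad>\S+)\s+"
    r"(?P<valid>\S+)\s+(?P<pref>\S+)\s+(?P<addr>\S+)\s*$")
ROUTE_RE = re.compile(r"^\s*(?P<idx>\d+)\s+(?P<metric>\d+)\s+(?P<dest>\S+)\s+(?P<gw>\S+)\s*$")


@dataclass
class HostAddress:
    iface: int
    origin: str          # netsh "Addr Type": Manual, Dhcp, Public (SLAAC), Temporary, Other
    dad_state: str
    address: ipaddress.IPv6Address


def parse_addresses(text):
    """Turn `show addresses` output into HostAddress records (zone ids such as %10 are stripped)."""
    iface, records = None, []
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = int(m.group("idx"))
            continue
        m = ADDR_RE.match(line)
        if m:
            raw = m.group("addr").split("%", 1)[0]
            records.append(HostAddress(iface, m.group("type"), m.group("dad"),
                                       ipaddress.IPv6Address(raw)))
    return records


def unexpected_global_addresses(text, allowed_origins=("Manual",)):
    """Global unicast addresses whose origin is not in allowed_origins, as (iface, origin, address)."""
    return [(a.iface, a.origin, str(a.address))
            for a in parse_addresses(text)
            if a.address in GLOBAL_UNICAST and a.origin not in allowed_origins]


def default_gateways(text):
    """Every ::/0 route as (iface, gateway).  Two on one interface is the
    'manual gateway plus RA-learned gateway' situation from the first post."""
    return [(int(m.group("idx")), m.group("gw"))
            for m in map(ROUTE_RE.match, text.splitlines())
            if m and m.group("dest") == "::/0"]


if __name__ == "__main__":
    for finding in unexpected_global_addresses(SAMPLE_ADDRESSES):
        print("non-manual global address:", finding)
    for gw in default_gateways(SAMPLE_ROUTES):
        print("default route via:", gw)
```

Feed it the real output of the two netsh commands and an empty result from `unexpected_global_addresses` is what a server with `routerdiscovery=disabled` should produce; link-local addresses are never flagged because they are outside 2000::/3.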



SomeJoe7777

join:2010-03-30
Houston, TX
kudos:7

If you have a firewall policy on the edge router that only allows a certain IPv6 address for inbound communication, then you control the client's use of that address through DNS. Your published AAAA record will only contain the statically-assigned address, and that's the one that should be configured as the firewall pinhole.

By default, applications almost always bind to every address and interface on the machine. You have to go out of your way to change that.

The bottom line is that no one but your internal admins will see the RA global, temporary, or link-local addresses. External clients won't even know those exist.


Westacular

join:2007-08-28

reply to magamiako

said by magamiako:

I'm not quite sure why it's using autoconfiguration *in addition* to the manual configuration.

Because it can. That's the way most hosts will work; it's seen as more reliable to configure using all means available.

Ignore what others said about turning off RAs entirely -- that is a recipe for breaking things. If you're routing IPv6 data, you should *always* be issuing the appropriate RAs.

If you don't want any hosts to do SLAAC (and instead have them all rely on DHCPv6 or manual settings for address configuration), change your router advertisements to tell them that: set the A flag to 0 in the prefix section. This will tell hosts that they should NOT perform SLAAC using that advertised prefix.

"Temporary" addresses are an extension of SLAAC to handle privacy issues. If hosts are told not to do SLAAC, the temporary addresses will also disappear.

The main drawback about setting A=0 (which may or may not affect you) is that not all IPv6-capable hosts come with out-of-the-box DHCPv6 support (notably Mac OS X). Hopefully this will change in the coming year.
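The A flag Westacular refers to, shown at the byte level as an added example that is not part of the thread: a Python script that encodes and decodes the Router Advertisement Prefix Information Option from RFC 4861 and applies the RFC 4862 section 5.5.3 rules a host uses to decide whether to run SLAAC on an advertised prefix (A flag set, prefix not link-local, preferred lifetime not above valid lifetime, prefix length plus interface identifier equal to 128 bits). The prefix is the constructed documentation prefix 2001:db8:1f07:115d::/64; packets are built in memory only, with the ICMPv6 checksum left at zero.

```python
"""Build and audit Router Advertisement prefix options (RFC 4861 / RFC 4862).

Added example, not from the thread.  It shows where the A (autonomous) flag
lives in the Prefix Information Option and applies the RFC 4862 5.5.3 rules a
host uses to decide whether to run SLAAC on an advertised prefix.  Packets are
constructed in memory; nothing is sent and the ICMPv6 checksum is left 0."""
import ipaddress
import struct

RA_TYPE = 134                        # ICMPv6 Router Advertisement
PIO_TYPE = 3                         # Prefix Information Option
PIO_LENGTH = 4                       # option length in 8-octet units (32 bytes)
PIO_FLAG_L = 0x80                    # on-link
PIO_FLAG_A = 0x40                    # autonomous address-configuration (SLAAC)
RA_FLAG_M = 0x80                     # managed: use DHCPv6 for addresses
RA_FLAG_O = 0x40                     # other: use DHCPv6 for DNS and similar

# type, code, checksum, cur hop limit, M/O flags, router lifetime, reachable time, retrans timer
RA_HEADER = struct.Struct("!BBHBBHII")
# type, length, prefix length, L/A flags, valid lifetime, preferred lifetime, reserved, prefix
PIO = struct.Struct("!BBBBIII16s")


def build_prefix_info(prefix, on_link=True, autonomous=True,
                      valid_lifetime=2592000, preferred_lifetime=604800):
    """Encode one PIO.  Defaults are 30 days / 7 days, the lifetimes in the thread's netsh output."""
    net = ipaddress.IPv6Network(prefix)
    flags = (PIO_FLAG_L if on_link else 0) | (PIO_FLAG_A if autonomous else 0)
    return PIO.pack(PIO_TYPE, PIO_LENGTH, net.prefixlen, flags,
                    valid_lifetime, preferred_lifetime, 0, net.network_address.packed)


def parse_prefix_info(data):
    """Decode a PIO into a dict; raises ValueError on a malformed option."""
    if len(data) != PIO.size:
        raise ValueError("PIO must be exactly 32 bytes")
    otype, olen, plen, flags, valid, preferred, _reserved, prefix = PIO.unpack(data)
    if otype != PIO_TYPE or olen != PIO_LENGTH or plen > 128:
        raise ValueError("not a well-formed Prefix Information Option")
    return {
        "prefix": f"{ipaddress.IPv6Address(prefix)}/{plen}",
        "on_link": bool(flags & PIO_FLAG_L),
        "autonomous": bool(flags & PIO_FLAG_A),
        "valid_lifetime": valid,
        "preferred_lifetime": preferred,
    }


def host_will_slaac(pio, iid_bits=64):
    """RFC 4862 5.5.3: the conditions under which a host autoconfigures from this prefix."""
    net = ipaddress.IPv6Network(pio["prefix"], strict=False)
    if not pio["autonomous"]:                       # A=0: hosts must not SLAAC on this prefix
        return False
    if net.network_address.is_link_local:           # link-local prefixes are ignored
        return False
    if pio["preferred_lifetime"] > pio["valid_lifetime"]:
        return False
    return net.prefixlen + iid_bits == 128          # prefix + interface id must fill 128 bits


def build_router_advertisement(options, managed=False, other=False, router_lifetime=1800):
    """RA header followed by raw option bytes.  Checksum is 0 because this is never transmitted."""
    flags = (RA_FLAG_M if managed else 0) | (RA_FLAG_O if other else 0)
    return RA_HEADER.pack(RA_TYPE, 0, 0, 64, flags, router_lifetime, 0, 0) + b"".join(options)


def iter_options(ra):
    """Walk the RA's TLV options, rejecting the zero-length option RFC 4861 4.6 says to discard."""
    off = RA_HEADER.size
    while off + 2 <= len(ra):
        otype, olen = ra[off], ra[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")
        end = off + olen * 8
        if end > len(ra):
            raise ValueError("truncated option")
        yield otype, ra[off:end]
        off = end


def audit_router_advertisement(ra):
    """For each advertised prefix: (prefix, hosts will SLAAC, M flag set on the RA)."""
    managed = bool(ra[5] & RA_FLAG_M)               # byte 5 of the header holds the M/O flags
    result = []
    for otype, data in iter_options(ra):
        if otype == PIO_TYPE:
            pio = parse_prefix_info(data)
            result.append((pio["prefix"], host_will_slaac(pio), managed))
    return result


if __name__ == "__main__":
    lan = "2001:db8:1f07:115d::/64"                  # constructed documentation prefix
    as_is = build_router_advertisement([build_prefix_info(lan)])
    fixed = build_router_advertisement([build_prefix_info(lan, autonomous=False)],
                                       managed=True, other=True)
    print("default RA  :", audit_router_advertisement(as_is))
    print("A=0, M=1 RA :", audit_router_advertisement(fixed))
```

Pointing `audit_router_advertisement` at the ICMPv6 payload of an RA captured on the LAN shows whether the router is still telling hosts to autoconfigure: a prefix reported with `False` in the second field carries A=0, which is the setting that makes both the "Public" and the "Temporary" addresses disappear while the default route and on-link information in the RA keep working.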

over 12.5 years online © 1999-2012 dslreports.com.