Don’t Disable IPv6!

Scott Hogg

If one is considering disabling IPv6, then one should know the drawbacks of doing so.  Rather than disabling IPv6, we recommend learning about it, understanding how to securely activate it correctly, and moving forward rather than backwards.

Reasons People Might Consider Disabling IPv6

The Internet is complex.  We get it.  And we all desire to make things simpler and reduce complexity by disabling features we don’t think we need.

Lack of Network Engineering Knowledge

Everyone in the IT industry must have some sense of IPv6 and what it does by now.  IPv6 has been coming “any day now” for decades.  However, the reality is that most IT staff haven’t dedicated much time, if any, to learning about IPv6 and how it may be subtly different from the IPv4 they are familiar with.

The impetus to disable IPv6 typically starts with a fundamental lack of understanding of IPv6 and how dual-protocol hosts and applications behave.  When running IPv4 and IPv6 simultaneously and there are connectivity issues, it is human nature to dive right into a process of elimination.  This leads to people suspecting that the technology they don’t understand is the culprit and disabling it eliminates one more possibility.

Lacking any understanding of IPv6 makes it nearly impossible to correctly diagnose the problem and restore proper IPv6 connectivity.  They don’t understand IPv6 or how Happy Eyeballs (RFC 8305) functions on dual-protocol host operating systems and within applications.  They may not know the difference between link-local and global IPv6 addresses.  Maybe there is a problem related to IPv6 and the DNS.  Maybe there is an IPv6 end-to-end routed connectivity issue.  Maybe there is a Path MTU Discovery issue related to dropping ICMPv6 error messages.  By disabling IPv6 they’ll never know the true root cause.

Disabling IPv6 on the end-node will force the computer to only use IPv4.  However, the IPv6 issue still exists and will need to be dealt with in the future when IPv6 is needed.  People are unable to troubleshoot it effectively because of this lack of knowledge of IPv6.  Their knee-jerk reaction is to simply disable it as a “quick fix” but then they realize that action really isn’t fixing anything.
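To make the Happy Eyeballs behavior mentioned above concrete, here is an added example (not code from the original article) of the RFC 8305 connection-racing logic with a simulated network, so it runs offline.  The candidate addresses, latencies and the black-holed IPv6 path are all constructed; the point is that a dual-stack host with a broken IPv6 route still connects over IPv4 after roughly one 250 ms attempt delay, which is why disabling IPv6 is not needed to keep applications working.

```python
import asyncio

# Constructed RFC 8305 candidate list: resolver answers interleaved, IPv6 first.
CANDIDATES = [("2001:db8::10", 443), ("192.0.2.10", 443),
              ("2001:db8::11", 443), ("192.0.2.11", 443)]

async def happy_eyeballs(candidates, connect, delay=0.25):
    """Start the next candidate every `delay` s (RFC 8305 Connection Attempt
    Delay) and return the first success; fail only when every attempt fails."""
    remaining, pending, errors = iter(candidates), set(), []
    while True:
        nxt = next(remaining, None)
        if nxt is not None:
            pending.add(asyncio.create_task(connect(*nxt)))
        if not pending:
            raise OSError(f"all attempts failed: {errors}")
        # Wait for an attempt to finish, or for the delay before the next one.
        done, pending = await asyncio.wait(
            pending, timeout=delay if nxt is not None else None,
            return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            if task.exception() is None:
                for p in pending:
                    p.cancel()
                return task.result()
            errors.append(task.exception())

def simulated_network(latency):
    """connect() for a constructed network: per-address latency in seconds,
    None for a black hole (SYN never answered), or "refused" for an RST."""
    async def connect(host, port):
        lat = latency.get(host, "refused")
        if lat is None:
            await asyncio.sleep(3600)  # never completes; cancelled by the winner
        if lat == "refused":
            raise ConnectionRefusedError(host)
        await asyncio.sleep(lat)
        return f"[{host}]:{port}"
    return connect

def connect_with_broken_ipv6():
    """Article scenario: IPv6 black-holed, IPv4 healthy; connects over IPv4."""
    net = simulated_network({"2001:db8::10": None, "2001:db8::11": None,
                             "192.0.2.10": 0.03, "192.0.2.11": 0.03})
    return asyncio.run(happy_eyeballs(CANDIDATES, net))

def connect_with_healthy_ipv6():
    """Both families work: the IPv6 candidate wins because it starts first."""
    net = simulated_network({"2001:db8::10": 0.03, "192.0.2.10": 0.03})
    return asyncio.run(happy_eyeballs(CANDIDATES, net))
```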

Concerns About Security

It is prudent to be cautious about the security implications of any new technology.  Running IPv4 and IPv6 simultaneously on a computer seemingly doubles the attack surface.

The Microsoft Windows 11 TCP/IP Remote Code Execution Vulnerability CVE-2024-38063 from August 13, 2024, caused many people to consider disabling IPv6.  In fact, Microsoft’s own documentation about the vulnerability stated “Systems are not affected if IPv6 is disabled on the target machine.”  This is contrary to Microsoft’s own recommendations, discussed below, to keep IPv6 enabled.  A better approach is to keep software patched for all vulnerabilities.

Removing IPv6 as a protocol adapter from a wired or wireless interface doesn’t completely disable IPv6.  Windows customers cannot remove the protocol from the kernel, and IPv6 is still active within the computer's inner protocol stack.  This can be demonstrated by disabling IPv6 on all physical interface(s) and observing that it is still possible to “ping ::1” on the loopback interface.

Without a global IPv6 address on a physical interface, it is still possible for an IPv6-inside-IPv4 tunnel to be constructed to control the host or exfiltrate data.  Connections to the attacker’s command-and-control can use a tunnel interface to obfuscate their activities.  It is also feasible for the attacker’s malware to simply re-enable IPv6 in the compromised host.

It is also worth considering if IPv6 traffic could be breaking out of a VPN connection.  If a VPN has only been configured to use IPv4 and the no-split-tunneling rules are only enforcing IPv4 traffic to traverse the VPN, then IPv6 traffic could be bypassing the VPN.

Some popular VPN services do not yet support IPv6.  NordVPN is famous for their lack of IPv6 support and rather than enable IPv6 they have an extensive page showing steps to disable IPv6.  Recently, it was discovered that PureVPN was also allowing IPv6 traffic to bypass the VPN.  PureVPN acknowledged the bug, showed their customers how to disable IPv6, and pledged to correct the issue by the end of the following month.

There are many better approaches to preventing IPv6 VPN Breakout than to try to disable the protocol.  The best approach is to intentionally configure IPv6 on the VPN and configure split tunneling policies for IPv6 to control the traffic, just as is done for IPv4.
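A practical check for the VPN breakout described above is to compare where each address family's Internet-bound traffic actually exits.  The following is an added example, not from the original article or any VPN vendor: it parses constructed Linux `ip -4 route` / `ip -6 route` output (sample interface names and addresses are made up) and reports, per family, whether traffic leaves through the VPN interface or bypasses it.  It also handles the two /1 half-space routes that VPN clients commonly push to override the default route.

```python
import re

# Constructed `ip -4 route` / `ip -6 route` output from a laptop on a VPN
# that was configured for IPv4 only (the breakout case from the article).
SAMPLE_V4 = """\
default via 10.8.0.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23"""
SAMPLE_V6 = """\
::1 dev lo proto kernel metric 256 pref medium
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 600 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium"""
# Same host after the VPN client also pushes IPv6 half-space routes.
SAMPLE_V6_FIXED = SAMPLE_V6 + """
::/1 dev tun0 proto static metric 50 pref medium
8000::/1 dev tun0 proto static metric 50 pref medium"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via \S+)? dev (?P<dev>\S+)(?:.* metric (?P<metric>\d+))?")
# Two /1 routes are the classic way a VPN client captures all traffic without
# touching the existing default route; longest-prefix match makes them win.
HALVES = {"ipv4": ("0.0.0.0/1", "128.0.0.0/1"), "ipv6": ("::/1", "8000::/1")}

def lowest_metric_devs(table):
    """Map each destination prefix to the device of its lowest-metric route."""
    best = {}
    for line in table.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            metric = int(m["metric"] or 0)
            if m["dst"] not in best or metric < best[m["dst"]][0]:
                best[m["dst"]] = (metric, m["dev"])
    return {dst: dev for dst, (_, dev) in best.items()}

def internet_exit_devs(table, family):
    """Interfaces that Internet-bound traffic of this family would leave on."""
    routes = lowest_metric_devs(table)
    a, b = HALVES[family]
    if a in routes and b in routes:
        return {routes[a], routes[b]}
    return {routes["default"]} if "default" in routes else set()

def check_vpn_breakout(v4_table, v6_table, vpn_dev):
    """Per family: 'vpn' if all Internet traffic exits via vpn_dev,
    'breakout' if any of it exits elsewhere, 'none' if there is no route."""
    verdict = {}
    for family, table in (("ipv4", v4_table), ("ipv6", v6_table)):
        devs = internet_exit_devs(table, family)
        verdict[family] = "none" if not devs else "vpn" if devs == {vpn_dev} else "breakout"
    return verdict
```

On a real host, feed the function the output of `ip -4 route show` and `ip -6 route show` and the tunnel interface name; a `breakout` verdict for IPv6 means the no-split-tunneling policy only covers IPv4.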

Social Media’s Influence

Typically, in our experience and observations from the modern-day network engineering space, we find the most common source of misinformation is social media.  Various content creators advocate for disabling IPv6 claiming that it ‘fixed’ their issue to increase their social media clout.

Maybe someone heard from someone else that they disabled IPv6.  They trustingly believe this will be the solution to the network connectivity problem they are dealing with.  They are blindly following the advice of others on the Internet without doing their own research and really understanding the reasoning behind this recommendation.

However, even if IPv6 was not the root cause of the issue, oftentimes they forget to undo this configuration change after finding that disabling IPv6 didn’t actually fix the problem.  Unfortunately, combating misinformation is difficult because there aren’t as many sites discouraging this behavior as there are sites promoting it, such as this one (https://howtodisableipv6.com/).

Drawbacks to Disabling IPv6

When people consider disabling IPv6, often they don’t consider the negative consequences of their actions.  Before anyone considers disabling IPv6, they should first understand the ramifications and what could result from trying to wholesale turn it off.

Masking a Problem

By disabling IPv6, they just swept the problem under the rug.  This is akin to having a flickering lightbulb in a house and, rather than replace the bulb or correct the faulty wiring, simply turning off the light switch.  Eventually, they will need to enable IPv6, and they’ll have to deal with the underlying issue that was causing the IPv6 problem.  They merely delayed having to discover the root cause and correct the issue.

Microsoft’s Recommendations and Receiving Technical Support

Microsoft recommends leaving IPv6 enabled, and they have also alluded to denying organizations technical support services if IPv6 has been disabled in their host operating systems.  Microsoft says that IPv6 is a mandatory feature in their operating systems and discourages people from disabling it.  Microsoft’s Joseph Davies provides “The Argument against Disabling IPv6.”  Furthermore, Microsoft’s article titled “Stop hurting yourself by: Disabling IPv6, why do you really do it?” sounds pretty self-explanatory.

Microsoft’s software is written to work on hosts where IPv4 and IPv6 are both enabled, which is the default configuration.  If IPv6 is disabled, then applications may not behave as Microsoft intends.

Microsoft does describe a “Prefer IPv4 over IPv6” configuration setting rather than trying to disable IPv6 altogether.  It is worth researching if this is really what is required before making this configuration setting.  Again, people running into these networking problems should try to determine the root cause of the IPv6 connectivity failures before trying to demote IPv6.

More Difficult to Disable Than Expected

It is actually extremely difficult to fully disable IPv6 on every device in a network environment of any size.  There isn’t any universal setting in an enterprise network to wholesale disable it, so this may involve visiting each end-node in the environment and manually trying to disable it.

Furthermore, many devices such as printers, IoT devices, cameras, and other embedded devices come with IPv6 enabled by default.  Often there is no method to disable IPv6 on these devices, and for many end-node host operating systems there isn’t any configuration method to disable it either.  There is no single setting or configuration that completely disables IPv6, and it is not possible to remove IPv6 from the kernel of these embedded devices.

It might be possible to use a GPO for Microsoft hosts or try to use a software configuration automation method (like Ansible) to disable IPv6 on data center computers.  However, these methods may not reach all computers and widely scattered devices.  There are also external computers used by remote workers or contractor computers where the organization lacks administrative access.  Furthermore, organizations may end up using an Internet-based application, or cloud service that comes with IPv6 enabled automatically by that vendor.

The amount of effort that is expended trying to disable IPv6 everywhere will become substantial and might even end up becoming a full-time job.

IPv6 Performs Better Than IPv4 on the Internet (on Average)

The performance benefits of using IPv6 have been widely documented by multiple authorities such as APNIC.  IPv6 end-to-end communications do not need NAT for dealing with a scarcity of public addresses.  Therefore, traffic can take a direct route and not need to be backhauled through a NAT.  As a result, IPv6 can be faster than IPv4 (Part 1, Part 2).

If IPv6 is disabled on a server and its application remains reachable only over IPv4, then the clients around the world that have moved onward to IPv6-only networking will need to pass through DNS64/NAT64 systems or use 464XLAT to reach that IPv4-only system and application.  This will negatively impact their performance reaching that app from their IPv6-only nodes.  Their IPv6 traffic will need to be backhauled through a stateful NAT64 or a 464XLAT PLAT, which will add latency.  It is important to first consider how others on the Internet will reach your services and recognize that the clients may already be using IPv6.

Being an IPv6 Technology Laggard

Everett Rogers famously documented how technology trends evolve and how the adoption can fit onto a bell-shaped curve.  His “diffusion of innovations” is applicable to the worldwide adoption of IPv6.

The global transition to IPv6 is inevitable, has already begun, and is well on its way.  IPv6 implementation has been underway for 20 years now and will continue regardless of any attempt to disable IPv6 on one computer.  It is estimated that worldwide IPv6 adoption is around 50% which puts any organization who is just now enabling IPv6 into the “Late Majority” stratification.  If an organization views itself as “tech-forward” then their late adoption of IPv6 says otherwise.

There is no IPv7 on the horizon.  Even if we were able to invent and fully standardize an IP version 10 it would take at least 20 years for it to be implemented globally into every router, server, mobile device and into all the content services.

Disabling IPv6 (and re-enabling it) is actually delaying an organization’s transition to IPv6.  This intentional or unintentional delay is further compressing an organization’s IPv6 deployment timeline.  If they continue to disable IPv6, then eventually they will be one of the few remaining organizations still clinging to IPv4.  This will further isolate their organization from the rest of the Internet and all other organizations connected to the Internet.

Eventually Re-Enabling IPv6

Eventually everyone who disabled IPv6 will need to re-enable IPv6.  When it comes time to enable IPv6, they’ll need to remember all the places they turned it off and how that process was performed.  This will just require more work to activate IPv6 when the time comes.  Disabling IPv6 in the near term is wasted effort.

The amount of time it takes to disable IPv6 and then re-enable it could be equal or greater than the time it takes to completely activate IPv6 on the network and hosts.  For example, if a person spends 100 hours trying to disable IPv6 on end-nodes, then eventually they will spend another 100 hours trying to re-enable IPv6 on those end-nodes.  Then they will still need to work on enabling IPv6 on the routed network and establishing end-to-end IPv6 Internet reachability.  That 200 hours was a complete waste of effort that would have been better spent toward the proper enablement of IPv6.

The Recommended Approach

The recommended alternative to disabling IPv6 is to leave it enabled, effectively troubleshoot it, and proceed to securely deploy it.  With this productive approach you are spending time moving forward, not backward.

Modernizing IT Infrastructure

If an organization considers itself a “tech-forward” company, then why not become informed on the evolution of the TCP/IP protocol and develop a plan?  This puts an organization in a more advantageous position rather than trying to delay the inevitable.

Enterprises should work toward modernizing their IT infrastructure rather than locking into technology from the 1990s.  Not having a plan to proactively enable and secure IPv6 represents a significant risk to the enterprise.  Intentionally or unintentionally ignoring IPv6 is irresponsible and could possibly be considered negligence.

Build a Business Case for IPv6

All organizations should understand their unique business case for enabling IPv6.  Developing a plan to move forward with IPv6 is better than delaying or avoiding it.

If an organization is connected to the Internet, then they need to prepare to deploy IPv6 sooner rather than later.  Companies will want to enable IPv6 to be able to communicate with the broadest population of customers, partners, vendors, suppliers, employees, and everyone else.  Companies should be planning to transition to IPv6 to preserve Internet business continuity.

Starting with a business case is a great first step in getting teams aligned on the goal of IPv6 deployment and helps organizations prioritize those parts of their networked environments that could derive the greatest benefit from IPv6.

Learn About IPv6 and How to Troubleshoot It

One of the critical first steps is for people to become knowledgeable about IPv6, so they can effectively troubleshoot it.  Organizations should build an IPv6 training plan to educate their teams about IPv6 so they know how to enable it properly rather than trying to disable it.  This IPv6 knowledge is valuable to IT support personnel in the near-term because IPv6 is used on much of the Internet already.  Those helpdesk staff are vital to support remote workers who are already using IPv6 on their mobile devices for work activities.

Beginning a Secure IPv6 Implementation

The most common advice is to start by enabling dual-stack connectivity first, as many organizations do not need to go all the way to IPv6-only.  There are many sources of sound advice for organizations to create a plan for deploying IPv6.  One solid example is IETF RFC 7381 “Enterprise IPv6 Deployment Guidelines”.

Just like IETF RFC 7381 recommends, start at the Internet edge and bring IPv6 inward toward the private networks.  The disciplined and methodical approach will start with a network design and a security plan.  The next steps are to create an IPv6 network design that will establish contiguous end-to-end reachability across the core network.

Organizations should aim to proactively secure IPv6 rather than try to disable it everywhere.  This means creating a comprehensive IPv6 security strategy rather than being fearful of something unknown and trying to disable it.
