Introduction
An application server can only be accessed via IPv6 from other computers when its host Operating System and Local Area Network (LAN) segment are IPv6-enabled. The steps required to enable IPv6 on a host Operating System (if required) and on LAN equipment are described by separate articles in the IP Transport section of the IPv6 knowledge base.
Since 2011, all Microsoft Windows application servers have supported IPv6. This Microsoft article reviewed the IPv6 support status of Microsoft application servers and Operating Systems as of Sept, 2017. The current IPv6 support status of Microsoft application servers is given below in Further Resources. Adding IPv6 support to non-Microsoft software is discussed by the Application Conversion Introduction and Application Conversion Tools articles in the Applications section.
During Feb, 2011, Rand Morimoto published an 8-part series of articles on the NetworkWorld website. In this series, he described and gave examples of the steps required to deploy IPv6 across a Small-Medium Business (SMB) Microsoft environment. The specific application server configuration examples are applicable to any environment. These articles cover many important infrastructure elements, and are summarized below:
Part 1: Getting Serious with IPv6 in a Windows Networking Environment
Part 2: IPv6 Addressing, Subnets, Private Addresses
Part 3: IPv6 Static Addressing and DNSv6
Part 4: Setting up DHCPv6 to Dynamically Issue IPv6 Addresses in a Network
Part 5: Configuring Microsoft Active Directory to Support IPv6
Part 6: Configuring IPv6 Routing through IPv4 in a Microsoft Windows Environment
Part 7: Best Practices at Configuring Applications for IPv6 for a Microsoft Windows Environment
Part 8: Planning Your Cutover to IPv6 for Your Microsoft Windows Environment
The paragraphs below provide links to the individual NetworkWorld articles. It might be helpful to read Part 8 (written last) after reading the introductory material contained in Part 1 and before looking at the details contained in Part 2 through Part 7.
The series of articles was based on the then-current release, Windows Server 2008 R2. Unless otherwise noted, the steps required to deploy IPv6 in Windows Server 2008 R2 apply to later releases. Since that time, subsequent releases of Windows Server have added capabilities supporting IPv6, including:
a. Among the capabilities new to Windows Server 2012:
Internet Protocol Address Management (IPAM) feature described here
b. Among the capabilities new to Windows Server 2016:
built-in IPv6 root hints described here
support for Software Defined Networking (SDN)
c. Among the capabilities new to Windows Server 2019:
capability to support dual-stack (IPv6 in addition to legacy IPv4) and IPv6-only SDN
d. A description of the many new and updated capabilities of Windows Server 2022 is available here.
Part 1: Getting Serious with IPv6 in a Windows Networking Environment
The article provides a quick summary of the steps necessary for an organization to implement and really use IPv6 in a Windows networking environment:
a. upgrade as necessary and then enable IPv6 on Active Directory Servers, Domain Name Servers, Dynamic Host Configuration Protocol Servers,
b. upgrade as necessary and then enable IPv6 on client systems (if necessary – most upgraded client systems will already have IPv6 enabled by default),
c. upgrade as necessary and then enable IPv6 on internal servers (for example, Exchange, Sharepoint, SQL and the like),
d. upgrade as necessary and then enable IPv6 on local internetworking equipment, and
e. enable IPv6 routing between local internetworking equipment and the external Internet.
In addition, the Getting Serious with IPv6 in a Windows Networking Environment article also includes (from the perspective of 2011):
1. a short discussion of IPv4 address exhaustion issues and
2. some answers to questions about why IPv4 address exhaustion is really a problem.
Part 2: IPv6 Addressing, Subnets, Private Addresses
The IPv6 Addressing, Subnets, Private Addresses article provides an introduction to IPv6-style Addressing, Subnetting, Private Addressing, Gateways, and Routing from the perspective of someone familiar with IPv4. For additional information about IPv6 subnetting, see the IPv6 Subnet Planning topic in the IPv6 Address Plans article in the Network Management section.
Part 3: IPv6 Static Addressing and DNSv6
The IPv6 Static Addressing and DNSv6 article provides examples of how to configure IPv6 addressing for Windows server and client systems, and an example of how to configure a Windows 2008 R2 server as the Domain Name System (DNS) server for a Windows domain.
While IPv6 Static Addressing and DNSv6 does not explain why pre-assigned static IPv6 addresses for Windows 2008 R2 (or later) servers are recommended, the IPv6 Address Configuration topic in this article does. (Although written for specific versions of Windows Server systems, both the IPv6 Static Addressing and DNSv6 article and the IPv6 Address Configuration topic in this article also apply to later versions.) To suppress transmission of Dynamic Host Configuration Protocol (DHCP) version 6 (DHCPv6) SOLICIT messages on interfaces with pre-assigned static IPv6 addresses during ongoing system operation, it is recommended to run PowerShell as an Administrator early in the system installation process and execute the following cmdlet for each such interface:
Set-NetIPInterface <interface-id> -AddressFamily IPv6 -Dhcp Disabled
Part 4: Setting up DHCPv6 to Dynamically Issue IPv6 Addresses in a Network
The Setting up DHCPv6 to Dynamically Issue IPv6 Addresses in a Network article provides an example of how to set up a Windows 2008 R2 server as both the DHCP for IPv4 (DHCPv4) server and DHCPv6 server for a Windows domain, how to get the routers on the LAN to play nicely as relay agents, and some troubleshooting tips if it doesn’t work at first. Also, don’t overlook the role that Router Advertisements play in configuring the network. That is A Common Mistake with DHCPv6.
Pay close attention to the “DHCP Reservations” discussion (along with this article on the differences between reservations and exclusions). These tips are not limited to Microsoft Windows-centric infrastructures. An (unrelated) article provides examples of how to set up both DHCPv4 and DHCPv6 on Windows 2012 and later servers.
While Setting up DHCPv6 to Dynamically Issue IPv6 Addresses in a Network does not explicitly mention Stateless Address Autoconfiguration (SLAAC), it does discuss enabling/disabling Stateless DHCPv6 mode. Enabling Stateless DHCPv6 mode configures the server to use Stateless DHCPv6 (originally called DHCPv6 Lite), which uses SLAAC. There are significant differences between DHCPv4 and DHCPv6, as the DHCP and SLAAC on IPv6 Networks article in the Infrastructure section explains. On IPv6-only networks, SLAAC support in Windows 8, 8.1 and early versions of Windows 10 clients was problematic, but the Creators Update release of Windows 10 (Version 1703, released 11 April 2017) added SLAAC support.
This Microsoft website describes how to set up an IPv6 test lab and extend it to test DNS Zone Transfers over IPv6, DHCPv6, and IPv6-only networking.
When cloning one Windows server already set up as a DHCPv6 server to create another server, delete the values (but NOT the keys) in the cloned server for
HKLM>CurrentControlSet>services>TCPIP6>Parameters>Dhcpv6DUID
HKLM>CurrentControlSet>services>TCPIP6>Parameters>Interfaces>{INT}>Dhcpv6IAID
Part 5: Configuring Microsoft Active Directory to Support IPv6
The Configuring Microsoft Active Directory to Support IPv6 article provides a description of how easy getting Active Directory (AD) Domain Controllers (DC) and Global Catalogs (GC) set up with IPv6 can be when things are done in the right order. It is also a good practice to review pre-existing AAAA entries in DNS and remove those that do not conform to your intended DHCPv6 policies.
Part 6: Configuring IPv6 Routing through IPv4 in a Microsoft Windows Environment
The Configuring IPv6 Routing through IPv4 in a Microsoft Windows Environment article solves a problem that, since it was written, has largely gone away. It provides examples of how to configure the 6to4, Teredo, IP-HTTPS and DirectAccess IPv6 transition mechanisms. These IPv6 transition mechanisms are provided “just in case” -- most businesses will not need to use them. It also provides a discussion of Tunnel Brokers which are still occasionally helpful when getting started with an IPv6 deployment, and Hyper-V, which is helpful when configuring routing in virtualized environments. In Sept, 2008, Rand Morimoto and Jeff Guillet published a book Windows Server 2008 Hyper-V Unleashed. This chapter from that book discusses Hyper-V in Server 2008 R2. This paper discusses Hyper-V in Server 2012, Server 2012 R2 and Server 2016. This article discusses Hyper-V in Server 2019. There will not be a new version of Hyper-V for Server 2022. Instead, the version used in Server 2019 will continue to be supported in Server 2022 (and later), until January 2029.
The IP Helper service should only be enabled on a server supporting an IP-HTTPS or DirectAccess IPv6 transition mechanism. In other cases it should be turned off and disabled.
Part 7: Best Practices at Configuring Applications for IPv6 in a Microsoft Windows Environment
The Best Practices at Configuring Applications for IPv6 in a Microsoft Windows Environment article focuses on Operating System configuration and host naming issues, but does not provide any specific guidance for individual application servers. For such guidance, see Further Resources below. For some Microsoft Windows application servers, IPv6-enabling their host Operating System and LAN segment may be all that is required.
Guidance on managing connections to system services on Windows Server 2016 or 10 Enterprise and later is provided in this article. Guidance on disabling system services on Windows Server 2016 or later with Desktop Experience is provided in this article. Beginning with Windows Server 2019, system services are configured in accordance with that guidance by default.
Part 8: Planning Your Cutover to IPv6 for your Microsoft Windows Environment
The Planning Your Cutover to IPv6 for your Microsoft Windows Environment article describes some additional steps to take before, during and after steps described in Part 2 through Part 7.
For reference purposes, NetworkWorld subsequently made the entire 8-part series available in a single document (although the articles appear in a different order than listed above).
Further Resources for Enabling IPv6 in Microsoft Windows Application Servers
The following links are for specific versions of Microsoft Windows application servers and software tools that support IPv6. Later versions will also support IPv6, even though they may not be explicitly listed below.
The learn.microsoft.com website can be a valuable resource when enabling IPv6 in Microsoft Windows software, although it may take some searching to find the guidance you need.
Additional deployment guidance for older versions of DirectAccess, Exchange, and Sharepoint, along with deployment guidance for file serving, print serving, and Active Directory is available here.
Azure Application Gateway (v2). IPv6 support is documented here
Azure Basic Load Balancer (same support is provided in Standard edition). IPv6 support by specific Azure features is documented here
Azure Virtual Network
DirectAccess (Windows Server 2008 R2 or earlier) – The NetworkWorld article referenced in Part 6 above contains links to a Deployment Guide and a video about deploying DirectAccess with IPv6, both prepared by Rand Morimoto
DirectAccess (Windows Server 2016 and later) – This article describes how to support DirectAccess on a multihomed server. This article describes how to migrate from the Routing and Remote Access Service (RRAS) role service in Windows Server 2012 or earlier (now combined with DirectAccess) to the Remote Access server role
DirectAccess (Windows Server 2016 and later) – articles describing how to support DirectAccess in an enterprise
Endpoint Configuration Manager – all versions
Exchange 2010 – An IPv6-only configuration is not supported (a dual-stack configuration is)
Exchange 2013 – An IPv6-only configuration is not supported (a dual-stack configuration is)
Exchange 2019 and later - This is available as either a standalone product or a licensed subset of Microsoft 365 (which was previously known as Office 365)
Internet Information Server (IIS)
IP-HTTPS – All releases
Lync 2010 (and its predecessor Office Communications Server 2007) – No IPv6 support.
Lync Server 2013 (In 2015, Lync was rebranded as Skype for Business)
Microsoft Deployment Toolkit (MDT) (Support for IPv6 varies with software being deployed and target environment. See a book like Mastering the Microsoft Deployment Toolkit by Stokes and Singer for more information.)
Microsoft Teams – IPv6 support is determined by the environment provided by the components used when configuring Teams, such as Microsoft 365
Microsoft Services 365 (previously Office 365) – Multiple versions exist and all support IPv6 with some limitations (IPv6-only devices require translation technologies such as DNS64 or NAT64, for example). A Microsoft 365 IPv6 URL and IP address ranges document is available, as is a Microsoft 365 IPv6 test plan. Inbound and outbound mail transport via IPv6 is supported upon request. As of April 2020, Office 365 became officially known as Microsoft 365
Microsoft 365 operated by 21Vianet in China – IPv6 is supported. There is a Microsoft 365 IPv6 URL and IP address ranges document specifically for 21Vianet in China, separate from the one for Microsoft 365 mentioned above
Office 2013 – Multiple versions exist and all support IPv6.
Office 2019 and later - This is available as either a standalone product or a licensed subset of Microsoft 365
OneDrive – For individual accounts see this Quick Start guide and for business accounts and storage management go here. (Formerly known as SkyDrive)
OneDrive for Business – IPv6 support is also available (only in China) on 21Vianet. (Formerly known as SkyDrive Pro)
Project 2019 and later -- This is available as either a standalone product or a licensed subset of Office 365/Microsoft 365
Remote Access Service (see DirectAccess)
Sharepoint 2010 and later
Skype – Mobile clients (but only on 21Vianet in China).
Skype For Business Server 2015. Upgrading Skype for Business to Microsoft Teams is discussed in this article
Structured Query Language (SQL) Server 2014
Structured Query Language (SQL) Server 2016
Systems Center Configuration Manager 2012 – Starting in version 1910, SCCM became part of Endpoint Configuration Manager. A Microsoft ECM Frequently Asked Questions (FAQ) is available.
Systems Center Operations Manager 2012 R2
Systems Center Virtual Machine Manager 2012
Windows Server Update Services (WSUS) – 4.0
The Microsoft website (www.microsoft.com) is another authoritative source for enabling IPv6 in specific application servers, although it may take considerable searching to find the guidance you need. Other Microsoft websites that can be useful are the IPv6 Survival Guide wiki and the Test Lab Guides.
This Cloud Computing using IPv6 article contains 7 topics:
- What is Cloud Computing?
- Secure Cloud Computing
- Cloud Service Providers that support Internet Protocol version 6 (IPv6)
- Open Source Cloud Computing Platforms
- United States Government (USG) IPv6 Cloud Policy and Guidance
- Cloud Computing available under General Service Administration (GSA) contracts
- Department of Defense (DoD) Cloud Computing
In addition, the SDN Lessons Learned, Training, and Testing article in the SDN Knowledge Base section provides some lessons learned while deploying cloud computing. Look for lessons learned with "cloud" in the title.
1. What is Cloud Computing?
The definition of computing has been slowly evolving for centuries. The concept of cloud computing has been rapidly evolving ever since it first appeared in 1996 or so. Since “cloud computing” is an even vaguer concept than “computing”, it is not realistic to expect a comprehensive yet terse description.
Many attempts have been made to describe the concept anyway. Here are some examples: The National Institute of Standards and Technology (NIST) offered an early terse technical description in 2011 and has since published several documents related to cloud computing. A company called ZDNET offered a broader, less-technical description with examples in 2022. Wikipedia articles offer even longer descriptions including a history of cloud computing and related concepts.
Cloud computing resources (often referred to as cloud native) are services and applications that are built specifically for use in a cloud computing environment. Cloud computing resources are variously called:
distributed (which includes edge computing and a superset of edge computing called fog computing),
private,
public,
hybrid,
multi-cloud (also called multicloud or multi),
and several other variations.
Cloud computing illustrates one of the most powerful forces in technology today: virtualization. An application accessing data residing in a cloud does not need to know:
- the physical storage media the data resides on (solid-state disc, mechanical disc, tape, or compact disc),
- the network protocol being used to access the data (IPv6 or IPv4) (when access occurs remotely), or
- the physical location of the storage media (in the next room, on the other side of the world, or even not on this planet).
2. Secure Cloud Computing
An informal overview of several of the technical concerns that must be addressed to achieve and maintain data security in cloud computing is given in this article, while an informal overview of several management concerns that must be addressed to achieve and maintain security is given in this article. Some approaches to maintaining technical security in the cloud include:
- Cloud Access Security Brokers (CASBs) support for IPv6 is described in this article,
- The Cloud Security Posture Management (CSPM) concept is discussed in this article, while several CSPM tools are described in this article, and
- Security Service Edge (SSE) is defined and discussed in this article.
Note: The CSPM concept discussed in item (2) above is quite different than the NIST cybersecurity program (CSP) concept discussed in this article.
Guidance about secure deployment of clouds may be found here:
- Cloud Security Alliance publications,
- The Cybersecurity and Infrastructure Security Agency (CISA) concept Cloud Security Technical Reference Architecture version 2.0, June, 2022 and Trusted Internet Connections 3.0: TIC Core Guidance Volume 3: Security Capabilities Catalog version 2.0, Oct, 2021
- NIST Cloud Computing Related Publications, ongoing
- NIST Zero Trust Publications, ongoing
- National Security Agency (NSA) Mitigating Cloud Vulnerabilities, January 2020
- Five CISA and NSA Cybersecurity Information Sheets on Cloud Security Best Practices, March, 2024.
3. Cloud Service Providers that support IPv6
It is important that clouds be accessible via IPv6, as this article explains. There are many lists of cloud service providers, and the services that these providers offer vary widely. Some early lists that specifically did include providers accessible via IPv6 are available: here, here and here published in 2015. Since those lists were published, most cloud service providers have added support for or expanded their support of IPv6. It may not even be specifically mentioned in their marketing material. This is the case for Software-Defined Cloud Interconnect (SDCI) service providers. A survey of SDCI service providers is available here.
Leading cloud service providers typically also support hyperscale computing, and this article explains why.
Content and applications that only support IPv4 access may (or may not) become dual stack (IPv6 in addition to legacy IPv4) accessible when hosted by a cloud service provider that supports IPv6. Verify that content and applications that natively support IPv4-only will become dual stack accessible. Verify the additional cost for IPv6 support (if any). Verify that connectivity via IPv6 to the cloud service provider’s locations is available from the geographic locations included in your IPv6 deployment effort.
If IPv4-only content and applications will not become dual stack accessible, then you might want to consider using one of the other services or products described in the Content and Applications Delivery over IPv6 article in the IPv6 and IoT Frequently Asked Questions (FAQ) section. As was the case with cloud service providers, the services these platforms offer vary widely.
4. Open Source Cloud Computing Platforms
There are many, many open source cloud computing platforms and more are being announced all the time. This article lists several of them. As was the case with cloud service providers, the services these platforms offer vary widely. The Software for Open Networking in the Cloud (SONiC) is an open source network operating system (NOS) under the auspices of the Linux Foundation (The LF) (which was rebranded as the Mplify Alliance in Jun, 2025). It runs on switches and application-specific integrated circuits (ASICs) from multiple vendors.
5. USG IPv6 Cloud Policy and Guidance
The requirements of the Federal Acquisition Regulations as amended in Dec, 2009 (as described in the IPv6 Boiler Plate Acquisitions Language article in the Deployment section) always apply.
Information about the Federal government’s security assessment, authorization, and monitoring of cloud vendors may be found on GSA’s FedRAMP website. Among other documents available on the FedRAMP website (see this listing) is an Agency Cloud Procurement Best Practices guide (also called "Creating Effective Cloud Computing Contracts for the Federal Government"). A listing of current FedRAMP Authorized Cloud Service Providers (CSPs) is also available on the FedRAMP website.
Policy and guidance about secure deployments of clouds may be found here:
- CISA Secure Cloud Business Applications (SCuBA) Project documents, ongoing
- Defense Information Systems Agency (DISA) Information Assurance Support Environment (IASE) DoD Cloud Computing Security website,
- Department of Homeland Security (DHS) Cloud Security Guidance version 0.2 document, and more recently in the Cloud Interface Reference Architecture documents (see the IPv6 and Trusted Internet Connections article for details),
- Federal CIO Council (CIOC) Information Security and Identity Management Committee (ISIMC) Guidelines for the Secure Use of Cloud Computing by Federal Departments and Agencies V0.41, July, 2011
IPv6 support may not always be an explicit requirement in recent government documents such as the Federal Cloud Computing Strategy, June, 2019, also called “Cloud Smart”, but it is required.
6. Cloud Computing available under GSA contracts
In October, 2010, the United States (US) General Services Administration (GSA) awarded 11 vendors spots on the first government-wide contract for cloud computing. The initial ordering period has ended for these blanket purchase agreements for infrastructure-as-a-service (IaaS), which included cloud storage, virtual machines and web hosting services with support for IPv6. Details for currently available cloud acquisition vehicles are available on the GSA website. More information about federal cloud computing is available on the Cloud.CIO.gov website. A Best Business Practices for US Government (USG) Cloud Adoption guide is available on the GSA website.
Also available from the 18F office of GSA’s Technology Transformation Services for use by Federal Agencies is the platform-as-a-service Cloud.gov, which is built on top of the open source Cloud Foundry cloud computing platform. Support for IPv6 by Cloud.gov is documented on its Compliance page: IPv6, HTTPS, DNSSEC, and Certificates. Gaining access to cloud.gov is documented on its Access page: Get access to cloud.gov.
7. DoD Cloud Computing
Some websites and documents that provide policy and guidance for cloud computing use and several platforms for use by DoD and its departments and agencies are listed below.
Websites and Documents
- The Army Cloud Plan, Oct, 2022
- US DoD Enterprise Cloud website
- Defense Information Systems Agency (DISA) Information Assurance Support Environment (IASE) DoD Cloud Computing Security website,
- Department of the Navy (DoN) Data Center and On-Premises Commercial Cloud Policy, Oct, 2022
- DoD Secure Cloud Computing Architecture (SCCA) Functional Requirements, Jan, 2017
- DoD Cloud Strategy, Dec, 2018
- DoD Cloud Computing Acquisition Guidebook, Defense Acquisition University, Nov, 2019
- DoD Use of Commercial Cloud Computing Capabilities and Services, Institute for Defense Analyses (IDA), Nov, 2015
- DoD and Air Force Continue to Define Joint Command and Control Efforts, Government Accountability Office (GAO), Jan, 2023
- Audit of the DoD’s Compliance with Security Requirements When Using Commercial Cloud Services, DODIG‑2023‑052, DoD Office of Inspector General, Feb, 2023
Platforms
- Defense Enterprise Office Solutions (DEOS)
- Cloud One by Air Force
- DoD Cloud Native Access Point (CNAP) Reference Design (RD), July, 2021, built using a DoD Enterprise Development, Security, and Operations (DevSecOps) RD, Mar, 2021, to access any of the Cloud Native Computing Foundation (CNCF) certified Kubernetes implementations, as described in this article.
- Joint Warfighting Cloud Capability (JWCC) multi-vendor Indefinite-Delivery, Indefinite-Quantity (IDIQ) contract managed by the Hosting and Compute Center (HAC).
The Infrastructure section provides a wide variety of information for individuals and organizations interested in benefitting from the experience of others for configuring software that implements network and infrastructure services. Examples of such services are cloud services, domain name service (DNS), host naming (DHCP), mail transport (SMTP), Microsoft Active Directory (AD), multicast, Postfix, Sendmail, Stateless Address Autoconfiguration (SLAAC), Virtual Private Networks (VPNs) and various web servers.
IPv6 and Virtual Private Networks (VPNs)
Enabling IPv6 in Microsoft Windows Application Servers
DHCP and SLAAC on IPv6 Networks
Note: A 2022 tutorial on the many aspects of IPv6 can be found in this All Things TECH IPv6 on Linux article.
Enabling IPv6
Open Software-Und-System-Entwicklung (openSUSE) Linux and SUSE Linux Enterprise Server (SLES) maintain parallel coordinated development tracks. Internet Protocol version 6 (IPv6) in openSUSE and SLES was enabled by default beginning in version 10.1. The system setup and configuration tool, Yet another Setup Tool (YaST), has fully supported IPv6 since version 10.3.
To enable IPv6 in openSUSE Linux version 11.4 and later, see this SDB: Native IPv6 article. Reboot when done. IPv4 will continue to run.
To enable IPv6 in SLES version 12 SP5 and later, see paragraph 17.2 IPv6 – The Next Generation Internet in chapter 17.2 of the SUSE Linux Enterprise Server 12 SDP Administration Guide. Reboot when done. IPv4 will continue to run. Also, in the absence of applicable policy or guidance about hardening SLES to guard against potential IPv6-related attacks, a guide for configuring SLES 12 and later to prevent IPv6-related attacks is provided by this article.
Disabling IPv6
To disable IPv6 in openSUSE Linux version 11 and later, see the How to Disable IPv6 article. Reboot when done for the reason given in this article. IPv4 will continue to run.
To disable IPv6 in SLES version 11 and later, see the How to Disable IPv6 article. Reboot when done for the reason given in this article. IPv4 will continue to run.
Note: A 2022 tutorial on the many aspects of IPv6 can be found in this All Things TECH IPv6 on Linux article.
Enabling IPv6
Linux systems built with a Linux kernel 2.6 or later will have Internet Protocol version 6 (IPv6) enabled by default, including Red Hat (Desktop or WS 3.0 or later and Enterprise (RHEL) 5.2 or later), Mandrake 8 or later, Fedora 9 or later, and CentOS 7 or later systems. IPv4 will continue to run. You must be logged in as root to make these changes. Also, in the absence of other policy or guidance about hardening RHEL to guard against potential IPv6-related attacks, a guide for configuring RHEL servers 6.6 and later to prevent IPv6-related attacks is provided by this Linux Security Guide for Hardening IPv6 article.
The following guide explains the steps involved with enabling IPv6 in earlier versions of Red Hat Linux. These instructions also work for the Mandrake, Fedora, and CentOS Linux distributions.
Considerations: If you depend on iptables for securing the system, make sure to apply ip6tables rules appropriately. See the link at the end of this section.
Quick Start Instructions:
1) Test to see that the ipv6 kernel module is loaded: lsmod |grep ipv6
If it’s not loaded, load immediately as follows:
modprobe ipv6
To have the module loaded when the system starts, edit /etc/modules.conf and add the following line:
alias net-pf-10 ipv6
2) Edit: /etc/sysconfig/network, add:
NETWORKING_IPV6=yes
3) For each of the /etc/sysconfig/network-scripts/ifcfg-ethX files, add:
IPV6_AUTOCONF=yes
to enable Stateless Address Autoconfiguration (SLAAC) addressing, or, if you want to manually configure things, instead add:
(remembering to use square brackets and colons in the IPv6 addresses).
4) Privacy extensions are not enabled by default. For each configured interface ethX where privacy extensions are being enabled, add the line:
IPV6_PRIVACY=rfc3041
to the /etc/sysconfig/network-scripts/ifcfg-ethX file for that interface. Then create the file /etc/sysctl.d/ipv6_privacy_extensions (if it does not already exist), containing the lines
net.ipv6.conf.default.use_tempaddr=2
net.ipv6.conf.all.use_tempaddr=2
5) This LINUX IPv6 HOWTO document discusses additional aspects of enabling IPv6, such as routing and DNS.
6) Then issue a "service network restart" command. (This may disconnect you temporarily as networking reloads)
7) Then try pinging:
# ping6 -n ipv6.test-ipv6.com
The output should be similar to this:
Pinging ipv6.test-ipv6.com [2001:470:1:18::115] with 32 bytes of data:
Reply from 2001:470:1:18::115: time=687ms
Reply from 2001:470:1:18::115: time=719ms
Reply from 2001:470:1:18::115: time=702ms
Reply from 2001:470:1:18::115: time=700ms
ip6tables information can be found in the Enabling IPv6 in ip6tables and other Linux-based Firewalls article in the Security section.
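The settings from steps 2 through 4 can be checked with a short script. The following is an added example, not part of the original guide; the function names, the sample files it writes to a temporary directory, and the choice of the SLAAC variant of step 3 are assumptions.

```sh
#!/bin/sh
# Added example (not from the original guide): audit the files edited in
# steps 2-4. Function names and sample file contents are constructed.

# Last value assigned to KEY in a sysconfig-style file. These files are sourced
# by the shell, so "KEY= yes" (space after '=') does not set KEY to "yes"; the
# leading space is kept so the comparison in expect() fails on it.
sysconfig_get() {   # <file> <KEY>
    sed -n "s/^[[:space:]]*$2=\(.*\)/\1/p" "$1" 2>/dev/null | tail -n 1 |
        tr -d "\"'" | sed 's/[[:space:]]\{1,\}#.*//; s/[[:space:]]*$//'
}

# Last value assigned to a key in a sysctl-style file ("key = value" is
# allowed there; commented-out lines and trailing comments are ignored).
sysctl_get() {      # <file> <key>
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" \
        "$1" 2>/dev/null | tail -n 1
}

AUDIT_FINDINGS=0
expect() {          # <label> <actual> <wanted>
    [ "$2" = "$3" ] && return 0
    echo "FAIL: $1 is '${2:-unset}', expected '$3'"
    AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
}

# Returns 0 when every setting is present; the count is left in AUDIT_FINDINGS.
# Assumes the SLAAC variant of step 3 (IPV6_AUTOCONF=yes).
audit_ipv6_config() {   # <network file> <ifcfg file> <sysctl file>
    AUDIT_FINDINGS=0
    expect "NETWORKING_IPV6 in $1" "$(sysconfig_get "$1" NETWORKING_IPV6)" yes
    expect "IPV6_AUTOCONF in $2"   "$(sysconfig_get "$2" IPV6_AUTOCONF)"   yes
    expect "IPV6_PRIVACY in $2"    "$(sysconfig_get "$2" IPV6_PRIVACY)"    rfc3041
    for scope in default all; do
        expect "net.ipv6.conf.$scope.use_tempaddr in $3" \
            "$(sysctl_get "$3" "net.ipv6.conf.$scope.use_tempaddr")" 2
    done
    [ "$AUDIT_FINDINGS" -eq 0 ]
}

# Write constructed sample files into <dir>; <mode> is "good" or "bad".
write_sample() {    # <dir> <mode>
    if [ "$2" = good ]; then
        printf 'NETWORKING=yes\nNETWORKING_IPV6=yes\n' > "$1/network"
        printf 'DEVICE=eth0\nIPV6_AUTOCONF=yes\nIPV6_PRIVACY=rfc3041\n' \
            > "$1/ifcfg-eth0"
        printf 'net.ipv6.conf.default.use_tempaddr=2\n' \
            > "$1/ipv6_privacy_extensions"
        printf 'net.ipv6.conf.all.use_tempaddr = 2\n' \
            >> "$1/ipv6_privacy_extensions"
    else
        # Space after '=', privacy line missing, one sysctl key commented out.
        printf 'NETWORKING=yes\nNETWORKING_IPV6= yes\n' > "$1/network"
        printf 'DEVICE=eth0\nIPV6_AUTOCONF="yes"\n' > "$1/ifcfg-eth0"
        printf '#net.ipv6.conf.default.use_tempaddr=2\n' \
            > "$1/ipv6_privacy_extensions"
        printf 'net.ipv6.conf.all.use_tempaddr=2\n' \
            >> "$1/ipv6_privacy_extensions"
    fi
}

# Demonstration on the constructed "bad" sample.
demo_dir=$(mktemp -d)
write_sample "$demo_dir" bad
if audit_ipv6_config "$demo_dir/network" "$demo_dir/ifcfg-eth0" \
        "$demo_dir/ipv6_privacy_extensions"; then
    echo "all settings from steps 2-4 are present"
else
    echo "$AUDIT_FINDINGS finding(s)"
fi
rm -rf "$demo_dir"
```

On a real host, pass /etc/sysconfig/network, the interface's ifcfg file and the sysctl file to audit_ipv6_config. On releases where systemd-sysctl applies /etc/sysctl.d, only files whose names end in .conf are read, so the file name is worth checking as well.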
Disabling IPv6
In releases built with a Linux kernel 2.6 and later, IPv6 is enabled by default. This includes Red Hat (Desktop or WS 3.0 or later and RHEL 5.2 or later), Mandrake 8.0 or later, Fedora 9 or later, and CentOS 7 or later systems. IPv4 will continue to run. You must be logged in as root to make these changes. To disable IPv6:
1. Edit the file /etc/modprobe.conf
2. Add the following lines to the file
alias net-pf-10 off
alias ipv6 off
3. Write the file, save it, and exit the editor
4. Edit the file /etc/sysconfig/network
5. Change the following line in the file
NETWORKING_IPV6=yes
so that it looks like
NETWORKING_IPV6=no
6. Write the file, save it, and exit the editor
7. Reboot
