A Tour of IPv6 on Windows

Let's do a grand tour of IPv6 (and IPv4) on Windows 7 in a fully IPv6 enabled subnet. 

 

My Network

My network is fully IPv6 enabled, with native IPv4 and IPv6 (at least inside my subnet). I don't really like the term "IPv6 Ready" when referring to a network already running IPv6. It is OK for equipment certified to run IPv6 (as in the IPv6 Ready Logo Committtee), as there it means the certified equipment is ready to deploy in an IPv6 network. But when referring to a live network, it sounds like the TVs in the early days of HD that were "HD Ready". This term meant you could make it fully "HD" by installing an HD-capable tuner. My network is not just "ready" for IPv6 - IPv6 is fully deployed and operational in it.

The subnet router is a SolidGate firewall. The inside NIC is at 172.20.0.1 (IPv4), 2001:470:3d:3000::1 (IPv6 Global) and fe80::290:bff:fe1b:5762 (IPv6 Link-Local). It has a Router Advertisement daemon configured and running, advertising two /64 prefixes, 2001:470:3d:3000::/64 and fda4:73c2:e5b8:1000::/64. It also advertises that stateful DHCPv6 service is available (M flag = 1). It doesn't advertise any addresses for DHCPv6, clients contact DHCPv6 using a link-local multicast address (ff02::1:2 - all DHCPv6 servers and relay agents). My local ISP is IPv4-only. The SolidGate routes a /52 block from Hurricane Electric (2001:470:3d:3000::/52) using a 6in4 tunnel. The other end of the tunnel is another SolidGate in our colo at Hurricane Electric, which has native dual stack service.

There are two Microsoft Windows 2008 R2 Servers that are fully IPv6 enabled. The first is ws3.hughesnet.local, at 172.20.0.13 / 2001:470:3d:3000::13. The second is ws4.hughesnet.local, at 172.20.0.14 / 2001:470:3d:3000::14. Both have the Microsoft DHCPv4 and stateful DHCPv6 servers enabled and configured. They also both are running the Microsoft DNS server (which supports A and AAAA records, and queries over both IPv4 and IPv6).

Both DHCP servers are configured for redundant operation - if either goes down, the other can handle the entire load. It's OK to have two DHCP servers in a subnet, so long as the address pools they manage don't overlap.

DHCPv4 on ws3 is managing the pool 172.20.1.128 - 172.20.1.254. It advertises the IPv4 default gateway as 172.20.0.1 and subnet mask as 255.255.0.0. It advertises two IPv4 addresses for DNS: 172.20.0.13 and 172.20.0.14.

DHCPv4 on ws4 is managing the pool 172.20.1.1 - 172.20.1.127. It advertises the IPv4 default gateway as 172.20.0.1 and subnet mask as 255.255.0.0. It advertises two IPv4 addresses for DNS: 172.20.0.13 and 172.20.0.14.

DHCPv6 on ws3 is managing the pool 2001:470:3d:3000::5:0 - 2001:470:3d:3000::5:ffff. It has two IPv6 addresses for DNS configured: 2001:470:3d:3000::13 and 2001:470:3d:3000::14.

DHCPv6 on ws4 is managing the pool 2001:470:3d:3000::4:0 - 2001:470:3d:3000::4:ffff. It has two IPv6 addresses for DNS configured: 2001:470:3d:3000::13 and 2001:470:3d:3000::14.

DNS is deployed for full dual stack operation on both ws3 and ws4. The authoritative domains are primary on ws3 and secondary on ws4. They have been configured to do zone transfers over IPv4 or IPv6. Client nodes can do queries against either of them using IPv4 or IPv6. Again, if either goes down, the other can handle the entire load (but new nodes cannot be added if ws3 goes down, until it comes back up). All infrastructure nodes in hughesnet.local have both AAAA and A records (as well as PTR-128 reverse records). My DNS servers do not accept  dynamic registration of all assigned addresses from client nodes (this leads to an awful mess, especially with Temporary Addresses enabled).

Exchange Server 2010 is deployed on ws4, and supports full dual stack operation. It can accept incoming mail via SMTP over IPv4 or IPv6, and do MTA to MTA transfers over IPv4 or IPv6. It also allows retrieval with IMAP (or webmail) over both IPv4 and IPv6.

ISATAP tunneling has not been configured in the network.

 

My Node

My node is a powerful desktop computer running Microsoft Windows 7 Professional. IPv4 is enabled, and currently uses DHCPv4 for configuration ("Obtain an IP address automatically" and "Obtain DNS server address automatically"). IPv6 is enabled, and currently uses SLAAC and DHCPv6 for configuration ("Obtain an IPv6 address automatically" and "Obtain DNS server address automatically"). The Teredo tunnel interface has been correctly configured, even though I have joined a domain. The nodename is Lawrence-PC.hughesnet.local. The Local Area Connection interface is connected to the subnet using Ethernet. The MAC address of that interface is 50-46-5D-6B-7A-54.

The IPv6 settings are currently the defaults:

Randomized Identifiers = Enabled
Temporary Addresses (privacy) = Enabled
Router Discovery (SLAAC) = Enabled
 

Output from ipconfig

First, let's issue an ipconfig command and analyze the output from it:

C:\Windows\system32>ipconfig /all

Node Information

Windows IP Configuration
   Host Name . . . . . . . . . . . . : Lawrence-PC
   Primary Dns Suffix  . . . . . . . : hughesnet.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : hughesnet.local

Local Area Connection Interface Information

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : hughesnet.local
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 50-46-5D-6B-7A-54
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:470:3d:3000::4:57db(Preferred)
   Lease Obtained. . . . . . . . . . : Wednesday, August 07, 2013 2:22:47 AM
   Lease Expires . . . . . . . . . . : Monday, August 19, 2013 2:22:47 AM
   IPv6 Address. . . . . . . . . . . : 2001:470:3d:3000:2030:9139:9cd5:ab52(Pref
erred)
   IPv6 Address. . . . . . . . . . . : fda4:73c2:e5b8:1000:2030:9139:9cd5:ab52(P
referred)
   Temporary IPv6 Address. . . . . . : 2001:470:3d:3000:957e:3107:ba48:86b7(Pref
erred)
   Temporary IPv6 Address. . . . . . : fda4:73c2:e5b8:1000:957e:3107:ba48:86b7(P
referred)
   Link-local IPv6 Address . . . . . : fe80::2030:9139:9cd5:ab52%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.20.1.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Wednesday, August 07, 2013 2:37:30 AM
   Lease Expires . . . . . . . . . . : Wednesday, August 07, 2013 10:37:30 AM
   Default Gateway . . . . . . . . . : fe80::290:bff:fe1b:5762%11
                                       172.20.0.1
   DHCP Server . . . . . . . . . . . : 172.20.0.14
   DHCPv6 IAID . . . . . . . . . . . : 240141917
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-BA-30-56-50-46-5D-6B-7A-54
   DNS Servers . . . . . . . . . . . : 2001:470:3d:3000::14
                                       2001:470:3d:3000::13
                                       172.20.0.13
                                       172.20.0.14
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       hughesnet.local

Teredo Interace Information

Tunnel adapter Teredo Tunneling Pseudo-Interface:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:c1:1b64:53eb:fef6(Prefer
red)
   Link-local IPv6 Address . . . . . : fe80::c1:1b64:53eb:fef6%22(Preferred)
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

ISATAP Interface Information

Tunnel adapter isatap.hughesnet.local:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : hughesnet.local
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
 

Node Information

At the top are some items about the node, independent of interface. The nodename is Lawrence-PC, the DNS suffix is hughesnet.local, and the DNS search list is hughesnet.local.

Local Area Connection Interface

The next section is for the "Local Area Connection" interface (zone ID = 11), which is an Ethernet adapter.

The first item of interest for the Local Area Connection interface is the MAC address of the interface, which is 50-46-5D-6B-7A-54.

It then shows that DHCPv4 is enabled. Autoconfiguration (APIPA) is also enabled, so if no DHCPv4 server had been found, the node would have generated a unique IPv4 address from block 169.254/16.

Next is the IPv6 unicast global address the node obtained from DHCPv6 on ws4: 2001:470:3d:3000::4:57db. This address is currently in the Preferred state. The DHCPv6 lease was obtained on Wednesday August 07, 2012, at 2:22:47 AM. It will expire 12 days later, on Monday, August 19, 2012, at 2:22:47 AM.

The next item of interest is the two IPv6 global unicast addresses, generated on the node during SLAAC (one for each advertised prefix). These were generated by appending the suffix of the autonomously generated Link-Local address 64-bit suffix (::2030:9139:9cd5:ab52) to the two prefixes from the Router Advertisement message received from SolidGate. Both of these addresses are still in the preferred state. Although it is not shown, they were generated with a 7 day preferred lifetime and a 30 day valid lifetime (default IPv6 settings).

Since the privacy ("Temporary Addresses") option was enabled, there are also two Temporary IPv6 global unicast addresses. These were also generated on the node, by appending a randomly generated suffix (::957e:3107:ba48:86b7) to the two advertised prefixes. These have a 7 day lifetime, after which a new 64-bit random suffix will be generated, and the two temporary addresses updated with it. Both of these addresses are still in the Preferred state.

Next is the autonomously generated Link-Local address, fe80::2030:9139:9cd5:ab52. Although it isn't shown, it was generated (like all automatically generated Link-Local addresses) with an infinite Preferred Lifetime and infinite Valid Lifetime. This means it will never expire, and will always be in the Preferred state.

Now we have some IPv4 information. The unicast (private) address obtained from DHCPv4 (on ws4) is 172.20.1.9. It is in the preferred state. Although it is not shown, it was generated with a 7 day Preferred Lifetime and 7 day Valid Lifetime. The subnet mask is 255.255.0.0 (/16 in CIDR notation). The DHCPv4 lease was obtained on  Wednesday, August 7, 2012, at 2:37:30 AM. It will expire 8 hours later, on Wednesday August 7, 2012, at 20:37:30 AM.

Now both IPv4 and IPv6 default gateways are shown. The IPv6 default gateway is the Link-Local address of the inside NIC of the SolidGate firewall (fe80::290:bff:fe1b:5762), obtained using Router Discovery during SLAAC. The IPv4 default gateway is the IPv4 address of the inside NIC of the SolidGate firewall, 172.20.0.1. This was obtained from DHCPv4 on ws4.

The DHCPv4 server used was at 172.20.0.14 (ws4).

The next two items have to do with DHCPv6. They appear only if the Managed Address option is set (in this case, from the M flag in the received Router Advertisement message). The first is the DHCPv6 IAID (Identity Association Identifier). The second is the DHCPv6 client DUID (DHCP Unique Identifier) for this node. Note that the last 6 bytes of this are the node's MAC address (50-46-5D-6B-7A-54).

The last interesting item for the Local Area Connection interface is four addresses of DNS. The two IPv6 addresses (2001:470:3d:300::14 and 2001:470;3d:3000::13) were obtained from DHCPv6 (on ws4).  The two IPv4 addresses (172.20.0.13 and 172.20.0.14) were obtained from DHCPv4 (also on ws4).

Teredo Interface Information

Following the information for the Local Area Connection interface, there is information on the Teredo tunnel interface (zone ID 22). I happen to be joined to a Microsoft domain (HUGHESNET), which normally would disable Teredo. I had previously enabled it even though I am joined to a Microsoft domain. If you are not joined to a Microsoft domain, Teredo will be enabled by default. In general, it is a bad idea to use any automated tunneling if your node has native IPv6 (like this one). I enabled it just to show configuration. If Teredo is enabled, it will generate an address and work without any configuration in the network. Many people are already communicating over IPv6 because of this, and don't even know it.

My node automatically generated a unicast Teredo address of 2001:0:9d38:6ab8:c1:1b64:53eb:fef6. All Teredo addresses are from the block 2001::/32. That address is currently in the Preferred state.

Decoding this address using an online Address Calculator yields the following:

Teredo prefix:    2001::/32
Teredo server:    157.56.106.184
Teredo flags:     Non Cone NAT (193)
Client IPv4:      172.20.1.9
Client UDP port:  58523

The Teredo interface also automatically generated a Link-Local address (fe80::c1:1b64:53eb:fef6). The suffix is the same as for the Teredo address. It is also currently in the Preferred state.

ISATAP Interface Information

The final section shows configuration for the ISATAP tunnel interface. Since I have not configured ISATAP in my network, no address was generated.

 

Network Configuration for Local Area Connection Viewed with NetConf

Here is the IPv4 Settings page:

netconf ipv4 1

Note the IPv4 Unicast address is the one from DHCPv4, and the source is DHCP. The DHCP Status is "IP Dynamic, DNS Dynamic".

Here are the IPv6 Settings:

netconf v6settings 1

The gateway is the one obtained during SLAAC, and the IPv6 addresses of DNS are the ones obtained from DHCPv6, after SLAAC (based on M and O flags in Router Advertisement message).

And here are the IPv6 Unicast addresses:

netconf v6unicast 1

The Link Local address source is "automatic", and the lifetimes are both Infinite. The address from DHCPv6 has preferred lfietime of 7 days and valid lifetime of 12 days. The source is DHCP. The next two addresses were generated by the node during SLAAC, and have a preferred lifetime of 7 days, and valid lifetime of 30 days. The final two addresses were also generated by the node during SLAAC, and have preferred lifetime of 7 days and valid lifetime of 7 days. It doesn't show here, but when they expire, they will be regenerated with a new random suffix and the preferred and valid lifetimes will both be reset to 7 days.

 

Static Address Configuration

Now let's change both IPv4 and IPv6 to manual address configuration.

For IPv4:

v4staticconfig

And for IPv6:

v6static config

Note that I did not configure a Default Gateway, or IPv6 addresses for DNS.

Here is the updated output of ipconfig for Local Area Connection:

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : hughesnet.local
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 50-46-5D-6B-7A-54
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:470:3d:3000::2:1(Preferred)
   IPv6 Address. . . . . . . . . . . : 2001:470:3d:3000::4:57db(Preferred)
   Lease Obtained. . . . . . . . . . : Wednesday, August 07, 2013 2:22:47 AM
   Lease Expires . . . . . . . . . . : Monday, August 19, 2013 2:22:47 AM
   IPv6 Address. . . . . . . . . . . : 2001:470:3d:3000:2030:9139:9cd5:ab52(Pref
erred)
   IPv6 Address. . . . . . . . . . . : fda4:73c2:e5b8:1000:2030:9139:9cd5:ab52(P
referred)
   Temporary IPv6 Address. . . . . . : 2001:470:3d:3000:957e:3107:ba48:86b7(Pref
erred)
   Temporary IPv6 Address. . . . . . : fda4:73c2:e5b8:1000:957e:3107:ba48:86b7(P
referred)
   Link-local IPv6 Address . . . . . : fe80::2030:9139:9cd5:ab52%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.20.2.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::290:bff:fe1b:5762%11
                                       172.20.0.1
   DHCPv6 IAID . . . . . . . . . . . : 240141917
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-BA-30-56-50-46-5D-6B-7A-54
   DNS Servers . . . . . . . . . . . : 2001:470:3d:3000::14
                                       2001:470:3d:3000::13
                                       172.20.0.13
                                       172.20.0.14
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       hughesnet.local

Note the following differences from the previous ipconfig (with full autoconfiguration).

For IPv4: Now DHCP is not enabled, although Autoconfiguration still is. The IPv4 address is now 172.20.2.1 (manually configured). There is no DHCPv4 lease information. The default gateway is still 172.20.0.1 (but is now manually configured). The IPv4 addresses of DNS are still 172.20.0.13 and 172.20.0.14 (but now are manually configured).

For IPv6: There is now a new IPv6 unicast address (2001:470:3d:3000::2:1) before the DHCPv6 assigned address. The DHCPv6 assigned address and lease information are still there. The four unicast addresses generated by SLAAC are still there. The Link-Local Default Gateway is still there (found during SLAAC). The two IPv6 addresses for DNS are still there (obtained from DHCPv6).

The IPv4 changes are as expected. However, the IPv6 changes may be surprising. We selected manual configuration of the IPv6 address, and that happened, but the SLAAC and DHCPv6 addresses were still configured. We did not specify any default gateway, but it still obtained the correct one via Router Discovery. We did not specify any IPv6 addresses for DNS (in fact, "Obtain DNS server address automatically" was grayed out), but we still got two IPv6 addresses of DNS, from DHCPv6, as before.

It seems that Microsoft tried to make the GUI IPv6 network configuration dialog look like the GUI IPv4 network configuration dialog, but in reality, IPv6 network configuration is quite different. If your Router advertises that DHCPv6 is available (stateful or stateless), your node uses it, whether or not you do manual address configuration. If your node has enabled Router Discovery, it will configure a default gateway and generate unicast addresses whether or not you do manual address configuration. The IPv6 GUI configuration tool is very misleading.

Viewing Configuration with NetConf

Here are the new IPv4 settings:

netconf v4static

Note the DHCP Status is now IP Static, DNS Static. The IPv4 address is the one we specified, and the source is manual. The Gateway Address is the same as before (but manually specified). The IPv4 addresses of DNS are the same as before, but manually specified.

Here are the new IPv6 settings (same as before, and the gateway and IPv6 addresses of DNS are even obtained the same way):

netconf v6settings 2

And here are the new IPv6 Unicast addresses:

netconf v6static

All the old SLAAC and DHCPv6 addresses are still there, with the same characteristics. There is now a new manually configured Global unicast address (2001:470:3d:3000::2:1) with infinite Preferred Lifetime and infinite Valid Lifetime. When you specify an IPv6 address manually with the Microsoft GUI tool, it will always set both lifetimes to infinite.

 

Testing IPv6 Connectivity

There are two websites that are very handy for testing your IPv6 configuration and connectivity. They are www.test-ipv6.com and www.ipv6-test.com. It is easy to confuse the two with such similar names, but they are actually from two different organizations. All you have to do is surf to the above URLs, and both with test your IPv4 and IPv6.

Here is the summary from www.test-ipv6.com

test-ipv6

Here are the results from www.ipv6-test.com

ipv6 test