
I have a colleague who is on this whole kick of disabling IPv6 while leaving IPv4 on each new machine that comes in before deploying it in our environment. He takes his personal anecdotal evidence and claims that disabling IPv6 helps with network performance because there are fewer "advertising/request" packets that the backbone and the nodes have to process. He then quickly adds that it also creates less of a surface area in which attackers could potentially try to attack.

While these arguments sound good on paper, I question the anecdotal evidence provided and the security "precaution" that disabling IPv6 may provide. Heck, I even found this post where one of the posters mentions that IPv6 could even provide a marginal improvement. Differences in networks aside, do these claims hold water?

3 Answers


From Microsoft

It is unfortunate that some organizations disable IPv6 on their computers running Windows Vista or Windows Server 2008, where it is installed and enabled by default. Many disable IPv6 based on the assumption that they are not running any applications or services that use it. Others might disable it because of a misperception that having both IPv4 and IPv6 enabled effectively doubles their DNS and Web traffic. This is not true.

From Microsoft’s perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.

Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled. By leaving IPv6 enabled, you do not disable IPv6-only applications and services (for example, HomeGroup in Windows 7 and DirectAccess in Windows 7 and Windows Server 2008 R2 are IPv6-only) and your hosts can take advantage of IPv6-enhanced connectivity.

Moab

He's 100% correct about additional overhead, as each device/PC will be advertising and building an ARP cache for both IPv6 and IPv4. However, the actual amount of traffic being generated is quite small (typical ARP packet size is 28 bytes).

It should be inconsequential. BUT if you have something like an NMS system that uses WMI queries, SNMP polling (traps don't create much traffic), or does netflow/Jflow exporting in an environment that is latency/quality sensitive, it would make sense to remove as much background noise as possible. Particularly IPv6... Is there a possibility you are ever going to need IPv6 internally? Doubtful, as the private blocks in IPv4 provide plenty of addresses for even the largest businesses. Unless you have a specific need for IPv6 in your environment, the better question would be why leave it on? I know in my environment we are leaving it off just because it is an additional layer that could be causing problems when troubleshooting.

Remember, even if a network device or PC is not actively being used it is still responding and advertising NetBIOS/ARP, so there is still some, albeit small, traffic being generated.

I should add that "creates less of a surface area in which attackers could potentially try to attack" is complete nonsense... It's not like you need to add an additional firewall or WAN for the IPv6 traffic. There is still the same edge device performing NAT whether IPv6 is on or not.

Supercereal
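As an added example, not part of the question or of any of the answers above: before arguing in the abstract about whether IPv6 adds attack surface (the answer above) or whether disabling it breaks IPv6-only components (the Microsoft guidance in the first answer), it is worth measuring what a given Windows host actually binds on IPv6. The script below does that with the NetAdapter and NetTCPIP cmdlets, so it assumes Windows 8 / Server 2012 or later, which is newer than the Vista/2008 systems the Microsoft text mentions. The function name Get-IPv6Exposure is chosen here for illustration.

```powershell
# Added example (not from the original post or answers): inventory a Windows
# host's IPv6 footprint so the "disable IPv6" decision is based on data.
# Assumes Windows 8 / Server 2012 or later (Get-NetAdapterBinding,
# Get-NetTCPConnection and Get-NetUDPEndpoint). Get-IPv6Exposure is a name
# chosen for this example.

function Get-IPv6Exposure {
    # Per-adapter binding state of the IPv6 stack (component ID ms_tcpip6).
    $bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Select-Object Name, Enabled

    # Listening TCP sockets and bound UDP endpoints. A LocalAddress that
    # contains ':' is IPv6; '::' and '0.0.0.0' are wildcard binds.
    $tcp = Get-NetTCPConnection -State Listen
    $udp = Get-NetUDPEndpoint

    $classify = {
        param($ep, $proto)
        $isV6 = $ep.LocalAddress -like '*:*'
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol = $proto
            Family   = if ($isV6) { 'IPv6' } else { 'IPv4' }
            Address  = $ep.LocalAddress
            Port     = $ep.LocalPort
            Process  = if ($proc) { $proc.ProcessName } else { "pid $($ep.OwningProcess)" }
        }
    }

    $endpoints = @()
    $endpoints += $tcp | ForEach-Object { & $classify $_ 'TCP' }
    $endpoints += $udp | ForEach-Object { & $classify $_ 'UDP' }

    # Services that listen on IPv6 with no IPv4 socket on the same
    # protocol/port are the ones that would stop being reachable if IPv6 were
    # disabled. Caveat: a socket bound only to '::' can still serve IPv4 clients
    # if the application cleared IPV6_V6ONLY, so treat this as a starting point.
    $v4Keys = $endpoints | Where-Object Family -eq 'IPv4' |
        ForEach-Object { "$($_.Protocol)/$($_.Port)" }
    $v6Only = $endpoints | Where-Object {
        $_.Family -eq 'IPv6' -and ("$($_.Protocol)/$($_.Port)" -notin $v4Keys)
    }

    [pscustomobject]@{
        AdapterBindings = $bindings
        Endpoints       = $endpoints | Sort-Object Protocol, Family, Port
        IPv6OnlyListeners = $v6Only
        CountByFamily   = $endpoints | Group-Object Family |
                              Select-Object Name, Count
    }
}

$report = Get-IPv6Exposure

'IPv6 binding per adapter:'
$report.AdapterBindings | Format-Table -AutoSize

'Listening endpoints by address family:'
$report.CountByFamily | Format-Table -AutoSize

'Listeners that exist ONLY on IPv6 (would go dark if IPv6 were disabled):'
$report.IPv6OnlyListeners | Format-Table Protocol, Address, Port, Process -AutoSize
```

Run it from an elevated PowerShell prompt so that owning-process names resolve for services. Comparing the IPv6 column against the IPv4 column on a few representative hosts tells you concretely what the extra "surface" is and which components depend on IPv6, instead of relying on anecdote either way; the per-adapter binding table also shows whether someone has already unbound the protocol on a machine that is behaving oddly.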

I think the general theory in computer security that you should disable any service you don't use holds up pretty well. "If you don't need it, turn it off" has long been a standard first step in computer security, and I don't see why it shouldn't apply to networking as well.

EightBitTony