Configuring IPv6 in Windows with NetShell
IPv6 on Board
The Windows input template for the network interface is fine for a basic IPv6 configuration (Figure 1). You can define values such as the IPv6 address(es), prefix (typically "/64"), default gateway(s), and DNS server. However, IPv6 offers several other features that are not controllable via the standard configuration dialog. Also, the overview you get when you press Details is very rudimentary (Figure 2). If you want to delve deeper into your IPv6 configuration, the tool you'll need is NetShell.
Working with NetShell
NetShell lets you customize and view almost all network-specific parameters for Windows and the TCP/IP stack. You can configure both IPv4 and IPv6 parameters. Although IPv4 often requires no further tuning, NetShell can be very useful for customizing IPv6 settings.
Launch NetShell by typing the netsh command at the command prompt. You can either type a complete command or use NetShell in interactive mode. If you have to enter multiple commands, interactive mode will save you some typing, and an interactive session also gives you access to NetShell's detailed help resources.
Be sure to launch the command prompt in administrative mode if you want to make changes to the configuration.
Entering netsh without any parameters starts interactive mode. The context for the IPv6 configuration is interface ipv6; you need to enter this in the terminal after launching the interactive shell. NetShell then displays the prompt netsh interface ipv6.
You only need to type the command until the syntax becomes unambiguous. For example, instead of interface ipv6, you can just type int ipv6. Additionally, you can always access the contextual help by typing a question mark. The help system is simple, intuitive, and very useful. Typing exit quits interactive NetShell.
IPv6 and MAC Addresses
NetShell uses show commands to display all configuration and status details for IPv6 and its subcomponents. For example, you can query the contents of the neighbor cache, which corresponds to the ARP cache in IPv4. (ARP was replaced in IPv6 by Neighbor Discovery.) When an IPv6 address is resolved into a link-layer address (MAC address), a corresponding entry is produced in the neighbor cache. Display the contents of this cache using the command:
netsh interface ipv6 show neighbor
If you are already in the right context, simply type show neighbor, or the short form sh n (Figure 3).
For each interface, the IPv6-address to link-layer-address mappings are listed separately. Tunnel and pseudo-interfaces are given their own sections. In addition to unicast addresses, various multicast addresses are also listed.
In line with Neighbor Unreachability Detection (NUD), each unicast record has a status, known as a "type"; possible values include:
- Reachable: The entry is valid; the MAC address can be used.
- Incomplete: The entry is invalid; the current MAC address could not be determined.
- Stale: The entry has exceeded a timeout value (the default is 30 seconds) and must be refreshed before its next use.
Static entries can map specific IPv6 addresses to the matching link layer addresses. To map an address, specify the interface, the IPv6 address, and the link-layer address, as follows:
netsh interface ipv6 set neighbors "LAN-Connection" "fd00:1234::1" "ab-cd-ef-01-23-45"
If NetShell simply says "OK," or nothing at all, the command was accepted. An entry you define in this way appears in the Neighbor Cache as a "permanent" type.
Such configuration changes, however, generally only survive until the next reboot. If you want to save the changes permanently, add the store=persistent option to the configuration command. This option applies to all configuration commands in NetShell.
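An added example, not part of the original article: the Python script below parses neighbor-cache output and checks it against a list of pinned address-to-MAC mappings such as the static entry above, reporting entries that are missing, carry a different MAC, or are not of the permanent type. The sample output, the extra addresses, and the PINNED list are constructed for illustration, and the column layout is an assumption about what show neighbor prints.

```python
import ipaddress
import re

# Constructed sample in the assumed layout of `netsh interface ipv6 show neighbor`;
# not captured from a real host.
SAMPLE = """\
Interface 11: LAN-Connection
Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
fd00:1234::1                                  ab-cd-ef-01-23-45  Permanent
fd00:1234::20                                 00-0f-23-f5-68-eb  Stale
fd00:1234::40                                 00-0f-23-aa-bb-cc  Reachable
fe80::20f:23ff:fef5:68eb                      00-0f-23-f5-68-eb  Reachable (Router)
ff02::1                                       33-33-00-00-00-01  Permanent
"""
# Hypothetical pin list: (interface index, IPv6 address) -> expected MAC.
PINNED = {
    (11, "fd00:1234::1"): "ab-cd-ef-01-23-45",
    (11, "fd00:1234::20"): "00-0F-23-F5-68-EB",
    (11, "fd00:1234::40"): "00-0f-23-aa-bb-cd",
    (11, "fd00:1234::50"): "00-0f-23-00-00-01",
}
IFACE = re.compile(r"^Interface (\d+): ")
ROW = re.compile(r"^(\S+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\S.*?)\s*$", re.I)

def parse_neighbors(text):
    """Return {(ifindex, IPv6Address): (mac, type)} for rows that carry a MAC."""
    cache, ifindex = {}, None
    for line in text.splitlines():
        if m := IFACE.match(line):
            ifindex = int(m.group(1))
        elif (m := ROW.match(line)) and ifindex is not None:
            addr = ipaddress.IPv6Address(m.group(1))
            cache[(ifindex, addr)] = (m.group(2).lower(), m.group(3))
    return cache

def audit(cache, pinned):
    """Compare pinned mappings with the cache; one finding per deviation."""
    findings = []
    for (ifindex, text), want in pinned.items():
        mac, kind = cache.get((ifindex, ipaddress.IPv6Address(text)), (None, None))
        if mac is None:
            findings.append(f"{text}: no cache entry")
        elif mac != want.lower():
            findings.append(f"{text}: MAC {mac}, expected {want.lower()}")
        elif kind != "Permanent":
            findings.append(f"{text}: type {kind}, not a static entry")
    return findings
```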
Interfaces and Addresses
The ipconfig /all command provides a good general overview of the most important IP(v6) parameters, but it only scratches the surface. To obtain a comprehensive list of settings, you need NetShell. If you want an overview of your IPv6-enabled interfaces, use the command:
netsh interface ipv6 show interfaces
See Figure 4. This command also displays the index number and the correct name of the interface. If the index of the Local Area Connection interface is 11, the command described above for a static neighbor cache entry would read as follows:
netsh interface ipv6 set neighbors 11 "fd00:1234::1" "ab-cd-ef-01-23-45"
A comprehensive overview of the interface addresses is provided by the following command:
netsh interface ipv6 show addresses
See Figure 5. In addition to displaying the address type, this command also shows the validity and status. This information is particularly relevant in the context of autoconfiguration, and it goes far beyond ipconfig /all's ability to provide meaningful information.
Of course, you can again tweak various interface and address parameters. If you want to permanently add the IPv6 address 2001:db8:face::1 to your LAN connection interface with an index of 11, the command is as follows:
netsh interface ipv6 add address 11 2001:db8:face::1/64 store=persistent
If this address is an anycast address, add anycast to the command.
An existing address is removed in a similar way. If you want to delete the address, try the command:
netsh interface ipv6 delete address 11 2001:db8:face::1
Caution: Do not enter a prefix, or NetShell will simply output an error message telling you that it needs a valid IPv6 address.
Autoconfiguration, Yes, but…
Autoconfiguration is enabled by default. If an IPv6 router uses a router advertisement to return a prefix or other configuration information, Windows processes it. The Windows host then automatically creates IPv6 addresses for itself. By default, the host automatically generates two addresses:
- Public address: Used to make the host accessible via a fixed address.
- Temporary address: Created based on the RFC 4941 Privacy Extensions and used for outbound communication from the host.
In contrast to the public address, the temporary address has a randomly generated interface ID.
Although the public address is created again after reinitialization of the interface, it always has the same interface ID. The Windows system generates this "randomized identifier" once only during the initial installation of the operating system.
In contrast to the EUI-64 method, in which the MAC address is used as a basis to form an interface ID, this method randomizes the identifier and will not allow any conclusions about the MAC address.
In some scenarios, you might want to work around the randomized identifier and instead use EUI-64 for forming the interface ID. To disable the randomized identifier, enter:
netsh interface ipv6 set global randomizeidentifiers=disable
The randomized identifier can only be deactivated globally. The output of the command:
netsh interface ipv6 show global
now shows the randomize identifier as "disabled" (Figure 6).
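Why the choice between the randomized identifier and EUI-64 matters, as an added example that is not from the original article: the Python code below builds the EUI-64 interface ID from a MAC address and, in reverse, recovers the MAC from an address, using this article's fe80::20f:23ff:fef5:68eb as input. The function names and the third sample address are constructed for illustration.

```python
import ipaddress

# Sample addresses: the first two appear in this article, the third is constructed.
SAMPLE_ADDRESSES = [
    "fe80::20f:23ff:fef5:68eb",
    "2001:db8:face::1",
    "2001:db8:face:0:5c1e:93a7:4be2:d10f",
]

def eui64_interface_id(mac):
    """Modified EUI-64 interface ID for a 48-bit MAC given as aa-bb-cc-dd-ee-ff."""
    octets = bytearray(int(part, 16) for part in mac.replace(":", "-").split("-"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02  # invert the universal/local bit
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])

def eui64_address(prefix, mac):
    """Address a host forms from a /64 prefix and an EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    return net[int.from_bytes(eui64_interface_id(mac), "big")]

def embedded_mac(address):
    """MAC recoverable from an EUI-64 shaped interface ID, else None."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # randomized or manually assigned interface ID
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the universal/local bit inversion
    return "-".join(f"{octet:02x}" for octet in mac)

def addresses_exposing_mac(addresses):
    """Map each address whose interface ID embeds a MAC to that MAC."""
    # A random identifier can contain ff:fe by chance, so treat hits as candidates.
    return {a: mac for a in addresses if (mac := embedded_mac(a))}
```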
You can also suppress the creation of a temporary address via Privacy Extensions. To do so, type the following command:
netsh interface ipv6 set privacy disabled
If you display the help for this command, you will notice that this is the short form of the command:
netsh interface ipv6 set privacy state=disabled
These two forms of the same command underscore the fact that NetShell often uses abbreviations. You also can adjust the validity period for temporary addresses, which is seven days by default. The validity period is expressed in days. Use:
netsh interface ipv6 set privacy maxvalidlifetime=1d
if you want to restrict the validity period to one day.
Gateways and Routing
The following command sets the default gateway to "2001:db8:affe::4711":
netsh interface ipv6 add route ::/0 "LAN-Connection" 2001:db8:affe::4711
You can also look at the routing table outside of NetShell using the route print or netstat -nr commands. The output is divided up neatly into IPv4 and IPv6. Within NetShell, you can view the IPv6 routing table with:
netsh interface ipv6 show route
You can configure additional static routes in the same way as you create the default route. Just pass in the routing destination with an appropriate prefix. For example, using
netsh interface ipv6 add route 2001:db8::/48 11 fe80::20f:23ff:fef5:68eb
routes the prefix 2001:db8::/48 via the interface with an index of 11 to the link local address fe80::20f:23ff:fef5:68eb on the router.
Managing DNS
One of the pillars of the Internet is name resolution with DNS, the Domain Name System. IPv6 addresses are harder to read than IPv4 addresses, so even greater importance is attached to name resolution. You can easily add DNS servers via the input box for an interface.
To add a DNS server in NetShell, you should enter the interface, the DNS server address, and, optionally, an index number to set the DNS server's priority. An example is as follows:
netsh interface ipv6 add dnsservers "LAN-Connection" fd00:abcd::ff index=2
NetShell automatically tries to find the DNS server and outputs an error message if it fails, but it still adds the server. Using:
netsh interface ipv6 show dnsservers
outputs the DNS server configuration.
Prefix Policy
The prefix policy of an IPv6 host sets the priority for using various types of addresses. For instance, the policy might ensure that IPv6 addresses are used before IPv4 addresses, and that tunnel addresses and other temporary address types take lower priority. To view the prefix policy, type:
netsh interface ipv6 show prefixpolicies
The first column Precedence shows the priority – a higher number is considered more important. The ::/0 prefix stands for an arbitrary IPv6 address; ::/96 designates an IPv4 address. 6to4 tunnel addresses with a prefix of 2002::/16 are not used unless no native IPv6 addresses exist.
Teredo addresses with a prefix of 2001::/32 are only used, as per the prefix policy, if other addresses are not available.
This behavior, however, might not be ideal. For example, several sites automatically build an IPv6 tunnel to a tunnel broker (Hurricane Electric or SiXXs) as soon as an Internet connection is available.
Opening an IPv6 tunnel can have a dramatic effect on performance, so it might be desirable to give tunnel broker addresses a lower priority than IPv4 addresses. If the tunnel broker prefix is 2001:db8:1234::/48, you can lower its priority using the following command:
netsh interface ipv6 add prefixpolicy 2001:db8:1234::/48 3 6
In the preceding command, the number 3 states the priority (which is very low), and the number 6 represents the formal ID of the entry, known as the label, in the prefix policy. IPv4 addresses now take priority over the tunnel broker addresses.
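How the added entry changes address ordering, as an added example that is not from the original article: the Python model below does the longest-prefix lookup in a policy table and ranks candidate destinations by rules 5 (matching label) and 6 (higher precedence) of RFC 6724 only, so it goes beyond the single command above. The policy table, the candidate addresses, and the function names are constructed for illustration; a real Windows host applies further selection rules.

```python
import ipaddress

# Assumed sample table (precedence, label, prefix) in the column order of
# `show prefixpolicies`; constructed for illustration, not read from a host.
BASE_POLICY = [
    (50, 0, "::1/128"), (40, 1, "::/0"), (30, 2, "2002::/16"),
    (20, 3, "::/96"), (10, 4, "::ffff:0:0/96"), (5, 5, "2001::/32"),
]
# The entry added by the article's command: precedence 3, label 6.
TUNNEL_ENTRY = (3, 6, "2001:db8:1234::/48")

# Constructed candidates for one dual-stack server:
# (destination address, local source address used to reach it).
PAIRS = [
    ("2001:db8:ffff::80", "2001:db8:1234::10"),  # reached from the tunnel address
    ("192.0.2.80", "198.51.100.10"),             # reached over native IPv4
]

def lookup(policy, address):
    """Longest-prefix match in the policy table; returns (precedence, label)."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:  # RFC 6724 looks up IPv4 as an IPv4-mapped address
        ip = ipaddress.IPv6Address("::ffff:" + str(ip))
    hits = [(ipaddress.IPv6Network(prefix).prefixlen, prec, label)
            for prec, label, prefix in policy
            if ip in ipaddress.IPv6Network(prefix)]
    _, prec, label = max(hits)  # the longest matching prefix wins
    return prec, label

def rank(policy, pairs):
    """Order destinations by RFC 6724 rules 5 and 6 only, best first."""
    def key(pair):
        dst, src = pair
        dst_prec, dst_label = lookup(policy, dst)
        same_label = lookup(policy, src)[1] == dst_label  # rule 5
        return (same_label, dst_prec)                     # then rule 6
    return [dst for dst, _ in sorted(pairs, key=key, reverse=True)]
```

With BASE_POLICY alone, rank(BASE_POLICY, PAIRS) puts the IPv6 destination first; with TUNNEL_ENTRY appended, the tunnel source address gets label 6, no longer matches the destination's label, and the IPv4 destination moves to the front.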
More IPv6 Data Structures
IPv6 uses cache-style tables to optimize individual processes. In addition to the neighbor cache, which I described earlier in this article, the destination cache (also known as the route cache) is another important IPv6 cache.
The destination cache shows the addresses used for delivering or forwarding IPv6 packets to their destinations. The entries in the cache could refer to the actual destination, if it is located on the local subnet, or to the next-hop address. The destination cache also displays the path MTU (PMTU) that represents the smallest maximum transmission unit (MTU) en route to the target. To view the destination cache, type:
netsh interface ipv6 show destinationcache
The list of potential routers is another cache. The following command displays the potential routers:
netsh interface ipv6 show potentialrouters
This list contains all IPv6 router addresses from which router advertisements have been received. These routers are potential routes out of your own subnet.
IPv6 and Tunnels
IPv6 provides various mechanisms to enable smooth migration and parallel operation with IPv4. These mechanisms include various tunnel technologies and dual stack mode. Key tunnel technologies include:
- 6to4: 6to4 routers and relays are used to transport IPv6 packets between IPv6 islands on the IPv4 Internet. This technology is regarded as obsolete today, but it is still in use.
- ISATAP: A tunnel technology that targets corporate network infrastructures and uses the IPv4 infrastructure as a virtual link-layer to transport tunneled IPv6 packets. ISATAP was designed primarily for testing purposes by Microsoft; Microsoft itself does not recommend production operation.
- Teredo: Designed to overcome NAT restrictions of other tunnel techniques, Teredo has proved to be almost totally unsuited to production use. Despite the problems, Windows operating systems may use Teredo tunnel interfaces.
As a general rule, Windows creates virtual interfaces in order to use these tunnel technologies. However, this behavior is not desirable in many cases, so disabling these mechanisms is key. To disable 6to4, type:
netsh interface ipv6 6to4 set state disabled
You can switch off ISATAP with:
netsh interface ipv6 isatap set state disabled
And, entering:
netsh interface ipv6 set teredo disable
will disable Teredo.
Conclusions
NetShell is Microsoft's Swiss Army knife for managing IP networking parameters. Although NetShell works with both IPv4 and IPv6, you will need it more often for the more complex IPv6.
The versatile NetShell offers a huge number of configuration options, and the context-sensitive help structure is very well designed. If you invest just a little time learning to speak NetShell, you will save time in the future as you plumb the depths of your IPv6 configuration.