Does disabling IPv6 decrease my surface area of attack and increase performance?

He's 100% correct about additional overhead as each device/PC will be advertising and building an ARP cache for both IPv6 and IPv4. However the actual amount of traffic being generated is quite small (typical ARP packet size is 28 bytes).

It should be inconsequential. BUT if you have something like an NMS system that uses WMI queries, SNMP polling (traps don't create much traffic), or does netflow/Jflow exporting in an environment that is latency/quality sensitive it would make sense to remove as much background noise as possible. Particularly IPv6... Is there a possibility you are ever going to need IPv6 internally? Doubtful, as the private blocks in IPv4 provide plenty of addresses for even the largest businesses. Unless you have specific need for IPv6 in your environment, the better question would be why leave it on? I know in my environment we are leaving it off just because it is an additional layer that could be causing problems when troubleshooting.

Remember even if a network device or PC is not actively being used it is still responding and advertising NetBIOS/ARP, so there is still some albeit small traffic being generated.

I should add that "creates less of a surface area in which attackers could potentially try to attack" is complete nonsense... It's not like you need to add an additional firewall or WAN for the IPv6 traffic. There is still the same edge device performing NAT whether IPv6 is on or not.


From Microsoft:

It is unfortunate that some organizations disable IPv6 on their computers running Windows Vista or Windows Server 2008, where it is installed and enabled by default. Many disable IPv6 based on the assumption that they are not running any applications or services that use it. Others might disable it because of a misperception that having both IPv4 and IPv6 enabled effectively doubles their DNS and Web traffic. This is not true.

From Microsoft’s perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.

Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled. By leaving IPv6 enabled, you do not disable IPv6-only applications and services (for example, HomeGroup in Windows 7 and DirectAccess in Windows 7 and Windows Server 2008 R2 are IPv6-only) and your hosts can take advantage of IPv6-enhanced connectivity.
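Whichever side of the argument you take, the decision should start from whether a given host is actually using IPv6 rather than from the assumption that it is not. The audit script below is an added example, not code from the original thread or from Microsoft's guidance; it assumes a Windows 8 / Server 2012 or later host (NetAdapter and NetTCPIP modules present) and an elevated session, and the function names are my own. The DisabledComponents registry value and the meaning of 0x20 and 0xFF are Microsoft's documented settings for that key, not something the thread itself states.

```powershell
# Added example (not from the original thread): read-only audit of a Windows host's
# IPv6 state so that "turn it off" or "leave it on" is a decision based on evidence.
# Assumes Windows 8 / Server 2012 or later with the NetAdapter and NetTCPIP modules.

function Get-IPv6DisabledComponents {
    # DisabledComponents is the documented Windows knob for IPv6 behaviour:
    #   0x00 = all IPv6 components enabled (default)
    #   0x20 = IPv6 stays enabled, but IPv4 is preferred in prefix policy
    #   0xFF = IPv6 disabled on every interface except loopback
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $item = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }   # value absent means default behaviour
    return [int]$item.DisabledComponents
}

function Describe-DisabledComponents([int]$value) {
    switch ($value) {
        0       { 'IPv6 fully enabled (default)' }
        0x20    { 'IPv6 enabled, IPv4 preferred (documented alternative to disabling)' }
        0xFF    { 'IPv6 disabled on all interfaces except loopback' }
        default { 'custom bitmask 0x{0:X2}' -f $value }
    }
}

$report = [ordered]@{}
$report.DisabledComponents = Describe-DisabledComponents (Get-IPv6DisabledComponents)

# Per-adapter binding of the TCP/IPv6 driver: the "Internet Protocol Version 6" checkbox
# in the adapter's properties dialog.
$report.Bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Select-Object Name, Enabled

# Any address other than link-local (fe80::/10) or loopback means the host has received
# router advertisements, DHCPv6 leases or static configuration, i.e. IPv6 is in real use.
# Link-local addresses alone are what an IPv4-only LAN with IPv6 enabled looks like.
$report.NonLinkLocalAddresses = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress -notlike 'fe80:*' -and $_.IPAddress -ne '::1' } |
    Select-Object InterfaceAlias, IPAddress, PrefixOrigin

# TCP listeners bound to an IPv6 address (any LocalAddress containing ':') are the services
# whose reachability actually changes with IPv6 on or off; they need the same host-firewall
# rules as their IPv4 counterparts, which is the real attack-surface question.
$report.IPv6Listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -match ':' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            Process = $proc.ProcessName
        }
    } | Sort-Object Port -Unique

[pscustomobject]$report
```

Run it across a sample of hosts before changing anything: an empty NonLinkLocalAddresses list together with a short IPv6Listeners list that mirrors the IPv4 listeners is the normal picture on an IPv4-only LAN, and in that case the firewall rules, not the protocol binding, are what determine exposure. If the goal is only to stop Windows from preferring IPv6 paths, the 0x20 setting keeps the IPv6-only components Microsoft lists working while still favouring IPv4.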


I think the general theory in computer security that you should disable any service you don't use holds up pretty well. "If you don't need it, turn it off" has long been a standard first step in computer security, and I don't see why it shouldn't apply to networking as well.