Microsoft pulls plug on IPv6-only Wi-Fi network over borked VPN fears
Plus: Sysadmin sets up public shaming site for IPv4 laggards
Microsoft has scrapped plans to go IPv6-only on one of its internal networks over fears its campus visitors would be unable to use their virtual private networks (VPNs).
The decision to mothball a full shift to the new protocol for that particular network was detailed by Microsoft network architect Veronika McKillop on Monday.
As part of the Windows giant's gradual transition from a dual stack of IPv6 and IPv4 to pure IPv6-only, it planned to make its wireless guest network IPv6-only. However, that had to be stopped because it appeared said guests would be unable to use their VPN clients on the overhauled Wi-Fi service. Without said clients, visitors wouldn't be able to securely access their own corporate networks and gateways, which would be rather annoying.
"Unfortunately, we had to stop this work because we came across something that the previous internal testing had not uncovered," she revealed. "A team member attended a conference where internet access was provided as IPv6-only and 99 per cent of attendees could not get their VPN clients to connect on this network."
In other words, a Microsoftie went to a location that had already rolled out an IPv6-only guest network, and it broke everyone's VPN clients – and Redmond wasn't keen to repeat that on its own guest wireless service.
This is the second time Microsoft has had to delay its plans for an IPv6 network because of software refusing to work with the protocol. Last January, the company explained that a flaw in its own Windows 10 operating system made it "impossible" to roll out a new network.
This time it is at least third-party software causing the problem. McKillop points out that this issue has long been known about but has left the team with little option but to delay plans and go dual-stack.
"Deployment of IPv6 by other companies is out of our control and therefore this network is currently undergoing a less radical makeover to dual stack," she despairs. "IPv6-only is on-hold for production even though we intend to pilot it to assess the real impact on Microsoft visitors."
To their credit, the engineers at Microsoft tried multiple different ways of getting IPv6-only to work before finally conceding that it was going to have to delay things.
Walk towards the light
"We also tried to test IPv6-only Client pool, which means no IPv4 inside the VPN tunnel," McKillop notes. "We found out that the VPN vendor did not support IPv6-only client profile at the time and we are waiting for a new VPN gateway code version to be released in the next six months."
Microsoft's IPv6 efforts have now effectively turned into a test bed that "simulates consumer home environment" and "helps test apps to meet the requirements." She notes: "We can then work with the application owners to resolve this."
The IPv6-only network has its own SSID and runs in parallel with the main dual-stack wireless network at eight different Microsoft offices across North America and Europe.
And highlighting just how much work there is to be done before anyone can move to IPv6-only – even a tech company like Microsoft – McKillop points out the company has already found bugs in its wireless vendors' code. "We have since deployed new code versions with the appropriate fixes (8.5 MR3 for Cisco and 18.104.22.168 for Aruba)."
Which may make anyone out there who is trying, and failing, to get IPv6 up and running at their company feel a little better. But it does explain how come Microsoft's main website – Microsoft.com – is not IPv6 only.
The website comes 46th on the global top websites according to Alexa, but still doesn't have an IPv6 AAAA record, according to a new service that has had enough of the endless encouraging, positive IPv6 tracking efforts and has decided to name and shame instead.
"It's currently 2018 and it has been nearly 25 years since the work began on the IPv6 protocol specifications," notes the new site WhyNoIPv6.com, run by Norwegian sysadmin Lasse Haugen. "Sadly, only a fraction of the top one million websites today is IPv6-compliant."
Haugen's approach? "We need to start shaming. Shame! Shame! Shame!" He points out that out of the top 1000 Alexa sites, just 251 have IPv6 enabled, and 718 of them use nameservers with IPv6 enabled. "Of the total 902,708 sites only 16.1 per cent of them have IPv6. This is a huge shame!"
It is actually pretty shocking how few websites run by multi-billion-dollar corporations can handle IPv6.
And yes, yes, yes, before you point it out, The Register is still not IPv6 compatible either. We're working on it. Really. ®