
Rapport 201104 IPv6 Deployment in Local Area Networks

1) The document describes implementing IPv6 in an existing IPv4 LAN, focusing on configuring end-user devices. There are multiple options for configuring IPv6 addresses and DNS servers, including static, stateless autoconfiguration (SLAAC), and DHCPv6. 2) For IPv6 address configuration, devices can use static configuration, SLAAC to get an address from a network prefix announced by the router, or DHCPv6 to get an address from the DHCPv6 server. DNS servers can be configured statically, through DHCPv6, or via router advertisements containing DNS server addresses. 3) Careful network addressing planning is recommended, such as reserving a /64 prefix per

Uploaded by

Matthew Keating
Copyright
© Attribution Non-Commercial (BY-NC)

IPv6 Deployment

In Local Area Networks

April 2011
François Kooman <[email protected]>

Revision 19

This work is licensed under a Creative Commons Attribution 3.0 Unported License.

Table of Contents
1. Introduction
2. Configuration of Devices
   2.1. IPv4 Configuration
   2.2. IPv6 Configuration
3. IPv6 Configuration
   3.1. Static Configuration
   3.2. Dynamic Configuration using SLAAC
   3.3. Dynamic Configuration using DHCPv6
   3.4. IP Addressing Plan
4. IPv6 DNS Configuration
   4.1. Static Configuration
   4.2. Dynamic Configuration using RDNSS
   4.3. Dynamic Configuration using DHCPv6
5. RA, RDNSS or DHCPv6?
6. NAT64
7. Securing IPv6 Networks
   7.1. Neighbor Discovery
   7.2. DHCPv6
   7.3. Servers and Hosts
8. Identification of hosts
   8.1. IPv4
   8.2. IPv6
9. Conclusion

1. Introduction

This document describes implementing IPv6 in an existing LAN of an organization, specifically in a network with end-user devices with IP connectivity like desktops, notebooks and mobile devices. The goal of this document is to describe how to set up a network infrastructure with both IPv4 and IPv6 (dual stack [1]) connectivity. This document will primarily focus on practical issues:

1. Required modifications to the network infrastructure;
2. Status of IPv6 support in common operating systems for a variety of devices.

As a case study the LAN of SURFnet was taken. This network contains various different types of devices, which makes it a good test case to evaluate their IPv6 (dual stack) support. It is assumed that IPv6 connectivity is already available on the router (at the WAN side) connecting to the LAN. This IPv6 connectivity can be obtained through either native IPv6 as provided by SURFnet [2] or through some tunneling mechanism like 6to4 or 6in4 if no native IPv6 connectivity is available yet.

2. Configuration of Devices

2.1. IPv4 Configuration

In IPv4 networks there are two ways to configure an IP address on a device:

1. Static configuration;
2. Dynamic configuration using DHCP [3].

To configure DNS resolvers the same two options are available:

1. Static configuration;
2. Dynamic configuration using DHCP.

The first option is typically used for "fixed" elements in the network like routers and servers. The second option is primarily used for the (automatic) configuration of devices belonging to end-users.

2.2. IPv6 Configuration

In IPv6 networks there is an extra way to configure IP addresses:

1. Static configuration;
2. Dynamic configuration using stateless address auto configuration (SLAAC);
3. Dynamic configuration using DHCPv6.

For DNS resolvers there are three options as well:

1. Static configuration;
2. Dynamic configuration using RDNSS;
3. Dynamic configuration using DHCPv6.

These methods are interchangeable. It is for instance possible to use SLAAC for IP address configuration and DHCPv6 for providing the DNS resolvers. In the next section the different ways of configuring IPv6 are discussed.

[1] With dual stack we mean the design of a network such that IPv6 connectivity is completely independent of IPv4 connectivity and that both IPv6 and IPv4 are fully active and can be automatically configured without any manual intervention of the user.
[2] Native IPv6 can be obtained (for no additional fee) by customers of SURFnet as part of the service "SURFinternet". More information about this can be obtained from the institute's account manager.
[3] In this document DHCP always means DHCPv4. DHCPv6 is always mentioned explicitly.

3. IPv6 Configuration

3.1. Static Configuration

Static configuration is typically used for "fixed" devices in the network like routers and servers. This is no different from the situation in IPv4 networks. The prefix of a network is by default /64 in a LAN [4]. It is possible to use smaller networks, although that will make it impossible to use SLAAC to configure devices.

3.2. Dynamic Configuration using SLAAC

Stateless address auto configuration (SLAAC) is documented in RFC 4862. To acquire a globally unique IP address the router plays an important role. The router announces a prefix on a network using "router advertisements" (RA). The end-user host will choose a unique IP address in this prefix.

For IPv4 networks a prefix could be for example 192.168.1.0/24 which contains 2^8 (= 256) addresses. In IPv6 networks a prefix is usually 64 bits for a (V)LAN, for example 2001:610:508:109::/64. This prefix contains 2^64 (= a lot) of addresses.

For choosing an address in the IPv6 prefix usually the MAC address of the (network) interface is used. This is helpful in determining an address because the 48 bit MAC address is (by definition) globally unique. This however can be a potential privacy problem as the chosen address will be always the same (and leaks at least the vendor identification of the network device). For this reason recent versions of Windows (Vista and later) use the IPv6 privacy extensions as documented in RFC 4941. This prevents the IPv6 address from being always the same and from correlating with the MAC address of the interface. In Mac OS X and Linux [5] it is possible to activate the privacy extensions manually. Mobile devices do not currently expose user configurable options to enable the privacy extension.
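The MAC-derived address and the privacy leak described above can be checked mechanically. The following added example (not part of the original report) forms the modified EUI-64 address a host derives from a /64 prefix, and recovers the MAC and vendor prefix from addresses seen on the network. The MAC address and the second sample address are constructed; the prefix is the one used in the text.

```python
import ipaddress

def slaac_eui64(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from a /64 prefix and its 48-bit MAC (modified EUI-64)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    raw = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    raw[0] ^= 0x02                                     # flip the universal/local bit
    iid = bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])  # insert ff:fe in the middle
    return net[int.from_bytes(iid, "big")]

def embedded_mac(address: str):
    """Return the MAC embedded in an EUI-64 style address, or None.

    None means the interface identifier was chosen another way (privacy
    extensions, static or DHCPv6). A random identifier can contain ff:fe
    in this position by chance (about 1 in 65536), so treat a hit as a
    strong hint, not proof.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in raw)

def audit(addresses):
    """Map every address that exposes a MAC to (mac, vendor OUI)."""
    report = {}
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac:
            report[addr] = (mac, mac[:8])
    return report

# Constructed sample: one MAC-derived address, one privacy-style address.
SAMPLE = [
    str(slaac_eui64("2001:610:508:109::/64", "00:11:22:33:44:55")),
    "2001:610:508:109:3c5a:91d2:7e04:b6a1",
]

if __name__ == "__main__":
    for addr, (mac, oui) in audit(SAMPLE).items():
        print(f"{addr} exposes MAC {mac} (vendor prefix {oui})")
```
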

3.3. Dynamic Configuration using DHCPv6

In this case DHCPv6 is used as documented in RFC 3315. This means that, like in the IPv4 situation, the DHCPv6 server gives an address to an end-user host from a predetermined range. In the RA of the router the flag "Managed address configuration" should be set so the host knows that DHCPv6 is used for the address configuration (see RFC 2461). It should be noted that it is not possible to announce the IP address of the router(s) using DHCPv6 as is possible in the case of DHCP, but it always has to be announced using RA.

3.4. IP Addressing Plan

To help carefully design the network addressing on a site, if for instance this site obtained a prefix of size /48, SURFnet wrote another document called "Preparing an IPv6 Addressing Plan" [6]. In this document methods are proposed for efficiently and meaningfully designing an addressing plan for a site.

[4] The recommended minimal prefix for a network is /64 (see RFC 4291). For a site (for instance an organization) a default of /48 is allocated (2^16 /64 networks).
[5] With Linux we actually mean GNU/Linux. This includes the Linux kernel and user space applications that are part of a Linux distribution like Red Hat Enterprise Linux or Debian.
[6] This document can be obtained from the SURFnet website at http://www.surfnet.nl/Documents/handleiding_IPv6_nummerplan_EN.pdf.

4. IPv6 DNS Configuration

4.1. Static Configuration

Static configuration is typically used for "fixed" devices in the network like routers and servers. This is no different from the situation in IPv4 networks.

4.2. Dynamic Configuration using RDNSS

Recursive DNS Server (RDNSS) as documented in RFC 6106 "IPv6 Router Advertisement Options for DNS Configuration" is a method to announce addresses of DNS resolvers and search domains to end-user hosts. The addresses of the resolvers are added to the router advertisements.

4.3. Dynamic Configuration using DHCPv6

In this case DHCPv6 is used as documented in RFC 3315. Like with DHCP, with DHCPv6 the DNS resolver(s) and possibly other information can be announced. In the RA the flag "Other stateful configuration" should be set, so the host knows that it should use its DHCPv6 client to obtain this information (see RFC 2461).

5. RA, RDNSS or DHCPv6?

With these different ways to (automatically) configure IP addresses and DNS resolvers the question remains which one should be chosen. Different operating systems and (mobile) devices support a different (not necessarily overlapping) number of methods. So it will be "mix and match" to support all (or at least as many as possible) operating systems.

Operating System        Version   SLAAC  RDNSS     DHCPv6  Privacy Extension  Manual [7]  Dual-stack
Microsoft Windows [8]   7         Yes    No        Yes     Yes                Yes         Yes
Apple Mac OS X          10.6.5    Yes    No [9]    No      Yes                Yes         No
Apple iOS [10]          4.2.1     Yes    No        Yes     No                 No          Yes
Google Android [11]     2.2       Yes    No        No      No                 No          No
Linux (Ubuntu) [12]     10.04.1   Yes    Yes [13]  No      Yes                Yes         No
Linux (Fedora)          14        Yes    Yes       Yes     Yes                Yes         Yes [14]
Cisco IOS               15.x      Yes    No        Yes     No                 Yes         Yes

[7] This means whether or not it is possible to configure the operating system manually for dual stack connectivity.
[8] When IPv4 is disabled manually in the network configuration a bug occurs with which the IPv6 address of the (automatically via DHCPv6) configured DNS resolver corrupts. See http://www.tunnelbroker.net/forums/index.php?topic=323.0 for more information.
[9] Support for RDNSS will supposedly be available in Mac OS X 10.7, Lion. See http://seclists.org/nanog/2011/Feb/1923.
[10] Tests with an iPhone 3GS and iOS 4.2.1 on an IPv6 only access point show that the iPhone is able to work without any IPv4 configuration. However, sometimes problems occurred during browsing the web in which sometimes a message is displayed that the server could not be found. A page refresh made it work again.
[11] Issue with IPv6 support in Google Android: http://code.google.com/p/android/issues/detail?id=3389. This is (still) not resolved in Android 2.3 (Gingerbread).
[12] Support of RDNSS and DHCPv6 is expected in Ubuntu 11.04 (available at the end of April 2011).
[13] Requires the installation of the package "rdnssd".
[14] The default firewall blocks DHCPv6 responses (see https://bugzilla.redhat.com/show_bug.cgi?id=656334 and http://www.redhat.com/archives/anaconda-devel-list/2010-November/msg00122.html). Furthermore, the IPv6 connection should be set to "Automatic" in NetworkManager to enable the automatic configuration of DNS resolver addresses using either RDNSS or DHCPv6.

Router advertisements are always required for every operating system. RDNSS is supported by only a few operating systems as is DHCPv6, but then a different set. This table shows that DHCPv6 is really required for now [15]. RDNSS has limited use as only Fedora (and Ubuntu after installation of an optional software package) support it. However, RDNSS may become more important in the future as it will make DHCPv6 obsolete and will be needed for Mac OS X 10.7. Furthermore, it will be of great value after switching to secure neighbor discovery (see section 7.1).

It is noteworthy that it is currently impossible in Mac OS X, Google Android and Ubuntu to configure DNS resolvers automatically or configure IPv6 addresses using a DHCPv6 server. These systems are able to connect to IPv6 services, but they will always require the IPv4 DNS server that was obtained using DHCP (or IPv6 DNS resolver that was configured manually) for the resolving.

6. NAT64

Looking ahead towards a situation with an IPv6 only LAN it is almost certainly required to maintain connectivity to the IPv4 part of the Internet. This will be possible, for instance, using a NAT64/DNS64 gateway. This is a successor to the obsolete NAT-PT solution as documented in RFC 2766.

The idea behind NAT64 is that a DNS64 server creates a "virtual" AAAA record for host names if there currently is no AAAA record for that host. The virtual AAAA record points to a gateway machine in which the last 32 bits of the IP address encode the IPv4 address of the host.

SURFnet has an experimental NAT64-gateway at IP address 2001:610:2001::610 [16]. By using this address as a DNS resolver (either in the DHCPv6, RDNSS configuration or manually specified) the NAT64 gateway will be used for targets that do not support IPv6. Below an example of two target hosts is shown. In the case of www.surfdiensten.nl there is no AAAA record available and one is added by the DNS64 server. In the case of www.surfnet.nl there already is an AAAA record so it is not modified by the DNS64 server.

    $ host www.surfdiensten.nl
    www.surfdiensten.nl has address 194.171.53.6
    $ host www.surfdiensten.nl 2001:610:2001::610
    Using domain server:
    Name: 2001:610:2001::610
    Address: 2001:610:2001::610#53
    Aliases:

    www.surfdiensten.nl has address 194.171.53.6
    www.surfdiensten.nl has IPv6 address 2001:610:2001:610::c2ab:3506

    $ host www.surfnet.nl
    www.surfnet.nl has address 194.171.26.203
    www.surfnet.nl has IPv6 address 2001:610:1:80e1:194:171:26:203
    $ host www.surfnet.nl 2001:610:2001::610
    Using domain server:
    Name: 2001:610:2001::610
    Address: 2001:610:2001::610#53
    Aliases:

    www.surfnet.nl has address 194.171.26.203
    www.surfnet.nl has IPv6 address 2001:610:1:80e1:194:171:26:203

The NAT64 gateway will take care of translating between IPv6 and IPv4. An implementation is available for Linux and OpenBSD and can be found in the Ecdysis project [17].

It should be noted that a NAT64 gateway has problems with some software, in particular software that passes IPv4 addresses as data inside the payload of the IP packets. Some examples of this are P2P software, SIP telephony, Skype and online games. An IETF document about IPv6 only experiences has some more information on this [18].

[15] As intermediate solution SLAAC could be used for IPv6 address configuration and DHCP for the (IPv4) DNS resolvers. Systems then will be able to communicate with IPv6 hosts, but it cannot be considered fully dual stack.
[16] This experimental NAT64 gateway is only accessible from the SURFnet network.
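The "virtual" AAAA record can be reproduced and recognised with a few lines of address arithmetic. This added example (not part of the original report) synthesizes the DNS64 answer for an IPv4 address, extracts the embedded IPv4 address again, and labels AAAA answers as native, synthesized or inconsistent. The /96 translation prefix is an assumption read off the synthesized address in the host output above.

```python
import ipaddress

# Assumption: /96 translation prefix taken from the synthesized answer
# 2001:610:2001:610::c2ab:3506 shown in the host output.
NAT64_PREFIX = ipaddress.IPv6Network("2001:610:2001:610::/96")

def synthesize(ipv4: str, prefix=NAT64_PREFIX) -> ipaddress.IPv6Address:
    """AAAA a DNS64 server builds for a host that only has an A record."""
    return prefix[int(ipaddress.IPv4Address(ipv4))]

def embedded_ipv4(ipv6: str, prefix=NAT64_PREFIX):
    """IPv4 address carried in the last 32 bits, or None if outside the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def classify(a_records, aaaa_records, prefix=NAT64_PREFIX) -> dict:
    """Label each AAAA answer.

    native      - outside the translation prefix, reached over IPv6 directly
    synthesized - inside the prefix and matching one of the host's A records
    mismatch    - inside the prefix but pointing at an IPv4 address the host
                  does not have; worth investigating on the resolver
    """
    known = {ipaddress.IPv4Address(a) for a in a_records}
    labels = {}
    for aaaa in aaaa_records:
        v4 = embedded_ipv4(aaaa, prefix)
        if v4 is None:
            labels[aaaa] = "native"
        elif v4 in known:
            labels[aaaa] = "synthesized"
        else:
            labels[aaaa] = "mismatch"
    return labels

if __name__ == "__main__":
    # Answers from the two lookups shown in the text.
    print(synthesize("194.171.53.6"))
    print(classify(["194.171.53.6"], ["2001:610:2001:610::c2ab:3506"]))
    print(classify(["194.171.26.203"], ["2001:610:1:80e1:194:171:26:203"]))
```
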

7. Securing IPv6 Networks

Just like with IPv4 networks, on IPv6 networks there can be both local attacks (by local users) or remote (perimeter) attacks. In this section only local networks are considered as the situation for securing the perimeter is similar to that of IPv4 networks and out of the scope in this document. Common attacks on IPv4 LAN networks are ARP cache poisoning attacks and rogue DHCP servers. For IPv6 the situation is somewhat more complex.

7.1. Neighbor Discovery

In IPv6 networks ARP is replaced by neighbor discovery (ND). There are different kinds of ND packets, for example: router advertisements (RA) and duplicate address detection (DAD). While designing IPv6 the insecure LAN was not considered; no attacks were expected on the local "trusted" network. For more information see section 11 "Security Considerations" of RFC 4861 and also RFC 3756 "IPv6 Neighbor Discovery (ND) Trust Models and Threats".

The most important attack is probably a MITM attack [19] to redirect traffic. This can be done using rogue router advertisements as described in "IPv6 Router Advertisement Guard" [20] and "Rogue IPv6 Router Advertisement Problem Statement" [21]. The conclusion and solution according to this RFC:

"While a number of the mitigations described above have their appeal, the simplest solutions probably lie in switch-based ACLs and RA-Guard style approaches. Where managed switches are not available, use of the Router Preference option and (more so in managed desktop environments) host firewalls may be appropriate. In the longer term wider experience of SeND will be beneficial, while the use of RA snooping will remain useful either to complement SeND (where a switch running RA Guard can potentially be a SeND proxy) or to assist in scenarios for which SeND is not deployed."

SeND is documented in RFC 3971. It uses public key cryptography to secure ND and a PKI for router discovery. Unfortunately there are no working implementations available that can be deployed right now; however, Cisco does have an implementation for their equipment.

The Cryptographically Generated Address (CGA) of SeND, documented in RFC 3972, works as follows: every station generates a public/private key and uses this to generate an IP address in a (published) network prefix using (secure) hashing. Thus it will be impossible to choose your own IP address, avoiding taking (over) an IP address for which the matching private key is not available.

To verify RAs the advertisements would have to be signed by some trusted PKI root. Possibly this can be combined with RPKI router certification [22] (PKI for BGP) or DNSSEC.

Tools to experiment with for instance neighbor discovery and rogue router advertisements can be found in the THC-IPV6-ATTACK-TOOLKIT [23]. To monitor ND the tools NDPMon [24] and SLAACer [25] are available. They monitor (and optionally log) all (multicast) ND messages on the network and can be used to report on suspicious activity.

[17] See http://ecdysis.viagenie.ca/.
[18] See http://tools.ietf.org/html/draft-arkko-ipv6-only-experience-00.
[19] Man-In-The-Middle attack: in this attack traffic is (temporarily) redirected through a machine controlled by an attacker to snoop, modify or block traffic without the user noticing this.
[20] See http://datatracker.ietf.org/doc/draft-ietf-v6ops-ra-guard/.
[21] See http://datatracker.ietf.org/doc/draft-ietf-v6ops-rogue-ra/.
[22] See http://www.ripe.net/certification/.
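The kind of check an ND monitor performs on router advertisements can be sketched as follows. This is an added example, not code from NDPMon, SLAACer or the original report: it parses the ICMPv6 part of an RA (the M and O flags from sections 3.3 and 4.3, prefix information, and the RDNSS option from section 4.2) and compares it with a site policy. The router addresses, MAC addresses, policy values and both sample packets are constructed; only the prefix 2001:610:508:109::/64 comes from the text.

```python
import ipaddress
import struct

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134). Checksum is not verified."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a router advertisement")
    ra = {"managed": bool(icmp[5] & 0x80),   # M flag: addresses via DHCPv6
          "other": bool(icmp[5] & 0x40),     # O flag: DNS etc. via DHCPv6
          "lifetime": struct.unpack("!H", icmp[6:8])[0],
          "mac": None, "prefixes": [], "rdnss": []}
    pos = 16
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1] * 8   # length counts 8-byte units
        if olen == 0 or pos + olen > len(icmp):
            raise ValueError("malformed option")
        body = icmp[pos + 2:pos + olen]
        if otype == 1 and olen == 8:                 # source link-layer address
            ra["mac"] = body.hex(":")
        elif otype == 3 and olen == 32:              # prefix information
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == 25:                            # RDNSS (RFC 6106)
            for i in range(6, len(body) - 15, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        pos += olen
    return ra

def check_ra(src: str, ra: dict, policy: dict) -> list:
    """Return findings for an RA received from link-local source address src."""
    findings = []
    if src not in policy["routers"]:
        findings.append(f"RA from unauthorised router {src} (MAC {ra['mac']})")
    findings += [f"unexpected prefix {p}" for p in ra["prefixes"]
                 if p not in policy["prefixes"]]
    findings += [f"unexpected DNS resolver {d}" for d in ra["rdnss"]
                 if d not in policy["rdnss"]]
    if (ra["managed"], ra["other"]) != (policy["managed"], policy["other"]):
        findings.append("M/O flags differ from site policy")
    return findings

def build_ra(flags, prefix, rdnss=None, mac="02:00:00:00:00:01") -> bytes:
    """Assemble RA bytes for the constructed samples below (checksum left at 0)."""
    net = ipaddress.IPv6Network(prefix)
    pkt = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    pkt += bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))
    pkt += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    pkt += net.network_address.packed
    if rdnss:
        pkt += struct.pack("!BBHI", 25, 3, 0, 1800) + ipaddress.IPv6Address(rdnss).packed
    return pkt

# Constructed policy: SLAAC for addresses, DHCPv6 for DNS (O flag), no RDNSS.
POLICY = {"routers": {"fe80::1"}, "prefixes": {"2001:610:508:109::/64"},
          "rdnss": set(), "managed": False, "other": True}
LEGIT = build_ra(0x40, "2001:610:508:109::/64")
ROGUE = build_ra(0x80, "2001:db8:666::/64", rdnss="2001:db8:666::53",
                 mac="02:00:00:00:00:66")

if __name__ == "__main__":
    for src, pkt in (("fe80::1", LEGIT), ("fe80::66", ROGUE)):
        print(src, check_ra(src, parse_ra(pkt), POLICY) or "ok")
```
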

7.2. DHCPv6

In both IPv4 and IPv6 networks DHCP(v6) works using UDP: in the case of IPv4 via broadcast, in the case of IPv6 via multicast. For IPv4 this is documented in RFC 2131 and for IPv6 in RFC 3315.

A problem of DHCP(v6) is that it is possible to create a rogue DHCP(v6) server. Every system on the same (physical) LAN can do this. If the rogue DHCP server responds before the authoritative server responds this can result in a broken configuration or possibly MITM attacks. This can already happen by accident by enabling "Internet Connection Sharing" on some operating systems.

To solve this it is possible to block all DHCP(v6) responses coming from other hosts than the authoritative DHCP server in the LAN. This can be done on switches that support layer-3 filtering. See for example "IPv6 First Hop Security - Protecting Your IPv6 Access Network" written by Cisco [26]. For wireless networks, direct communication between hosts should be disabled; this can be done by enabling access point isolation.

If blocking rogue DHCP(v6) servers is not possible, detecting them can be done for DHCP with the tool dhcp_probe [27]. It should not be too difficult to create a tool like this for DHCPv6, but so far implementations are not known.

7.3. Servers and Hosts

To secure end-user hosts and servers on the network IPv6 should be considered as well. Firewalls should work for both IPv4 and IPv6. In case this is forgotten it might be possible the server and end-user hosts are secured against attacks via IPv4, but open for attacks using IPv6. On Linux-systems ip6tables should be used as well as iptables. On Windows-systems the default firewall will also block IPv6 traffic the same way it blocks IPv4 traffic. However some third party Windows firewall solutions either block all IPv6 traffic or just let it pass through unfiltered. The first can result in broken connections, the second can result in (more) insecure systems as with IPv6 one usually gets a public IP address.

8. Identification of hosts

It is useful for network administrators to be able to trace problems with hosts in the network. In case a system is infected with a virus or configured in a wrong way and "attacks" other systems on the Internet. Sometimes it may even be necessary to trace an attack to a certain user as the MAC address of a network device can be manipulated and cannot be considered a unique mapping to a host or user.

8.1. IPv4

An approach used in IPv4 networks is creating a white list of network devices that are allowed to connect based on the MAC address of said device. In this case the user has to register their devices at the help desk so they can be linked to the owner so it is possible to find out who is responsible for the device if problems occur. This typically only works if the user uses a fixed port on the wired LAN. If for instance students take all kinds of (mobile) devices to the university it will become very cumbersome to register them all.

In case 802.1X is used on the (wireless) network, linking a user to a device (MAC address) becomes much easier. Access points capable of 802.1X will usually send the IP address (and MAC address of the device) to the access point controller (or RADIUS server).

[23] See http://freeworld.thc.org/thc-ipv6/ and the presentation slides during Chaos Computer Club 27C3 conference at http://www.youtube.com/watch?v=c7hq2q4jQYw (2010-12-27).
[24] See http://NDPMon.sourceforge.net/.
[25] See http://www.digriz.org.uk/slaacer.
[26] See http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/whitepaper_c11-602135.html.
[27] See http://www.net.princeton.edu/software/dhcp_probe/.

8.2. IPv6

Access point controllers we investigated, that support 802.1X, do not register the IPv6 address in the RADIUS log like they do for IPv4. This is because they do not perform DHCPv6 relaying like in the IPv4 situation. Of course, it will remain to be seen whether or not all networks deploying IPv6 will actually also deploy DHCPv6 as it is not strictly necessary, so it is unknown how this will be solved in the future.

However, if dual stack networks are created and a host gets both an IPv4 and IPv6 address it will be possible to use the link created for IPv4 (between MAC address and IPv4 address) to use this knowledge to determine the actual user of an IPv6 address by analyzing the neighbor discovery messages over the network(s). Tools that can do this are for example NDPMon and SLAACer.

9. Conclusion

To deploy "dual-stack" IPv6 networks in an organization and support as many platforms as possible it is necessary to deploy both stateless address auto configuration (SLAAC) and DHCPv6. DHCPv6 is then used only for passing the DNS resolvers to the hosts.

Below is a list of operating systems and whether or not they are "dual stack" capable. If the column "Dual stack" says "Yes" this means that the Internet connection remains working even when the IPv4 connectivity is completely dropped. If it says "No" that means an IPv4 connection is still required to be able to communicate with IPv6 services. In this table manual configuration was not considered as that does not scale in organizations with lots of hosts on the network.

Operating System    Version   Dual stack
Microsoft Windows   7         Yes
Apple Mac OS X      10.6.5    No
Apple iOS           4.2.1     Yes
Google Android      2.2       No
Linux (Ubuntu)      10.04.1   No
Linux (Fedora)      14        Yes
Cisco IOS           15.x      Yes

Right now, the SURFnet office network is a real dual stack network. If at some point it is decided to completely disable IPv4 on the LAN, the dual stack operating systems as shown in the table above will keep working. The list will be more positive in the near future, except in the case of Android where no (short term) plan is known for improving IPv6 support.