So when and how will IPv6 become the absolute standard? I presume an act of government law would do it, otherwise, if tech companies got together to force the change en masse, that would also do it.
I don't understand why IPv6 has not become more prevalent over the coming years. Seems like we're taking baby steps and growing in our dependence on IPv4 IPs, although based on other comments here it sounds like at least Linux and Mac have a way to handle this transparently, not sure about Windows.
IPv6 has been silently growing. If Hacker News supported IPv6, there is a good chance you would be accessing it with IPv6. The problem is that it may have hit a plateau with the easy migrations. The issue is that there is no incentive for most businesses to make the switch.
I was thinking that there should be a movement to make IPv6 the new default protocol. That includes requesting IPv6 from sites. Also, lots of docs on how to enable IPv6 with routers, a program to label gear as IPv6-ready, and persuading manufacturers to enable IPv6 by default.
Finally, have best practices for IPv6 on corporate networks. With NAT64, it is possible to have an IPv6-only network with IPv4 on the edge. I think it needs docs that describe how to do it, and lots of work in changing the opinions of network engineers.
All of the best practices seem to be in place in the consumer space. Several major consumer ISPs (mobile carriers) are IPv6-only and there hasn't been that much trouble. iOS requires IPv6 support in App Store certification because of this.
The trouble is definitely corporate networks. Changing opinions is hard, especially when network engineers have sunk cost fallacies and bad security training to worry about. Probably the only thing that's going to start making a difference for corporate networks is to let IPv4 costs continue to increase until enough corporate accountants start to notice that in financial reports and start to ask hard questions. Too bad there's no easy way to associate a market cost to 10.0.0.0/8 somehow.
Possibly never, because security. NAT at least tries to hide insecure IoT devices on your grandma's wifi.
shodan.io has support for IPv6. With IPv4 you're somewhat restricted to devices that get a public IP (corporate networks) or devices that drill a hole (UPnP/port forward). IPv6 devices are publicly visible by default and you need to manually set up a firewall to filter this out (not trivial, especially for UDP and ICMP).
Every firewall I've dealt with since forever has default deny on inbound traffic, stateful allow for outbound connections. Regardless of NAT or not, and regardless of how cheap it is.
Name one vendor? I can name you 3 that don't. Zyxel, Ubiquiti, Mikrotik. Also anything WRT-based (e.g. DD-WRT).
In fact, one of the warnings on the official DD-WRT IPv6 tutorial:
""" Keep in mind it can be dangerous to enable IPv6 without also having a firewall on each client that handles IPv6 packets, or having ip6tables on your router to filter incoming connections. ip6tables is NOT included by default with DD-WRT, which means your clients will be directly exposed to the Internet once you have enabled IPv6. """
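What "having ip6tables on your router to filter incoming connections" looks like in practice, as an added example that is not from the thread, the DD-WRT documentation or any vendor: an nftables ruleset (the successor to ip6tables on Linux routers) implementing default-deny inbound with stateful allow for outbound connections, plus the ICMPv6 types IPv6 cannot work without. Interface names (eth0 for WAN, br0 for LAN), the management ports and the 2001:db8::10 example host are assumptions chosen for illustration; the documentation-prefix address is a placeholder, not a real host.

```nftables
#!/usr/sbin/nft -f
# Added example: stateful default-deny IPv6 filtering for a small router.
# Assumed (not from the thread): WAN interface "eth0", LAN bridge "br0".
flush ruleset

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback, and replies to connections the router itself opened.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 the router needs to function at all on v6: neighbour
        # discovery replaces ARP, router advertisements carry the prefix,
        # and packet-too-big is how path MTU discovery works. Blocking
        # "all ICMP" as on v4 breaks IPv6, which is why the thread calls
        # ICMP the non-trivial part of filtering.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request,
                      nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # DHCPv6 answers from the ISP to the router's own client.
        iif "eth0" udp dport 546 accept

        # Management of the router only from the LAN side (assumed ports).
        iif "br0" tcp dport { 22, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows LAN clients started is allowed; this is
        # the stateful part that NAT gives you implicitly and a plain
        # router without a firewall does not.
        ct state established,related accept
        ct state invalid drop

        # LAN clients may open connections outward.
        iif "br0" oif "eth0" accept

        # Diagnostics and PMTUD may reach clients; unsolicited inbound
        # TCP and UDP to every globally addressed client stay blocked.
        iif "eth0" icmpv6 type { destination-unreachable, packet-too-big,
                                 time-exceeded, parameter-problem,
                                 echo-request } accept

        # A deliberate hole: HTTPS to one specific host, the case the
        # thread describes as nicer than shoehorning everything onto one
        # IPv4 address. Placeholder address from the documentation prefix.
        iif "eth0" ip6 daddr 2001:db8::10 tcp dport 443 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` (use `nft -c -f` first to syntax-check without applying). The forward chain is the one that matters for the DD-WRT warning: without a drop policy there, every LAN client with a global address is reachable from the Internet on every port, exactly the default the thread says you have to fix by hand. Inspect what is currently enforced with `nft list ruleset`; if the output is empty on an IPv6-enabled router, nothing is filtering forwarded v6 traffic.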
Ubiquiti do -- and it's very nice to be able to punch holes in it when I do want to let HTTPS traffic in to specific addresses, rather than need to try to shoehorn everything onto a single IPv4 address.
IPv6 support is sufficiently widespread that pretty much the only place I can't access IPv6-only services from is the office :P.
This is my concern too. NAT is nice because it's stupid and secure by default. No matter how you misconfigure it, the router simply doesn't know where to forward inbound packets to, unlike a firewall which has to actively block. My assumption for routers is that they won't handle firewalls right, especially the many cheapo ones.
It's not actually secure; your router will route inbound packets to whatever IP is in the packet's destination header, and that can be a machine on your LAN. This remains true whether or not you're applying NAT to your outbound connections.
If anything, NAT makes you less secure by tricking you into a false sense of security.
(It's also worse if you're deliberately running servers, because it catastrophically reduces the search space needed for a hostile actor to find those servers via network scanning. At least, it does on v6 -- on v4 the search space is already too small to be a relevant factor.)
The routers. My ISP can't route dst=192.168.1.2 to anywhere, and even if someone managed to splice the packet in between my router and the ISP, my router won't take that dst. That address doesn't exist on the WAN.
Okay, but since that's RFC1918 you'll need to give me access to your immediate upstream network in order to send the packet to your router. How do you want to do that?