[njibhu]

There are a lot of shortcomings of IPv6 which prevents it to be widely used (particularly on the consumer network side). First thing to know is that it shifts responsibilities. The router is not responsible anymore for assigning IPs to the network. The devices assign their own IP address using SLAAC. You could use DHCPv6, but many devices simply won't support it (windows and android to begin with).

Which brings the following issues:

- No support for multi-homing. Example: You have two connections, a slow reliable one, and a fast unreliable one. With IPv4 you can easily setup multiwan in any proper L3 router. The router will ping both routes, and if the fast one is working, using it as main gateway. When it doesn't answer anymore, the router simply change its route. Because of NAT, this is transparent to the devices behind its network. For IPv6, this doesn't work anymore, because the IP prefix is set by the provider, without NAT the second provider will simply refuse to forward any packet which originates from an IP which doesn't have their prefix. The "solution" is to have your own address space, and use BGP to change the routes (which is out of reach for all of private consumers).

- ISPs got it wrong ! I'm in Germany, tried 3 different providers, they all assign to my router a /64 subnet instead of /60 or /56 (as recommended by ARIN). The problem is that SLAAC only works with /64, below the devices usually won't assign themselves an IP anymore. So you can only have one network, you can't have a Guest network with a different prefix.

- As mentioned by the article, the design is terrible for privacy: SLAAC works by simply taking the prefix from the router and filling the rest with the mac address. Which means that anybody on the internet gets to know your mac address. EDIT: This is wrong. See throw0101a answer below.

- Captive portals: SLAAC does not directly support assigning DNS servers. So most captive portals simply break because the network's firewall blocks DNS requests as long as they don't use the proper DNS server, but the device might simply not even be able to receive it. (SLAAC has an extension where it can tell the device to receive the DNS servers from DHCPv6, but many devices simply ignore it and treat DNS like browsers do with DoH). EDIT: This is wrong. See throw0101a answer below.

- Security within networks: Because the responsibilities of who assigns IP is shifted to the devices, switches cannot prevent devices to assign themselves IP anymore. So it's very easy for malicious devices to flood routing tables of switches by telling them that they own all IPv6 for the whole /64. Makes the whole network abysmally slow, or completely down.

Most of these issues are solved by using NAT6 (or NPT), but the issue with it, is that it breaks some applications. Ipv6 promised to get rid of NAT, so some applications took the liberty to assume that their local IP would always be the same visible on the internet. Not sure if that's this particular case for SIP, but it's usually broken with NAT6.

[zekica]

It is far away from transparent. Devices behind the router can't know that a change in Public IP happened and won't reconnect active connections.

One example is Apple's APNS and Android's GCM. In IPv4 multiwan network, after the change they won't receive notifications at all for up to 30 minutes. In IPv6, the router can invalidate the old prefix, and publish a new one immediately.

[njibhu]

I think we're talking about a different issue here. MultiWAN does break consumers which do not support reconnecting from a different source IP. But the issue is the same with IPV6, if the prefix changes, the client has to reconnect anyway.

Also, I'm personally not aware of any reliable way of invalidating IPV6 prefixes except waiting for the timeout. (And if it's republishing a RA, devices don't have to listen to it, and the packet might even be lost with an unreliable wifi for example). If I'm wrong here, I'd love to know about it.

[ikiris]

Short lifetime RAs for all of the address spaces are meant to cover this.

[throw0101a]

See also "Reaction of IPv6 Stateless Address Autoconfiguration (SLAAC) to Flash-Renumbering Events":

   In scenarios where network configuration information related to IPv6
   prefixes becomes invalid without any explicit and reliable signaling
   of that condition (such as when a Customer Edge router crashes and
   reboots without knowledge of the previously employed prefixes), hosts
   on the local network may continue using stale prefixes for an
   unacceptably long time (on the order of several days), thus resulting
   in connectivity problems.  This document describes this issue and
   discusses operational workarounds that may help to improve network
   robustness.  Additionally, it highlights areas where further work may
   be needed.

* https://datatracker.ietf.org/doc/html/rfc8978

[Avamander]

> Which means that anybody on the internet gets to know your mac address.

Pretty sure all reasonable devices utilise privacy extensions.

> ISPs got it wrong ! I'm in Germany, tried 3 different providers, they all assign to my router a /64 subnet instead of /60 or /56 (as recommended by ARIN).

If it's wrong is subjective. If it's not a goal to upsell a business connection there might be technical limitations.

> No support for multi-homing. Example: You have two connections, a slow reliable one, and a fast unreliable one. With IPv4 you can easily setup multiwan in any proper L3 router.

Bit of a niche use-case and still very doable with NAT66.

> Captive portals: SLAAC does not directly support assigning DNS servers.

I haven't seen a captive portal that wasn't able to intercept DNS or that couldn't MITM all connections to display that page. It's a non-issue.

> So it's very easy for malicious devices to flood routing tables of switches by telling them that they own all IPv6 for the whole /64

IPv4 devices can conduct ARP spoofing, no biggie. If it's "very easy" to do either it's just poor switch software.

[njibhu]

> Pretty sure all reasonable devices utilise privacy extensions.

I stand corrected by throw0101a answer. This is actually not an issue

> If it's wrong is subjective. If it's not a goal to upsell a business connection there might be technical limitations.

I don't think a Guest network should be considered a business feature

> Bit of a niche use-case and still very doable with NAT66.

Yes or NPT, as I mentioned at the end of my initial answer. But it has its own con.

> I haven't seen a captive portal that wasn't able to intercept DNS or that couldn't MITM all connections to display that page. It's a non-issue.

I also stand corrected by throw0101a, this is a non-issue.

> IPv4 devices can conduct ARP spoofing, no biggie. If it's "very easy" to do either it's just poor switch software.

The actual "switch software" in IPv4 which handles that, is to use an authoritative DHCP server. This does not exist/work in IPv6.

[Avamander]

> This does not exist/work in IPv6.

Well obviously, but a proper switch, instead of DHCP snooping, has SLAAC and DHCPv6 snooping.

[njibhu]

A lot of devices (android/windows) simply don't support DHCPv6. And SLAAC's RA delegates the responsibility of the IP to the device itself, so doing something like DHCP snooping is simply not possible because the RA packet doesn't tell the switch which IP belongs to which device.

SLAAC-snooping protects against ARP poisonning, not against ARP table overflow.

[Avamander]

If it doesn't protect against ARP table overflow then that is again a missing feature in that software. Just like it's not IPv4's fault if there are no protections against someone sending a thousand DHCP requests and depleting the pool or filling some tables.

[toast0]

> - No support for multi-homing.

It's not really that there's no support. It's more that the support isn't very good.

In theory, you send router advertisements, with priorities for all your routes, and when a connection drops, you stop sending that route's advertisements or start sending announcements showing that prefix is now didabled. And all the clients would do useful things with it.

But of course, they don't. They'll use an address from Prefix A and send it through router B. Or prefer the first announcement they see rather than the most preferred route. And that's assuming you can convince your CPE to set the preferrences you want.

[throw0101a]

> For IPv6, this doesn't work anymore, because the IP prefix is set by the provider, without NAT the second provider will simply refuse to forward any packet which originates from an IP which doesn't have their prefix.

Is multi-WAN without a static IPv6 assignment common? For home users, generally you get one assignment. If you do need this, then you can use IPv6 ULA internally and NPTv6 for prefix translation. You can still get mostly end-to-end connectivity because the external-internal is stateless. See "IPv6 Multihoming without Network Address Translation:

* https://datatracker.ietf.org/doc/html/rfc7157

> SLAAC works by simply taking the prefix from the router and filling the rest with the mac address. Which means that anybody on the internet gets to know your mac address.

Except that this hasn't been how its worked on most OSes by default for several years; see "Temporary addresses", "Cryptographically generated addresses", and "Stable privacy addresses":

* https://en.wikipedia.org/wiki/IPv6_address#Stateless_address...

> - Captive portals: SLAAC does not directly support assigning DNS servers.

For SLAAC to work you need Router Advertisements (RAs), and and with-in those you can put DNS servers (and have since 2010):

* https://datatracker.ietf.org/doc/html/rfc6106

> So it's very easy for malicious devices to flood routing tables of switches by telling them that they own all IPv6 for the whole /64. Makes the whole network abysmally slow, or completely down.

And the same thing can be done with in the IPv4 world by trying to overflow a switch's ARP table. I think switch manufacturers have figured that out.

> Most of these issues are solved by using NAT6 (or NPT), but the issue with it, is that it breaks some applications. Ipv6 promised to get rid of NAT

Except that NAT re-writes both the IP and port and thus you have to use state tracking for replies and port mapping with IPv4 NAT. Whereas NPTv6 is stateless:

   This document describes a stateless, transport-agnostic IPv6-to-IPv6
   Network Prefix Translation (NPTv6) function that provides the
   address-independence benefit associated with IPv4-to-IPv4 NAT
   (NAPT44) and provides a 1:1 relationship between addresses in the
   "inside" and "outside" prefixes, preserving end-to-end reachability
   at the network layer.

* https://datatracker.ietf.org/doc/html/rfc6296

So you can send a message to a packet to a public IP:port combo and it will be mapped to an internal IP:port without much fuss since only the first /64 needs to be re-written. Of course only if your router/firewall is configured to allow new connections, which most consumer CPEs are not by default: they only allow replies to previous outgoing connections.

IMHO, most of the problems you describe haven't been a problem for years.

[yardstick]

> Is multi-WAN without a static IPv6 assignment common?

Yes, it’s incredibly common in the small business/retail/food/shop business with fibre primary and cellular backup. These places don’t have the budget for BGP, but can afford an extra €$£20-50/month for a backup cellular circuit. They don’t need static IPs, they just need working outbound internet access. And they want failover to occur within a few seconds, not 30s or 2-3mins.

[njibhu]

> And the same thing can be done with in the IPv4 world by trying to overflow a switch's ARP table. I think switch manufacturers have figured that out.

Not really though, because in Ipv4, a DHCP server can be authoritative, and switches can ignore IPs which are not assigned by the DHCP server. That's how it's usually figured out for Ipv4.

> Except that NAT re-writes both the IP and port and thus you have to use state tracking for replies and port mapping with IPv4 NAT. Whereas NPTv6 is stateless.

Yes, I didn't meant to state anything contrarily to that, but you still break applications which assumes that the local IP is the same than what is visible from a remote server on the internet.

For the captive portals, I stand corrected, and wasn't aware that you can now embed DNS directly in RAs, but stayed with the original implementation which delegates the DNS part to DHCP.

I probably have an outdated understanding of Ipv6, but to be fair it's quite a challenging exactly because of all the amendments that you linked. These are only some of the problems I encountered personally, and as you showed, each individual problem has a different RFC to solve it. You never know how stable they are and if they are properly implemented. And most of the time the safe default is to only work with the initial standard.