by ZeroSolstice 1243 days ago
Aren't these comments getting a bit old at this point? Running dual-stack should not be any more difficult than just running IPv4. There is a plethora of automated deployment tools and I'd hardly think people are DHCP'ing addresses to their servers. You don't have to use SLAAC and can statically assign addresses just like IPv4. Even for your dual-stacked devices getting IPv6 addresses via RA can be tracked back to their IPv4 DHCP/BOOTP requests.

I'm making the assumption here that anyone concerned about their network attack surface is actively capturing network or netflow data, in which case tools like openargus[1] or Arkime[2] make all of this collectable/searchable. Additionally, most network devices support mirror/monitoring ports to offload data if you aren't working at a scale that needs dedicated taps/aggregators.

[1] https://openargus.org/
[2] https://arkime.com/
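As an added illustration of the "tracked back to their IPv4 DHCP requests" point above (example code, not from the commenter or from openargus/Arkime): the link-layer address is the pivot. A DHCPv4 server logs which MAC got which IPv4 lease, and the IPv6 neighbor cache on the same segment records which MAC answered Neighbor Discovery for which SLAAC/RA address. Joining the two by MAC gives a per-host inventory and, as a bonus, the hosts that only ever showed up on IPv6. The log lines below are constructed for this example in ISC dhcpd syslog style and `ip -6 neigh show` style; the MACs, prefixes and hostnames are made up.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data (not from the original post). ISC dhcpd-style
# syslog lines: one DHCPACK per lease handed out.
DHCPV4_LOG = """\
Jan 10 09:01:12 dhcp1 dhcpd[812]: DHCPACK on 10.20.30.41 to 52:54:00:12:34:01 (ws-alice) via eth0
Jan 10 09:01:40 dhcp1 dhcpd[812]: DHCPACK on 10.20.30.42 to 52:54:00:12:34:02 (ws-bob) via eth0
Jan 10 09:02:03 dhcp1 dhcpd[812]: DHCPACK on 10.20.30.43 to 52:54:00:12:34:03 via eth0
"""

# Constructed `ip -6 neigh show` output from the same segment. SLAAC/RA hosts
# appear here with the link-layer address they used in Neighbor Discovery.
NDP_CACHE = """\
2001:db8:20:30:5054:ff:fe12:3401 dev eth0 lladdr 52:54:00:12:34:01 REACHABLE
2001:db8:20:30:8c1d:7a3e:91b2:0c44 dev eth0 lladdr 52:54:00:12:34:02 STALE
fe80::5054:ff:fe12:3402 dev eth0 lladdr 52:54:00:12:34:02 REACHABLE
2001:db8:20:30:1b77:ee2a:4d09:aa13 dev eth0 lladdr 52:54:00:12:34:01 REACHABLE
2001:db8:20:30:5054:ff:fe12:3404 dev eth0 lladdr 52:54:00:12:34:04 REACHABLE
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
DHCPACK_RE = re.compile(r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>" + MAC + ")", re.I)
NDP_RE = re.compile(r"^(?P<ip>[0-9a-f:]+) dev \S+ lladdr (?P<mac>" + MAC + r") (?P<state>\S+)", re.I)


def parse_dhcp_leases(text):
    """MAC -> IPv4 address from DHCPACK lines (last ACK wins)."""
    leases = {}
    for line in text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            leases[m["mac"].lower()] = m["ip"]
    return leases


def parse_ndp(text):
    """MAC -> set of global IPv6 addresses seen in the neighbor cache."""
    neigh = defaultdict(set)
    for line in text.splitlines():
        m = NDP_RE.match(line)
        if not m:
            continue
        addr = ipaddress.IPv6Address(m["ip"])
        if addr.is_link_local:  # fe80::/10 says nothing about the routed prefix
            continue
        neigh[m["mac"].lower()].add(str(addr))
    return neigh


def correlate(leases, neigh):
    """Join both views on the link-layer address."""
    hosts = {}
    for mac in set(leases) | set(neigh):
        hosts[mac] = {"ipv4": leases.get(mac), "ipv6": sorted(neigh.get(mac, ()))}
    return hosts


def ipv6_only_hosts(hosts):
    """Hosts seen in ND but never ACKed by DHCPv4: the blind spot of an IPv4-only inventory."""
    return sorted(mac for mac, h in hosts.items() if h["ipv4"] is None and h["ipv6"])


if __name__ == "__main__":
    inventory = correlate(parse_dhcp_leases(DHCPV4_LOG), parse_ndp(NDP_CACHE))
    for mac, h in sorted(inventory.items()):
        print(mac, h["ipv4"], h["ipv6"])
    print("IPv6-only:", ipv6_only_hosts(inventory))
```

The same join works against flow data: any collector that records the source MAC alongside the IPv6 flow gives you the `neigh` side without touching the router. Hosts that rotate temporary addresses simply accumulate more entries under the same MAC, which is exactly the per-device view the inventory needs.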


In the context of network intrusion detection and providing secure online services, I agree with you.

However, if this guidance is trying to influence government office routers and internet gateways... It's a different story.

A transition from IPv4 to IPv6 creates a new per-device tracking capability that leaks internal network structure. This in my opinion is worse than internal domains getting certs from Let's Encrypt https://crt.sh/?q=twitter.com cr: https://shkspr.mobi/blog/2022/01/should-you-use-lets-encrypt...

The dual stack, DHCP and SLAAC can go a long way in adding some anonymity.

Realistically though, what information can you glean from a host's IPv6 address that wouldn't already be part of WHOIS? With IPv4 you already know there are only three RFC 1918 reserved ranges. Anyone can use them as they see fit, so seeing a 10/8 address in an email header doesn't automatically mean the company is huge; it's just what they picked. Myself, I've just never really bought into the whole "DNS naming" or discovering private address ranges giving anything away. With existing NAT, device tracking moved onto more unique features such as browser, screen size, etc., such that IP address tracking is probably not as accurate.
> A transition from IPV4 to IPV6 creates a new per device tracking capability that leaks internal network structure.

I doubt it. Your load balancers will be the only addresses that will be addressable anyway. Your IPv4 load balancers will also be "leaking" IP addresses.

You're thinking of the server side, not clients.
Clients that aren't misconfigured will use random IPv6 addresses that rotate. The usual default is once per day but that's a mere preference, you can make your computer take a new IP every minute if you want.
You can still see subnets though which was the original point.
With many ISPs handing out /64s and others handing out /48s and /56s to households, it's difficult to tell a subnet from another IP.

Even still, this information is pretty useless. So what if you know my current subnet is 3a80? That won't help you get past the firewall.

Clients use random IPv6 suffixes.
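The subthread above turns on what an observer can and cannot read out of a client's IPv6 address: the interface identifier (low 64 bits) is random and rotating on a correctly configured client, while the /64 it sits in is visible regardless. As an added example (not from any of the commenters), the following classifies an address by how its interface identifier was built. The EUI-64 form embeds the MAC with ff:fe in the middle and the universal/local bit flipped, so it is both stable and reversible; a temporary (RFC 4941) or stable-opaque (RFC 7217) identifier gives nothing but the prefix. The addresses are constructed for this example from a 2001:db8::/32 documentation prefix and made-up MACs; the ff:fe test is the usual heuristic and a random identifier can in principle collide with it.

```python
import ipaddress
from collections import defaultdict


def _iid_bytes(addr):
    """Low 64 bits of the address: the interface identifier."""
    return bytearray(int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:])


def subnet64(addr):
    """The /64 the address sits in: the only part that survives identifier rotation."""
    return str(ipaddress.IPv6Network((ipaddress.IPv6Address(addr), 64), strict=False))


def iid_kind(addr):
    """Classify the interface identifier (heuristic, see lead-in)."""
    iid = _iid_bytes(addr)
    if iid[3] == 0xFF and iid[4] == 0xFE:
        return "eui64"   # built from the MAC: stable across reboots and networks
    if int.from_bytes(iid, "big") < 0x10000:
        return "static"  # hand-assigned low identifier such as ::1 or ::53
    return "random"      # RFC 4941 temporary or RFC 7217 stable-opaque identifier


def mac_from_eui64(addr):
    """Recover the MAC from an EUI-64 identifier, or None if it is not one."""
    iid = _iid_bytes(addr)
    if not (iid[3] == 0xFF and iid[4] == 0xFE):
        return None
    iid[0] ^= 0x02  # undo the universal/local bit flip
    mac = bytes(iid[:3]) + bytes(iid[5:])
    return ":".join(f"{b:02x}" for b in mac)


def observer_view(addrs):
    """What a remote observer learns from a set of client addresses: per /64, the
    identifier kinds seen and any MACs that EUI-64 identifiers gave away."""
    view = defaultdict(lambda: {"kinds": set(), "macs": set()})
    for a in addrs:
        entry = view[subnet64(a)]
        entry["kinds"].add(iid_kind(a))
        mac = mac_from_eui64(a)
        if mac:
            entry["macs"].add(mac)
    return {k: {"kinds": sorted(v["kinds"]), "macs": sorted(v["macs"])} for k, v in view.items()}


# Constructed sample: one host that still uses EUI-64, one that rotates
# temporary addresses, and a hand-numbered server.
SAMPLE = [
    "2001:db8:20:30:5054:ff:fe12:3401",
    "2001:db8:20:30:8c1d:7a3e:91b2:0c44",
    "2001:db8:20:30:1b77:ee2a:4d09:aa13",
    "2001:db8:20:31::53",
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a, subnet64(a), iid_kind(a), mac_from_eui64(a))
    print(observer_view(SAMPLE))
```

On Linux the rotating behaviour the thread describes is `net.ipv6.conf.<if>.use_tempaddr=2` with `temp_prefered_lft`/`temp_valid_lft` setting the rotation period; the misconfigured case is a client left on EUI-64, which is what `mac_from_eui64` catches.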
They do feel a bit old. Especially considering that this is not the "TL;DR" of the paper. The paper makes no statement on whether or not it is a good idea to use IPv6, only that the US Government is transitioning and some guidelines on how to do that.