by jojobas 997 days ago
Right, cause customers are too stupid to manage their own IPv6 firewalls, it's for their own good! /s
3 comments

Well, I wouldn't put _any_ service on a public network, unless it is explicitly required. Firewall is all well and good, but security in depth is even better.

Private networking is good. IPv6 doesn't help here at all.

The easiest firewall in the world is one that is set up to deny all traffic from all sources. Which is how any decent firewall is configured by default anyway.

I'm not saying that running a private network doesn't provide genuine security value, only that it drastically complicates your networking architecture for very little security benefit. Organizations can decide whether that trade-off is worth it; for organizations with deep threat models like militaries and banks, it's probably worth it. For 99% of the private sector, it's folly.

"Private networking", as defined by assigning private-range IP addresses, is only private as long as there is no route to your network, or as long as it's isolated on a dedicated VLAN (even then, there could be some rogue machines).

In the first case, you need a firewall for IPv4 anyway. In the second case, that would also work with IPv6.

Disclaimer: I know nothing about Azure/AWS internals.

This phrasing is really problematic. Using internet addressing (vs ambiguous addresses) does not make your network "public". Just like using unique MAC addresses doesn't. Confusing global addressing with public reachability is exactly the rhetoric used by AWS, Azure etc. to scare people into building mazes of ambiguously addressed 10.x networks.
What? Private networks are defined as networks that use private address ranges [0]. They are most certainly not AWS "rhetoric".

And why are unique MAC addresses a problem?

[0] https://en.wikipedia.org/wiki/Private_network

Private address ranges don’t make a network private. A firewall does.

If I know the external, publicly addressable IP address of your router (e.g. 135.77.9.106), and no firewall whatsoever, there’s nothing at all preventing me from doing `ip route add 10.0.0.0/8 135.77.9.106`, and voila, I’d have a route to your “private” network.

Using private addresses vs globally unique ones offers no security benefit whatsoever.

> If I know the external, publicly addressable IP address of your router (e.g. 135.77.9.106), and no firewall whatsoever, there’s nothing at all preventing me from doing `ip route add 10.0.0.0/8 135.77.9.106`, and voila, I’d have a route to your “private” network.

This only works if you are on the same L2 segment as 135.77.9.106, or control and install this route on every router between you and it. Otherwise, 10/8 will get routed to the next hop for 135.77.9.106, i.e. your local gateway, which won't know anything about the intended 135.77.9.106 destination and will route it normally (which likely means dropping it).

It's true that firewall rules should be in place to prevent this attack from your direct neighbors, but it's not possible to perform it over multiple hops that you don't control.

It only takes one, but most likely all the routers in between your network and the remote private network already drop the Martian packets, and you don’t have an interface directly connected to the remote private network, so the route you have configured would not work.
I was referring to "public network".

(Though that WP page seems also to have self-coined the "private network" phrase and I don't think it's an established term in this meaning. The first and second references from the leading paragraph talk about "private internets" and "unique local addresses" respectively.)

"Public network" can mean many things, but in the context of IP addresses it usually means a network that uses a globally addressable IP range. Now, that doesn't mean that the network is globally accessible. It can be tightly firewalled.
Therefore job security of old school network administrators is the main factor against IPv6 coverage.

Hopefully one of the big cloud providers figures it is in their best interest to have a much bigger address space and make all this busywork sinecure obsolete.

Good luck administering IPv6 networks; they are so much easier to understand.
I’m pretty confident that this statement is mostly true without sarcasm, and that you are in the minority.
How is managing a NAT easier than managing a firewall?
I’m one typo away from accidentally allowing IPv6 access to every machine in my network with my pf config on my home router. (I know this because I’ve done it one time, and didn’t notice for about a week.)

There is no such typo I could make with my single shared public IPv4 address because it’s just one address. Saying “allow” by accident isn’t enough, I’d have to somehow accidentally configure the particular ingress port to NAT to a particular internal machine, and even then it would only affect that machine and no other.

(Full disclosure, I actually like IPv6 and am in full favor of everything moving to it. This is in spite of the above, but I at least recognize that the above is the case.)
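
The default-deny shape the commenter describes, with the IPv4 port forward that must name one host beside the IPv6 rule where a single substitution exposes the whole LAN, as an added example (not the commenter's own pf.conf): OpenBSD pf syntax, and the interface names, the delegated prefix (documentation range 2001:db8::/32) and the host addresses are all assumed.

```pf
# Added example, not from the thread. Interfaces, prefix and hosts are assumed.
ext_if = "em0"
int_if = "em1"
lan6   = "2001:db8:abcd::/64"     # delegated /64 (documentation prefix here)
nas6   = "2001:db8:abcd::50"      # the one host that should accept SSH from outside
nas4   = "192.168.1.50"           # the same host's RFC 1918 address

set block-policy drop
set skip on lo

# Default deny for everything inbound, v4 and v6 alike; only explicit rules
# below open anything. Outbound and LAN-originated traffic is allowed.
block in log all
pass out quick keep state
pass in quick on $int_if keep state

# IPv6 does not work without ICMPv6 (neighbor discovery, router advertisements,
# path MTU). Allow the needed types rather than all of icmp6.
pass in quick inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv, routeradv, echoreq, toobig, unreach }

# IPv4: one public address, so exposing the NAS means naming it explicitly.
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if)
pass in on $ext_if inet proto tcp to ($ext_if) port 2222 rdr-to $nas4 port 22

# IPv6: every host already has a global address, so the rule itself must
# narrow the destination to the one host.
pass in on $ext_if inet6 proto tcp to $nas6 port 22

# The one-typo failure: substituting the prefix for the host (or dropping the
# "to" clause) passes SSH to every IPv6 host behind the router.
# pass in on $ext_if inet6 proto tcp to $lan6 port 22      # NOT what you want

# Catch it: after loading, review the inet6 rules the kernel actually holds.
#   pfctl -sr | grep inet6
```

A loaded ruleset whose inet6 pass lines name a /64 instead of a single address is the thing to look for in that `pfctl -sr` output.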

I work with Fortune 50s in cloud, and they can barely manage IPv4. If you're in a digital native it's different, but in my experience most behemoths do not inspire confidence with how on top of their network infrastructure they are.
This is a bit like saying “customers can barely manage driving a stick shift with a manual choke — we shouldn’t let them drive automatics!”

IPv6 isn’t amazing, but it makes many of these problems simply disappear. Of course [0] networks should be isolated, but this should be achieved with a firewall that, by default, disallows connections between the public Internet and private networks. And that’s about it — every VM has a globally unique address, routing just works, one company (if permitted) can connect to another company’s endpoints, firewalls can be deployed where they make sense instead of being forced to exist exactly where inconsistently-addressed networks meet, etc.

The entire mess of designing and negotiating allocation of extremely limited IPv4 addresses for private systems simply disappears!

[0] Beyond corp has something to say about this.