[reincarnate0x14]

It's bizarre to me that there is still so much effort spent on resisting IPv6 implementations, we were converting some industrial control networks to it almost 10 years ago and those organizations are basically defined by ancient equipment. Rather than byzantine v4 NAT coordination we mapped entire plants and substations to V6 addresses and put in 6to4 for the PLCs that were old enough to vote, so that multiple sites that all used the same 10.x.y.z blocks because of course they did could be routed together. Had V6 available from my house to pretty much anywhere I cared about in 2017.

[esseph]

As a business, especially a small business, there is no financial reason to do so in the United States for the vast majority of businesses. This gets talked about on NANOG all the time.

It doubles the workload and knowledge required, doubles the security attack surface, and because of the 2nd part, doubles the security risk.

Right or wrong that's the calculation for most spots.

[reincarnate0x14]

re: the attack surface, I will say that I see such a tiny fraction of probe attempts and common exploit scripts hitting V6 spaces that I open some services on V6 only.

At my house I've had SSH open to the V6 internet for 8 years and have the logger set up to email me for any connections, and I have never once seen an attempt that wasn't me. For popular sites with well known DNS names that's obviously different, but I keep DNS current and can SSH by name to that V6 listener from anywhere so it's not my ISP trying to save me from myself either. And that's not even a host with the normal automatic temporary addresses, it's been a fixed interface id portion with an effectively static V6 prefix for years.

For a while I had several other services open as well, at one point we even played around with using NFS and iSCSI over IPv6 on the internet just for giggles, no actual important data. I can imagine some sysadmin's face twisting in horror just reading that knowing the carnage that would have ensued doing that with V4, where we commonly drop entire geo-blocks just to curtail the log spam of all the various automatic admin portal and VPN login scans.

There are of course techniques to gather live V6 addresses but between the vast space and temporary addresses on most end-user devices it really has been a night and day difference.

[esseph]

It's more likely when you have public DNS pointing to ipv6 enabled hosts, not so likely with a random scan because of the sheer number.

[immibis]

You're banned from being a federal contractor if you don't. Isn't that pretty important since that's where all the money is?

[esseph]

All the money is in federal contracting?

Did it for a decade, and that's news to me.