[tom1337]

> Medium to large businesses usually have some braindead security policies

what's the argument behind that? are they scared they might configure their firewall bad and have no NAT to safe them from accidentally making all devices public?

[whstl]

It comes from the same place as "passwords expire every 30 days".

People don't understand something and just apply the most annoying rule possible.

The craziest one I saw in Germany was "cookies are allowed, localStorage is not", that was for our app. CTO overrode the CISO on the spot and called him an idiot for making rules he doesn't understand. Interesting day.

[thyristan]

Usually there is no official justification given, just a list (in excel...) of security requirements that have to be ticked off. One of them is "Disable IPv6".

I've heard some ex-post justifications, make of them what you will: Existing infrastructure like firewalls, VPNs and routers might not be able to handle IPv6 properly. Address distribution in IPv6 is unpredictable. No inhouse knowledge of IPv6. Everything has an address in IPv6, so the whole internet can access it. No NAT in IPv6, so it is insecure. IPv6 makes things slow.