by hdgvhicv 3 hours ago
Prices have been coming down for years in nominal terms, let alone real terms. CGNAT does everything that’s needed, there are no significant ip6-only services, there are plenty of ip4-only services, so you have to support ip4 anyway, so why bother with ip6?

My company has just turned off all ip6 connectivity for its corporate laptops because it’s considered a security risk. I disagree, but I do agree that having 4 and 6 is a higher risk than 4 alone or 6 alone, and 6 alone sadly still doesn’t work reliably.

All the “promise” of ip6, direct connections etc., was lost when stateful firewalls became required and memory became cheaper than $20 a megabyte. Some bespoke old protocols don’t like ports changing, which can be a problem, but it’s a very small number and easier to work around with modern protocols than to support a dual stack environment securely for the majority of places that struggle securing a single stack.

3 comments

> My company has just turned off all ip6 connectivity for its corporate laptops because it’s considered a security risk.

If your corporate laptops are running Windows, then you're going against the officially supported configuration of the vendor (Microsoft):

> Internet Protocol version 6 (IPv6) is a mandatory part of Windows Vista and Windows Server 2008 and newer versions.

> We don't recommend that you disable IPv6 or IPv6 components or unbind IPv6 from interfaces. If you do, some Windows components might not function.

* https://learn.microsoft.com/en-us/troubleshoot/windows-serve...

> Cg nat does everything that’s needed […]

Except for making it convenient for end users to, say, play P2P video games, or host Minecraft servers, etc.

> […] and 6 alone sadly still doesn’t work reliably.

It's so unreliable that half of all Internet traffic uses it. It's so unreliable that Microsoft has been going IPv6-only in their corporate networks (a decade ago):

* https://labs.ripe.net/author/mirjam/ipv6-only-at-microsoft/

It's so unreliable that Google is now 99% IPv6-only/mostly on their corporate networks:

* https://www.youtube.com/watch?v=UTRsi6mbAWM

Everything that's needed besides letting computers talk to each other, that is.

With ipv4 you have a two tier internet. Computers talk to servers, servers talk to servers, computers can't talk to computers so every video call must be routed through a server.

I hear this cited as a benefit of IPv6 a lot. Honest question: Isn't this at least a privacy issue, at most a security issue? SLAAC seems like what we already have with extra, breakable steps, which doesn't effectively address the privacy issue anyway.

Where's the privacy issue?

That the server can figure out that two computers in the same house are different, since your laptop and phone no longer share the same ipv4 address but instead have two ipv6 addresses?

Your phone and laptop can just have multiple ipv6 addresses and rotate through them regularly... as apple does by default https://support.apple.com/en-ca/guide/security/seccb625dcd9/...

Security? NAT is not a firewall, you need a firewall, and switching to IPv6 does not remove your firewall.

Before IPv6: The server gets "1.2.3.4:56789" for your device. After IPv6: the server gets "1:2:3:4::56" or whatever for your device. In either case, if the server makes a connection to 1.2.3.4:56789 or 1:2:3:4::56, your router sees the packet and firewalls the connection. Cool.

Want to give me a concrete example of where IPv6 is hurting my privacy or security, because I've been using it for over a decade with zero mishaps, zero privacy issues, zero security issues (to my knowledge at least).

They used to recommend using the MAC address. This was ok 30 years ago when a computer sat in an office on a desk but it makes it very easy to fingerprint a moving computer as it moves across different networks.

Using a random address (Privacy Extensions) solves this problem though, but do we expect everyone to know what that is and check it's enabled? Mine wasn't enabled by default (on Linux) and I only noticed when a bittorrent site warned me.

As mentioned by GP, Apple enables privacy extensions on all their OSes:

* https://support.apple.com/en-ca/guide/security/seccb625dcd9/...

As does Windows (since Vista), and Android (8+).

So why are we still talking about this?

Everything useful is a security issue. Security is a trade-off, not a positive stat you maximize. Every security tightening removes some utility from a system; the hope is that this disproportionally disrupts the "bad actors" over "good ones".

(All of that hinges on the key question that people seldom ask: what is being protected, and from whom. The "two-tier" Internet is, in a way, pointing out a case where regular users are seen as threat actors.)

And wasn't that THE POINT of the internet and its decentralised design?

Yes. Letting anyone talk to anyone was the point of the internet. It's been co-opted by these massive centralising forces and you know what? They're right. With IPv4 everything has to be centralised, we don't even have the faintest chance to avoid it. With IPv6 at least we have a chance to take it back.

Some people will mention stateful firewalls. They're pretty easy to holepunch through because you just need each side to send a packet to the other, then each firewall sees it as an outgoing connection and allows it. It's nothing like IPv4 NAT.

The comparison between a stateful firewall and NAT is often made because they feel like they are doing the same thing from a mechanical point of view.

For example here is how to achieve the same result in PF, note the single additional operator needed to specify NAT.

# default deny on the outside interface; only state-matching replies get back in
block in on $EXT_IF

# NAT: the same stateful pass rule, plus rewriting of the source address to the
# external interface's address (nat-to; rdr-to would be destination redirection,
# i.e. port forwarding, not NAT)
pass in on $INT_IF to any nat-to ($EXT_IF)

# stateful firewall: pass rules keep state by default, so replies are let back in
pass in on $INT_IF to any
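The hole-punching argument a few comments up ("each side sends a packet to the other, each firewall sees an outgoing connection") and the PF comparison above describe the same state table with and without source rewriting. The following simulation is an added example, not code from any commenter: it models a default-deny stateful firewall and a NAT that shares its state table but also rewrites the source, and then runs the simultaneous-send hole punch through both. All addresses, ports and the STUN server are constructed; timeouts, TCP handshakes and real NAT filtering variants beyond the two modelled (endpoint-independent vs. per-destination mappings) are left out.

```python
"""Why simultaneous-open hole punching works through stateful firewalls but
needs port discovery, and sometimes fails anyway, through NAT.
Added example with constructed addresses; not from the original thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Default-deny inbound. Every outbound packet records a state; an inbound
    packet is accepted only if it is the exact reverse of a recorded state."""

    def __init__(self):
        self.states = set()  # (local_addr, local_port, remote_addr, remote_port)

    def outbound(self, pkt):
        self.states.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt  # nothing rewritten: the peer sees the address the host used

    def inbound(self, pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states


class NAT(StatefulFirewall):
    """Same state table, plus rewriting of the source to a public address and a
    NAT-chosen port. endpoint_independent=True reuses one public port for an
    inside socket whatever the destination (cone NAT); False allocates a fresh
    port per destination (symmetric NAT)."""

    def __init__(self, public_ip, endpoint_independent=True):
        super().__init__()
        self.public_ip = public_ip
        self.endpoint_independent = endpoint_independent
        self.mapping = {}
        self.next_port = 40000  # constructed starting port for the mapping pool

    def outbound(self, pkt):
        key = ((pkt.src, pkt.sport) if self.endpoint_independent
               else (pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if key not in self.mapping:
            self.mapping[key] = self.next_port
            self.next_port += 1
        out = Packet(self.public_ip, self.mapping[key], pkt.dst, pkt.dport)
        self.states.add((out.src, out.sport, out.dst, out.dport))
        return out


def punch(fw_a, a_inside, fw_b, b_inside, a_target, b_target):
    """Both hosts send one packet at the same moment (simultaneous open).
    Returns (a_reaches_b, b_reaches_a) as judged by the receiving device."""
    pa = fw_a.outbound(Packet(*a_inside, *a_target))
    pb = fw_b.outbound(Packet(*b_inside, *b_target))
    return fw_b.inbound(pa), fw_a.inbound(pb)


def stun_probe(nat, inside, stun=("192.0.2.10", 3478)):
    """What a STUN server would report back: the public addr:port the NAT chose."""
    out = nat.outbound(Packet(*inside, *stun))
    return out.src, out.sport


def ipv6_no_nat():
    """Global addresses on both sides: each peer already knows the other's
    real addr:port, so one packet each is enough."""
    a, b = ("2001:db8:a::1", 5000), ("2001:db8:b::1", 5000)
    return punch(StatefulFirewall(), a, StatefulFirewall(), b, b, a)


def nat_unknown_port():
    """Peers know each other's public IP and application port, but not the
    port the NAT picked, so neither packet matches a state."""
    a, b = ("10.0.0.2", 5000), ("192.168.1.2", 5000)
    return punch(NAT("198.51.100.1"), a, NAT("203.0.113.1"), b,
                 ("203.0.113.1", 5000), ("198.51.100.1", 5000))


def nat_with_stun(endpoint_independent):
    """Peers first learn their mapped port via STUN and exchange it. This only
    helps if the NAT reuses that mapping for the new destination."""
    na = NAT("198.51.100.1", endpoint_independent)
    nb = NAT("203.0.113.1", endpoint_independent)
    a, b = ("10.0.0.2", 5000), ("192.168.1.2", 5000)
    a_pub, b_pub = stun_probe(na, a), stun_probe(nb, b)
    return punch(na, a, nb, b, b_pub, a_pub)


if __name__ == "__main__":
    print("IPv6 + stateful firewall:", ipv6_no_nat())
    print("NAT, mapped port unknown:", nat_unknown_port())
    print("cone NAT + STUN:        ", nat_with_stun(True))
    print("symmetric NAT + STUN:   ", nat_with_stun(False))
```

The first case is the commenter's point: with no address rewriting, the only information each side needs is the other's address, and the firewall state created by the outgoing packet admits the peer's incoming one. The NAT cases show the extra machinery (STUN, and a NAT type that cooperates) that IPv4 requires before the same trick works at all.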

> My company has just turned off all ip6 connectivity for its corporate laptops because it’s considered a security risk. I disagree, but I do agree that having 4 and 6 is a higher risk than 4 alone or 6 alone, and 6 alone sadly still doesn’t work reliably.

I had a very concrete-ish security risk with IPv6 and openvpn. At least in the Debian config, openvpn tunneled only IPv4 by default. I only noticed this by being surprised I got results tailored to my origin country instead of the VPN out node country.

It's eternal (dual stack) paper cuts like this that are why just turning IPv6 off makes life a lot easier.
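For the openvpn leak described above, the following is an added example and not the Debian-shipped config or the commenter's setup: the options that either carry IPv6 through the tunnel too, or, when the server has nothing to offer for IPv6, reject it at the tunnel instead of letting it leave via the local uplink. The prefixes are documentation/ULA ranges chosen for the example; `redirect-gateway ... ipv6` needs OpenVPN 2.4 or later and `block-ipv6` 2.5 or later, and the assumption here is that `block-ipv6` needs an IPv6 address on the tun interface, hence the `ifconfig-ipv6` line.

```conf
# --- server.conf (hypothetical): give clients IPv6 and push an IPv6 default ---
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:1::/64
push "redirect-gateway def1 ipv6"

# --- client.conf (hypothetical), when the server offers no IPv6 at all ---
# Route every IPv6 destination into the tunnel, then have the tunnel answer
# with ICMPv6 unreachable rather than forwarding; nothing escapes IPv4-only
# tunnelling through the native IPv6 uplink.
redirect-gateway def1 ipv6
ifconfig-ipv6 fd00:db8::2 fd00:db8::1
block-ipv6
```

After connecting, the check is the same one the commenter effectively did by accident: `ip -6 route get 2001:db8::1` (or the platform equivalent) must name the tun interface, and a "what is my IP" site reached over IPv6 must not return the home prefix.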