In my personal life I will probably “never” intentionally use ipv6.
But it is a DAMNED good sniff test to figure out if an IT/NT team is too dumb to live BEFORE they break your entire infrastructure. If they insist that the single most important thing is to turn it off on every machine? They better have a real good reason other than “it’s hard”
Problem is, yes it’s hard to implement but it’s even a lot harder to get it properly secured. Especially because few people are using it, and not securing it is worse than disabling it.
Realistically no organization has so many endpoints that they need IPv6 on their internal networks. There’s no reason to deal with more complicated addressing schemes except on the public Internet. Only the border devices should be using IPv6.
Hopefully if an organization has remote endpoints which are connecting to the internal network over the Internet, they are doing that through a VPN and can still just be assigned IPv4 addresses on dedicated VLANs when they connect.
If you don’t have ipv6 internally, you probably can’t access ipv6 externally. 6to4 gateways are a thing. 4to6? Not so much.
And this is why ipv6 will ultimately take another 20 years for full coverage. If it was more backwards compatible from the starting address-wise then this would all have been smoother. Should have stuck with point separators. Should have assumed zero padding for v4 style addresses rather than a prefix
In my personal life I will probably “never” intentionally use ipv6.
But it is a DAMNED good sniff test to figure out if an IT/NT team is too dumb to live BEFORE they break your entire infrastructure. If they insist that the single most important thing is to turn it off on every machine? They better have a real good reason other than “it’s hard”
It’s vulnerable af. And I mean really, it’s as bad as Netscalers or Fortigate shit. Like https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/ or https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/
Problem is, yes it’s hard to implement but it’s even a lot harder to get it properly secured. Especially because few people are using it, and not securing it is worse than disabling it.
Just a heads up, you linked to the same article twice
Clipboards are also hard
That’s odd, but truly sorry.
And I would consider a detailed argument on why it is more secure to disable it to be a good reason.
Personally? I consider an IT team who don’t know how to secure an ipv6 enabled network to not be competent. But that is a different conversation.
Yeah, I run dual stack without much trouble myself. I believe it is mainly difficult for people because eyeball diagnostics are impossible with 6.
Don’t see how that is anymore vulnerable then up 4.
But you could do the same thing with a rogue DHCP server I IPv4… With similar methods to prevent the misbehavior on networks
Realistically no organization has so many endpoints that they need IPv6 on their internal networks. There’s no reason to deal with more complicated addressing schemes except on the public Internet. Only the border devices should be using IPv6.
Hopefully if an organization has remote endpoints which are connecting to the internal network over the Internet, they are doing that through a VPN and can still just be assigned IPv4 addresses on dedicated VLANs when they connect.
If you don’t have ipv6 internally, you probably can’t access ipv6 externally. 6to4 gateways are a thing. 4to6? Not so much.
And this is why ipv6 will ultimately take another 20 years for full coverage. If it was more backwards compatible from the starting address-wise then this would all have been smoother. Should have stuck with point separators. Should have assumed zero padding for v4 style addresses rather than a prefix
I’m pretty sure stateful gateways do exist, but it’s a massive ball of complexity that would be entirely avoided if people just used native v6.
you sir/maam have not seen the netflix talk on using IPv6 for their full internal stack because of inefficiencies allocating IPv4 ranges i’m guessing