Hacker News

Does anyone go out of their way to disable IPv6 on all their systems, even at the hardware level, like on routers etc.? What's a good reason to avoid IPv6?


I recently disabled it on my router because DNS would fail to work after a day or two. When I did more research, it looked like others were running into the same issue, but there was no known fix, so the easiest solution was to disable IPv6 entirely.

I used to go out of my way to get IPv6 working (back when it was "new" I used a bridge service to get access), but I simply do not have the time to figure out what might be wrong with it anymore.


I run IPv6 but still use v4 for DNS.


Firewalls are more complex on IPv6 (you need to pass a bunch of ICMPv6 through to make it work), and some residential routers have very bad or even zero firewall support for IPv6, so your devices, which would otherwise be "protected" (not really) by NAT, are now directly visible to everyone on the internet.

This usually isn't a problem for power users (who know how to set up and (re)configure a firewall) nor for most basic users (Windows Firewall does that for them), but people "in the middle", who install some service and just fully disable the OS's firewall to be able to connect to it, are now vulnerable.


> Firewalls are more complex on IPv6

This is not true. Firewall rules work exactly the same in IPv6 land as they do in IPv4 land.

> you need to pass a bunch of ICMPv6 through, to make it work

Indeed you shouldn't block ICMPv6, but that is not really making anything "more complex".

> some residential routers have very bad or even zero firewall support for ipv6

Is there a proven set of routers that go through the trouble of supporting IPv6 routing but not include a firewall?


> Firewall rules work exactly the same in IPv6 land as they do in IPv4 land.

Yes, rules do work exactly the same, but with IPv4 you just let all connections out and let only the established and connected ones back in.

> Indeed you shouldn't block ICMPv6, but that is not really making anything "more complex".

But it is... you need a bunch of new rules to pass through, limit or block a bunch of ICMPv6 messages. There's a whole RFC just for that: https://datatracker.ietf.org/doc/html/rfc4890

> Is there a proven set of routers that go through the trouble of supporting IPv6 routing but not include a firewall?

Yeah, a bunch of ISP CPEs have just a single checkbox "IPv6 firewall" on/off, and some older ones don't even have that (I'm talking about old Sagem and Innbox equipment I came in contact with; not sure about other telcos and the shitty CPEs they give out to their customers).


> Yes, rules do work exactly the same, but with IPv4, you just let all the connections out through, and let just the established and connected ones back.

The same is typically true of IPv6 for default configurations. You aren’t required to allow IPv6 hosts to accept unsolicited incoming traffic.

> But it is... you need a bunch of new rules to pass through, limit or block a bunch of ICMPv6 messages. There's a whole RFC just for that: https://datatracker.ietf.org/doc/html/rfc4890

With the exception of home agent, mobility and other IPv6-specific messages, many of these recommendations also hold true for IPv4. It's just that nobody really bothers to think that deeply about it; they block all ICMP and then are shocked_pikachu_face when path MTU discovery etc. doesn't work.


> Yes, rules do work exactly the same, but with IPv4, you just let all the connections out through, and let just the established and connected ones back

Yeah, and? How do you think IPv6 works? It's exactly the same.

My router’s firewall’s ipv6 section help: “All outbound traffic coming from IPv6 hosts on your LAN is allowed, as well as related inbound traffic. Any other inbound traffic must be specifically allowed here.”


People keep saying "the sky is falling, with IPv6 all the hosts are open to the internet", but not really; it is usually one rule.

On OpenBSD pf, blocking outside connections from initiating connections to your hosts:

    block in on $external_if from any to $ip6_network

On IPv4, if the world were just, you would have the same rule. However, the world is not just and you usually get only one address, so you have to pull some shenanigans to spoof that address across all your hosts:

    match out on $external_if from $internal_net to any nat-to $external_if

Really we all have a sort of Stockholm syndrome and think yes, this is normal, this is correct and being able to end to end address a host is weird and wrong.


> it is usually one rule

But it is not, because you have to let ICMP pass through for IPv6 to work (e.g. for path MTU discovery, since there is no more "classic" fragmentation in IPv6).

So it's one rule to block incoming traffic, and a bunch of rules to properly allow ICMPv6 to pass through to the internal network (look at the RFC linked above).
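The ICMPv6 filtering the last few comments argue about (the "you need to pass a bunch of ICMPv6" claim and the RFC 4890 reference), as an added example that is not code from the thread or from any router vendor. It encodes the RFC 4890 tables as filtering decisions for a dual-stack home router and renders them as an nftables ruleset; type and code numbers are from RFC 4443 and RFC 4890, while the chain names, the `lan0` interface name and the drop-by-default policy are assumptions for illustration. Stateful replies are assumed to be accepted by a `ct state established,related` rule before any of this applies.

```python
"""RFC 4890-style ICMPv6 filtering for a dual-stack home router.

Added example, not code from the thread. Two decision points are modelled:
packets forwarded between WAN and LAN, and packets addressed to the router
itself. Type and code numbers follow RFC 4443 / RFC 4890; chain and
interface names and the policy are illustrative assumptions.
"""
import ipaddress
from dataclasses import dataclass

# RFC 4890 section 4.3.1: transit ICMPv6 that must not be dropped.
# None means "all codes"; a set lists the codes that are allowed.
TRANSIT_MUST_ALLOW = {
    1: None,     # Destination Unreachable
    2: None,     # Packet Too Big: Path MTU discovery; IPv6 routers never fragment
    3: {0},      # Time Exceeded: hop limit exceeded in transit (traceroute)
    4: {1, 2},   # Parameter Problem: unrecognised next header / IPv6 option
    128: None,   # Echo Request
    129: None,   # Echo Reply
}
# RFC 4890 section 4.3.2: should normally be allowed through.
TRANSIT_SHOULD_ALLOW = {3: {1}, 4: {0}, 144: None, 145: None, 146: None, 147: None}

# RFC 4890 section 4.4: link-scoped control traffic the router itself needs.
ND_TYPES = {133, 134, 135, 136, 137}   # RS, RA, NS, NA, Redirect (hop limit must be 255)
MLD_TYPES = {130, 131, 132, 143}       # MLD query/report/done, MLDv2 report (link-local source)
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


@dataclass(frozen=True)
class Icmp6:
    msg_type: int
    code: int = 0
    hop_limit: int = 64
    src: str = "2001:db8::1"           # constructed sample source address


def _matches(table: dict, pkt: Icmp6) -> bool:
    codes = table.get(pkt.msg_type, False)
    return codes is not False and (codes is None or pkt.code in codes)


def decide_forward(pkt: Icmp6, from_wan: bool, allow_should: bool = True) -> str:
    """Verdict for ICMPv6 crossing the router between WAN and LAN."""
    if not from_wan:
        return "accept"                          # the LAN may send anything out
    if _matches(TRANSIT_MUST_ALLOW, pkt):
        return "accept"
    if allow_should and _matches(TRANSIT_SHOULD_ALLOW, pkt):
        return "accept"
    return "drop"   # e.g. 138 Router Renumbering, 139/140 Node Information, any ND/MLD


def decide_input(pkt: Icmp6) -> str:
    """Verdict for ICMPv6 addressed to the router itself."""
    if _matches(TRANSIT_MUST_ALLOW, pkt) or _matches(TRANSIT_SHOULD_ALLOW, pkt):
        return "accept"
    if pkt.msg_type in ND_TYPES:
        # RFC 4861: ND is sent with hop limit 255 and receivers must discard anything
        # lower; that is what keeps a forwarded (off-link) RA or NA from being accepted.
        return "accept" if pkt.hop_limit == 255 else "drop"
    if pkt.msg_type in MLD_TYPES:
        # MLD is sent with hop limit 1, so the on-link check is a link-local source.
        return "accept" if ipaddress.IPv6Address(pkt.src) in LINK_LOCAL else "drop"
    return "drop"


def render_nft(lan_if: str = "lan0") -> str:
    """The same policy as nftables rules (type-level; per-code detail is not expressed)."""
    must = ", ".join(str(t) for t in sorted(TRANSIT_MUST_ALLOW))
    nd = ", ".join(str(t) for t in sorted(ND_TYPES))
    mld = ", ".join(str(t) for t in sorted(MLD_TYPES))
    return f"""table inet v6fw {{
  chain forward {{
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "{lan_if}" accept
    icmpv6 type {{ {must} }} accept
  }}
  chain input {{
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    icmpv6 type {{ {must} }} accept
    icmpv6 type {{ {nd} }} ip6 hoplimit 255 accept
    icmpv6 type {{ {mld} }} ip6 saddr fe80::/10 accept
  }}
}}"""
```

The point both sides of the thread are circling: the inbound policy is still one `policy drop` plus a stateful accept, and the ICMPv6 additions are a handful of type sets. The two checks that matter for security are the hop-limit-255 test on Neighbor Discovery and the link-local-source test on MLD; a ruleset that opens "all ICMPv6" to the router skips both.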


This is what stops me from turning on IPv6 from my provider. The modem has a reasonable IPv4 firewall but jack for IPv6 and I don’t have the time to figure it out.


Not a residential user, but I ran a small p2p gateway for a few hundred users, and I ended up having to disable IPv6 resolution for remote servers because so many servers would just advertise an AAAA record that didn't work, so we got tons of timeouts. I would say this affected maybe 10% of servers. A lot of them seemed to be hosted on Hetzner, but I never got a good sense of the root cause; mostly it seemed to be lack of testing or usage, like users who had typoed an IPv6 address or moved their servers and updated their A record without remembering to update their AAAA.
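The failure mode above (a published AAAA record whose address does not answer, and a client that sits in a connect timeout before ever trying the A record) is what RFC 8305 "Happy Eyeballs" was written for. Below is an added example, not code from the commenter's gateway, of the core of that algorithm: attempts are started IPv6 first with a short head start, a failure starts the next attempt immediately, and the first success wins. The connector is injected so the race can be exercised offline; `tcp_connect` is the real-socket version, and the 250 ms head start and the address literals are assumptions taken from the RFC's recommendation and the documentation prefixes.

```python
"""IPv6-first connect with IPv4 fallback (the core of RFC 8305, "Happy Eyeballs").

Added example, not code from the thread. Each attempt gets `head_start`
seconds alone before the next address is tried; a failed attempt starts the
next one at once; the first success wins and the rest are abandoned.
"""
import concurrent.futures as cf
import functools
import socket
import time
from typing import Callable, Iterable, Tuple

Addr = Tuple[int, str]   # (address family, IP literal)


def order_addresses(addrs: Iterable[Addr]) -> list:
    """Interleave families with IPv6 first (RFC 8305 section 4)."""
    v6 = [a for a in addrs if a[0] == socket.AF_INET6]
    v4 = [a for a in addrs if a[0] == socket.AF_INET]
    ordered = []
    for i in range(max(len(v6), len(v4))):
        ordered += v6[i:i + 1] + v4[i:i + 1]
    return ordered


def happy_eyeballs(addrs: Iterable[Addr], connect: Callable[[Addr], object],
                   head_start: float = 0.25, timeout: float = 5.0):
    """Race connection attempts; return (address, connect result) of the first success.

    Raises OSError if nothing connects before `timeout`. `connect` must raise
    OSError (TimeoutError is one) on failure and return the connection on success.
    """
    ordered = order_addresses(addrs)
    if not ordered:
        raise OSError("no addresses to try")
    pool = cf.ThreadPoolExecutor(max_workers=len(ordered))
    inflight, errors = {}, []
    deadline = time.monotonic() + timeout
    try:
        for attempt in ordered + [None]:          # None: nothing left to start
            if attempt is not None:
                inflight[pool.submit(connect, attempt)] = attempt
            while inflight:
                wait = head_start if attempt is not None else deadline - time.monotonic()
                if wait <= 0:
                    break
                done, _ = cf.wait(inflight, timeout=wait, return_when=cf.FIRST_COMPLETED)
                if not done:
                    break                          # head start over: start the next address
                for fut in done:
                    addr = inflight.pop(fut)
                    try:
                        return addr, fut.result()  # first success wins
                    except OSError as exc:
                        errors.append((addr, exc))
                if attempt is not None:
                    break                          # a failure came back: move on at once
        raise OSError(f"all attempts failed: {errors}")
    finally:
        pool.shutdown(wait=False, cancel_futures=True)   # abandon the losers


def resolve(host: str, port: int) -> list:
    """Every A and AAAA answer for the host as (family, ip) pairs (needs network)."""
    return [(fam, sa[0]) for fam, _, _, _, sa in
            socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)]


def tcp_connect(addr: Addr, port: int, per_attempt: float = 3.0) -> socket.socket:
    """Real connector: one TCP attempt with its own timeout, closed on failure."""
    fam, ip = addr
    sock = socket.socket(fam, socket.SOCK_STREAM)
    sock.settimeout(per_attempt)
    try:
        sock.connect((ip, port))
    except OSError:
        sock.close()
        raise
    return sock


# Usage against a real host (network needed; hypothetical host name):
#   addr, sock = happy_eyeballs(resolve("example.com", 443),
#                               functools.partial(tcp_connect, port=443))
```

With a dead AAAA and a working A, the caller gets the IPv4 connection about 250 ms after starting instead of after a full connect timeout, and a working IPv6 path still wins whenever it answers within its head start. In a production client the abandoned attempts should close their sockets when they eventually complete, which the thread pool here leaves to the caller.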


I've disabled it on my router. My reasoning is that I don't know what kind of firewall rules, if any, the router has for IPv6 traffic. If it's just going to forward any valid incoming IPv6 dst address, that would seem like a new risk. I'm happy to be convinced otherwise by knowledgeable folks.


Yes, there are situations like "The crap VPN (hello AnyConnect) my work makes me use doesn't work if IPv6 is enabled. And I could troubleshoot it, but it's easier to disable IPv6 on my PC".


Default config, last I checked, for AnyConnect is to block all IPv6 even if split tunneling is enabled; the client will block all IPv6 unless it has been specifically configured to allow it.


There's all sorts of things controlled at the head end. As mentioned, I didn't troubleshoot it. But disable IPv6 on my PC, and then everything works. Turn it back on, nothing works.


Ubiquiti has several gateway products that have no hardware acceleration for IPv6.

It's not a _good_ reason; Ubiquiti should've included IPv6 support from the start at the price they're asking, but it's a reason.


Even worse, to this day Ubiquiti still does not support Android IPv6 clients because their internal-facing RA (dnsmasq) configuration has a bug. It would take an engineer a few hours to fix it; it's a one-line change. It's been reported and tracked internally in their support queue for more than two years; nothing has come of it.


It's stuff like this that's turned me away from buying Ubiquiti.


Stuff breaks. I fought this fight a few years back just to educate myself, and the mere presence of IPv6 on the network, DHCPv6 addresses being handed out, AAAA records being returned from the local caching DNS, etc., made all sorts of software loopy. One I remember in particular was that if you hit a default OpenSSH configuration from the local (!) network, even on a link-local address, it would try to do a reverse DNS lookup and take 6 seconds or so to time out.

I remember a coworker telling me about a TV that would request and accept a DHCPv6 address and then fail hard getting to the internet. Wi-Fi router firmware likewise messes things up, etc.

It frankly just wasn't worth the hassle. Mobile networks that can control and enforce the full stack have been able to make it work. My guess is home/wifi environments will be IPv4/NAT until the end of time, frankly.


Because it's an over-engineered pile of shit. The only thing required was an increase in the address space, but we got IPv6 instead, which everyone sane resists to this day. Defaulting to hex addressing is something only a sheltered engineer would do.


It's not very over-engineered; most parts of it work the same as v4 does, just with bigger addresses.

The addresses are written in hex because doing so is easier: it lines up with the binary better, which makes subnetting easier. And do you really want to deal with addresses that look like "32.1.13.184.133.163.0.0.0.0.138.46.3.112.115.52"?


In the past there have been cases where firewall defaults were configured incorrectly for IPv6 and stuff would get inadvertently exposed. I don't think that's as common now, but I could see just entirely disabling IPv6 to avoid this if you don't want to specifically test to make sure the configuration is correct.


If you have a large estate of IPv4 addresses, the more ubiquitous IPv6 gets, the less they're worth.



We're still at a point where at least 60% of users (according to Google) are still IPv4-only. I imagine we're still a little far from the tipping point where IPv4 becomes less valuable.


I recently disabled IPv6 on my home network to make firewall rules more manageable, and I was always under the impression IPv6 adoption was slow. So I was pretty surprised to check and see that IPv6 adoption among Google's users has reached 40%. I feel like ISPs are a big push for that.


It's probably mostly from mobile carriers, though I know Comcast runs v6 on large portions of its residential networks.


Yes, I turn it off because it's always causing unpredictable problems. I actually tried to switch to all IPv6 and that was worse than IPv4, because you still need to run a full IPv4 stack to visit almost anything on the web without a proxy.


I did it before because I assumed it was causing issues and that I was not configuring things on my network properly.

I was wrong and the issues were elsewhere, but it remained disabled on the router for a long time.

I'm generally a person who resists change, and I couldn't tangibly see the benefits of IPv6 until I realised that "port forwarding" is an exclusively NAT problem and it's much easier with IPv6 to just natively open a port on the firewall if I want.


I do. I don't know why, but when debugging some network issues I discovered just shutting IPv6 down fixed the issue. Could it have been a buggy implementation on a single device on the network messing everything up? Maybe. But since I have no real benefit for IPv6, it was trivial to turn off.

It also lets me wait until other people (hopefully) build better privacy systems.


IPv6 has had privacy built in for years now, on every OS available. Your inbound address will remain static and possibly MAC-address derived, but unless you're hosting something on it (or disabled your firewall) your network traffic will be perfectly private.

I've noticed several websites where IPv6 has lower latency than IPv4. Another benefit is the ease of accessing different VMs on cloud providers that hand out a single IPv4 address, though alternatives like Betternet/Tailscale/Tor will also work around that problem.


"IPv6 has had privacy built in for years now, on every OS available. Your inbound address will remain static and possibly MAC-address derived, but unless you're hosting something on it (or disabled your firewall) your network traffic will be perfectly private."

I've tested with IPv6 on and off on several machines over the course of months. Google's search results become wild and unpredictable on the same machines soon after switching to IPv4.

My theory is that they rely on that IPv6 address to know exactly who they are providing results to and thus selling to.

If that theory didn't hold water, there would be exactly zero difference in search results after switching to all IPv4.


I've switched between IPv4 and IPv6 and Google's search results are practically equally bad after switching between either. Unless you're behind CGNAT, I suppose.

I've noticed that many IPv6 address blocks have more up-to-date location information from parties like MaxMind.


Yes, at my router, for privacy. No NAT means no source device obfuscation.

No source device obfuscation equals device tracking.


RFC 3041 (Privacy Extensions for Stateless Address Autoconfiguration in IPv6) and its successors have been around for 20 years now and are supported in every major operating system.

In fact, macOS is so aggressive about using temporary addresses that I had to turn off SLAAC in order to be able to ssh back into my desktop.
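What the two previous comments are disagreeing about is whether the interface identifier in an IPv6 address names the device. Below is an added example, not code from the thread, showing both halves: how the modified EUI-64 identifier (RFC 4291, appendix A) is built from a MAC, so that a SLAAC address without privacy extensions exposes the hardware address and follows the device between networks, and how an RFC 4941 temporary address differs. It also shows the RFC 7721 heuristic for telling the two apart on the wire, and where that heuristic fails. The `2001:db8::/64` prefix and the MAC addresses are constructed samples.

```python
"""Spot MAC-derived IPv6 addresses and compare them with RFC 4941 temporary ones.

Added example, not code from the thread. A modified EUI-64 interface identifier
is the MAC with ff:fe spliced into the middle and the universal/local bit
flipped; RFC 4941 temporary addresses use a random identifier with that bit
cleared. Prefix and MACs below are constructed samples.
"""
import ipaddress
import os
from typing import Optional


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291 appendix A)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02                      # invert the universal/local bit
    return bytes(iid)


def _join(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The stable, MAC-derived address a host forms without privacy extensions."""
    return _join(prefix, eui64_iid(mac))


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """An RFC 4941 temporary address: random IID with the u/l bit cleared."""
    iid = bytearray(os.urandom(8))
    iid[0] &= 0xFD                      # RFC 4941 section 3.2.1: u/l bit set to zero
    return _join(prefix, bytes(iid))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC if the address looks EUI-64 derived, else None.

    Heuristic from RFC 7721: ff:fe in the middle of the IID and the u bit set,
    which an RFC 4941 temporary address never has. A locally administered MAC
    (randomised Wi-Fi MACs are one) yields a clear u bit and is not flagged.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe" or not iid[0] & 0x02:
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)


def is_tracking_risk(addr: str) -> bool:
    """True when the address carries a globally unique hardware identifier."""
    return mac_from_address(addr) is not None
```

On Linux, `net.ipv6.conf.<if>.use_tempaddr=2` keeps the stable address reachable for inbound connections while preferring temporary addresses for outbound ones, which is the split the commenter above describes wanting; `addr_gen_mode=2` with a `stable_secret` replaces the EUI-64 stable address with an RFC 7217 one that is constant per network but not derived from the MAC. macOS exposes the same choice through `net.inet6.ip6.use_tempaddr` and `net.inet6.ip6.prefer_tempaddr`.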




Yeah, we've disabled it at our SMB at the router level. No real benefit from using it, and it causes DNS issues. We were actually advised to do this by our commercial ISP.


> What's a good reason to avoid IPV6?

IPv6-only CVEs (these have existed!)


'Cause there are no IPv4-only CVEs.


You can have both if you want!


Yep, I do. About once a year I try IPv6, and give up after a couple weeks when I keep having weird transient errors that I can't pin down accessing websites and other remote hosts, all of which go away the moment I turn off IPv6.

Maybe it's me, maybe I have a bad config or bad hardware, but it just doesn't work for me.


I have AT&T fiber. I've been running IPv6 for about 2 years now and haven't had any issues at all. iCloud Private Relay also works via IPv4/IPv6, but I have had to disable it once or twice. Who is your ISP? How do sites like https://ipv6-test.com/ and https://test-ipv6.com/ score your connection when you have IPv6 enabled?


AT&T fiber. Haven't tried those particular sites, but the ones I did try to test it all passed (but weren't as thorough as the ones you linked).

Next time I try I'll use those sites and see what they say.


Yes. Actually no, not disable: I use Local-Local; there's a rare application here and there that needs to see an IPv6 stack is available and then connects normally over IPv4. Google and anyone touting IPv6 can take IPv6 and have a nice day.



