IMHO IPv6 is an ISP problem, I don't need every (any, really) of my devices accessible from outside my personal VPN, and IPv4 private space is more than sufficient for that.
IPv6 is overly complex, therefore insecure. Thanks to the US Patriot Act I don't even trust the VPN stuff tbh.
I'm being a bit pedantic about this since you're right that in practice, setting up stuff for IPv6 is in fact complex since support for it is all over the place.
But I want to stress that IPv6 as a protocol is much simpler, more intuitive and much more versatile than IPv4. I'd even go so far as to say that it's actually fantastically suited for local networks, especially so in complicated setups with multiple subnets (in an alternate reality where everything supports it).
It's really, truly, a genuine shame that it never gained the momentum it could have.
Makes it obvious why it still hasn't gotten anywhere, _no one_ wants to dig through all that unless they really really have to.
Security depends on securing the routing and address allocation. So it is hardly surprising very few were/are willing to step up and declare IPv6 installations safe for service.
Combine that with most users being happy and comfortable with 1 IP address and there was no mass market appeal for IPv6 hardware or software.
I'd go so far as saying the vast majority of people do not even realise their machines can be accessed from the outside world when they only have one public address behind their "firewalled super safe ISP router", and would be terrified to find out they can.
> Combine that with most users being happy and comfortable with 1 IP address and there was no mass market appeal for IPv6 hardware or software.
The mass market appeal for IPv6 is the fact that we do not have enough IPv4 to actually give one internet connection a unique IP. CGNAT is getting ever more present in the marketplace as a result of this.
Major providers are rolling out IPv6. E.g. in the USA, several major cable/fibre providers provide v6, several mobile networks provide IPv6 using things like 464xlat. It's the same in the UK - BT for example provide IPv6 on consumer internet connections, EE (a major phone carrier) provide v6 and use 464xlat to provide v4 connectivity to handsets.
Usually, inbound IPv6 are firewalled by the ISP router just fine. As far as I know, there is UPnP with IPv6 though there seems to be some work into that direction. Also, current CGNAT setups tend to close connections before they should according to RFCs: https://anderstrier.dk/2021/01/11/my-isp-is-killing-my-idle-...
All the IPv6 routing security has to be done with IPv4 as well. ARP -> NDP, prevent source address spoofing, DHCP guard / RA guard are basically two sides of the same coin. Serious networking hardware has supported this for years or there are firmware updates supporting it. For about the last 5 years, supporting IPv6 became much easier, almost as easy as supporting IPv4 for most of the real world use cases. Anyway, the reality is, we don't really have much choice other than to migrate to IPv6 sooner or later.
@yesco is right that practice is all over the place for IPv6 if it works at all. But in general, IPv6 as a protocol is just fine, at least equally secure as IPv4 and not more complex than IPv4 in many practical cases. I would even go so far as to say it is way easier to do a clean address plan with IPv6. Usually, IPv6 inbound access is blocked by default on the ISP router's firewall.
In practical networks, IPv4 tends to be set up in some way and usually seems to work correctly - until you discover all the atrocious hacks people have committed over the ~ 25 years of practical, widespread use. Quite often multiple levels of NAT without much reason for it, UPnP where it shouldn't be, payment for even single IP addresses (great, we are paying for numbers other people got basically for free) and more - IPv4 are often handled like pets. Compared to IPv6, it is much harder to do a simple split into security groups based on prefix with IPv4. (In IPv6, you can usually just give every broadcast domain a /64 and will not make a huge mistake - they are a single security group. Sometimes, you might want to hand out a /64 or even shorter prefix to every client though.)
There are some great resources for modern and practical IPv6 too: https://knihy.nic.cz/#IPv6-2019 (4th edition in Czech by Pavel Satrapa, but can be translated using Google Translate and is more or less ok as a translation: https://docs.google.com/document/d/10CRjSRBLcdqtGjJgaW5Sct5h...) there are older books in English that are also mostly relevant still. The free IPv6 course by RIPE NCC is also a good way to get up to speed and avoid (spreading) FUD.
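The prefix-per-broadcast-domain split described in the comment above, as an added example that is not part of the original thread: it carves a delegated prefix into one /64 per segment and treats each /64 as a security group for a default-deny policy check. The delegation (taken from the 2001:db8::/32 documentation range), the group names and the sample policy are all constructed assumptions.

```python
import ipaddress

# Constructed plan: 2001:db8::/32 is the IPv6 documentation range, standing in
# for a delegated /56. Group names are hypothetical.
DELEGATED = ipaddress.ip_network("2001:db8:1234:ab00::/56")
GROUPS = ["lan", "guest", "iot", "servers"]


def build_plan(delegated, groups):
    """Give every broadcast domain its own /64, in order, from the delegation."""
    if delegated.version != 6 or delegated.prefixlen > 64:
        raise ValueError("need an IPv6 delegation of /64 or shorter")
    subnets = delegated.subnets(new_prefix=64)
    plan = {}
    for name in groups:
        try:
            plan[name] = next(subnets)
        except StopIteration:
            raise ValueError("delegation too small for %d groups" % len(groups)) from None
    return plan


def classify(addr, plan):
    """Map an address to its security group by /64 prefix match."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop a zone id such as %eth0
    if ip.version != 6:
        return "not-ipv6"
    if ip.is_link_local:
        return "link-local"   # fe80::/10 never identifies a routed segment
    for name, net in plan.items():
        if ip in net:
            return name
    return "outside-plan"     # not in any planned /64, so no rule can match it


def allowed(src, dst, plan, policy):
    """policy is a set of (source group, destination group) pairs; default deny."""
    return (classify(src, plan), classify(dst, plan)) in policy


PLAN = build_plan(DELEGATED, GROUPS)
POLICY = {("lan", "servers"), ("lan", "iot")}  # constructed sample policy

if __name__ == "__main__":
    for name, net in PLAN.items():
        print(f"{name:8} {net}")
    print(allowed("2001:db8:1234:ab00::10", "2001:db8:1234:ab03::53", PLAN, POLICY))
    print(allowed("2001:db8:1234:ab02::99", "2001:db8:1234:ab00::10", PLAN, POLICY))
```

Because the group is decided by the prefix alone, the same rules hold no matter which interface identifier a host picks inside its /64 (SLAAC, privacy addresses or DHCPv6).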
“Overly complex, therefore insecure”
Has to be the most incorrect understanding I’ve ever seen in computing...
And I’ve seen people talking to their mice...
OP is not talking about disabled by default, he’s talking about disabled permanently, i.e. you literally cannot turn UPnP on because the ISP disables the functionality. I know that AT&T does this with their BGW210-700. Security is good, but locking people out of basic features is not.