I have been averse to IPv6 until recently, and used to disable IPv6 altogether. A couple of weeks back, the ISP silently shifted to CGNAT, and I could no longer forward ports. Out of sheer desperation, I gave IPv6 a try and was shocked to find that the demon which I had feared all along was in fact the solution to most of the concerns.
A few things to note though:-
1. Default router settings - as configured by the ISP - defaulted to IPv4 only. I had to change it to enable IPv6 too in the WAN settings.
2. Had to lower Firewall security levels (which in fact makes sense).
3. In firewalld, had to enable ipv6-icmp protocol
4. Technologies such as IRC (to take an example) do not support IPv6, but many torrent clients do.
ISP still has CGNAT logs and can presumably still be lawfully subpoenaed. it's a false cloak.
and in terms of identity tracking—all the marketeers (who sleep with the CGNAT ISPs, mind you) can still exceedingly accurately profile you and keep tabs on what you're up to, whether behind your CGNAT ISP or CGNAT telecom alike. it's a false sense of privacy.
> see CGNAT as a feature as it obfuscates my IPv4 address - then get millions of IPv6 addresses that are not CGNAT
It's tough trying to connect to home IPv6 services - when all the locations you visit are served by an ISP that doesn't support IPv6. That's the scenario here.
> With my ISP, I see CGNAT as a feature as it obfuscates my IPv4 address.
It can become an issue when sites like The Economist don't vet their blocklists - and then someone behind the NAT does something that makes the list-author grumpy.
> Had to lower Firewall security levels (which in fact makes sense).
Sounds suspicious, to be honest. If you get a direct IPv6 address to your computer (as opposed to an IPv4 behind a NAT), shouldn't you raise the firewall instead of lowering it?
some components, like RA and SLAAC, require specific ICMP to function properly. a properly configured IPv4 firewall on the other hand would allow no inbound and filter most outbound ICMP by default.
the only actually suspicious part of the original comment is...
> Default router settings - as configured by the ISP
> a properly configured IPv4 firewall on the other hand would allow no inbound and filter most outbound ICMP by default.
A properly configured IPv4 firewall would allow at least the "destination unreachable - fragmentation needed and DF set" inbound ICMP, otherwise path MTU discovery will break; it probably should also allow the rest of the "destination unreachable" inbound ICMP, and probably also the "time exceeded" inbound ICMP, so that connection failures are instantaneous instead of having to wait for a timeout.
Allowing no inbound ICMP at all is always an incorrect firewall configuration.
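Putting the last two replies side by side as an actual ruleset: the example below is added here and is not any commenter's configuration. It is an nftables host firewall with a default-drop inbound policy that still admits the ICMP types the thread names as required: the IPv4 "destination unreachable" (including fragmentation-needed for path MTU discovery) and "time exceeded" errors, and the ICMPv6 error and Neighbour Discovery messages that RA, NDP and SLAAC depend on. The MLD line and the hop-limit checks are additions of mine, not something the thread states.

```nft
# Added example, not from any comment above. A default-drop host ruleset that
# keeps the ICMP/ICMPv6 messages a working IPv4+IPv6 host depends on.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state invalid drop
        # Stateful replies; conntrack also marks ICMP errors that belong to
        # one of our own flows as "related", so most PMTUD errors arrive here.
        ct state established,related accept

        # IPv4: unreachable (covers fragmentation-needed/DF for PMTUD) and
        # time-exceeded, so failures are reported instead of waiting for a
        # timeout. Dropping these is the "no inbound ICMP at all" mistake.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # IPv6 error messages: packet-too-big is what PMTUD uses on v6.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # IPv6 Neighbour Discovery (NS/NA) and Router Advertisements for SLAAC.
        # NDP is never part of a tracked connection, so the "related" rule
        # above does not admit it; it must be allowed explicitly. RFC 4861
        # requires hop limit 255 on NDP, which a routed packet cannot carry,
        # and RAs legitimately come only from link-local sources.
        ip6 hoplimit 255 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept
        ip6 saddr fe80::/10 ip6 hoplimit 255 icmpv6 type nd-router-advert accept

        # MLD queries from the link-local router, so solicited-node multicast
        # (which NDP itself relies on) keeps working behind MLD-snooping switches.
        ip6 saddr fe80::/10 icmpv6 type mld-listener-query accept

        # Everything else inbound, echo-request included, stays dropped unless
        # a service is opened here on purpose for a trusted source.
    }
}
```

Load it with `nft -f <file>` and check with `nft list ruleset`. The point of the explicit lines is the ICMPv6 section: an IPv4 mindset of "drop everything inbound that is not a reply" leaves the stateful rule in place and breaks nothing on v4, but on v6 it silently kills neighbour discovery and address configuration, which is what the original poster experienced as "having to lower the firewall".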
a properly configured (stateful) firewall permits replies to unfiltered outbound connections. you've made no corrections to anything i said, but merely added context to "filter most outbound connections" and with fair points.
but reasonable plumbers could and certainly do disagree on whether to allow any ICMP connections initiated from outside the firewall whatsoever.
I forward/open IPv4 & IPv6 as needed, limited to trusted sources.
I allow IPv6 ICMP from approved countries. IIRC, this functionality goes beyond the needs of SLAAC and RA. It is a required criterion for IPv6 testing sites - but I'm not clear why.
> The project had its highlight in 1999, when the first-ever production-stage IRC6 server was featured on IRCnet by Project IRC6 of Europe. This resulted in a movement for more rapid evolution and evaluation of IPv6 services by IRC-users, which can still be seen as a rather interesting effect of the nature of competition in advances in technology...