Also often perfect security isn’t required. Doors with locks are good, but useless if the burglar just breaks the full length glass window next to it. They still serve a purpose, but don’t need to be an absolute comprehensive solution.
Literally all of the security issues caused by the public cloud network architecture instantly evaporate with IPv6, as well as much of the configuration complexity.
No more private networks with non-routable addresses! Instead you get a public-routable IPv6 block.
No more split-routing issues.
No more "gateways" or "peerings" or "service endpoints".
No more Private DNS Zones that may or may not work across virtual network boundaries.
No more copying DNS records into on-premises Active Directory DNS.
Every VM can get a globally unique address. So can every service, of any type! No more conflicts. No need to carefully "carve up" and "allocate" addresses. Just let the system take care of it...
No more sharing IPs with other customers. Every resource, no matter how tiny, can get a dedicated address. Got an S3 bucket with 1KB of files in it? You get your own IP!
Every VM or service sees the real client IP, not the reverse proxy IP.
No need for SNI, ESNI, or even host headers since every web server can have a dedicated IP.
No reverse proxy means that load-balancers can simply set up the TCP handshake and then everything runs directly at wire speed. There is never a need to "scale" a load balancer.
The IPv6 addresses are consistent, globally. The IP address of the cloud VM is the address you register on-premises to SSH to it. No NAT magic involved at any point.
Adding a private link (e.g.: ExpressRoute) doesn't change your address ranges. They're the same, only the routes change. This would be a completely transparent change to your firewall rules or whitelisting setup.
Etc...
PS: The current Azure IPv6 architecture reproduces all of the limitations of their IPv4 architecture. They even NAT the addresses! You literally cannot have any of the above, ever, with Azure using IPv6 as it is now. They even limit the number of IPv6 addresses to further restrict you. If they do fix it, you'll have to redo your entire IPv6 setup. It's insanity.
Pi-hole type filtering is then implemented based on IP blocks instead of DNS queries. Any unrecognizable IP address is default denied. Tracking, analytics, and ads could still be proxied by a remote host, but that can already happen anyway.
Of course, your ISP (or VPN, or anyone else along the network path) could employ the exact same approach to determine the services you connect to. Which leads me right back to DoH being largely pointless and Tor or similar being a hard requirement for actual privacy. Unless I'm missing something?
The solution of dedicated IPv4/IPv6 is necessary for proper network control. But for the reasons above many won’t do so.
Also IPv6 is fundamentally not ready for real world use within small/medium businesses and homes IMO. I know you were talking about IP networking within clouds, forgive me, this rant isn’t aimed at that, it’s just my general "IPv6 is not ready" rant. At least not without NAT. Why?
- Can’t just simply put one IPv6 router/firewall behind another. Not all IPv6 routers support DHCP-PD, and even if they did, you could have 2-3-4 levels of routers/firewalls at a business. I’m not making this up: retail/gas/food industries often have a plethora of networks at a location, and the business/franchise owner is not tech literate, or even if they were, the equipment is managed by third party vendors and they don’t want to customise their IP network for each location. It makes for messy deployment and maintenance.
- Can’t just simply open a firewall rule on the main site router to forward say HTTPS to an internal service. Why? Not all ISPs give static IPv6 prefixes, not all PCs/servers/devices support DHCP6 for static leases, and then there’s IPv6 privacy addresses. Yes, you can statically configure (only if ISP is static too!). No, I don’t want to open the port to all devices on the LAN and no I can’t rely on each device to be running their own firewall (let alone a properly configured one!).
- WAN failover / multiple ISPs is hard. You have a fibre primary feed, and a secondary cellular/5G feed. Each has different IPv6 addresses. How do you ensure the right ISP is used at any given point? IPv6 shifts this decision to the client. This makes load balancing and policy-based traffic routing (e.g. VoIP over fibre 1, FTP over fibre 2, etc.) hard. Also the cost of using a multi-homed IPv6 subnet & BGP in a SME/retail business is out of the question (plus the cellular ISP wouldn’t support it anyway).
All the above works fine out of the box with IPv4 and NAT. It’s bread and butter easy. At the cost of not having dedicated unique public IPs but these places simply don’t need them.
What IPv6 should have done to ensure a smooth migration is allow for NAT from the very start. That would have let everyone who needed public IPs get them straight away, and those that didn’t to still migrate anyway with as little drama as possible. But it’s just not the case: NAT has been slowly added, but its support is far from the ubiquity that IPv4 has.
"No one can have glass windows in their homes, because a few people like to walk around naked at home, and they're worried about their privacy."
or
"You can't have steak, because if a baby were to eat it, they might choke."
> Right now CDNs provide this privacy
Nothing at all stops you using CDNs with IPv6.
> Also IPv6 is fundamentally not ready for real world use within small/medium businesses and homes IMO.
The protocol has been ready for 10+ years. I'm on an IPv6-enabled home network right now, and it works just fine.
As for the rest of your arguments: They're a side-effect of there being insufficient pressure on ISPs to do their jobs.
If public cloud providers primarily used IPv6, that would very rapidly force ISPs to get their act together and fix their woeful IPv6 support!
This problem goes back a lot further than that — even prior to having CDNs in common usage you had plenty of different clients sharing IP space at hosting companies and the really malicious stuff just using compromised computers. It's also not fully covering the threat model here: for example, if you are concerned about privacy there are whole classes of device which you simply cannot allow because blocking one feature simply means that the vendor will run everything through the same endpoints required for the device to work.
> Also often perfect security isn’t required. Doors with locks are good, but useless if the burglar just breaks the full length glass window next to it. They still serve a purpose, but don’t need to be an absolute comprehensive solution.
Perfect is the enemy of the good, but you have to also think about the asymmetry here. Trying to hijack DNS is only useful when you control the network but neither the client nor the server. Trying to stop malware by politely asking them to play nicely is a losing game, and the IoT devices many people worry about have entire teams devoted to bypassing you as well (e.g. if any significant number of people tried to block a TV from reporting your viewing activity, the endgame is that viewing history and software updates would both go through samsung.com, not that they'll give up millions of dollars in revenue). That leaves you with cases where you do control the client and thus have less invasive alternatives such as installing an ad blocker or using a different browser.
This is a very common scenario in retail and SME businesses where you can’t control the on site hardware, e.g. fuel pumps or CCTV or cash registers or footfall counters or vending machines or whatever, and you can’t control what IPs they talk to. But you still have an obligation to minimise their network access.
Unfortunately they use services hosted on the cloud in dynamic IPs, so you either need to MITM TLS (can’t, no way to change the trusted CA list in these devices), or you need to MITM DNS / SNI. It’s not perfect security, and ideally the business simply wouldn’t buy such poorly securable products, but technology decisions are very rarely vetoed by security considerations, especially when cost is a factor. This is an example of the appropriate level of security for the business risk appetite. Telling the business to buy products that can be locked down perfectly is normally a non-starter.
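As an added illustration (not code from anyone in the thread), here is a default-deny egress check of the kind discussed above: a destination is allowed if it falls in a known IP block (the IP-block filtering mentioned earlier), otherwise if the SNI in the TLS ClientHello names an allowlisted service on dynamic cloud IPs, and denied in every other case. The prefixes, hostnames and the constructed ClientHello are assumptions made for the example.

```python
import ipaddress
import struct

# Constructed allowlists for the example (assumptions, not values from the thread).
ALLOWED_PREFIXES = [ipaddress.ip_network(p) for p in ("2001:db8:10::/48", "198.51.100.0/24")]
ALLOWED_SNI = {"updates.example.net", "telemetry.example.net"}

def extract_sni(client_hello):
    """Return the server_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if client_hello[0] != 0x16 or client_hello[5] != 0x01:
            return None                           # not a handshake record / not a ClientHello
        pos = 43                                  # record hdr(5)+handshake hdr(4)+version(2)+random(32)
        pos += 1 + client_hello[pos]              # session id
        pos += 2 + struct.unpack_from("!H", client_hello, pos)[0]   # cipher suites
        pos += 1 + client_hello[pos]              # compression methods
        ext_end = pos + 2 + struct.unpack_from("!H", client_hello, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", client_hello, pos)
            pos += 4
            if ext_type == 0:                     # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack_from("!H", client_hello, pos + 3)[0]
                return client_hello[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def build_client_hello(server_name):
    """Construct a minimal ClientHello (sample input for the example, not captured traffic)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"            # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def egress_decision(dst_ip, first_packet):
    """Default deny: allow a known prefix or a known SNI; the SNI is a plaintext claim by the client."""
    addr = ipaddress.ip_address(dst_ip)
    if any(addr in net for net in ALLOWED_PREFIXES):
        return "allow"
    if extract_sni(first_packet) in ALLOWED_SNI:
        return "allow"
    return "deny"
```

Because the SNI is chosen by the client, this enforces which hostnames a device may claim to talk to, not where the bytes ultimately go, which is the same limitation the thread notes for proxied tracking.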