Dual-stack network is going to be here for a very long time, at least 20 to 30 years more. IPv4 are going to be around and will never go away. Equipment vendors like Cisco/Huawei/ZTE/Nokia et. al has already done the needful therefore maintaining a dual-stack network is not double the work or trouble over maintaining an IPv6-only network or ones that features things like 464XLAT. Disabling IPv6 firewall is a worse thing to do than to completely disable IPv6. Just disable IPv6 when push come to shove.

The massive problems TM will face if it goes 464XLAT far outweigh the work and trouble running a dual-stack network. A Malaysia mobile network operator that I will not name here has trialled it some time back and in the end they goes nope.avi and cancelled the trial.

And if you think client-level firewall is good enough to prevent hacking or unauthorized access or anything like that, then you have a very optimistic view of Internet security. routerOS default IPv6 rules doesn't do NAT, where on earth did you see that?

Since when iptables emulates NAT to allow established connection while dropping everything else?

Of course I will bring up XLAT464 and Cisco because you say dual-stack network should go away. When you tell the public that dual-stack network is bad, be very prepared to be pushed back. Dual-stack network is the only way to offer IPv6 connectivity without breaking customers' applications and appliances. TM already has problems with their current consumer setup and ditching it for an IPv6-only network will make things much worse.

If you insist that dual-stack network has to go away, I for sure will call you out again, and again, and again.

From https://help.mikrotik.com/docs/display/ROS/...+First+Firewall



Pretty much self-explanatory I say for anyone who understand iptables.
What you don't understand is that very many IPv6-supporting client devices has no security whatsoever or very poor at it. A good example would be Playstation 5. If a PS5 got a public IPv6 address via DHCPv6 or SLAAC and the router has no firewall, better pray to Jesus or Allah or Buddha or flying spaghetti monster that there are no zero days for the PS5 that will turn it into part of a botnet. The Xbox has done better in this aspect. If you go to sites like insecam or even Shodan, you will see that client-side security is not exactly a given. Good for you if you can guarantee that all devices has top-notch security, but that's not always feasible.

iptables can emulate NAT, but iptables did not use that feature to accept established connection while dropping everything else.


Stateless NAT64 and NAT46? Oh boy, damn. Thanks god TM isn't going to implement this because the 100 line, and the Maya live chat and Facebook direct message support lines are going to be swamped with "Why my [insert device's name here] doesn't work?" questions.

Apparently you just glossed over the Playstation 5 example.

Don't tell me that you did not know that the firewall rule is just a wrapper for an iptables command, or ip6tables to be exact. That's why I mentioned iptables directly instead of routerOS firewall.

When I talk about Shodan, I am talking about client-level security in general, not IPv6 only to be exact. The devices you see in Shodan are all devices with lousy client-level security implementations, but you assume that all devices out there has stellar client-level security implementations, at least for IPv6. You rely too much on the hope that device manufacturers will implement robust security on their IPv6-supporting devices, but not all will do so, just like Sony.