
> I think smartphones are a special case, because they generally cannot run public facing services that open up ports […]

Except for peer-to-peer applications, like Skype used to be originally: clients (tried to) talk directly to each other. IMHO it'd be great if we could have app(lication)s that worked like that again: less centralization.

> Compare that to a home network where, printers are shared, iot devices have open ports, computers and nas share drives.

Off the top of my head: your CPE/home router has an internal CA; you tell a local app(lication) to 'connect to' the CA and get a certificate (ACME, SCEP, etc); your home IoTs/NAS/etc also connect to the CA and get certificates; so all your personal devices have a root of trust. You 'bookmark' the IPv6 address of your printer/NAS/whatever. When you are away from home you want to connect to (e.g.) NAS, so you tell your smartphone to connect to it, and it knows the IPv6 address, but how can the CPE or NAS know that this random IP that is trying to connect is trusted?

Well, it uses IPsec negotiation and sends the X.509 certificate, and the other end of the tunnel (NAS) sees that the cert is trusted, and so allows the tunnel to be connected. If a connection attempt is made with an untrusted certificate the negotiation fails.

Of course if you don't want your NAS to allow external connections you don't enable the feature (default: off), and so it never punches a hole (PCP, UPnP IGD). And given an IPv6 subnet is /64 (the equivalent of four billion IPv4 Internets), good luck trying to scan that address space (and it is generally recommended to give residential users a /56).

As it stands now, you have to have third party tunnels (WireGuard, Tailscale, etc) and 'extra' protocols on top of IP (often dynamic DNS as well) to do the above, whereas with IPv6 universal connectivity can become part of the 'base network' architecture.
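The trust decision the comment describes (the NAS accepts the tunnel only if the peer's X.509 certificate chains to the home router's CA, and an untrusted certificate makes the negotiation fail) can be shown in miniature. The following Go program is an added example, not code from the commenter or from any router vendor: it stands up a constructed "home router CA", enrolls a phone against it, has a second, unrelated CA issue a certificate to a stranger, and applies the same chain check an IPsec/IKEv2 responder would apply to a peer's certificate payload. The CA names, device names and 2001:db8:: addresses are constructed; the ACME/SCEP enrollment exchange is replaced by a direct signing call.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// HomeCA stands in for the certificate authority the comment places on the
// CPE/home router. Name and lifetime are constructed for this example.
type HomeCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewHomeCA creates a self-signed root; every enrolled device shares it as
// its single root of trust.
func NewHomeCA(name string) (*HomeCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &HomeCA{Cert: cert, Key: key}, nil
}

// Enroll is the "connect to the CA and get a certificate" step for one device.
// The comment has ACME or SCEP carry this exchange; here the CA simply signs a
// one-year leaf bound to the device's IPv6 address.
func (ca *HomeCA) Enroll(device string, addr net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: device},
		IPAddresses:  []net.IP{addr},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PeerTrusted is the decision the NAS end of the tunnel makes when some random
// Internet address presents a certificate: accept only if the chain ends at the
// home CA and the certificate is valid now. Anything else fails closed.
func PeerTrusted(root, peer *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Scenario runs the two cases from the comment: the household phone enrolled
// with the home CA, and a stranger holding a certificate from some other CA.
// It returns (phoneAccepted, strangerAccepted).
func Scenario() (bool, bool, error) {
	home, err := NewHomeCA("home-router CA (constructed)")
	if err != nil {
		return false, false, err
	}
	other, err := NewHomeCA("unrelated CA (constructed)")
	if err != nil {
		return false, false, err
	}
	phone, err := home.Enroll("phone", net.ParseIP("2001:db8::10"))
	if err != nil {
		return false, false, err
	}
	stranger, err := other.Enroll("stranger", net.ParseIP("2001:db8:ffff::1"))
	if err != nil {
		return false, false, err
	}
	return PeerTrusted(home.Cert, phone), PeerTrusted(home.Cert, stranger), nil
}

func main() {
	phoneOK, strangerOK, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("phone accepted: %v, stranger accepted: %v\n", phoneOK, strangerOK)
}
```

The point the check makes is that the NAS never needs to know the phone's current IP in advance: possession of a key whose certificate chains to the household root is what grants the tunnel, and a certificate from any other issuer, however well-formed, is rejected before any service behind the NAS is reached.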

All that I’m saying is that the marketplace is not convinced that IPv6 works better for a local network than IPv4 with NAT and DHCP.

It’s more secure and more private for users that aren’t security or network engineers.

My prosumer $1,000 networking setup isn’t sufficient to run certificates and IPv6 firewall the way you’ve described and I don’t feel qualified to set up what you are suggesting. I can get a $50 router and set up a reasonably secure IPv4 with NAT and DHCP in 15 minutes.


> My prosumer $1,000 networking setup isn’t sufficient to run certificates and IPv6 firewall the way you’ve described and I don’t feel qualified to set up what you are suggesting. I can get a $50 router and set up a reasonably secure IPv4 with NAT and DHCP in 15 minutes.

My several-year-old Asus AC68 does IPv6 (my previous ISP had it), (Open)VPNing:

* https://www.asus.com/ca-en/support/faq/1008713/

* https://www.asus.com/support/faq/1049180/

and Let's Encrypt:

* https://www.asus.com/us/support/faq/1034294/

Just because you're not qualified does not mean it wouldn't be handy to those who are, but not-high IPv6 adoption is hampering them. Further, some of this would currently have to be done manually (mostly the cert provisioning: IPsec/IKEv2 can otherwise be fairly automated), but if there was more uptake there's no reason it couldn't be more automatic.
