The Year of IPv6 Security: We've Been Saying It, and We're Finally Right?

Every few years, someone in a conference hallway or a podcast studio declares with great confidence that this is the year of the Linux desktop. It never is, of course, and the phrase has become a kind of inside joke for people who have been around long enough to appreciate the humor in perpetual woulda, coulda, shoulda. IPv6 has had a similar quality to it and I recently joked about it in an interview(Automate or Die Trying). Those of us who work in this space have been waving our arms about it for the better part of a decade, predicting that organizations would eventually be burned by the protocol they deployed but never fully considered. And every year, the industry nods politely and returns to its regularly scheduled IPv4 firewall tuning.

Google has now recorded that IPv6 traffic has reached parity with IPv4, crossing the 50% mark globally(Tom's Hardware), a milestone that has been in slow motion since 1998 when the protocol was first standardized. As of April 2026, countries including France, Germany, and India are now running the majority of their traffic to Google over IPv6, and the United States, Brazil, and Japan sit at around 50%(Wikipedia). This is not a niche protocol anymore. IPv6 is the internet. The question security professionals now have to answer honestly is whether they have been treating it that way, and for most organizations, the answer is a deeply uncomfortable no.

The original promise of IPv6 was partly one of obscurity through scale. With 340 undecillion addresses available, the thinking went, enumerating the address space was computationally laughable. You could not scan it the way you scanned a /8 in the IPv4 world. This was treated as a feature, and for a while it was reasonable to lean on it, not as a security control exactly, but as a quiet comfort. If nobody could find your IPv6 addresses, the surface area felt manageable. The flaw in this reasoning was that the addresses were never actually hidden. They were just assumed to be.

DNS has been leaking IPv6 addresses for years. Certificate transparency logs, which were introduced as a mechanism for improving trust in the web PKI, have become an inadvertent inventory of IPv6-reachable infrastructure. AAAA records, when they exist, are public by design. Neighbor Discovery Protocol, the mechanism IPv6 uses to replace ARP, is a multicast-based protocol that reveals local address assignments to anyone on the same link. DHCPv6, when deployed, creates log entries and lease records that expose address assignments in ways administrators do not always account for. The privacy extensions that generate randomized interface identifiers help against some forms of tracking but do not solve the fundamental problem. Once an address appears in a certificate log or a DNS response, it is known, in the corpus, and gets ingested.

And that ingestion problem has changed character significantly in the last two years.

AI systems operating at scale are now consuming public internet data at a rate and with a depth that fundamentally alters what it means for something to be technically obscure. Algorithmic enumeration of IPv6 space based on observed address patterns, combined with the systematic harvesting of certificate transparency logs, DNS passive collection, and NDP traffic analysis, means that the security model of "nobody can enumerate my /64" is increasingly fictional. The addresses that have appeared in any public signal, even briefly, even years ago, are candidates for discovery. The sheer size of the address space no longer provides the insulation people assumed it did. Hiding in a crowd of 340 undecillion is less impressive when your interface is in a database.

What makes this particularly consequential is not just the exposure of known IPv6 addresses but the degree to which IPv6 has been an afterthought in security operations. It is not unusual to find organizations that have invested significantly in their IPv4 controls: mature firewall rulesets, well-maintained ACLs, intrusion detection tuned to IPv4 traffic patterns, DLP policies written against IPv4 flows. The same physical machine, dual-stacked as nearly all modern endpoints and servers are by default, often has an IPv6 address that bypasses every one of those controls. Not through any sophisticated attack. Simply because nobody wrote a rule for it. The firewall that carefully inspects every IPv4 packet heading toward a sensitive service may pass IPv6 traffic destined for the same service without so much as logging it, because IPv6 wasn't considered when the policy was written, or was configured as an afterthought with far less rigor.

This is the structural problem. It is not that IPv6 is inherently insecure. It is that organizations have been managing a dual-stack world with single-stack discipline, and the gap has been quietly widening as IPv6 adoption has climbed from an interesting footnote to half the internet.

Network security tooling has not kept pace uniformly. SIEMs that were built and tuned against IPv4 traffic often have gaps in IPv6 parsing(seriously), correlation, and alerting. Vulnerability scanners that do a credible job against IPv4 infrastructure frequently miss or incompletely handle IPv6 targets. Asset management systems that feel confident about their IPv4 inventory often have little reliable visibility into the IPv6 addresses assigned to the same hardware. I've operated in most large vendor SIEMs, scanners, and asset managers and as someone who deeply cares about IPv6 posture can say there's fundamental issues in indexing and reporting in all. Downstream security teams doing threat hunting or remediation are working with incomplete telemetry and may not know it.

The monitoring and metrics gap matters as much as the control gap. You cannot defend what you cannot see, and IPv6 visibility in most enterprise environments is considerably worse than IPv4 visibility by almost any measure. Logging is inconsistent. Alerting thresholds are uncalibrated. Baselines do not exist. When an incident occurs on an IPv6 address, investigators frequently discover they have dramatically less forensic data available than they would have had for the same event on an IPv4 address, not because the data could not have been collected, but because nobody configured the collection.

The comparison to the Linux desktop is apt in one important way: the warning has been accurate for a long time, and the industry has simply not acted on it. But it diverges in a critical way too. The Linux desktop prediction was wrong about timing but arguably wrong in ways that were low stakes. IPv6 security is a prediction about exposure, and the exposure is real and growing in direct proportion to the adoption numbers that Google and others are now publishing. As IPv6 traffic crosses 50%, the attack surface that organizations have been deferring now represents half of their network reality.

The moment to treat IPv6 security as a first-class concern is not next year. It was several years ago, and the organizations that are honest with themselves about this will spend the next twelve months in audit mode: reviewing firewall policies for IPv6 parity, enumerating their own external IPv6 attack surface before someone else does it for them, instrumenting their detection stack to actually see IPv6 traffic, and stress-testing whether their incident response playbooks make any assumptions about IPv4 that break under an IPv6 incident. These are not novel activities. They are the same disciplines applied to a protocol that finally demands the same professional respect its adoption numbers have earned.

This is not the year of the Linux desktop. But it is very likely the year that IPv6 security debt comes due, and the organizations that have been carrying that debt are about to find that the interest has been compounding.

Popular posts from this blog

The Fallacy of Cybersecurity by Backlog: Why Counting Patches Will Never Make You Secure

By a Former Engineer Turned Cybersecurity Leader For much of my twenty years as a software and security engineer, and now as a cybersecurity executive, I have watched organizations cling to a deeply flawed belief: that security maturity is reflected in the length of the patch backlog, the volume of vulnerabilities closed, or the number of tickets resolved in a quarter. Entire cultures are built around these metrics. Dashboards glow green when patch counts dip. Leaders celebrate the deletion of Jira, SNOW, etc. tickets as if the act of closing them somehow hardened the enterprise. But this fixation on downstream remediation creates an illusion of control while masking the fundamental problem upstream, there is an innovation pipeline that lacks guardrails, architectural clarity, and secure defaults. The symptom becomes the scorecard, and the root cause remains untouched often under a guise of promoting freedom. Security teams often find themselves in a perpetual treadmill of “forever f...
Read more

IPv6 White Paper I: Primer to Passive Discovery and Topology Inference in IPv6 Networks Using Neighbor Discovery Protocol

Introduction IPv6 drastically reshapes the surface of network reconnaissance, replacing the narrow 32-bit address space and broadcast semantics of IPv4 with expansive subnets and a multicast-centric control architecture. In this new model, Neighbor Discovery Protocol (NDP), Multicast Listener Discovery (MLD), and ICMPv6 signaling collectively define how hosts announce their presence, interact with routers, form addresses, resolve local neighbors, and verify reachability. Although this model was engineered for efficiency and stateless configuration, its reliance on predictable multicast traffic introduces a rich layer of metadata that can be quietly harvested by a passive observer. This paper explores the extent to which NDP, and its associated control protocols, leaks meaningful information about a network’s hosts, topology, addressing structure, and operational state. It also outlines how these behaviors can be transformed into the foundation of a silent IPv6 reconnaissance system cap...
Read more

This is Cybermancy

Image
Preface This document is a manifesto, not a tutorial. It is written for practitioners who live inside systems rather than around them. It is for those who build, test, trace, break, and repair complex machinery at scale. It is not concerned with tools, techniques, or exploits, but with the way of seeing that precedes all of them. The worldview here is neither criminal nor romantic albeit a bit poetic and whimsical in my own way. It is operational. It emerges naturally in those who understand that modern systems fail not because they are attacked, but because they are misunderstood. What follows is a statement of posture, responsibility, and discipline for those who recognize that sight itself is the rarest capability on the Grid. Cybermancers are not defined by exploits, hardware, or street legend. Those tangentials  are the residue and not the essence. A cybermancer is defined by how they see the Grid  not as fortresses, maps, gates, and walls, but as a breathing lattice of...
Read more