If I were an evil threat actor, I'd be learning as much about #ipv6 as possible right now. I'm convinced that many companies that say they "aren't using" IPv6 are in reality just ignoring IPv6, and it would be easy to set up a "shadow network" consisting of IPv6 traffic where you could get away with murder. Nobody at the company is logging IPv6 traffic and events, none of the tools are configured to monitor it, and a large majority of the staff knows nothing about it.
"But we disable IPv6!"
Really? On your users mobile devices? On printers? On random IoT devices? And most of all, on your remote user's networks? Good luck, my guy.
@IvyMike Why? If I'm operating a website that sits behind e.g. cloudflare, I can just drop IPv6 everywhere I can think of, including at boundaries of my internal network and at each host. That's IMO a terrible idea from the POV of future, but it's feasible and should make any worries about IPv6 moot, no?
@robryk That might get you part of the way, but there's a lot of crap in most networks that doesn't give you the level of control you really need. Mobile, printers, IoT, etc.
Your remote users are also a tough case--yeah, they may be IPv4 thru the company VPN, but their computer is exposed to IPv6 at the remote location. Having tools/logging be aware of this is important.
Too often people will say "I turned IPv6 off and I don't need to think about it", and even if they were right at the time, one department buys new equipment and forgets to change one setting, and it's game over.
Look, maybe some companies that say "we don't have *any* IPv6" are correct , but going back to my "if I were an evil threat actor", there are a ton who are sticking their heads in the sand.
I get that nobody wants or needs more stuff on their plate. But I think it's there already.
@robryk Sure, there may be some exceptions. But any company with any significant intranet and backend is more likely than not fooling themselves.