
Comment Re:What the absolute fuck are you talking about? (Score 1) 145

True, it's just kicking the can down the road - partially and temporarily solves one problem, while creating new more serious ones.

Many large companies have serious problems with overlapping address space, squatting on address space that isn't theirs and was previously unallocated. For instance, one company I've worked with recently used 20.x address space because "it was unused" and they had run out of 10.x; only now a lot of the 20.x space is owned by Microsoft and used for Azure, leaving this company with random Azure-hosted resources they cannot reach because 20.x gets routed internally.

But my comment was in reference to the previous comment:

There is no IPv4 requirement to use NAT and nothing about IPv4 or NAT requires the servers of "evil companies" to access hosts remotely.

In practice today you can't use legacy IP as it was intended, you're forced to use NAT unless you have a huge budget.

Comment Re:Is it worth it (Score 1) 145

You could just as easily have retained the public IPs, while putting a firewall in front of them. NAT was just added complexity providing no benefit other than reducing the number of legacy addresses required.

By hiding vulnerable machines behind a firewall you've not actually solved the problem, as those machines will become instantly infected if someone introduces a single infected machine behind the firewall.

In these days of mobile devices and wifi it is actually FAR more common for this to happen - totally unrelated devices find themselves on the same public wifi network. All it takes is for one employee to travel somewhere and connect to public wifi where an already infected machine is, then bring his laptop back to the office. A public wifi might have NAT for outside access for cost reasons, but that doesn't prevent other users of the same network from connecting to each other. It also doesn't prevent users from opening arbitrary ports via UPNP, or tunneling to outside networks and thus providing a route inside etc. If you're connecting to someone else's wifi you have absolutely no control over what the network manager does, or what the other users do.

The reason worms don't propagate in this way so commonly is not down to NAT, it's due to more sensible defaults (eg windows firewall enabled by default).

Nowadays most end user malware does not rely on inbound connections, it exploits outbound connections made by the user (eg phishing, browser exploits etc). There is still malware which makes inbound connections but it tends to target servers (which by their very nature need to have services open) and embedded devices. The vast majority of this kind of malware exclusively uses legacy IP.

Meanwhile this method of propagation is not actually practical with v6 due to the huge address space, so even if machines were vulnerable the chance of them being discovered and exploited is extremely slim.

When doing enumeration against v6 networks you have to rely on public information such as DNS records, certificate transparency logs, or access logs if you can convince a user to access a site under your control. In the former cases you'll typically only find servers which are inherently meant to be public, and in the latter case you'll only get temporary addresses of end user devices (which as previously mentioned don't have any listening services for you to attack these days anyway, and if you already convinced a user to access your site that inbound connection is a far more useful attack vector irrespective of network configuration). If someone happens to have a random embedded device exposing default credentials on an SSH service good luck finding that device on a /64 network.

I agree with you that IPv6 should be an option for people who want to have a public facing ip without NAT, specifically for ease of self-hosting. But most people not only don't self-host anything. They don't even know what that means.

Even users who don't do self hosting do use things that benefit from p2p (voice/video calls, gaming, etc).
If self hosting was more accessible, more users would do it. There are plenty of things that you might want to have at home and access remotely - for instance CCTV and NAS appliances. Because of widespread NAT, users are steered towards cloud based services with all the privacy, security and longevity implications thereof, and you will find many stories here about breaches or shutdowns turning devices into bricks.

And even if only a few users benefit from it, v6 needs to be ubiquitous or those benefits are limited. What use is someone being able to self host via v6 if other users can't reach their site (and have no idea why they can't reach it because they get a generic error message instead of one explaining what the problem is)?

Comment Re:"Not Invented Here" Syndrome (Score 1) 145

No, they are completely different things designed for different purposes:

6in4? 6to4? 6RD? NAT64, 6over4? Teredo?

6in4 - allows tunneling v6 traffic over legacy networks, intended for testing/development rather than production deployments.
6to4 - maps a /48 of v6 space to every legacy address, deprecated.
6rd - a facility for automatically setting up a v6 tunnel, intended for ISPs running antiquated equipment that can't support native v6; it's also a big red flag because any equipment too old to support native v6 is going to be well outside of its support window. We recently retired a bunch of old Cisco equipment that's EOL, and it all had native v6 support.
nat64 - a backwards compatibility system allowing v6 native networks to reach legacy resources, cheaper and scales better than providing dual stack with nat44.
teredo - a tunnel system with automatic configuration and NAT traversal, because 6in4 and 6to4 were made on the assumption of users having routable legacy IP - you can blame legacy IP for this rather than v6.

Legacy IP is even more of a mess...

Multiple automated address configuration schemes doing the same thing - RARP, BOOTP, DHCP etc.
Multiple ways to handle variable MTUs - on path fragmentation, nested fragmentation, don't fragment bit, path MTU discovery.
Arbitrary subnet sizes.
No standard way to find out your public address from behind NAT - multiple kludges exist, usually relying on external third party sites.

Comment Re: "Not Invented Here" Syndrome (Score 1) 145

Yes, people on low incomes, and yet the ISPs serving them are faced with the additional costs of buying legacy address space *and* the additional cost of CGNAT, costs that older providers in western countries don't have. These extra costs have to be paid for by the users who are least able to afford them.

Plus CGNAT means that p2p doesn't work locally, pushing more burden onto expensive international transit links instead of cheap local peering.

Remember, these people are poor and the big streaming services tend not to target their countries. The lack of regulation makes it quite easy to cover their cities in new fibre strung up on poles; if these users had routable addressing there could be a vibrant community of p2p torrents sharing content locally over the high speed fibre network. Instead, because of CGNAT, all the traffic has to trombone to another country and back, so this doesn't happen, and people continue trading copied DVDs on market stalls and even retail stores.
Yes, many developing countries couldn't care less about copyright; they cannot afford to pay for content and copied DVDs are sold openly in retail stores.

The CGNAT also stifles gaming in the same way - p2p gaming or self hosting would be very fast over the local fibre networks, but they have to connect to servers located in other countries which adds latency and further congests the expensive international transit links. There are also plenty of older and open source games that people could play for free on lowend hardware.

No, these people assume that the services are poor and overpriced because they're in a third world country. They have no idea what legacy IP is or how it's slowing down their development, but it absolutely is, and that's obvious to anyone who understands the technology. That's not to say they don't face other problems, but this is one that has a clear and obvious solution.

Comment Re:Is it worth it (Score 2) 145

NAT is not a security mechanism, it's a kludge to get around a lack of address space. You can operate a firewall without NAT and it works better this way because it's less complex and has less to go wrong.

Plus devices these days are mobile - sure you have your own firewall at home, but take your laptop to a hotel and there's no longer anything between your laptop and the other guests.

Malware is still an epidemic, there are still millions of infected machines and new strains of malware coming out all the time. NAT gives users a false sense of security and causes them to be more careless when opening a phishing email or opening a suspicious link.

Using v6 is better for everyone; otherwise we're stuck in a dystopian world where only a few large companies can host content and everyone else is just a consumer paying the extra cost of CGNAT equipment. This is a return to the controlled networks of AOL and CompuServe.

Comment Re:"Not Invented Here" Syndrome (Score 1) 145

6in4? 6to4? 6RD? NAT64, 6over4? Teredo?

These are all completely different things...

You may be on one of the lucky ISPs that has a sane deployment and want to reply with "Well, it works for me!" - that's awesome, and I wholeheartedly mean it. That IS really awesome! But for the rest of us dealing w/ multiple ISPs in multiple regions, it's a fucking shitshow to get anything reliable going consistently.

Based on stats published by Google, APNIC, Akamai and Cloudflare it does indeed work just fine for almost half the world now, meaning hundreds of millions of users, and there are many countries where users with working v6 make up a sizeable majority.
The problem is not v6, the problem is lousy ISPs, and a lousy ISP is just as likely to provide a lousy legacy service too.

In fact, legacy IP is one of the main reasons why lousy ISPs exist and are not driven out of business by better competitors.
Any new competitor would need to acquire legacy address space (costly) and probably ration it with CGNAT (also costly and causes other problems), this makes it much harder to start a new ISP.

Eliminate legacy IP and any startup ISP can easily get enough v6 space to support millions of customers, if the existing providers have shitty services someone else can easily provide a better service.

Another ISP I deal with still uses PPPoE, and then uses 6RD over that, so the MTU is trash because both reduce the MTU size.

Again the fault of the ISP.
PPPoE does support MTU 1500 providing the underlying transport is something from this century (i.e. 100mbps or gigabit ethernet rather than 10mbps ethernet):
https://datatracker.ietf.org/d...
And the only reason to use 6RD is if the underlying technology can't support native routing, which also suggests equipment >20 years old at this point.
In fact this is all a very bad sign pointing to the use of obsolete technology which is likely to be end of life and suffering from serious security flaws.

We absolutely need v6, and the longer the migration takes the more damage is caused through lack of competition, stifling of developing countries, erosion of privacy through centralised services and stifling of innovation.

Comment Re: NAT killed IPv6 (Score 1) 145

Doing egress filtering this way is a convenience mechanism not a security one. A compromised system can trivially change its IP address or MAC address. Having separate SSIDs is the way if you want different policies applying to different devices, and that's why it's recommended to provide a /56 v6 block. You could potentially use 802.1x identities too.

What you're running up against with android is a case of the devices being secured against you the user. These devices don't trust the user to make good decisions, and thus prevent them doing so - like preventing the loading of third party certificates. This kind of functionality is only useful to the 1% of users who know how to manage their own CA. If the process is easy then malicious parties will trick or exploit users into loading their own malicious CA.

Comment Re: NAT killed IPv6 (Score 2, Interesting) 145

Wrong.

A NAT gateway without explicit deny rules will allow traffic inbound if there is a route - i.e. from adjacent hosts. Reserved legacy address space is NOT non-routable, it's just filtered from global BGP tables. There's nothing stopping your ISP routing it internally, or an adjacent customer adding a route to it via your public address. Many ISPs place the WAN ports of their customers' routers into a large shared subnet, so this attack is very feasible.

A consumer IPv6 firewall will block inbound by default and allow all outbound - exactly the same configuration as a consumer legacy NAT gateway, only without the adjacent source risk above.

If you're relying on ingress filtering as your only security model then you're doing it wrong. Modern consumer operating systems don't expose listening services by default, and portable devices are frequently connected directly to networks you don't control such as public wifi or cellular data networks. In this scenario you don't have an external device providing ingress filtering, you are relying on the device itself and at the mercy of the network operator and/or the other users on the network.

The vast majority of malware targeting consumer devices these days never attempts to make inbound connections to infect devices; the infection vector is via outbound connections (eg phishing emails, malicious websites etc), and a default firewall setup which blocks inbound while allowing outbound will do nothing against the vast majority of today's malware.

Comment Re:NAT killed IPv6 (Score 3, Interesting) 145

Says someone who has never used IPv6 and doesn't understand how it works at all.

Firewalls work exactly the same way with both legacy IP and v6. The difference is that very few can actually afford to operate a firewall with legacy IP.

So instead you have NAT+firewall, which are two distinct functions adding complexity - now you have to keep track of two sets of addresses and correlate the logs, as well as keeping track of individual port mappings on the same address but to different devices. More complexity means more can go wrong and mistakes can be made more easily.

Plus most users leave outbound unrestricted, so your toaster would have unrestricted connectivity with a typical legacy NAT setup anyway.
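As an added illustration (not part of either of the two comments above, nor any particular vendor's default), the two points they make - that NAT on its own forwards whatever has a route, and that the stateful firewall is identical for legacy IP and v6 - can be shown in one nftables ruleset. The interface names wan0/lan0 and the 192.168.1.0/24 LAN prefix are assumed.

```nft
# Assumed interfaces: wan0 faces the ISP, lan0 faces the home network.
# Assumed legacy LAN prefix: 192.168.1.0/24 (constructed example).

# 1. The NAT part. IPv4 only; it rewrites the source address of packets
#    leaving via wan0 and makes no decision about packets arriving on
#    wan0. If a neighbour on the ISP's shared WAN subnet routes
#    192.168.1.0/24 via this router's public address, those packets are
#    forwarded unless a filter chain says otherwise.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}

# 2. The firewall part. One "inet" table applies the same rules to
#    IPv4 and IPv6; nothing here depends on the NAT table existing.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections initiated from the LAN, for both families.
        ct state established,related accept
        ct state invalid drop

        # New connections are only allowed when they originate on lan0.
        iifname "lan0" oifname "wan0" accept

        # Forward the ICMPv6 errors that path MTU discovery relies on,
        # otherwise large v6 transfers through the router will stall.
        icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem
        } accept

        # Anything else from wan0, including packets for 192.168.1.0/24
        # routed in by an adjacent customer, hits the drop policy.
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname "lan0" accept
        # Neighbour discovery and router advertisements must reach the
        # router itself on wan0 or it loses its upstream v6 connectivity.
        icmpv6 type {
            nd-neighbor-solicit, nd-neighbor-advert,
            nd-router-advert, echo-request
        } accept
    }
}
```

Loaded with `nft -f`, the masquerade rule is the only address-family-specific line; deleting the whole `ip nat` table leaves the forward policy unchanged, which is the "firewall without NAT" case the comment describes.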

Comment Re:What the absolute fuck are you talking about? (Score 3, Informative) 145

Legacy IP does not scale without NAT. Virtually all mobile providers and an increasing number of fixed line providers are forced to NAT their customers.
There are literally thousands of ISPs around the world who simply don't have enough legacy address space to provide one to each customer, let alone one to each device that a customer might have. It may be technically possible to operate legacy IP without NAT, but it is neither scalable nor affordable to do so.

So instead you have NAT. If you're lucky you control the NAT and share it with your own devices, but for millions of people around the world they have no control as the NAT is performed by the ISP. If these users want to make anything available remotely via legacy IP then they have to rely on a third party service to do so.

Comment Re:Linked accounts everywhere (Score 1) 61

What alternatives would you suggest for tourists to avoid currency conversion fees?
There are plenty of cards out there that pass on the visa/mastercard/amex rate without adding any extra fees. If you change cash you'll almost always be getting a much worse rate than this, not to mention the extra cost of being stuck with leftover change when you leave.
