IPv6 infodump
Benefits
Huge address space
IPv6 has an address space of 2^128 addresses (roughly 3.4 x 10^38), which is incredibly large. It is so large that you could assign 2^16 addresses to every planet in the observable universe and still use only a tiny fraction of it.
No fragmentation and no broadcasts
IPv6 routers never fragment packets in transit. When a packet is larger than the MTU of the next hop, the router drops it and sends an ICMPv6 Packet Too Big message back to the source, which then lowers its path MTU. In practice this makes path MTU discovery cleaner and performance more predictable. IPv6 hosts can still fragment at the source (using the Fragment extension header) if needed, which typically happens when an application sends a UDP datagram larger than the path MTU; every IPv6 link must carry at least 1280 bytes, so that is the safe floor. IPv6 also drops broadcast entirely in favor of multicast, which is much more efficient since only hosts that joined the group have to process the traffic.
Simpler subnetting
IPv6 subnets are essentially always a /64: the first 64 bits are the prefix and the last 64 bits the interface identifier, which gives 2^64 addresses per subnet (SLAAC requires a /64). Uniform subnets make network design much simpler since a subnet never runs out of addresses, and identifying which subnet an address belongs to only requires looking at its first 64 bits. For a site or router that needs multiple subnets, assign a larger block such as a /56, which contains 256 /64 prefixes that can be handed out one per VLAN. This can be done manually or with DHCPv6 prefix delegation. One caveat worth knowing: a /64 holds far more addresses than any router can keep in its neighbor cache, so an attacker sweeping an internal /64 from outside can force the router to create a neighbor cache entry for every probed address and exhaust it (RFC 6583 describes this); rate-limit neighbor discovery on the router or filter such sweeps at the edge.
Better routing
Because subnetting is simplified, routing becomes much easier. In IPv6 it is best practice to assign an aggregate block (one containing multiple /64 prefixes) to a geographical unit such as a building. The router for that unit can then advertise a single summary route instead of many smaller blocks. Route summarization does this automatically, provided the /64s you assign are adjacent and aligned on the summary boundary.
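As an added example covering both the /64-per-VLAN carving and the route summarization described above (this is not code from the original page, just Python's standard ipaddress module applied to a constructed 2001:db8 block, the documentation prefix): it finds the /64 an address belongs to, carves /64s out of a /56, and shows which sets of /64s collapse into one summary route and which do not because they are misaligned.

```python
import ipaddress


def subnet_of(addr: str) -> str:
    """The /64 an address lives in: only the first 64 bits need to be inspected."""
    return str(ipaddress.IPv6Network((addr, 64), strict=False))


def carve_prefixes(block: str, count: int):
    """Take the first `count` /64 prefixes from a larger block,
    e.g. a delegated /56 that is shared across VLANs."""
    net = ipaddress.IPv6Network(block)
    if net.prefixlen > 64:
        raise ValueError("block is smaller than a /64")
    available = 2 ** (64 - net.prefixlen)
    if count > available:
        raise ValueError(f"{block} only holds {available} /64s")
    gen = net.subnets(new_prefix=64)
    return [str(next(gen)) for _ in range(count)]


def summarize(prefixes):
    """Collapse adjacent, aligned prefixes into the fewest summary routes.
    This is what route summarization ends up advertising upstream."""
    nets = [ipaddress.IPv6Network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    # constructed example: a building gets 2001:db8:3010:600::/56 (256 /64s)
    building = "2001:db8:3010:600::/56"
    print("device lives in", subnet_of("2001:db8:3010:600:dead:beef:cafe:fed9"))

    aligned = carve_prefixes(building, 4)        # 600..603: one /62
    print("VLAN prefixes:", aligned)
    print("summary route:", summarize(aligned))

    # 601..604 are adjacent but not aligned on a /62 boundary, so they need three routes
    misaligned = carve_prefixes(building, 5)[1:]
    print("misaligned set:", summarize(misaligned))
```

Allocate VLAN prefixes so that each building's set starts on the boundary of the summary you want to advertise; otherwise, as the second case shows, adjacency alone does not buy you a single route.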
Auto configuration and scalability
IPv6 has something called Stateless Address Autoconfiguration (SLAAC) which allows hosts to configure their own addresses. A host first forms a link-local address (fe80::/64 plus an interface identifier) and verifies that it is unique on the link with Duplicate Address Detection (DAD). It then sends out a Router Solicitation (RS), and routers on the link reply with a Router Advertisement (RA) carrying the prefixes in use; the host combines each advertised prefix with an interface identifier to form a global address, again checked with DAD. Routers therefore do not need to keep per-host state the way a DHCPv4 server does. Both RAs and DHCPv6 attach lifetimes to addresses, so a router or DHCPv6 server can deprecate an address by advertising a short or zero preferred lifetime. Additionally, IPv6 devices typically support temporary addresses (RFC 4941) generated from a random interface identifier and rotated regularly, which improves privacy for web browsing because the address no longer embeds the device's MAC address, as the older Modified EUI-64 identifier did.
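The interface-identifier half of SLAAC, as an added example (not code from the original page): it derives the Modified EUI-64 identifier from a MAC address as in RFC 4291, combines it with an advertised /64 prefix, recovers the MAC back out of such an address to show why that scheme leaks hardware identity, and generates an RFC 4941 style random identifier instead. The MAC and the 2001:db8 prefix are constructed; the RS/RA exchange and DAD on the wire are not simulated.

```python
import ipaddress
import secrets

# universal/local bit: 0x02 in the first octet of a 64-bit interface identifier
UL_BIT = 1 << 57


def modified_eui64(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # split the MAC in half, insert ff:fe, and invert the universal/local bit
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, iid: int) -> str:
    """Combine a /64 prefix (as learned from an RA) with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    if iid >> 64:
        raise ValueError("interface identifier must fit in 64 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr: str):
    """Recover the MAC embedded in an EUI-64 derived address.
    Returns None when the identifier does not have the ff:fe marker in the middle."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def temporary_iid() -> int:
    """RFC 4941 style temporary identifier: 64 random bits with the U/L bit cleared."""
    return secrets.randbits(64) & ~UL_BIT


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"       # constructed sample MAC
    prefix = "2001:db8:1:2::/64"    # constructed prefix, as if carried in a Router Advertisement
    stable = slaac_address(prefix, modified_eui64(mac))
    temp = slaac_address(prefix, temporary_iid())
    print("EUI-64 address:   ", stable, "-> MAC", mac_from_address(stable))
    print("temporary address:", temp, "-> MAC", mac_from_address(temp))
```

The EUI-64 address is the same on every network the device joins, which is exactly the tracking problem temporary addresses solve; most current operating systems also derive their stable address from a hash (RFC 7217) rather than the MAC for the same reason.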
IPv6 nuts and bolts
Firewalls
It is important to put IPv6 devices behind a firewall to protect against attacks: with no NAT in the way, every device typically has a globally routable address, so the firewall is the only thing deciding what can reach it from outside. The firewall should be stateful and, by default, only allow inbound traffic that belongs to connections initiated by an IPv6 device inside the network, plus the ICMPv6 messages discussed next.
The role of ICMPv6
ICMPv6 is very important since it carries path MTU discovery and Neighbor Discovery, among other things. Firewalls must not blanket-drop it: at minimum allow Packet Too Big (type 2), Destination Unreachable (type 1), Time Exceeded (type 3) and Parameter Problem (type 4), since routers anywhere along an IPv6 path may send these back to a host, and allow the Neighbor Discovery messages (types 133 to 137) on the local link. Blocking Packet Too Big is the classic mistake: large transfers then hang in a path MTU black hole. RFC 4890 gives detailed filtering recommendations. If ping scans are a concern it is fine to block inbound Echo Request (type 128) while leaving the rest of ICMPv6 open.
SLAAC and security logging
Some security professionals are concerned about SLAAC since it can potentially reduce visibility: there is no DHCP lease database mapping addresses to devices. If this is a concern, the recommended action is to log Duplicate Address Detection (DAD) packets, which are Neighbor Solicitations sent from the unspecified address ::, together with the source MAC address of each frame, since an IPv6 device sends a DAD probe before using any address. Monitoring the router's neighbor cache gives a second view of the same mapping. On switches, first-hop security features (ND inspection / IPv6 snooping and source guard, depending on the vendor) can build a binding table and only allow an address to be used after DAD completes.
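An added example of the logging idea above (not code from the original page), in Python: it builds a few constructed Ethernet/IPv6/ICMPv6 frames, one of them a DAD probe, and runs the detection logic a collector would apply to captured traffic. A Neighbor Solicitation whose IPv6 source is the unspecified address :: is a DAD probe, and the source MAC of the frame is the device claiming the target address. The MAC and addresses are made up, the ICMPv6 checksum is left at zero, and pulling frames off a real interface (raw socket or pcap) is outside the example.

```python
import ipaddress
import struct

ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_NEIGHBOR_SOLICIT = 135
UNSPECIFIED = ipaddress.IPv6Address("::")


def solicited_node(target: str) -> str:
    """ff02::1:ffXX:XXXX where XX:XXXX are the low 24 bits of the target (RFC 4291)."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | (int(ipaddress.IPv6Address(target)) & 0xFFFFFF)))


def build_neighbor_solicitation(src_mac: bytes, src_ip: str, target: str) -> bytes:
    """Constructed Ethernet/IPv6/ICMPv6 NS frame. A DAD probe is an NS whose source is '::'.
    The ICMPv6 checksum stays zero because this sample never leaves the script."""
    tgt = ipaddress.IPv6Address(target)
    dst_ip = ipaddress.IPv6Address(solicited_node(target))
    dst_mac = b"\x33\x33" + dst_ip.packed[-4:]            # IPv6 multicast-to-MAC mapping
    icmp = struct.pack("!BBHI", ND_NEIGHBOR_SOLICIT, 0, 0, 0) + tgt.packed
    ip6 = (struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, 255)
           + ipaddress.IPv6Address(src_ip).packed + dst_ip.packed)
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IPV6) + ip6 + icmp


def dad_events(frames):
    """Scan raw frames; return one record per DAD probe: the MAC that sent it and the address it wants."""
    events = []
    for frame in frames:
        if len(frame) < 14 + 40 + 24:                       # Ethernet + IPv6 header + minimal NS
            continue
        if struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
            continue
        ip6 = frame[14:54]
        if ip6[0] >> 4 != 6 or ip6[6] != IPPROTO_ICMPV6:
            continue                                        # extension headers before ICMPv6 are not walked here
        if ip6[7] != 255:
            continue                                        # ND messages must arrive with hop limit 255 (RFC 4861)
        src_ip = ipaddress.IPv6Address(ip6[8:24])
        icmp = frame[54:]
        if icmp[0] != ND_NEIGHBOR_SOLICIT or src_ip != UNSPECIFIED:
            continue
        events.append({
            "mac": ":".join(f"{b:02x}" for b in frame[6:12]),
            "address": str(ipaddress.IPv6Address(icmp[8:24])),
        })
    return events


# constructed sample traffic: one DAD probe, one ordinary address-resolution NS, one ARP frame
SAMPLE_FRAMES = [
    build_neighbor_solicitation(bytes.fromhex("001a2b3c4d5e"), "::", "2001:db8:1:2:21a:2bff:fe3c:4d5e"),
    build_neighbor_solicitation(bytes.fromhex("001a2b3c4d5e"), "fe80::21a:2bff:fe3c:4d5e", "2001:db8:1:2::1"),
    bytes.fromhex("ffffffffffff" "001a2b3c4d5e" "0806") + b"\x00" * 46,
]

if __name__ == "__main__":
    for e in dad_events(SAMPLE_FRAMES):
        print(f"DAD: {e['mac']} is claiming {e['address']}")
```

Only the first frame is logged: the second is a normal lookup for a neighbor and the third is not IPv6 at all. Feeding this the frames seen on a mirror port gives the address-to-MAC history a DHCP lease file would otherwise provide.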
Creating memorable IPv6 addresses
IPv6 addresses can be composed of anything you like, including building numbers and words that can be spelled with the hex digits a-f. To make network design simpler you can use addresses like 2605:bc80:3010:600:dead:beef:cafe:fed9 where 600 might be the building and dead:beef:cafe:fed9 the device in question. Ideally you should still use DNS, since names will always be simpler and easier to remember. Keep in mind that memorable addresses are also guessable ones: an attacker who cannot scan a /64 by brute force can easily try the obvious words and low numbers, so readable addressing is a convenience, not a substitute for the firewall.
IPv6 address notation allows leading zeros within each 16-bit group to be dropped (:0004 becomes :4). Addresses are shortened further by replacing one run of consecutive all-zero groups with ::, so you can write 2006:44::1 instead of 2006:44:0:0:0:0:0:1. Keep in mind that :: may appear only once per address, since otherwise the number of groups it stands for would be ambiguous, so something like 2006:44::3::1 is invalid. The canonical text form (RFC 5952) additionally uses lowercase hex, applies :: to the longest run of zero groups (the leftmost if there is a tie), and never uses it for a single zero group; sticking to that form makes addresses compare equal as strings in logs and configs.
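The notation rules above, implemented as an added example (not from the original page): a parser that expands the text form into eight 16-bit groups while enforcing the single-:: rule, and a formatter that emits the RFC 5952 canonical form. The sample addresses, including the page's own 2006:44::1, are only test input; the dotted-IPv4 suffix form (::ffff:192.0.2.1) is deliberately not handled.

```python
import ipaddress

HEX = set("0123456789abcdefABCDEF")


def expand(addr: str):
    """Parse the text form into eight 16-bit groups. Accepts dropped leading zeros and
    a single '::'; raises ValueError for anything else."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    if "::" in addr:
        head, tail = addr.split("::")
        groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group of zeros")
        groups = groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    out = []
    for g in groups:
        # an empty group here means a stray ':' such as in 'a:::1'
        if not 1 <= len(g) <= 4 or set(g) - HEX:
            raise ValueError(f"bad group {g!r}")
        out.append(int(g, 16))
    return out


def compress(groups) -> str:
    """RFC 5952 canonical text form: lowercase hex, no leading zeros, and '::' replacing
    the longest run of two or more zero groups (the leftmost run on a tie)."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    words = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(words)
    return ":".join(words[:best_start]) + "::" + ":".join(words[best_start + best_len:])


def canonical(addr: str) -> str:
    return compress(expand(addr))


def is_valid(addr: str) -> bool:
    try:
        expand(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    samples = ["2006:44:0:0:0:0:0:1", "2006:44::1", "2605:bc80:3010:0600:dead:beef:cafe:fed9",
               "2001:DB8:0:1:0:0:0:1", "::", "2006:44::3::1", "a:::1"]
    for a in samples:
        if is_valid(a):
            # cross-check against the standard library, which also emits RFC 5952 form
            assert canonical(a) == str(ipaddress.IPv6Address(a))
            print(f"{a:42} -> {canonical(a)}")
        else:
            print(f"{a:42} -> invalid")
```

Normalising every address through canonical() before storing or comparing it avoids the classic mismatch where 2001:DB8:0:1:0:0:0:1 and 2001:db8:0:1::1 are treated as different hosts in a log search or an allow list.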
IPv6 prefix delegation
IPv6 supports prefix delegation (DHCPv6-PD), an extension of DHCPv6 that lets an upstream device such as an ISP router hand a whole prefix, rather than individual addresses, to a downstream router. The downstream device requests a prefix such as a /56, and after negotiation the upstream router installs a route that maps the delegated prefix to that device, which can then carve it into /64s for its own subnets. This allows for highly efficient network design since it minimizes the need for manual configuration.
IPv6 transition mechanisms
NAT64
NAT64 lets IPv6-only hosts reach IPv4 servers: a stateful translator (RFC 6146) at the edge converts the IPv6 packets to IPv4 and converts the replies back. The IPv4 destination is embedded in an IPv6 address by prepending a NAT64 prefix (the well-known 64:ff9b::/96 or a /96 from your own space) to the raw 32-bit IPv4 address (RFC 6052). That prefix is routed to the NAT64 device, which extracts the IPv4 address and translates the packet. NAT46 is the same trick in the other direction, turning IPv4 packets into IPv6 ones. The idea is to run IPv6-only wherever possible so that you don't need to run dual stack.
464xlat
464xlat (RFC 6877) lets devices configure NAT46 automatically from a NAT64 prefix. Devices can learn the prefix from a Router Advertisement (the PREF64 option), from DHCPv6, or by resolving ipv4only.arpa through a DNS64 resolver. Once it is known, a built-in NAT46 kicks in and translates any IPv4 traffic coming from applications into IPv6 bound for the NAT64 prefix, which the provider-side translator (PLAT) turns back into IPv4. From the application's perspective it has native IPv4, but the traffic is converted along the path. This also covers IPv4 literals, which DNS64 alone cannot. For it to work the device needs a CLAT (customer-side translator) in its network stack. Android and Apple devices have this built in, but Windows only supports it on WWAN (cellular) interfaces. On Linux you need to install clatd, since 464xlat support is typically not included by default.
MAP-T
MAP-T (RFC 7599) is similar to 464xlat but is designed for large ISPs. Each customer router is assigned a public IPv4 address, or a share of one together with a port set, derived from its IPv6 prefix by a mapping rule. The customer router does NAT within that port set and then translates statelessly to IPv6 across the ISP's IPv6-only core, where a border relay translates back to IPv4. This offloads NAT to customer hardware, which saves cost and reduces complexity for large internet providers since the border relay keeps no per-flow state. It is typically better supported than 464xlat on consumer equipment and is in use at some very large ISPs. However, it has less of a use case outside of traditional ISPs since it is focused on consumer hardware.
DNS64
DNS64 (RFC 6147) takes a very different approach to IPv4 compatibility. Instead of translating raw IPv4 packets on the client, a DNS64 resolver synthesizes AAAA records for names that only have A records, embedding the IPv4 address in the NAT64 prefix. The synthesized records point into the NAT64 prefix, so the client's IPv6 traffic lands on the translator, which converts it back to IPv4. This does not help with IPv4 literals, since no DNS lookup happens for them (that is what the 464xlat CLAT is for), and it breaks DNSSEC validation on the end host, because a synthesized AAAA record carries no signature. It does work well for services that are only ever reached by name.
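The prefix embedding that NAT64, the 464xlat CLAT and DNS64 all share, as an added example (not code from the page): RFC 6052 places the 32-bit IPv4 address in the low 32 bits of a /96 NAT64 prefix, here the well-known 64:ff9b::/96 unless another /96 is given. The DNS64 part is a toy resolver over a constructed two-name zone that shows the synthesized answer for an IPv4-only name and why a native AAAA is preferred; it does not implement the DNS wire format or DNSSEC, and the example.com-style names and 192.0.2.x / 2001:db8 addresses are documentation values.

```python
import ipaddress

WELL_KNOWN_PREFIX = "64:ff9b::/96"


def nat64_embed(ipv4: str, prefix: str = WELL_KNOWN_PREFIX) -> str:
    """RFC 6052 /96 layout: prefix in bits 0..95, the IPv4 address in bits 96..127."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("only the /96 layout is handled here")
    embedded = int(net.network_address) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(embedded))


def nat64_extract(ipv6: str, prefix: str = WELL_KNOWN_PREFIX):
    """What the translator does on receipt: recover the IPv4 destination, or None if the
    packet was not addressed into the NAT64 prefix at all."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in ipaddress.IPv6Network(prefix):
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


# constructed zone data: name -> (A records, AAAA records)
ZONE = {
    "v4only.example.": (["192.0.2.10"], []),
    "dual.example.": (["192.0.2.20"], ["2001:db8::20"]),
}


def dns64_answer(name: str, zone=ZONE, prefix: str = WELL_KNOWN_PREFIX):
    """AAAA answer set for a name. A native AAAA is returned untouched; only when none
    exists are AAAA records synthesized from the A records (RFC 6147 behaviour)."""
    a_records, aaaa_records = zone.get(name, ([], []))
    if aaaa_records:
        return [(r, "native") for r in aaaa_records]
    return [(nat64_embed(r, prefix), "synthesized") for r in a_records]


if __name__ == "__main__":
    for name in ZONE:
        print(name, "->", dns64_answer(name))
    # the NAT64 box receives a packet for the synthesized address and recovers the IPv4 target
    synthesized = dns64_answer("v4only.example.")[0][0]
    print(synthesized, "translates to", nat64_extract(synthesized))
    # a site-specific prefix works the same way; the CLAT uses this embedding for IPv4 literals
    print("192.0.2.10 via 2001:db8:64::/96 ->", nat64_embed("192.0.2.10", "2001:db8:64::/96"))
```

Note that a validating stub resolver on the client would reject the synthesized record, and that an application connecting to 192.0.2.10 directly never asks DNS64 anything, which is why deployments pair DNS64 with a CLAT on the host.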