Tunnelled IPv6 Attacks Bypass Network Intrusion Detection Systems (itnews.com.au)
"The transition to internet protocol version 6 has opened up a whole new range of threat vectors that allow attackers to set up undetectable communications channels across networks, researchers have found."
Slashdot reader Bismillah summarizes a report from IT News.
Researchers at NATO's Cooperative Cyber Defence Centre of Excellence and Estonia's University of Tallinn have worked out how to set up communications channels using IPv6 transition mechanisms, to exfiltrate data and for systems control over IPv4-only and dual-stack networks -- without being spotted by network intrusion detection systems.
The article argues that "Since IPv6 implementations and security solutions are relatively new and untested, and systems engineers aren't fully aware of them, the new protocol can become a network backdoor attackers can exploit undetected." The researchers' paper is titled "Hedgehog In The Fog."
this is not an ipv6 specific issue (Score:5, Informative)
IPv6 is called out unfairly here. Any kind of tunnel is potentially not handled by an IDS.
There are better ways to exfiltrate data. VPN anyone?
Re:this is not an ipv6 specific issue (Score:5, Interesting)
VPNs aren't set up and enabled by default on Windows machines the way Teredo, 6to4 and ISATAP are.
Re: this is not an ipv6 specific issue (Score:1)
No. The point is that ipv6 is often not watched by IDS. In most cases because the admins didn't realize v6 was running and simply haven't configured it.
Re: (Score:1, Offtopic)
Shitty admins use Shitty configurators on Shitty windows for Shitty protection.
Re: (Score:1)
Switches operate at layer-2. They don't give a shit what layer-3's you run through your network. You may not be routing IPv6, but I can all but assure you IPv6 is present on the link. (if you have windows machines (newer than XP), you DO have v6 in your network.)
Re: (Score:1)
Perhaps. But the key here is that admins often are completely blind to IPv6 and various shit systems (and users) do to enable IPv6. (I'm looking right at you Microsoft!) VPNs? Sure. And many will block them.
Re: (Score:2, Interesting)
This happens when you have a baby-boomer tech employee who refuses to retire. You let him ride out his last days as a senior or manager while backfilling him with what you hope are more competent and open minds, but unless it's from the vendor that bought him steak and told him he was a real straight shooter, he's not going out of his lane to potentially fail at this point in his career, or learn something new.
That's nice, but we have newly graduated kids from top-tier schools coming in that couldn't tell you the first thing about IPv6. They know it exists, and that's about the extent of it.
Re: (Score:3)
I have more than enough IPv4 addresses allocated to me and my servers. I don't need IPv6.
Sorry the rest of you have to fight over IPs. I've got plenty (no you can't have them).
Let me guess, you use DNAT extensively?
Re: (Score:2)
Nope. No NAT. Real, public IPv4 IPs. Yes, the allocation is unfair.
I have returned a bunch of IPs (some /24s and some /26s or something) to the organization's pool (which is much larger than /24) as we've consolidated some things, but as far as I know there's no chance of those IPs going back to public use. In the grand scheme of things, a few hundred IPs for public allocation won't help much. Now, IBM on the other hand, with its /8 assignment...
Re: (Score:2)
If all the unused /8's were returned, that would get us a few more months at most.
Re:give me a break. (Score:4, Funny)
I can use the entire 10.x.y.z range internally; that's more IPs than I'll ever need.
Re: (Score:2)
Amazingly one reason some people are looking at IPv6 is that they are out of private IPv4 addresses in their CGN (carrier grade NAT) setups. Apparently mobile phone companies are hitting this.
Re: (Score:2)
No. [ietf.org]
Re: (Score:1)
RFC 6598 -- http://tools.ietf.org/html/rfc... [ietf.org]
Re: (Score:3)
> I have more than enough IPv4 addresses allocated to me and my servers. I don't need IPv6.
> Sorry the rest of you have to fight over IPs. I've got plenty (no you can't have them).
It is great to hear you have enough IPv4 addresses. What happens when you want to communicate with someone who happens to be less fortunate?
Speaking for myself, restoring the Internet to a viable network of PEERs where everyone has the capability, if desired, to directly address everyone else is of utmost importance to countering the proliferation of centralized manure currently waging war against *my* Internet.
IPv6 is well worth any initial hardship or annoyance. Even if everyone hides behind an SPI anyway
Re: (Score:2, Flamebait)
> Speaking for myself restoring the Internet to a viable network of PEERs where everyone has
> the capability if desired to directly address everyone else is of upmost importance to countering
> the proliferation of centralized manure currently waging war against *my* Internet.
I have a paranoid iptables firewall. Having said that, DID (Defense In Depth) always helps. I don't have a complacent "it can't happen to me attitude". I *WANT* a NAT'ing router between my home machines and the internet for an
Re: (Score:2)
> I have a paranoid iptables firewall. Having said that, DID (Defense In Depth) always helps. I don't have a complacent "it can't happen to me attitude". I *WANT* a NAT'ing router between my home machines and the internet for an extra layer of protection.
1:many NAT is *LESS* secure than SPI. NAT requires added complexity to support ALGs, packet mangling and tolerance of ambiguous assumptions about application state.
Re: (Score:2)
> Speaking for myself restoring the Internet to a viable network of PEERs where everyone has
> the capability if desired to directly address everyone else is of upmost importance to countering
> the proliferation of centralized manure currently waging war against *my* Internet.
> I have a paranoid iptables firewall. Having said that, DID (Defense In Depth) always helps. I don't have a complacent "it can't happen to me attitude". I *WANT* a NAT'ing router between my home machines and the internet for an extra layer of protection.
> IPv6 is well worth any initial hardship or annoyance. Even if everyone hides
> behind an SPI anyway the ability to trivially prime direct connections with
> a 1:1 map is an absolutely priceless capability by itself without getting to global
> costs of dealing with IPv4 scarcity or people being forced into CGN land.
I hope somebody comes out with a NAT'ing IPv6 ADSL router that NATs multiple machines behind it to one publicly visible address. It'll be worth it just to watch all those internet hippies' heads explode.
Repeat after me: NAT is *not* a security mechanism. If you think it protects you, you are a fool.
NAT is not a security mechanism, but it provides useful security by preventing hosts from having publicly routable IPs when they simply don't need them.
It's an additional layer on top of a firewall which may or may not actually be configured properly (or actually work). Think of the tens of millions of home users who have a crappy modem/router combo device managed by their ISP.
Re: (Score:1)
Useful security? How many times have you seen "just put it in the DMZ" as a solution to many connectivity issues NAT causes? There goes their supposed security.
Re: (Score:1)
What does me reading something on the internet have to do with my friends???
That was more of a rhetorical question. I was hoping you had seen it. Regardless, the advice is out there and it's being put to use. The routers have that feature and their websites have the instructions on how to use it. I have seen it recommended when upnp and port forwarding fail to work for whatever reason. I've had upnp stop working mysteriously many times.
But that doesn't matter. It's a very common built in feature that
IPv6 has NAT as well (Score:2)
Also IPv6 can do NAT (eg. you can use it for a transparent proxy) and there are routers that let you define your own firewall rules so that cheap ADSL router with NAT is already available - so you can do it, just don't assume that NAT is going to keep anyone other than the honest out.
Re: (Score:2)
I've done this, and I saw no difference. If you did then you fucked up the test. Specifically, you most likely changed the PC from a public v4 address to an RFC1918 one at the same time as introducing the NAT. Making two changes at once means you can't tell which change caused the different behavior.
Try comparing a traffic capture of a machine with an RFC1918 address with vs without NAT on the router, and then separately compare a capture of a machine with a public address with vs without NAT on the router.
Re: (Score:1)
I hope the idea of IPV6 NAT gets taken out back and shot. NAT has been the single most pain in the ass thing to network gaming since forever.
I don't now how much time I've wasted trying to troubleshoot why certain people can't connect to our gaming session. Most of the time it's because of NAT. And when they can connect to the game, the audio chat doesn't work still. Grrrrrr.
Then there's people who have multiple consoles and want to play the same game together online. One of them can and the other can'
Re: (Score:1)
NPT is 1:1, which doesn't have all but one of the issues that 1:many NAT has. There's no port rewriting, no stateful packet inspection, etc. The only issue is if the internal host needs to tell an external host its IP address. Incoming using DNS would have no issues.
NPT does not block incoming connections like regular NAT does. This is because 1:many NAT has no idea where to send incoming without an explicit rule. NPT which is 1:1 does know where to send incoming connections because each external IP i
Re: (Score:2)
> This is because 1:many NAT has no idea where to send incoming without an explicit rule.
A lot of people think this, but it's not true. Your router knows perfectly well where to send the packet, because the packet has a dest address field in the header that tells it where to send it.
Now, it is true that if your network is using RFC1918 addresses (which I note isn't actually a requirement for NAT) then it's quite hard to send your router a packet with one of those addresses in the dest field... but your ISP could do it easily, and of course so could anybody else in a position to twist your ISP's
Re: (Score:1)
You are correct. I was referring to NAT + RFC1918 when I said that it doesn't know where to send incoming packets (originally sent to the public IP). That's the mechanism that creates the pseudo security of NAT.
As you said, using routable addresses on the inside does not trigger this. Without a firewall they can go direct. Same with NPT and routable addresses on the inside.
Yes, ISPs can send to you using RFC1918. If you're using a tunnel broker for IPv6 that can be intercepted without ISP help and IPv4
Re: (Score:2)
Any security NAT can give you can easily be implemented in v6 with a few simple rules.
Re: (Score:1)
> this happens when you have a baby-boomer tech employee who refuses to retire
That happens when anybody is not much interested in exploring newer technologies; actually I'd put more trust in a network specialist baby boomer who still lives off the industry, and who experienced the multiple changes since the 70s.
Re:give me a break. (Score:5, Interesting)
It goes well beyond the boomers. v6 has been around for TWENTY years and TFA is calling it "new". The kids coming out of school now seem to think of it as "new" as well. Even XP supports v6, just how new could it be? Before you cast too many stones at the boomers, remember you seem to have been asleep for 10 years yourself. By the time you noticed this v6 thing, I was running dual stack at home so I could get familiar with it.
This from the same industry that gushes over every new application framework that offers no tangible benefits over the old framework and will probably be yesterday's news by the time an actual project can be completed. Where are all those much younger network guys pushing for a v6 initiative? For God's sake, Comcast beat them to v6!
Re: (Score:2)
XP actually didn't support IPv6 out of the box: that support had to be added later.
Saying that IPv6 is 20 years old is misleading, given that only recently have enterprises accelerated their moves to this protocol, and also, a lot of changes happened in the IPv6 spec over that time (e.g. the deprecation of IPv4-compatible addresses).
Re: (Score:2)
XP supported it out of the box. You had to enable it but the code was installed on the box when it was delivered.
I've been writing and shipping applications that support IPv6 for nearly 20 years now. I've been using IPv6 from home for 15 years now.
Work has been operating servers reachable by the public over IPv6 for longer still.
Re: (Score:2)
Actually, it did. It wasn't configured out of the box until SP2 or 3, but you could configure it if you wanted from day 1. The protocol driver was on the install disk.
V4 has changed as much as v6 has over the years. For example, source routing and source quench went away. Congestion control has changed a good bit.
The fact that enterprises have only recently gotten interested in v6 just means they were asleep at the switch for a long time. They jumped on every flavor of the month they could find while ignori
Re: (Score:1)
"every flavor"? You mean NAT? Shit we've all been using since the mid-90s? ISPs have been grasping at straws because they can't get any more v4 addresses, and still have to connect a growing number of users to the v4 internet. (and develop v6 CPE hardware and infrastructure, AND still get the v6 only connected to the v4 internet.) And their answer has been NAT as well; just on a scale beyond reason.
Re: (Score:2)
I mean every flavor of everything. CASE tools, XML, CORBA, Ruby on Rails, Java, a zillion management fads, you name it, as soon as some exec read about it while waiting for tee time, it became a must have. Except for IPv6 apparently.
But I agree the extremes they're going to to avoid just going with v6 are silly at the least. Personally, I would love to just go with v6 so I can get enough addresses allocated without submitting my last colonoscopy and the opinions of 3 or more fortune tellers, but it's just n
Re: (Score:1)
XP has an IPv6 stack, but I wouldn't go so far as to say it "supports v6". It only supports SLAAC. (Pinning a static address is a pain in the ass, and doesn't always survive a reboot.) There is zero GUI integration for managing it. The OS will not use it for its own internal processes (namely DNS). And Microsoft has never officially supported it.
It's also so hopelessly out-of-date, it only barely works. Very little of what is considered IPv6 today is supported.
Re: (Score:2)
Consider, XP itself is hopelessly out of date and unsupported. Since XP was for workstations (not servers) SLAAC made plenty of sense (and it still does).
Notably, if v6 was enabled and it didn't get a router announcement, it would auto-configure Teredo.
Basically, it worked well enough to meaningfully operate in a dual stack environment. It would not work in a v6 only environment.
So no excuses there, the capability existed.
Re:give me a break. (Score:4, Informative)
IPv6 transition mechanisms
IPv6 has been around nearly a decade. Any company that doesn't have a competent dual-stack implementation deserves what they get. That having been said, the number of vendors that recoil in shock and horror when you ask if they can route, or even support, IPv6 is amazing.
The truly terrifying thing is the amount of otherwise competent and knowledgeable IT professionals who are utterly terrified of IPv6 and get elevated blood pressure whenever it's mentioned.
There's a whole generation of IT pros who have come to believe that NAT is the solution to almost all of their security issues, and have no use for port-blocking firewalls or defense in depth. It wasn't that long ago that desktop workstations often had Internet-routable IP addresses and you had to have actual firewalls on the front end and inside as well.
Nowadays they run their webserver in an RFC1918 range and use DNAT to send the traffic into it, thinking this is more secure than having a firewall, and when they look at IPv6, they see this security blanket as being taken away from them and they retreat into their shells.
Re: (Score:1)
Those professionals hate it because it's a constantly moving target. If IPv6 were one thing to implement, ONCE, they'd've done it long ago. However, that's not the case. Even today, it's a constantly changing ball of shit.
IPv6 is a different way to doing things. NAT does involve a "firewall" -- 'tho it's unlikely to be watching traffic with an eye to security. With IPv6, security is not automatic; firewall rules have to be manually crafted.
Re: (Score:2)
I just deactivate IPv6 on all dual-stack machines; that should fix this (and a lot more issues that the idiot who implemented IPv6-first instead of using it only if no IPv4 is available created).
Re: (Score:3)
That's going to blow up in spectacular fashion as soon as v6 only sites start popping up that you or your employer care about (there are v6 only sites now, but mostly not targeted at English speakers).
It affects IPV4-only machines too (Score:3)
> I just deactivate IPv6 at all dual stack machines, that should fix this...
Wrong. If your ISP doesn't support IPV6, you can still get IPV6 via a "tunnel broker". Packets get tunnelled over an encrypted connection to IPV6-land. I know this is Slashdot, but please RTFA https://www.itnews.com.au/news... [itnews.com.au]
> The researchers developed proofs of concept with tunnel-based IPv6 transition tools over
> IPv4-only, or IPv4/IPv6 dual-stack networks, that were able to pass traffic undetected by
> common network
Re: (Score:1)
My IPV6 tunnel is not encrypted. It doesn't have to be as there's no point and all it would accomplish is add more CPU load to my router and the tunnel broker's router.
Any unencrypted traffic like HTTP attackers could mess with after it leaves the tunnel broker to the rest of the internet so waste of effort there. Encrypted traffic like HTTPS would get encrypted twice which is also a waste of effort.
Re: (Score:2)
Reading the summary, since the issue is regarding IPv6 packets that are undetected on an IPv4 network that's unaware of the protocol, it'll only make it easier for IPv6 to be a disguised carrier of attack vectors
Re: (Score:1)
Don't blame M$ and Google for what was a basic, founding tenet of IPv6... "None of this bullshit NAT!" And from a second chair in the room, "yeah, and none of this G** D*** DHCP!" By the time we get around the room, IPSec (think all of OpenSSL) had been glued into the protocol. Many hard lessons completely unlearned -- SLAAC, RAs, multicast DNS, etc.
If you want something to blame on Google, ask them why Android doesn't support DHCPv6.
[On the subject of SLAAC: this wasn't such a bad idea on the surface. Ho
Re: (Score:3)
> this happens when you have a baby-boomer tech employee who refuses to retire. you let him ride out his last days as a senior or manager while backfilling him with what you hope are more competent and open minds.
So, in your world, young people with no experience in deploying networking will use
their "more competent and open minds" to do a job that older workers cannot,
even though the older worker has been aware of IPv6 for nearly as long as the
younger people have been alive. Because, you know, they are older.
Fuck You, you ageist piece of shit.
I hope someone sues your company into fucking oblivion.
Windows 10 enables the tunnel mechanisms by default (Score:2)
Windows 10 enables the tunnel mechanisms by default.
And has no easy way to turn them off.
Yeah, you can remove IPv6 from the network card - but are you so daft that you think it actually removes this threat? Hahahahha. Of course not. You have to go into the registry to disable IPv6. And of course they will reset it on update, because fuck you, that's why. And disabling any IPv6 support entirely wouldn't help either if the offending software gets to write its own ethernet packets (though that's more complicated than some
Re: (Score:1)
Hell, Windows XP enables them by default. (once IPv6 is installed)
Re: (Score:1)
#1 - Wrong. This is often trotted out, but an outsider cannot find every machine on your network with just the prefix or a single address. Once inside your network (compromised host), it's possible, but far from dirt simple.
#2 - It's as tested as anything else.
#3 - True, but you can attack anything that has a NAT map as well. And this is partially why privacy extensions exist (your address changes regularly)
#4 - Wrong. This was a basic requirement of early IPv6 standards. It's now "optional", but present in
First thing I change on Win devices I use (Score:5, Informative)
netsh interface teredo set state disabled
netsh interface isatap set state disabled
netsh interface 6to4 set state disabled
These IPv6 tunnels are worse than useless in my experience.
Windows Homegroup depends on IPV6 being present & some other users of the machines I use find it useful so it can't be disabled as well all the time but at least it's not trying to tunnel out. When (though it's still rare), the network has IPV6 connectivity it also has IPV6 firewalls so it's less of an issue as well.
Re: First thing I change on Win devices I use (Score:1)
When ipv6 on my router is set to disabled, is it blocked?
Re: First thing I change on Win devices I use (Score:5, Informative)
Turning off IPv6 in your router will turn off native IPv6 routing, but that's not the issue here. The problem is that Windows in particular sets up three different means of tunnelling IPv6 in IPv4. Turning off IPv6 in your router will do nothing for these, and you need to turn off Teredo, 6to4 and ISATAP on every Windows machine.
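The three mechanisms named in this thread are the ones an IPv4-only IDS is blind to: Teredo wraps IPv6 in UDP to port 3544, while 6to4 and ISATAP carry IPv6 directly in IPv4 as IP protocol 41. The following is an added example written for this page, not code from the thread, the IT News article or the researchers' paper. It is a small Python classifier that recognises those encapsulations in raw IPv4 packets and, for 6to4, Teredo and ISATAP inner addresses, recovers the IPv4 endpoint embedded in the IPv6 address (the layouts follow RFC 3056, RFC 4380 and RFC 5214). The packets and addresses it builds are constructed sample data, not captures; the helper names are the example's own.

```python
"""
Spot IPv6 tunnelled inside IPv4 (6to4/ISATAP via protocol 41, Teredo via UDP/3544)
and recover the IPv4 endpoints embedded in transition-mechanism addresses.
Added example for the thread above; the packets below are constructed, not captured.
"""
import ipaddress
import struct

PROTO_41 = 41        # IPv6-in-IPv4 encapsulation (6to4, ISATAP, static 6in4)
PROTO_UDP = 17
TEREDO_PORT = 3544   # Teredo server/relay port (RFC 4380)


def _ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header, no options; checksum left at zero (constructed sample).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def _ipv6_header(src, dst, next_header=59):
    # 40-byte IPv6 header; next header 59 = "no next header", payload length 0.
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def build_6in4(src4, dst4, src6, dst6):
    """Constructed protocol-41 packet (what 6to4 and ISATAP put on the wire)."""
    inner = _ipv6_header(src6, dst6)
    return _ipv4_header(src4, dst4, PROTO_41, len(inner)) + inner


def build_teredo(src4, dst4, sport, src6, dst6):
    """Constructed Teredo packet: IPv6 inside UDP to port 3544."""
    inner = _ipv6_header(src6, dst6)
    udp = struct.pack("!HHHH", sport, TEREDO_PORT, 8 + len(inner), 0) + inner
    return _ipv4_header(src4, dst4, PROTO_UDP, len(udp)) + udp


def build_plain_tcp(src4, dst4):
    """Constructed ordinary TCP SYN, used as the non-tunnelled control case."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return _ipv4_header(src4, dst4, 6, len(tcp)) + tcp


def decode_transition_address(addr):
    """Return (mechanism, embedded IPv4) for a 6to4, Teredo or ISATAP address, else None."""
    a = ipaddress.IPv6Address(str(addr))
    n = int(a)
    if a in ipaddress.IPv6Network("2002::/16"):
        # 6to4 (RFC 3056): 2002:WWXX:YYZZ::/48 embeds the IPv4 address W.X.Y.Z.
        return "6to4", str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))
    if a in ipaddress.IPv6Network("2001::/32"):
        # Teredo (RFC 4380): the last 32 bits are the client's public IPv4, XORed with all ones.
        return "teredo", str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF))
    iid = n & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) & 0xFDFFFFFF == 0x00005EFE:
        # ISATAP (RFC 5214): interface ID is 0000:5efe or 0200:5efe followed by the IPv4 address.
        return "isatap", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    return None


def classify(pkt):
    """Describe an outer IPv4 packet and any tunnelled IPv6 found inside it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return {"kind": "not-ipv4"}
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    outer = {"src": str(ipaddress.IPv4Address(pkt[12:16])),
             "dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    payload = pkt[ihl:]
    inner, kind = None, "plain"
    if proto == PROTO_41:
        inner, kind = payload, "6in4"
    elif proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            inner, kind = payload[8:], "teredo"
    # Only report a tunnel when the encapsulated bytes really start with an IPv6 header.
    if inner is None or len(inner) < 40 or inner[0] >> 4 != 6:
        return {"kind": "plain", **outer}
    src6 = ipaddress.IPv6Address(inner[8:24])
    dst6 = ipaddress.IPv6Address(inner[24:40])
    return {"kind": kind, **outer, "inner_src": str(src6), "inner_dst": str(dst6),
            "inner_src_decoded": decode_transition_address(src6)}


def find_tunnels(packets):
    """Run classify() over a batch of frames and keep only the tunnelled ones."""
    return [r for r in (classify(p) for p in packets) if r["kind"] in ("6in4", "teredo")]


if __name__ == "__main__":
    samples = [
        build_6in4("203.0.113.5", "192.88.99.1", "2002:cb00:7105::1", "2001:db8::1"),
        build_teredo("198.51.100.7", "192.0.2.10", 40000, "2001:0:c000:20a:0:63bf:39cc:9bf8", "2001:db8::2"),
        build_6in4("10.0.0.7", "10.0.0.1", "fe80::5efe:10.0.0.7", "fe80::5efe:10.0.0.1"),
        build_plain_tcp("10.0.0.7", "93.184.216.34"),
    ]
    for hit in find_tunnels(samples):
        print(hit)
```

The check that the encapsulated bytes carry a version-6 header is what keeps the classifier from alerting on every protocol-41 or port-3544 datagram; a rule that keys on the outer protocol or port alone is both noisier and trivially evaded by moving Teredo to another port, so pairing the outer match with the inner-header check is the minimum a sensor on an "IPv4-only" segment needs.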
Re: (Score:1)
In a word, NO! In fact, it will cause windows to fall back to using teredo, etc. to fake IPv6 connectivity. One must take active measures to block that shit from the network. Turning off those interfaces within windows will *NOT* keep them turned off.
Re: (Score:2)
> netsh interface teredo set state disabled
> netsh interface isatap set state disabled
> netsh interface 6to4 set state disabled
> These IPv6 tunnels are worse than useless in my experience.
> Windows Homegroup depends on IPV6 being present & some other users of the machines I use find it useful so it can't be disabled as well all the time but at least it's not trying to tunnel out. When (though it's still rare), the network has IPV6 connectivity it also has IPV6 firewalls so it's less of an issue as well.
At least you didn't advise disabling IPv6 completely, which isn't even a supported configuration any more (in Microsoft products).
Re: (Score:3)
When IPv6 is configured on a Windows machine and it is getting & attempting to use AAAA DNS records, resulting in 30 second timeouts, that's when I disable IPv6: http://blogs.cisco.com/enterpr... [cisco.com]
Yeah, it's the client's network that "should" be fixed, but I've given up at tilting at windmills. I'll just tell them that their IPV6 is messed up, disable IPV6 on the server with the issues getting rid of the timeouts and move on.
Re: (Score:2)
> When IPv6 is configured on a Windows machine and it is getting & attempting to use AAAA DNS records, resulting in 30 second timeouts, that's when I disable IPv6: http://blogs.cisco.com/enterpr... [cisco.com]
> Yeah, it's the client's network that "should" be fixed, but I've given up at tilting at windmills. I'll just tell them that their IPV6 is messed up, disable IPV6 on the server with the issues getting rid of the timeouts and move on.
That's using a sledgehammer to crack a nut. You don't need to disable IPv6 to do that.
Re: (Score:2)
Given that I couldn't care less about homegroup and it's the only thing that I see that breaks when IPv6 is disabled & "netsh interface ipv6 set state disabled" takes 5 seconds, it's an itty bitty teeny tiny sledgehammer. MS can state that it's an unsupported config but why should I care (presently)? If IPv6 becomes necessary in the future for things I need, I'll change my habits but so far? Meh...
Re: (Score:2)
> Given that I couldn't care less about homegroup and it's the only thing that I see that breaks when IPV6 is disabled & "netsh interface ipv6 set state disabled" takes 5 seconds, it's an itty bitty teeny tiny sledgehammer. MS can state that it's an unsupported config but why should I care (presently)? If IPV6 becomes necessary in the future for things I need, I'll change my habits but so far? Meh...
It isn't a supported configuration. Microsoft do not test with IPv6 disabled. If you disable it you are on your own, in uncharted territory, with pretty much only blogs to guide you.
Good luck.
Re: (Score:2)
Oh gee, no IPV6, only IPV4, what _ever_ will we do? IPV4 only hosts are _such_ a mystery!!!
Re: (Score:2)
> Oh gee, no IPV6, only IPV4, what _ever_ will we do? IPV4 only hosts are _such_ a mystery!!!
In this case it is a mystery because the configuration has not been tested by the vendor. It's not that the system needs IPv6 connectivity to the Internet; that's completely different. It's that some applications expect to find a functional IPv6 stack and may react unpredictably if it isn't present. That's what testing would be for. If the applications and OS were tested in the presence of a disabled IPv6 stack you'd be dead right. But it isn't. So you don't really know how it's going to fuck up until YOU test i
Re: (Score:2)
I've never seen an app (other than homegroup) that _needs_ IPV6 so like I said earlier, not having it is no loss and can quickly clear up some problems.
Re: (Score:2)
You'd have to ask someone who pretends to understand why MS adds multiple IPV6 tunneling adapters without ever asking if they might be useful. That certainly isn't me.
Re: (Score:1)
Until you reboot. Or install virtually anything from Microsoft. (read: they won't STAY turned off.)
Re: (Score:2)
I don't know what's wrong with your installations, but around here, interfaces disabled using netsh do not get enabled through a mere reboot.
But where is the rush? (Score:2)
I wonder how much of this is from win to denying that IPv6 is coming and not doing the homework and proper security analysis?
Re: (Score:2)
Uh, heck. Typing on a phone with auto-corrupt :(
Corrected English:
I wonder how much of this is from tech teams denying that IPv6 is coming and not doing the homework and proper security analysis? For example, I have observed tech teams who didn't want anything to do with IPv6 and then ended up having systems that were kinda talking IPv6, but under the radar. No IPv6 firewalls and not even specifically deactivating IPv6 link-local on devices.
Re: (Score:2)
None of this makes sense; every indication is that NATO (North American Territorial Occupation farce), along with the CIA and NSA (to be fair the entire global spy vs spy apparatus), will hide any hacks they find so that they can use them even when organised crime already has them. Is this a subtle attack on IPV6 to keep people on IPV4 for as long as possible because they have completely hacked IPV4? Also IPV6 represents a nearly figurative infinite number of disposable IP addresses, allowing people to use e
Microsoft must stop (Score:3)
Automatic transition mechanisms are beyond useless in today's dual-stack world. They are not now, nor will they ever be, sufficiently reliable for production use and are therefore universally ignored for purposes other than owning end users. Microsoft themselves shut down their own Teredo servers for the stated reason of non-existent demand.
The only thing continuing to have teredo, isatap and 6to4 enabled by default on billions of machines does is help end users get owned.
New internet? (Score:2)
Can I put this to use to clone a mesh network for private communications?
IPv6 (Score:1)
Re: (Score:2)
One thing hardly has anything to do w/ the other - and that's w/o touching your mixed metaphors regarding the neck massager
IPv6 was designed from ground up to be a replacement for, not an enhancement to, IPv4. Bottom line was that there was no way to extend IPv4 addresses b'cos any fix would have to monkey around w/ the definition of the lengths of the source and destination address headers, and the moment one touched that, every router on the internet would have to be upgraded. Given the effort invol
Re: (Score:1)
HAH! They actively ignored much of what had been learned, and further, ignored what enterprises actually used. They put zero effort into how to get there -- backwards compatibility, migration paths, ... And they gave zero consideration to any aspect of security. IPv6 is the horribly broken, constantly changing ball of shit
Re: (Score:3)
The only reason people can "turn it off and everything runs just fine" is that you have been paying extra to your ISP to pay for the CGN boxes to keep IPv4 limping along well past the time when everyone should have been off it.
Sane ISPs know that they don't want to run CGN boxes. They are expensive and increase the amount of logging that needs to be kept for law enforcement purposes. They also break functionality on which some of the customers depend.
Sane ISPs enable IPv6 as it takes load off the CGN b