As a developer writing a modern networked application, ignoring IPv6 is a mistake. It restores the internet’s capability of providing connections directly between all users & devices, which vastly simplifies building reliable and easy to use applications. Infuriating issues with port forwarding, NAT, and VPN address conflicts can be relegated to obscurity. Real world performance tests at Facebook show a 15% performance improvement. (Why would bigger packets with longer addresses perform better? This is unclear. One hypothesis is that NAT devices are a performance bottleneck. I suspect the decision to drop header checksums from IPv6 is more significant. Additionally, companies like Hurricane Electric have used IPv6 as an opportunity to establish themselves as equals to legacy tier 1 providers. The IPv6 Internet may have better peering and routing as a result.)
IPv6 in real world tests? Yes. Although many software engineers remain unaware, IPv6 use is already widespread. Apple devices automatically use IPv6 for many of their device-to-device connectivity features. Some mobile operators offer IPv6-only service. A little under 10% of Google users now access Google over a native IPv6 connection. Verizon Wireless recently stated that 50% of the traffic on their network is now IPv6.
Unfortunately, OS X’s IPv6 implementation leads to privacy concerns. Early IPv6 specifications indicated that devices should select their IP address based on their MAC address. MAC addresses usually represent a globally unique identifier – they are assigned by manufacturers to individual devices and they do not change. Widespread recognition of the privacy risks of this design decision led to new recommendations, such as RFC4941 (2007). Consumer devices instead randomly choose their IP suffix and change it periodically.
OS X appears to consider RFC4941, and when it initiates connections to the outside world, it uses a temporary IP address by default. But it also retains IP addresses with a MAC address based suffix. Anyone that knows or discovers your MAC address can use this fact to confirm that your device is present at a particular IP prefix. A simple ‘ping’ can confirm or deny the presence of your device. This will work on any device which has not specifically enabled “stealth mode” (which comes with a new set of problems, and would not eliminate non-ping based implementations of this attack).
How can they learn your MAC address? There are many ways. Options include wifi sniffing, or learning it from an advertising network. While many ad networks use hashing to reduce the privacy impact of collecting a MAC address, in practice a brute-force attack on a non-uniform 48-bit address space is trivial.
Ad networks are probably the best positioned to take advantage of this privacy leak (they also have the financial incentive). Existing tools will allow them to heuristically determine likely IP prefixes for users. The presence of a particular IP suffix at a particular IP prefix will allow them to keep track of when your laptop is at home and when your laptop is at work. Any sufficiently sophisticated adversary can use this strategy to track your daily movements.
Due to time limitations, I have not checked if this privacy leak affects other operating systems’ IPv6 implementations.