IPv6 Transition Guide: What Australian Businesses Need to Know

The Internet Assigned Numbers Authority (IANA) allocated its last blocks of IPv4 addresses in 2011. APNIC, the Regional Internet Registry for the Asia-Pacific, reached its final /8 allocation pool shortly after and has since operated under an austere rationing policy — new members receive a maximum of a /22 (1,024 addresses), regardless of how large their network is. This means that Australian businesses starting new services, expanding data centres, or spinning up cloud environments face a stark reality: new IPv4 space is scarce, expensive (addresses now trade on secondary markets at USD $30-50+ per address), and increasingly fragmented.

The exhaustion is not theoretical — it has practical consequences today. ISPs increasingly rely on Carrier-Grade NAT (CGNAT) to share a single public IPv4 address among multiple subscribers, which can break peer-to-peer applications, VPN connections, and inbound services. Cloud providers like AWS charge for public IPv4 addresses (AWS introduced a USD $0.005/hour charge per public IPv4 in 2024), incentivising IPv6 adoption. The message is clear: IPv4 is a legacy protocol running on borrowed time, and IPv6 is the path forward.

IPv6 uses 128-bit addresses, compared to IPv4's 32 bits. This expands the address space from roughly 4.3 billion addresses to 340 undecillion (3.4 x 10^38) — enough to assign a unique address to every atom on the surface of the Earth and still have addresses to spare. IPv6 addresses are written in hexadecimal, separated by colons: for example, 2001:0db8:0000:0042:0000:0000:0000:0001, which can be abbreviated to 2001:db8::42:0:0:0:1 or 2001:db8:0:42::1. Learning to read and write these addresses fluently takes practice, but the logic is straightforward once you understand the abbreviation rules.

Beyond the larger address space, IPv6 introduces several architectural improvements. Stateless Address Autoconfiguration (SLAAC) allows hosts to generate their own addresses from the network prefix advertised by the router, without needing a DHCP server (though DHCPv6 exists for scenarios requiring more control). IPv6 eliminates broadcast traffic entirely, using multicast instead. The header format is simplified and fixed-length, improving router processing efficiency. And critically, NAT is no longer necessary — every device can have a globally unique address, restoring the end-to-end connectivity model that the internet was originally designed around.

Dual-stack is the most common and recommended approach to IPv6 transition. In a dual-stack deployment, every device and interface runs both IPv4 and IPv6 simultaneously. Hosts have both an IPv4 address and one or more IPv6 addresses. When connecting to a destination that supports IPv6, the client uses IPv6; when connecting to an IPv4-only destination, it falls back to IPv4. The operating system's Happy Eyeballs algorithm (RFC 8305) manages this selection automatically, preferring IPv6 but falling back to IPv4 quickly if the IPv6 path is slow or unavailable.

Dual-stack avoids the complexities of translation mechanisms and allows a gradual migration. You enable IPv6 on your infrastructure — routers, switches, firewalls, DNS, DHCP, and monitoring — while keeping IPv4 running unchanged. Over time, as more services and destinations become IPv6-reachable, the proportion of IPv6 traffic naturally increases. Eventually, when IPv4 dependencies are eliminated, IPv4 can be decommissioned. Most major operating systems, network vendors, and cloud platforms fully support dual-stack today, making it a low-risk starting point.

IPv6 address planning is fundamentally different from IPv4. With IPv6, you have so much address space that conservation is no longer a concern — instead, the goal is to create a structured, hierarchical addressing scheme that simplifies routing, security policy, and operational management. A typical enterprise receives a /48 prefix from their ISP or a /32 from APNIC if they are a Local Internet Registry. A /48 gives you 65,536 /64 subnets — each /64 subnet supports 2^64 host addresses, which is more than you will ever need on a single LAN segment.

Best practice is to allocate the 16 bits between your /48 and the /64 subnet boundary as a structured hierarchy. For example, the first 4 bits could represent the site (allowing up to 16 sites), the next 4 bits could represent the building or floor, and the final 8 bits could represent the VLAN or function. This gives you an addressing plan like 2001:db8:acme:SBFF::/64 where S=site, B=building, FF=function. The beauty of this approach is that you can summarise routes at each level of the hierarchy, keeping routing tables compact, and you can write firewall rules based on prefix patterns rather than individual addresses.

While dual-stack is the preferred approach, some scenarios require IPv6-only networks that must still reach IPv4-only destinations. This is where NAT64 and DNS64 come in. DNS64 is a modified DNS resolver that, when a query returns only an IPv4 A record (no IPv6 AAAA record), synthesises a fake AAAA record by embedding the IPv4 address within a designated IPv6 prefix (typically 64:ff9b::/96). The IPv6-only client then sends its traffic to this synthesised IPv6 address. NAT64 is a gateway that receives this traffic, translates the IPv6 packets to IPv4, and forwards them to the actual IPv4 destination.

NAT64/DNS64 is used extensively by mobile carriers — both Telstra and Optus run IPv6-only mobile networks with NAT64 gateways for IPv4 connectivity. In enterprise environments, NAT64 can reduce the need for dual-stack on client segments, simplifying DHCP and IP management. However, applications that embed IPv4 addresses in their payload (known as IPv4 literals) may not work through NAT64 without application-level gateways. For most web, email, and cloud applications, NAT64/DNS64 works transparently, but legacy line-of-business applications may need testing.

The state of IPv6 support among Australian ISPs varies significantly. Telstra has been a leader in IPv6 deployment, enabling it across their mobile and fixed broadband networks. Optus runs IPv6 on their mobile network and has been progressively enabling it on fixed services. TPG/iiNet and Aussie Broadband offer IPv6 on NBN services. On the business and enterprise side, most managed network providers can deliver IPv6 connectivity on fibre Ethernet and MPLS services when requested, though it may not be enabled by default.

For IT resellers, the key action item is to verify IPv6 support with each client's ISP as part of any network design or refresh project. Request a dual-stack configuration on all new WAN circuits. If the ISP cannot provide native IPv6, consider a tunnel broker such as Hurricane Electric (free tunnel broker service) as an interim measure, or factor IPv6 capability into the ISP selection criteria for the next contract renewal. The goal is to ensure that every network you deploy is IPv6-ready, even if IPv6 traffic is minimal today.

IPv6 introduces security considerations that are often overlooked. First, many firewalls and security appliances are configured with robust IPv4 rules but have default-allow or no IPv6 policies. If IPv6 is enabled on hosts (which it is by default on Windows, macOS, and Linux), traffic may flow over IPv6 without being inspected. Every firewall rule that exists for IPv4 must have an equivalent IPv6 rule. Second, IPv6's reliance on ICMPv6 for critical functions (neighbour discovery, SLAAC, path MTU discovery) means you cannot blanket-block ICMPv6 the way some administrators block ICMP in IPv4 — doing so will break IPv6 connectivity entirely.

Rogue Router Advertisement (RA) attacks are an IPv6-specific threat. An attacker on the local network can send malicious RAs that cause hosts to configure incorrect addresses or default gateways, redirecting traffic through the attacker's machine (a man-in-the-middle attack). The defence is RA Guard, a switch feature that blocks router advertisements from non-authorised ports. Enable RA Guard on all access ports and only permit RAs on the uplink port connected to your legitimate router. Additionally, DHCPv6 Guard and IPv6 First Hop Security features on enterprise switches provide analogous protections to the IPv4 DHCP snooping and Dynamic ARP Inspection features you may already use.

The short answer is now. Even if your clients have no immediate need for IPv6, every new network deployment should be IPv6-ready. This means selecting firewalls, switches, and routers that fully support IPv6 (not just in the datasheet — verify feature parity with IPv4 in practice). It means training your team on IPv6 addressing, subnetting, and troubleshooting. It means ensuring that DNS, DHCP, monitoring, and logging infrastructure can handle IPv6. And it means writing firewall policies for both address families from day one, so that enabling IPv6 later does not create a security gap.

A phased approach works well for most organisations. Phase 1: audit your current infrastructure for IPv6 readiness — check firmware support, firewall rules, application compatibility, and ISP availability. Phase 2: enable dual-stack on your WAN edge and internet-facing services (web servers, email, DNS). Phase 3: extend dual-stack to the internal LAN, starting with IT staff and server segments. Phase 4: roll out to all user segments and begin monitoring IPv6 traffic volumes. This incremental approach limits risk while building operational experience.