IPv6 in Production: A Hosting Operator's Deployment Guide

27 May 2026 · Mario Marin

IPv6 isn't optional anymore. This is the practical guide to running IPv6 in production: addressing plans, dual-stack, firewalling, and the gotchas that bite people late.

IPv4 exhaustion is no longer a future problem — it's a budget problem. IPv4 transit and IP rentals get more expensive every year. IPv6 is the long-term answer, and it's been ready for production for over a decade. If you're not running it yet, this is the guide.

Why IPv6 Now

  • Cost. IPv4 addresses are a finite, traded commodity. IPv6 is effectively unlimited and free with most hosting plans.
  • Performance. Many networks have IPv6 paths that are less congested and lower latency than their IPv4 paths.
  • Simplicity at scale. No NAT, no overlapping RFC1918 networks, no contortions for multi-region deployments.
  • End-user adoption. Major mobile carriers and ISPs are 60–80%+ IPv6 in many markets. Your users are already on it.
  • Future-proofing. IPv4-only is a deprecation curve, not a steady state.

Addressing Plan: The First Real Decision

IPv6 hands you absurd amounts of address space. The temptation is to hand out /48s and /56s without thinking. The discipline is to plan it like you'd plan an IPv4 layout, only with room to grow.

Common patterns:

  • /48 per site or customer. Standard hand-out for organizations.
  • /56 per residential customer or per VPS customer. Plenty of room without burning a /48.
  • /64 per LAN or per VM. The standard subnet size for SLAAC.
  • /127 for point-to-point links. Avoids ping-pong issues some hardware has with /64 P2P.

Don't subnet smaller than /64 for end-user networks. SLAAC, which most hosts auto-configure with, requires /64.
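The patterns above carried through with Python's ipaddress module, as an added example that is not Noded's own tooling. The 2001:db8:abcd::/48 site block, the customer names and the layout (first /56 kept for the operator, its last /64 holding the /127 links) are assumptions for illustration.

```python
import ipaddress

# Constructed allocation from the documentation range 2001:db8::/32;
# substitute the /48 your provider actually routes to you.
SITE = ipaddress.IPv6Network("2001:db8:abcd::/48")

def carve(parent, new_prefix, count, skip=0):
    """Return `count` consecutive /new_prefix subnets of parent, from index `skip`."""
    if new_prefix < parent.prefixlen:
        raise ValueError(f"/{new_prefix} is larger than {parent}")
    if skip + count > (1 << (new_prefix - parent.prefixlen)):
        raise ValueError(f"cannot fit {count} x /{new_prefix} in {parent}")
    base, step = int(parent.network_address), 1 << (128 - new_prefix)
    return [ipaddress.IPv6Network((base + (skip + i) * step, new_prefix))
            for i in range(count)]

def build_plan(site, customers, lans_per_customer, links):
    """Hypothetical layout: first /56 for the operator, one /56 per customer after it."""
    infra, *customer_blocks = carve(site, 56, customers + 1)
    link_pool = carve(infra, 64, 1, skip=255)[0]   # last /64 of the infra /56
    plan = {"p2p": carve(link_pool, 127, links), "customers": {}}
    for n, block in enumerate(customer_blocks, start=1):
        plan["customers"][f"cust{n}"] = carve(block, 64, lans_per_customer)
    return plan

def slaac_violations(plan):
    """Customer-facing subnets longer than /64 cannot use SLAAC (/127 links are exempt)."""
    return [net for lans in plan["customers"].values()
            for net in lans if net.prefixlen > 64]

def overlaps(plan):
    """Any pair of assigned subnets that share addresses."""
    nets = plan["p2p"] + [n for lans in plan["customers"].values() for n in lans]
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]

if __name__ == "__main__":
    plan = build_plan(SITE, customers=2, lans_per_customer=3, links=2)
    for name, lans in plan["customers"].items():
        print(name, *lans)
    print("p2p", *plan["p2p"])
    print("SLAAC violations:", slaac_violations(plan), "overlaps:", overlaps(plan))
```
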

Dual-Stack: The Pragmatic Path

Don't go IPv6-only on day one. Run dual-stack: every server, every load balancer, every DNS record gets both an A and an AAAA. Clients pick whichever path works; happy-eyeballs algorithms handle the failover.

Practical steps:

  1. Enable IPv6 on the host (most modern OSes do this by default).
  2. Assign a static IPv6 from your provider's allocation.
  3. Add an AAAA record next to your existing A record.
  4. Test with online tools (test-ipv6.com), looking glasses, and your own monitoring.
  5. Watch logs for IPv6 traffic for a few days before declaring victory.

Firewalling IPv6

The biggest IPv6 production mistake is leaving it wide open because the team is still thinking in IPv4 firewall terms. Rules loaded with iptables do not filter IPv6 traffic; ip6tables keeps its own, separate ruleset. Your nftables rulesets need to cover both families. Your cloud security groups need IPv6 rules added.

Defaults to set:

  • Inbound: deny all, allow only what you mean to expose.
  • Outbound: usually permissive, but log and watch for anomalies.
  • ICMPv6: do not block. IPv6 depends on ICMPv6 for path MTU discovery and neighbor discovery. Allow types 1, 2, 3, 4, 128, 129, 133–137 as a minimum.
  • Bogon and Martian filtering: drop traffic from documentation prefixes (2001:db8::/32) and unallocated ranges.
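A check for the mistake described above, as an added example that is not from the original post: it reads `nft list ruleset` text and reports when no input chain covers IPv6, when the policy is not drop, or when ICMPv6 is never accepted. Both rulesets are constructed samples, and the parser handles only this simple layout.

```python
import re

# Constructed sample: IPv4 drops by default, nothing hooks input for IPv6.
V4_ONLY = """\
table ip filter {
    chain input {
        type filter hook input priority filter; policy drop;
        tcp dport 22 accept
    }
}
"""

# Constructed sample: one inet table covers both families.
DUAL = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } accept
        tcp dport { 22, 443 } accept
    }
}
"""

TABLE = re.compile(r"^table (\w+) \S+ \{")
HOOK = re.compile(r"hook input .*policy (\w+);")

def audit_ipv6_input(ruleset):
    """Return findings for the IPv6 input path (an empty list means pass)."""
    chains, family, chain = [], None, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        if (m := TABLE.match(line)):
            family = m.group(1)
        elif (m := HOOK.search(line)) and family in ("ip6", "inet"):
            chain = {"family": family, "policy": m.group(1), "icmpv6": False}
            chains.append(chain)
        elif line == "}":
            chain = None                      # end of chain (or table)
        elif chain and "icmpv6" in line and line.endswith("accept"):
            chain["icmpv6"] = True
    if not chains:
        return ["no input chain covers IPv6 (need family ip6 or inet)"]
    findings = []
    for c in chains:
        if c["policy"] != "drop":
            findings.append(f"{c['family']} input policy is {c['policy']}, not drop")
        if not c["icmpv6"]:
            findings.append(f"{c['family']} input has no ICMPv6 accept rule")
    return findings
```
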

Common Production Gotchas

  • Application doesn't bind to IPv6. Many older daemons listen on 0.0.0.0 by default. Check that your services bind to :: or both stacks.
  • Logs only record IPv4. Your access logs may be IPv4-only by default. Verify before you need to investigate an incident.
  • Monitoring blind spots. Your monitoring system probably checks IPv4 endpoints. Add IPv6 checks for the same services.
  • Reverse DNS missing. AAAA records are easy to remember; PTR records for IPv6 are easy to forget. Some services penalize you for it.
  • NAT habits. Stop. IPv6 doesn't need NAT. Routing and firewalling do the same job cleaner.
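For the first gotcha, an added example (not from the original post) that lists ports listening on a non-loopback IPv4 address with no IPv6 listener beside them. The input is constructed `ss -H -ltn` output, and treating a `*` local address as a dual-stack wildcard socket is an assumption about how recent iproute2 prints them.

```python
import ipaddress

# Constructed `ss -H -ltn` output: State Recv-Q Send-Q Local Peer
SS_SAMPLE = """\
LISTEN 0 128      0.0.0.0:22     0.0.0.0:*
LISTEN 0 128         [::]:22        [::]:*
LISTEN 0 511      0.0.0.0:8080   0.0.0.0:*
LISTEN 0 244    127.0.0.1:5432   0.0.0.0:*
LISTEN 0 511            *:443          *:*
LISTEN 0 100   192.0.2.10:25     0.0.0.0:*
"""

def v4_only_ports(ss_output):
    """Ports listening on a non-loopback IPv4 address with no IPv6 listener."""
    v4, v6 = set(), set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if host == "*":                  # assumed: dual-stack wildcard socket
            v4.add(int(port))
            v6.add(int(port))
            continue
        # Drop the brackets around IPv6 literals and any %interface scope.
        addr = ipaddress.ip_address(host.strip("[]").split("%")[0])
        if addr.is_loopback:             # local-only services are not exposed
            continue
        (v4 if addr.version == 4 else v6).add(int(port))
    return sorted(v4 - v6)

if __name__ == "__main__":
    print("IPv4-only listeners:", v4_only_ports(SS_SAMPLE))
```
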

What Your Hosting Provider Should Give You

  • A /64 minimum for VPS and dedicated servers, with ability to request a larger allocation for free or cheap.
  • RPKI-signed prefixes for the IPv6 blocks they announce.
  • Reverse DNS delegation (or self-service) for your IPv6 space.
  • BGP transit that announces both IPv4 and IPv6 to all upstreams and peers.
  • A looking glass that shows IPv6 routes, not just IPv4.

If your provider can't tick those boxes in 2026, that says something.

What Noded Does

IPv6 is first-class on every dedicated server, VPS, colocation rack, and IP transit session we sell. Customers running their own ASN can announce their IPv6 space across our transit. We sign and validate routes with RPKI on both v4 and v6.

If you're planning an IPv6 deployment or stuck halfway through one, talk to us.

FAQ

Should I drop IPv4 entirely?

Not yet. Some services and corporate networks are still IPv4-only. Run dual-stack until your traffic data tells you otherwise.

How much IPv6 space should I ask for?

For a small site, a /64 is fine. For anything multi-server or multi-region, ask for at least a /48. Providers should give it to you without drama.

Is IPv6 secure by default?

It's exactly as secure as your firewall rules. The "no NAT" reality means you have to actually firewall, not rely on NAT-as-firewall side effects.

Do I need separate DNS for IPv6?

No — same DNS. You add AAAA records alongside A records. The same nameservers serve both.

What about IPv6 DDoS?

It happens. The defenses are the same as IPv4: edge filtering, anycast scrubbing, blackhole communities. Make sure your provider's DDoS protection covers IPv6 too — not all do.
