

2·
1 month agoGood post. And i would like to add for anyone to be able to use hypervisor escape, you also need a vulnerability in the software presented to the internet. And even then, the chance that anyone would waste a zero day on a homelab is pretty slim…
You’re right that IPv6 doesn’t need NAT for its original purpose (address scarcity). But “there is no NAT in IPv6” isn’t quite accurate: NAT still exists in IPv6
NAT66 (stateful, like NAT44) exists but is discouraged. More relevant is NPTv6, a standardized stateless 1:1 prefix translation, not the many-to-one port-overloaded NAT you’re used to from IPv4. It doesn’t do address+port multiplexing, so it doesn’t break peer-to-peer the way NAT44 does. So the “NAT is the enemy of p2p” argument applies to stateful NAT44-style translation — not really to NPTv6, which preserves end-to-end host addressability and just swaps the prefix.
You can absolutely build a fully functional internal network on ULA (fd00::/8) alone — routing, DNS, services, all independent of any ISP-delegated prefix. But ULA is explicitly non-routable on the public internet, so a pure ULA network is isolated: internal-only, no internet reachability.