IPv6 for Web Developers
debt(d7/e5/b5/t7)
Closest to 'only careful code review or runtime testing' (d7). The detection_hints list dig, test-ipv6.com, and ping6 — all manual, specialist tools with no automated detection flag. Missing AAAA records, IPv4-only Nginx configs, or hardcoded AF_INET assumptions won't surface until manually tested or until IPv6-only clients start failing in production. No standard linter or compiler catches this.
Closest to 'touches multiple files / significant refactor in one component' (e5). The quick_fix mentions adding AAAA DNS records and updating Nginx listen directives, but common_mistakes show the issue is cross-cutting: hardcoded AF_INET assumptions in code, URL construction (bracketing), firewall rules, and testing infrastructure all need attention. This spans infrastructure config, application code, and DNS — more than a single-line patch but not a full architectural rewrite.
Closest to 'persistent productivity tax' (b5). The choice applies to both web and CLI contexts. Every new service, DNS entry, firewall rule, and URL construction must account for IPv6 going forward. It's not architectural-rework level, but dual-stack awareness imposes an ongoing tax on infrastructure decisions, security reviews, and network configuration across many work streams.
Closest to 'serious trap (contradicts how a similar concept works elsewhere)' (t7). The misconception field directly states that developers believe IPv6 is optional — but it's increasingly the default and cost-required on AWS. Additionally, the URL bracketing requirement (http://[::1]:8080 vs http://::1:8080) and firewall bypass via IPv6 are non-obvious gotchas that contradict IPv4 mental models. A competent developer with IPv4 experience will guess wrong on multiple fronts.
Also Known As
TL;DR
Explanation
IPv4 has about 4 billion addresses, and that pool is exhausted. IPv6 provides 340 undecillion addresses. Format: eight groups of four hex digits, where a run of all-zero groups can be shortened to :: (2001:0db8:85a3::8a2e:0370:7334). Key differences for web devs: IPv6 addresses in URLs need brackets (http://[::1]:8080), socket code needs AF_INET6, and nginx and PHP need explicit IPv6 configuration. Dual-stack deployments support both. The end of IPv4-only hosting is approaching: major cloud providers require explicit IPv4, which costs extra; IPv6 is free.
Diagram
flowchart TD
subgraph IPv4 - Exhausted
IP4[32-bit address<br/>4.3 billion total<br/>0.0.0.0 to 255.255.255.255]
NAT[NAT required<br/>multiple devices<br/>share one public IP]
end
subgraph IPv6 - Abundant
IP6[128-bit address<br/>340 undecillion total<br/>2001:db8::1]
NONAT[No NAT needed<br/>every device gets<br/>a public IP]
end
PHP[PHP server<br/>listen on both] --> DUAL["Dual-stack<br/>nginx listen 80<br/>nginx listen [::]:80"]
style IP4 fill:#f85149,color:#fff
style IP6 fill:#238636,color:#fff
style DUAL fill:#1f6feb,color:#fff
Common Misconception
Why It Matters
Common Mistakes
- Hardcoding IPv4 assumptions — code that uses AF_INET exclusively breaks on IPv6-only hosts.
- Not bracketing IPv6 addresses in URLs — http://::1:8080 is invalid; must be http://[::1]:8080.
- Firewall rules that only block IPv4 — attackers on IPv6 bypass IPv4-only rules.
- Not testing dual-stack deployments — IPv4 and IPv6 code paths can behave differently.
Code Examples
// Before: IPv4-only socket, breaks on IPv6-only infrastructure:
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_bind($socket, '0.0.0.0', 8080); // IPv4 only

// Before: IPv6 address in URL without brackets, invalid:
$url = 'http://' . $ipv6Addr . ':8080/api'; // Broken

// After: dual-stack, bind to all interfaces including IPv6:
$socket = socket_create(AF_INET6, SOCK_STREAM, SOL_TCP);
// IPV6_V6ONLY = 0 lets the IPv6 socket also accept IPv4 clients; set it before bind
socket_set_option($socket, IPPROTO_IPV6, IPV6_V6ONLY, 0); // Dual-stack
socket_bind($socket, '::', 8080);

// After: IPv6 in URL needs brackets:
$url = 'http://[' . $ipv6Addr . ']:8080/api'; // Correct
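
The bracketing rule above, generalized into a host-aware URL builder that also rejects input that is not a host at all. This is an added example, not code from the original page; `buildUrl()` is a hypothetical helper, the sample hosts are constructed, and the scheme is assumed to be a trusted constant supplied by the caller.

```php
<?php
declare(strict_types=1);

// buildUrl() is a hypothetical helper for illustration, not a PHP built-in.
function buildUrl(string $scheme, string $host, int $port, string $path = ''): string
{
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException("Port out of range: $port");
    }

    // Input that already carries brackets must contain an IPv6 literal.
    $bracketed = strlen($host) > 2 && $host[0] === '[' && substr($host, -1) === ']';
    if ($bracketed) {
        $host = substr($host, 1, -1);
    }

    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        // IPv6 literal: the brackets separate the address from the port.
        $host = '[' . $host . ']';
    } elseif ($bracketed
        || (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false
            && filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false)) {
        // Anything else (stray ":", "/", "@", spaces) is rejected instead of
        // being concatenated into the URL.
        throw new InvalidArgumentException("Not a valid host: $host");
    }

    return sprintf('%s://%s:%d/%s', $scheme, $host, $port, ltrim($path, '/'));
}

// Constructed sample hosts (documentation ranges and loopback).
// '::1:8080' is itself a valid IPv6 address, which is why an unbracketed
// address followed by ":port" cannot be parsed unambiguously.
$samples = ['2001:db8::1', '[::1]', '192.0.2.10', 'example.com', '::1:8080', 'bad host/'];

foreach ($samples as $host) {
    try {
        echo str_pad($host, 14), ' => ', buildUrl('http', $host, 8080, '/api'), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo str_pad($host, 14), ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```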