Malaysia already ranks among the world's top IPv6 deployers at 56–66% capability. MCMC's 100% migration mandate by 2028 would make Malaysia only the third nation globally to complete the IPv4-to-IPv6 transition. This framework synthesises global standards across 13 assessment domains — from ISP infrastructure to OT devices — providing the methodology government agencies and national infrastructure operators need to execute that transition with confidence.
The IPv6 transition rests on a well-established body of IETF standards. RFC 8200 (Internet Standard STD 86) defines the base IPv6 protocol. RFC 6540 (BCP 177) is unequivocal: new IP implementations must support IPv6, with IPv4 now optional. For enterprise planning, RFC 7381 covers inventory assessment, address planning, routing, DNS, security, and training — the definitive deployment guideline.
Transition mechanisms are governed by distinct RFCs: RFC 4213 (dual-stack), RFC 6877 (464XLAT), RFC 6146/6147 (NAT64/DNS64), RFC 7597/7599 (MAP-E/MAP-T), and RFC 6333 (DS-Lite). Beyond IETF, NIST SP 800-119 (188 pages) provides the authoritative IPv6 security deployment guide, and APNIC's deployment portal tracks per-country capability in real time — the APNIC region reached 50% aggregate IPv6 capability in April 2025, accounting for 64% of global IPv6 users.
Since July 2020, IPv6 certification has been mandatory for all direct-connect equipment under MCMC's MTSFB TC T013:2019 Technical Code. From 1 July 2025, IPv6 reporting is mandatory for all certification applications and renewals. Malaysia became the 4th country globally to surpass 50% IPv6 capability in October–December 2020, after India, Belgium, and Saudi Arabia.
A comprehensive IPv6 readiness assessment spans 13 technical and governance domains. Each carries a weighted score contributing to an organisation's overall maturity rating:
Carrier readiness begins with MP-BGP (RFC 4760) support for IPv6 unicast routing. MyIX — Malaysia's Internet Exchange — fully supports IPv6 dual-stack across approximately 119 peers, with 88% of peers supporting IPv6 including Google, Cloudflare, Microsoft, Akamai, and Meta. Infrastructure has been upgraded to Juniper QFX10008 switching with 6.3 Tbps total capacity.
Address planning should align on nibble boundaries for human-readable notation. APNIC allocates a minimum /32 to ISPs/LIRs, a minimum /48 to enterprises, and recommends /56 for residential customers (providing 256 × /64 subnets per household). Point-to-point links use /127 (RFC 6164); loopbacks use /128.
| Level | Prefix | Purpose |
|---|---|---|
| RIR → ISP | /32 | ISP allocation from APNIC |
| ISP → Enterprise customer | /48 | Standard business assignment |
| ISP → Residential customer | /56 | 256 × /64 subnets per CPE |
| ISP → Infrastructure | /40 | Backbone, loopbacks, PtP links |
| Customer → LAN subnet | /64 | Required for SLAAC operation |
| Point-to-point links | /127 | RFC 6164 — prevents ping-pong attack |
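The hierarchy in the table can be carved mechanically, which also makes the nibble-boundary rule checkable. This is an added example, not part of the original framework; the documentation prefix 2001:db8::/32 and the child indexes are assumptions chosen for illustration.

```python
import ipaddress

# Constructed input: 2001:db8::/32 (documentation space) stands in for an
# ISP's /32 allocation; the child indexes below are illustrative assumptions.
ISP_BLOCK = ipaddress.ip_network("2001:db8::/32")


def nibble_aligned(net):
    """True when the prefix length ends on a 4-bit (one hex digit) boundary."""
    return net.prefixlen % 4 == 0


def carve(parent, new_prefix, index):
    """Return child number `index` of length /new_prefix inside `parent`."""
    if new_prefix < parent.prefixlen:
        raise ValueError("child prefix must not be shorter than the parent")
    count = 1 << (new_prefix - parent.prefixlen)
    if not 0 <= index < count:
        raise ValueError(f"index {index} outside 0..{count - 1}")
    base = int(parent.network_address) + (index << (128 - new_prefix))
    return ipaddress.IPv6Network((base, new_prefix))


def build_plan():
    """Carve one prefix per hierarchy level from the table above."""
    infra = carve(ISP_BLOCK, 40, 0)
    plan = {
        "infrastructure": infra,
        "enterprise": carve(ISP_BLOCK, 48, 0x0100),
        "residential": carve(ISP_BLOCK, 56, 0x020000),
        "loopback": carve(infra, 128, 1),
        # Reserve a whole /64 per link, then configure only its first /127.
        "ptp_link": carve(carve(infra, 64, 0xFF), 127, 0),
    }
    plan["lan"] = carve(plan["residential"], 64, 0x0A)
    return plan


def overlapping(plan, names=("infrastructure", "enterprise", "residential")):
    """List pairs of top-level assignments that collide."""
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if plan[a].overlaps(plan[b])]


if __name__ == "__main__":
    for name, net in build_plan().items():
        tag = "" if nibble_aligned(net) else "  (off-nibble by design)"
        print(f"{name:15} {net}{tag}")
```

Only the /127 point-to-point prefix falls off a nibble boundary, which is the RFC 6164 exception the table already calls out.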
A critical note on address configuration: Android and ChromeOS do not support DHCPv6. SLAAC (RFC 4862) is therefore essential for any network serving mobile devices. The recommended hybrid approach uses SLAAC for address assignment with stateless DHCPv6 delivering DNS options, and DHCPv6-PD (RFC 3633) delegating prefixes to customer CPE routers.
Dual-ISP multihoming is the most operationally complex aspect of government IPv6 deployment and the area most likely to cause silent traffic loss if mishandled.
Provider Independent (PI) space from APNIC is the strongly recommended approach. With a /48 PI allocation and their own ASN, organisations advertise a single prefix to both ISPs via eBGP — eliminating renumbering risk, simplifying traffic engineering, and providing stable addressing for DNS and security policies.
When PI space is not feasible and organisations receive PA prefixes from each ISP, RFC 8475 Conditional Router Advertisements provide mitigation: when an ISP uplink fails, deprecating its prefix via Router Advertisements (setting Preferred Lifetime to 0) causes hosts to prefer the surviving ISP's addresses. Without this, BCP 38/uRPF will silently drop packets where the source address belongs to one ISP but the packet routes via the other.
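The silent-drop failure and the conditional-RA mitigation described above can be reproduced with a small model. This is an added example, not part of the original framework; the two PA prefixes, the lifetime value and the "first uplink that is up" forwarding rule are simplifying assumptions.

```python
import ipaddress

# Constructed PA prefixes (documentation space) from two hypothetical ISPs.
PA = {
    "isp_a": ipaddress.ip_network("2001:db8:a::/48"),
    "isp_b": ipaddress.ip_network("2001:db8:b::/48"),
}
PREFERRED = 14400  # illustrative non-zero Preferred Lifetime, in seconds


def router_advert(uplink_up, conditional):
    """Preferred Lifetime the site router advertises for each PA prefix.
    With conditional RAs, a prefix whose uplink is down is sent with 0."""
    return {isp: (0 if conditional and not uplink_up[isp] else PREFERRED)
            for isp in PA}


def host_source(ra, interface_id=0x10):
    """Host-side choice: avoid deprecated addresses (RFC 6724 rule 3),
    otherwise keep the first configured prefix."""
    usable = [isp for isp in PA if ra[isp] > 0] or list(PA)
    return PA[usable[0]].network_address + interface_id


def egress(uplink_up):
    """The site router forwards through the first uplink that is up."""
    return next((isp for isp in PA if uplink_up[isp]), None)


def isp_accepts(isp, src):
    """BCP 38 / uRPF at the ISP edge: source must be inside its own prefix."""
    return src in PA[isp]


def delivered(uplink_up, conditional):
    """True when the packet leaves via an ISP that accepts its source."""
    src = host_source(router_advert(uplink_up, conditional))
    out = egress(uplink_up)
    return out is not None and isp_accepts(out, src)


if __name__ == "__main__":
    failed_a = {"isp_a": False, "isp_b": True}
    print("plain RAs      :", delivered(failed_a, conditional=False))
    print("conditional RAs:", delivered(failed_a, conditional=True))
```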
All government agencies with dual-ISP requirements should obtain PI address space from APNIC (approximately AUD $1,180/year for membership). This single decision eliminates the source address selection, asymmetric routing, and uRPF complexity that undermine dual-PA deployments — and removes renumbering risk if an ISP is ever changed.
IPv6 introduces an expanded threat surface that many organisations are underprepared for. SOC teams must handle 128-bit addresses in multiple valid representations — a host may simultaneously hold link-local, GUA, ULA, and temporary privacy addresses (RFC 8981), making activity correlation a fundamental challenge. Only 61% of organisations with IPv6 deployed can actively monitor their IPv6 traffic (Arbor Networks).
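For the correlation problem described above, the first step in a SOC pipeline is to reduce every logged form to one canonical key and to group addresses by /64. This is an added example, not part of the original framework; the log lines and sensor names are constructed.

```python
import ipaddress
from collections import defaultdict

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")
GUA = ipaddress.ip_network("2000::/3")

# Constructed sightings: (sensor, source address exactly as that sensor logged it).
LOG = [
    ("fw",    "2001:0DB8:0000:0010:0000:0000:0000:00A1"),
    ("proxy", "2001:db8:0:10::a1"),
    ("dns",   "[2001:db8:0:10:0:0:0:a1]"),
    ("proxy", "2001:db8:0:10:5c3a:91ff:2b7e:44d0"),  # temporary address, same /64
    ("fw",    "fd12:3456:789a:10::a1"),
    ("edr",   "fe80::1c2d:3eff:fe4f:5a6b%eth0"),
]


def parse(text):
    """Parse one logged form, dropping URL brackets and any %zone suffix."""
    return ipaddress.IPv6Address(text.strip("[]").split("%")[0])


def scope(addr):
    """Classify an address into the types named in the paragraph above."""
    for name, net in (("link-local", LINK_LOCAL), ("ula", ULA), ("gua", GUA)):
        if addr in net:
            return name
    return "other"


def correlate(log):
    """Group sightings by /64, then by canonical (RFC 5952) address text.
    Link-local sightings all share fe80::/64, so they need the zone or a
    MAC/neighbour-table join before they can be tied to one host."""
    by_subnet = defaultdict(lambda: defaultdict(set))
    for sensor, text in log:
        addr = parse(text)
        subnet = ipaddress.IPv6Network((int(addr) >> 64 << 64, 64))
        by_subnet[str(subnet)][str(addr)].add(sensor)
    return by_subnet


if __name__ == "__main__":
    for subnet, hosts in correlate(LOG).items():
        for addr, sensors in hosts.items():
            print(subnet, addr, scope(parse(addr)), sorted(sensors))
```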
The most dangerous IPv6-specific threats are: Rogue Router Advertisement attacks (attackers claim to be the default gateway and inject malicious DNS via RDNSS), NDP spoofing (the IPv6 equivalent of ARP poisoning), and extension header abuse — chains that push transport headers beyond firewall inspection depth. A 2024 Nature study identified 70 types of extension header threats.
CVE-2024-38063 (CVSS 9.8) is a zero-click remote kernel code execution vulnerability in Windows, exploitable via specially crafted IPv6 packets. It affects all Windows versions with IPv6 enabled (the default). The underlying flaw is an integer underflow in Ipv6pProcessOptions(), which is reached before the Windows Firewall processes the packet. Patching and network-level ICMPv6 filtering per RFC 4890 are both required controls.
Firewall configuration must follow RFC 4890's ICMPv6 filtering guidelines. Unlike ICMP in IPv4, ICMPv6 cannot be broadly blocked; the following types must be permitted: Destination Unreachable (Type 1), Packet Too Big (Type 2, essential for PMTUD), Time Exceeded (Type 3), Parameter Problem (Type 4), Echo Request/Reply (Types 128/129), and all NDP messages (Types 133–136). All legacy tunnelling mechanisms (6to4, Teredo, ISATAP) must be blocked at the firewall (IP protocol 41, UDP ports 3544 and 3653).
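The two requirements above can be turned into an audit that runs against an exported rule set. This is an added example, not part of the original framework; the (match, action) rule format and both sample policies are hypothetical, and it checks only the types and ports listed in the paragraph, not the full RFC 4890 recommendations.

```python
# ICMPv6 types the paragraph above says must be permitted.
REQUIRED_ICMPV6 = {
    1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
    4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
    133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
}
# Legacy tunnel traffic the paragraph says must be blocked.
TUNNEL_PROBES = [{"proto": 41}, {"proto": "udp", "dport": 3544},
                 {"proto": "udp", "dport": 3653}]

# Constructed policies in a hypothetical (match, action) first-match format.
WEAK = [
    ({"proto": "icmpv6", "type": 128}, "accept"),
    ({"proto": "icmpv6", "type": 129}, "accept"),
    ({"proto": "icmpv6"}, "drop"),          # IPv4 habit: drop the rest of ICMP
    ({"proto": "udp"}, "accept"),
]
FIXED = ([(probe, "drop") for probe in TUNNEL_PROBES]
         + [({"proto": "icmpv6", "type": t}, "accept") for t in REQUIRED_ICMPV6]
         + [({"proto": "icmpv6"}, "drop"), ({"proto": "udp"}, "accept")])


def verdict(rules, pkt, default="drop"):
    """First matching rule wins; a rule matches when all its fields agree."""
    for match, action in rules:
        if all(pkt.get(field) == value for field, value in match.items()):
            return action
    return default


def audit(rules):
    """Return findings where the policy departs from the two requirements."""
    findings = []
    for icmp_type, name in REQUIRED_ICMPV6.items():
        if verdict(rules, {"proto": "icmpv6", "type": icmp_type}) != "accept":
            findings.append(f"ICMPv6 type {icmp_type} ({name}) is blocked")
    for probe in TUNNEL_PROBES:
        if verdict(rules, probe) != "drop":
            findings.append(f"legacy tunnel traffic allowed: {probe}")
    return findings


if __name__ == "__main__":
    for line in audit(WEAK):
        print(line)
```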
RFC 9313 (October 2022) provides the authoritative comparison framework for IPv6 transition technologies. The tipping point for moving to an IPv6-only underlay with IPv4-as-a-Service is when IPv6 traffic reaches 50–60% of total traffic — a threshold Malaysia has already crossed.
| Mechanism | RFC | State in Core | IPv4 Sharing | Best For |
|---|---|---|---|---|
| Dual-Stack | 4213 | None | No (1:1) | Backbone, data centre |
| 464XLAT | 6877 | Stateful (PLAT) | Yes (CGN) | Mobile, IPv6-only access |
| NAT64/DNS64 | 6146/6147 | Stateful | Yes | IPv6-only clients → IPv4 services |
| MAP-T | 7599 | Stateless (BR) | Yes (port-range) | Massive ISP subscriber base |
| MAP-E | 7597 | Stateless (BR) | Yes (port-range) | Cable operators |
| DS-Lite | 6333 | Stateful (AFTR) | Yes (CGN) | IPv6-only ISP backbone |
| 6rd | 5969 | Stateless | No | Legacy IPv4 ISP adding IPv6 |
Recommended for Malaysia: Dual-stack for backbone and data centre. 464XLAT for mobile and IPv6-only access networks (deployed by T-Mobile, Orange, Telstra). NAT64/DNS64 for legacy IPv4 services. Avoid deprecated mechanisms: 6to4, Teredo, ISATAP, NAT-PT.
This maturity model synthesises frameworks from the IPv6 Forum, IETF, NIST USGv6, Singapore's IMDA RS IPv6 Profile, and the IETF IPv6 Monitoring Architecture. Each level has defined criteria across all 13 assessment domains:
| Level | Name | Key Indicators |
|---|---|---|
| Level 0 | No Awareness | No IPv6 policy, no address space, no trained staff, IPv4-only infrastructure |
| Level 1 | Planning | Executive awareness established, roadmap drafted, IPv6 space obtained from APNIC, included in procurement |
| Level 2 | Lab Testing | ≥50% engineers trained, test environment operational, addressing plan developed, security policy updated for ICMPv6 |
| Level 3 | Dual-Stack In Progress | Core network dual-stacked, external services IPv6-enabled, ≥25% segments operational, ISP connections IPv6-enabled |
| Level 4 | Full Dual-Stack | ≥80% infrastructure dual-stacked, all public services IPv6-accessible, IPv6 traffic >30%, integrated into change management |
| Level 5 | IPv6-Only Capable | IPv6-only segments operational, NAT64/DNS64 for legacy, ≥80% assets IPv6-only, IPv4 sunset timeline established |
Each of the 8 weighted domains scores 0–100, aggregated to produce an overall maturity score. Compliance (pass/fail against MCMC MTSFB TC T013:2019) should be tracked separately from maturity — compliance governs procurement and audit, while maturity guides strategic planning and benchmarking.
Launching in September 2016 as a greenfield 4G VoLTE network, Jio mandated IPv6-only for 90% of subscribers from day one. By end of 2017, 200 million users were on IPv6-only mobile. Google, Akamai, and Facebook delivered 80% of Jio traffic exclusively over IPv6. India now sits at 61–82% IPv6. Malaysia's 5G rollout presents an identical greenfield opportunity — the largest single acceleration mechanism available.
Japan's success hinges on IPoE architecture replacing congested PPPoE — consumers experienced measurably faster speeds on IPv6, creating market demand. The v6plus (MAP-E) and transix (DS-Lite) services deliver IPv4 compatibility over IPv6-only backbones. Approximately 75% of Japanese FTTH connections are now IPv6-enabled. The government facilitated rather than mandated.
Belgium maintained top-3 global IPv6 status through IPv6 Council meetings where the three major ISPs (Telenet, VOO, Proximus) shared roadmaps and created competitive emulation. Current adoption: 58–66%. Establishing a Malaysian National IPv6 Council with MCMC, MAMPU, Maxis, TM, and CelcomDigi would replicate this proven model.
OMB M-21-07 (November 2020) set a landmark target: 80% of IP-enabled federal assets on IPv6-only by end of FY2025. As of October 2025, no federal agency publicly announced achieving this target, despite two decades of IPv6 policy. US overall adoption (46–50%) is driven entirely by commercial carriers. For Malaysia: policy mandates require embedded milestones in performance plans, dedicated project teams at each agency, and public progress dashboards.
Despite IMDA publishing comprehensive IPv6 guides since 2011, Singapore's adoption remains a paradoxical 10–20%. ISPs were cautious; market forces alone proved insufficient. Government systems must lead by example. Pairing IPv6 with infrastructure upgrades — 5G, fibre — creates the natural transition points that drive adoption.
Three decisions will determine whether Malaysia achieves its 2028 100% migration target or repeats the US experience of policy without execution:
1. PI address space as standard for all government agencies. Every ministry and statutory body with dual-ISP WAN connections should obtain Provider Independent /48 space from APNIC. This single architectural decision eliminates source address selection failures, asymmetric routing problems, and renumbering risk — and costs approximately AUD $1,180/year in APNIC membership, far less than the engineering hours spent troubleshooting dual-PA deployments.
2. IPv6-only mandated for all 5G and U Mobile network deployments. Following India's Jio playbook, Malaysia's second 5G network (U Mobile, live early 2026) and DNB's ongoing 5G Advanced rollout represent a once-in-a-generation greenfield opportunity. Mandating IPv6-only with 464XLAT for IPv4 backward compatibility on all new 5G subscriber sessions would add tens of millions of IPv6-capable users in months, not years.
3. A National IPv6 Council modelled on Belgium's approach. Regular structured meetings between MCMC, MAMPU (Jabatan Digital Negara/JDN), Maxis, TM, CelcomDigi, and U Mobile — with published progress benchmarks — would create the competitive emulation and shared knowledge that transformed Belgium from a mid-tier market to a global IPv6 leader. Malaysia has the regulatory will. What remains is disciplined, public, accountable execution.
My6 Initiative Berhad delivers IPv6 readiness assessments across all 13 domains for Malaysian government agencies and enterprises, including the INFUSE training programme and hands-on audit engagements. Our assessors are APNIC-certified and have conducted assessments across MAMPU-managed networks, federal ministries, and national infrastructure operators. Contact us to commission a formal IPv6 Readiness Assessment and receive your organisation's maturity score against the framework described in this article.