> Based on your description, you're using NAT as a means to bypass network restrictions.

The threat model on this big enterprise WAN isn't "an authorized user creates a VM on an existing machine", but rather "some rando plugs something in with an Ethernet cable and goes to town on the intranet services". It has a whole web portal where you can log in and register your devices. So it's not like anything's really being bypassed here.

Anyway, I still prefer NAT for VMs over most passthrough schemes, which I've found unreliable even on IPv4 networks. What the outside network doesn't know about can't hurt it.
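For readers unfamiliar with what "NAT for VMs" versus "passthrough" means in practice, here is an added illustration (not from the commenter above) using libvirt network definitions. In NAT mode the VM sits on a private bridge and its outbound traffic leaves the host with the host's own MAC and IP, so a port-registration or MAC-filtering scheme on the LAN sees exactly one registered device; in bridge mode the VM's own MAC and a new IP appear directly on the LAN and have to be registered or filtered on their own. The bridge name `br0` and the address ranges are assumptions chosen for the example.

```xml
<!-- Added example: NAT-mode libvirt network. The VM gets a private
     address on virbr0; the host masquerades it, so the upstream LAN
     only ever sees the host's MAC/IP. -->
<network>
  <name>vm-nat</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

<!-- Added example: bridge ("passthrough") libvirt network. The VM's
     own MAC is put on the LAN via br0 (an existing host bridge, assumed
     here), so it must be registered/allowed like any other device. -->
<network>
  <name>vm-bridged</name>
  <forward mode='bridge'/>
  <bridge name='br0'/>
</network>
```

Define either with `virsh net-define <file>` and attach a VM's interface to it with `<interface type='network'><source network='vm-nat'/></interface>` in the domain XML. From the LAN side, the difference is simply how many MAC/IP pairs appear on the port, which is what the thread's MAC-registration discussion hinges on.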



> The threat model on this big enterprise WAN isn't "an authorized user creates a VM on an existing machine", but rather "some rando plugs something in with an Ethernet cable and goes to town on the intranet services". It has a whole web portal where you can log in and register your devices. So it's not like anything's really being bypassed here.

Isn't that what the MAC filtering is for? I don't see the point of stopping a single registered MAC on a single port from having multiple IPs.


I might be misremembering some of the details (in fact, given that the web portal works, I think it might allow new devices to have local IPs, but bounce all outbound packets until they're registered), but however it works exactly, it does not like passthrough networking on VMs in practice.

(If I had to guess, just letting any machine have a million new IPs for the firewall to track has its own issues, so you'd end up with policies upon policies.)

In any case, sometimes middleboxes just don't behave precisely how we want them to, and that's why I'm skeptical of the typical IPv6 position of "a flat /64 network (or something emulating one) is all you'll ever need".


The firewall shouldn't have to track IPs, just the connections it would be tracking no matter what.

And sure, a million IPs could cause problems, but that's not a good reason to set the limit to 1.

> I'm skeptical of the typical IPv6 position of "a flat /64 network (or something emulating one) is all you'll ever need".

That's not the position. You can have as many networks as you want. Connect them with routers like you would on IPv4.


If IT doesn't want random things plugging into the network, that's what 802.1X is for.