And yet on many guides to hardening Linux, one of the checklist items is to turn off IPv6! If IETF wanted to fix the address space problem, it could have been done a lot simpler than IPv6 -- perhaps what the market actually wants is IPv4.1
From the total internet IP scans I've seen recently, there is also a significant percentage of allocated IPv4 space which is dark. Out of addresses we are not.
I am not an authority on hardening Linux, but I would bet that disabling IPv6 is recommended simply because in most applications it is unnecessary extra complexity. All your careful IPv4 firewalls are meaningless if you forget to also configure ip6tables.
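A practical way to catch the "forgot ip6tables" failure the comment above describes is to diff the two rule sets. The script below is an added example, not something posted in this thread: it parses the text format written by `iptables-save` and `ip6tables-save` (the two dumps embedded here are constructed, not from a real host), strips the address arguments so that a v4 rule and its v6 twin compare equal, and reports chains whose default policy differs and v4 rules that have no v6 counterpart.

```python
"""Audit that the IPv6 filter table mirrors the IPv4 one.

Added example for this thread (not code from any commenter). It reads the
save-file format produced by `iptables-save` / `ip6tables-save`. The dumps
below are constructed sample data.
"""
import shlex

# Constructed sample: a host with a careful IPv4 policy...
V4_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# ...and the distribution-default IPv6 table nobody touched.
V6_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""

# Options whose argument is an address and therefore legitimately differs
# between the two families.
ADDR_OPTS = {"-s", "--source", "-d", "--destination"}


def parse_dump(text):
    """Return (chain policies, rule token lists) for the *filter table."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#"):
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            rules.append(shlex.split(line))
    return policies, rules


def normalize(tokens):
    """Replace address arguments with a placeholder so rules compare structurally."""
    out, skip = [], False
    for tok in tokens:
        if skip:
            skip = False
        elif tok in ADDR_OPTS:
            out.append(tok + "=<addr>")
            skip = True
        else:
            out.append(tok)
    return " ".join(out)


def audit(v4_text, v6_text):
    """List policy mismatches and IPv4 rules that have no IPv6 counterpart."""
    p4, r4 = parse_dump(v4_text)
    p6, r6 = parse_dump(v6_text)
    findings = []
    for chain, pol in p4.items():
        if p6.get(chain) != pol:
            findings.append(f"policy mismatch {chain}: v4={pol} v6={p6.get(chain)}")
    seen6 = {normalize(r) for r in r6}
    for r in r4:
        if normalize(r) not in seen6:
            findings.append("no IPv6 counterpart: " + " ".join(r))
    return findings


if __name__ == "__main__":
    for finding in audit(V4_DUMP, V6_DUMP):
        print(finding)
```

On a real host you would feed it `iptables-save` and `ip6tables-save` output instead of the embedded strings; an empty result means the two families are at least structurally in step. The normalization is deliberately coarse (it only masks `-s`/`-d` arguments), so rules that are legitimately v4-only, such as ICMP echo handling that has a different ICMPv6 equivalent, will show up and need a reviewer's eye.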
Yeah, I've never understood that. I get that ping and traceroute have their own IPv6 versions, but that's sort of understandable (maybe).
A firewall, though, is a firewall, it shouldn't matter what one of the IP protocols is. TCP and UDP don't have separate tools. The maintainers should clean it all up and put it into one iptables tool. If you want only IPv4, use a -4 flag, and ditto for IPv6 with a -6 flag. Heck, for most rules you can just imply it by the nature of the src and dst addresses.
It's because most firewall rules we deploy are for a combination of layer 3 and layer 4 addresses, not just layer 4 (port numbers).
And since layer 3 addresses are different between IP versions, we need different rules. (There may also be additional concerns if you enable V4 mapped addresses for IPv6)
It's primarily due to router discovery and automatic address assignment combining with stacks built to prefer 6 if available making it trivial to hijack/reroute/mitm your traffic. It's a significant concern on local networks that haven't intentionally deployed 6, you can see this behavior where things like laptops will inadvertently take over traffic on a network and push it through its 6 tunnel, generally evading network boundary controls.
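The takeover the comment above describes starts with a Router Advertisement from a host nobody approved as a router, so the defender's check is to watch who is sending RAs on each segment. The script below is an added example, not posted by anyone in this thread: it runs an allowlist over a constructed list of RA observations (segment, source MAC, advertised prefix, router lifetime), treats an empty allowlist as "IPv6 is not deployed here, any RA is suspect", and distinguishes RAs that offer themselves as a default router (router lifetime greater than zero) from ones that only carry prefix information.

```python
"""Flag unexpected IPv6 Router Advertisements per network segment.

Added example for this thread (not code from any commenter). The
observations and the allowlist are constructed sample data; in practice
they would come from a capture tool and from your network inventory.
"""

# Constructed RA observations: (segment, source MAC, advertised prefix,
# router lifetime in seconds). Lifetime 0 means "do not use me as a default
# router" (RFC 4861); anything above 0 can become a host's default route.
OBSERVED = [
    ("office-vlan10", "00:11:22:33:44:55", "2001:db8:10::/64", 1800),
    ("office-vlan10", "00:11:22:33:44:55", "2001:db8:10::/64", 1800),
    ("office-vlan10", "aa:bb:cc:dd:ee:ff", "2001:db8:dead::/64", 9000),
    ("office-vlan10", "aa:bb:cc:dd:ee:ff", "2001:db8:dead::/64", 9000),
    ("lab-vlan20", "de:ad:be:ef:00:01", "2001:db8:20::/64", 0),
]

# Constructed allowlist: approved router MACs per segment. An empty set
# means IPv6 was never deployed on that segment, so no RA is expected.
APPROVED = {
    "office-vlan10": {"00:11:22:33:44:55"},
    "lab-vlan20": set(),
}


def classify(segment, src_mac, lifetime, approved):
    """Return 'ok' for an approved router, otherwise a short verdict string."""
    allowed = approved.get(segment, set())
    if src_mac in allowed:
        return "ok"
    if not allowed:
        return "ra-on-ipv4-only-segment"
    # Unapproved source on a segment that does run IPv6: the dangerous case
    # is one that advertises itself as a default router.
    return "unapproved-default-router" if lifetime > 0 else "unapproved-prefix-only-ra"


def find_rogue_ras(observed, approved):
    """Aggregate one alert per (segment, source MAC) that is not an approved router."""
    alerts = {}
    for segment, mac, prefix, lifetime in observed:
        verdict = classify(segment, mac, lifetime, approved)
        if verdict == "ok":
            continue
        entry = alerts.setdefault(
            (segment, mac), {"verdict": verdict, "prefixes": set(), "count": 0}
        )
        entry["prefixes"].add(prefix)
        entry["count"] += 1
    return alerts


if __name__ == "__main__":
    for (segment, mac), info in find_rogue_ras(OBSERVED, APPROVED).items():
        print(f"{segment}: {mac} {info['verdict']} "
              f"x{info['count']} prefixes={sorted(info['prefixes'])}")
```

Detection is the second line here. Hosts that have no business accepting advertisements can be told so with the kernel knob `net.ipv6.conf.all.accept_ra=0` (and the per-interface equivalents), and managed switches commonly offer RA Guard (RFC 6105) to drop advertisements arriving on non-router ports, which stops the inadvertent laptop-as-router case before any host sees it.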
What the market wants, or what ISPs want? IPv6 works perfectly for me, the only problem is having to use a tunnel to get to it, meaning until at least one of the ISPs in my area delivers the goods, it will continue to be an extra step. IPv4.1 turns out to be NAT, which makes direct connections a privilege. Unless ISPs take initiative, IPv6 will continue to be relegated to being an overlay network on IPv4 for the foreseeable future.
For example: http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731....
http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf