

I know that people often find IPv6 confusing and that’s fine, but at the very least you need to explain that you’re specifically talking about IPv4 IP and Subnetting configuration and that is very much how things used to be done. IPv6 is finally gaining real adoption and can make a lot of things confusing.
For example, until I got a handle on IPv6, my Android phone never had proper ad-blocking from my Pi-Holes because Google would make Android auto-configure an IPv6 DNS address that would bypass my IPv4 DNS addresses. Even if I filled every IPv4 DNS slot, my phone would still automatically make a slot for the IPv6 DNS and fill it with a Google-chosen DNS. There were two ways to fix this, and I’ve done both: setting up IPv6 and filling that slot with my Pi-Hole IPv6 DNS address, and/or setting up a VPN that hands out the Pi-Holes as DNS and bypasses Google’s auto-configurations entirely. I ended up with both because I also use the VPN to keep ad-blocking functional on my phone while I’m away from home.
Especially in keeping with your “Zero trust” idea, you can’t have rogue IPv6 traffic all over your network unless you’ve managed to disable IPv6 on every network interface and the traffic is just being dumped since it’s disabled. (Also, personal opinion, subnetting on IPv6 is so much more elegant and straightforward than on IPv4.)
Finally, you mention “bytes” (it’s actually bits) and CIDR notation, but that’s probably more confusing than illuminating if someone has no idea that an IPv4 address has four sets of octets (eight bits) for a 32-bit addressing scheme. You might consider expanding on how IPv4 addresses function to make that a little clearer.















The word you’re looking for is “pillory.”
I probably have been playing too much Kingdom Come: Deliverance II.