Comment Re:Yay (Score 1) 247
How is that different from your NAT today? If you want to accept incoming connections, you must tell your NAT box a port to DNAT map from your external thing to something internal, defined by, surprise surprise, a static entry.
The differences are:
1) A single static IP address in IPv4 can be either a single device or a NAT gateway. In IPv6 it is guaranteed to be a single device.
2) The perception that, since a static IPv6 address is just one of the possibilities out of a 64-bit subnet, this renders address scanning useless. This perception is blatantly false, as without address randomisation you leave "footprints" everywhere you go, hence the privacy extensions. Who needs to scan for your address when you leave it wherever you go?
The current implementations of IPv6 leave you the choice between security and privacy: you cannot have both.
If you choose security, you cannot even have plausible deniability by running an open wifi, as all IPv6 addresses are unique.
If, on the other hand, you choose privacy, then you cannot implement a default-deny firewall, as this would require a whitelist listing all of the allowed IPv6 addresses, something that you cannot provide if you are randomising your IP address as per the privacy RFC.
I will wait until someone figures out how to do both before I consider going live with IPv6.
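The "footprints" claim in point 2 above is concrete enough to demonstrate. The following is an added example, not code from the commenter or from any IPv6 implementation: it builds a SLAAC address from a MAC via modified EUI-64 (RFC 4291), shows that the same interface identifier reappears under every prefix the host visits, recovers the MAC from such an address, and contrasts it with an RFC 4941-style temporary address whose random identifier cannot be correlated. The MAC, the documentation prefixes (RFC 3849) and the "observed" address list are all constructed sample values; the function names are this example's own.

```python
"""Why an EUI-64 SLAAC address is a trackable footprint and a privacy
(temporary) address is not. Added example; all inputs are constructed."""

import ipaddress
import secrets
from typing import Dict, Iterable, List, Optional


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291
    App. A): flip the universal/local bit (0x02) of the first octet and
    insert 0xff 0xfe between the OUI and the device part."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stateless autoconfigured address: advertised /64 prefix + EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64_iid(mac))


def privacy_address(prefix: str) -> ipaddress.IPv6Address:
    """RFC 4941-style temporary address: a fresh random 64-bit IID with the
    universal/local bit cleared. (Assumption: the RFC derives the IID from
    an MD5 history value; a CSPRNG gives the same unlinkability here.)"""
    net = ipaddress.IPv6Network(prefix)
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear the u/l bit: not derived from a global MAC
    return ipaddress.IPv6Address(net.network_address.packed[:8] + bytes(iid))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC if the IID carries the EUI-64 ff:fe signature.
    Caveat: a random IID matches by chance with probability 1/65536, so
    treat a hit as a strong hint, not proof."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def correlate(observed: Iterable[str]) -> Dict[str, List[str]]:
    """Group addresses seen in e.g. web-server logs by the MAC they leak.
    Addresses without an EUI-64 signature (privacy addresses, manually
    assigned ones) are not grouped, which is exactly the point of RFC 4941."""
    by_mac: Dict[str, List[str]] = {}
    for a in observed:
        mac = mac_from_address(a)
        if mac is not None:
            by_mac.setdefault(mac, []).append(str(ipaddress.IPv6Address(a)))
    return by_mac


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    home = slaac_address("2001:db8:1::/64", mac)
    cafe = slaac_address("2001:db8:2::/64", mac)
    temp = privacy_address("2001:db8:2::/64")
    print("home:", home, "cafe:", cafe, "-> same IID:", home.packed[8:] == cafe.packed[8:])
    print("temporary:", temp, "-> MAC recoverable:", mac_from_address(str(temp)))
    print("correlated:", correlate([str(home), str(cafe), str(temp)]))
```

The last function is the "who needs to scan" part: anyone holding logs from two networks can join them on the leaked MAC without ever touching the /64 search space, which is what the privacy extensions are meant to break.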