> This allows us to enumerate a particular subset of active IPv6 hosts which can then be scanned.
So if you have turned off the firewall in your CPE, someone might have an easier time scanning your network, without having to find your IP address from an HTTP access log or using WebRTC etc.
The property of scanning resistance due to address sparsity in IPv6 is not very strong (nor is it meant to be a security boundary) and there are many things like this that can go around it.
If one were to scan all the IPv4 internet for broken/exposed UPnP service to target, they could then use IPv4 to craft a special message instructing the service to phone home to an IPv6-only domain. If the client has IPv6 enabled and the phone-home goes through, it is determined that there is a link from broken/exposed IPv4 UPnP to a potentially unknown IPv6 address. This gives a new set of previously unknown IPv6 addresses. These IPv6 addresses can now be scanned for other vulnerabilities.