by mindslight 2394 days ago
A stateful firewall that rejects incoming connections is conceptually simple even without NAT.

NAT itself does have the security benefit of masking more bits of client identity though. If I had a bunch of machines on an ip6 prefix, I would still want their outgoing connections to be NATted, to avoid address-based tracking.


That isn't really necessary any longer. Modern IPv6 stacks use and periodically rotate through temporary, auto-allocated IPv6 addresses for privacy reasons.
AFAIK "privacy extensions" are just designed to avoid putting the (customarily) fixed MAC address onto the wider Internet. If each device still has a specific /128 at any given time, then the number of devices and the connections from the same device can be inferred - the statistical distribution is still drastically different than per-connection NAT.

We can envision a better version where each device pulls multiple addresses at a time and rotates through them basically per-topic, but I don't think stacks are really set up to do that. But sure we could get there eventually, at least modulo outdated firmware stuck with said vulnerabilities. On the other hand, if we already need maintained premise routers to manage incoming connections, they can simply NAT outgoing connections and get a perfect probability distribution across IP6+port that fully masks the internal network.

Ultimately I think the distinction between "outgoing" and "incoming" connections is only going to continue increasing, regardless of IP6.
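The statistical distinction argued above can be made concrete with a small simulation. This is an added example, not code from the thread or from either commenter. It models a prefix holding a few internal devices under two regimes: privacy extensions, where each device keeps one temporary /128 for the observation window and all its connections share it, and per-connection NAT, where a premise router maps every outgoing connection to one external address with a fresh port. The device names, destination labels, the 2001:db8::/32 documentation prefix and the flow records are all constructed for the example; a real observer would of course see only the source address and port, which is what `observer_view` and `linkage` restrict themselves to.

```python
import ipaddress
import random
from collections import defaultdict

# Constructed scenario (not from the thread): three internal devices behind one
# /64, each making several outgoing connections inside one observation window.
PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")  # documentation prefix
DEVICES = ["laptop", "phone", "tv"]
DESTINATIONS = ["news", "mail", "video", "shop"]


def temp_address(rng):
    """Privacy-extension style temporary address: a random 64-bit interface id
    inside the prefix (RFC 4941 behaviour, modelled here, not reimplemented)."""
    iid = rng.getrandbits(64)
    return ipaddress.IPv6Address(int(PREFIX.network_address) + iid)


def flows_privacy_extensions(seed=0, conns_per_device=5):
    """Each device holds one temporary /128 for the whole window, so every
    connection it makes carries the same source address."""
    rng = random.Random(seed)
    flows = []
    for dev in DEVICES:
        addr = str(temp_address(rng))
        for _ in range(conns_per_device):
            flows.append({"device": dev, "src": addr,
                          "sport": rng.randint(32768, 60999),
                          "dst": rng.choice(DESTINATIONS)})
    return flows


def flows_per_connection_nat(seed=0, conns_per_device=5):
    """A premise router rewrites every outgoing connection to its single
    external address and a port not yet in use."""
    rng = random.Random(seed)
    external = str(temp_address(rng))  # the router's one public address
    used_ports = set()
    flows = []
    for dev in DEVICES:
        for _ in range(conns_per_device):
            sport = rng.randint(1024, 65535)
            while sport in used_ports:
                sport = rng.randint(1024, 65535)
            used_ports.add(sport)
            flows.append({"device": dev, "src": external,
                          "sport": sport, "dst": rng.choice(DESTINATIONS)})
    return flows


def observer_view(flows):
    """What a remote party sees: flows grouped by source address only.
    Returns {source address: number of connections from it}."""
    groups = defaultdict(int)
    for f in flows:
        groups[f["src"]] += 1
    return dict(groups)


def inferred_device_count(flows):
    """Number of distinct /128s, i.e. the observer's estimate of device count."""
    return len(observer_view(flows))


def linkage(flows):
    """Pairs of flows an observer would link by shared source address, split
    into correct (same internal device) and incorrect (different devices).
    The internal 'device' label is used only to grade the observer's guess."""
    correct = incorrect = 0
    for i in range(len(flows)):
        for j in range(i + 1, len(flows)):
            if flows[i]["src"] != flows[j]["src"]:
                continue
            if flows[i]["device"] == flows[j]["device"]:
                correct += 1
            else:
                incorrect += 1
    return correct, incorrect


if __name__ == "__main__":
    for name, flows in (("privacy extensions", flows_privacy_extensions(7)),
                        ("per-connection NAT", flows_per_connection_nat(7))):
        print(name, "devices inferred:", inferred_device_count(flows),
              "linked pairs (correct, incorrect):", linkage(flows))
```

With privacy extensions the observer recovers the exact device count and links every one of a device's connections to each other with no false links; under per-connection NAT all flows collapse onto one address, so the same grouping yields one apparent host and mostly cross-device (wrong) links. Rotating the temporary address more often only shrinks the window, it does not change the shape of the distribution within it.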