by Decade 2141 days ago
Yes, you should throw out a lot of what you know about networking.

Port scanning _should_ be difficult in IPv6. Instead, you should be using DNS and/or multicasting.

Having multiple ways to configure IP addresses _isn’t_ a problem. Modern devices have lots of RAM. They can handle having lots of IP addresses.

Because of how difficult it is to port scan IPv6, as long as you don’t manually allocate a low-entropy address to the printer, it won’t be easy to get to it. Even better, these days you can allocate a unique local address to the printer (RFC 4193, fd00::/8) and eliminate Internet access entirely. https://tools.ietf.org/html/rfc4193


> Even better, these days you can allocate a unique local address to the printer (RFC 4193, fd00::/8) and eliminate Internet access entirely.

I.e. essentially what we already had with IPv4.

> Because of how difficult it is to port scan IPv6, as long as you don’t manually allocate a low-entropy address to the printer, it won’t be easy to get to it.

Security provided by 'the attackers get bored'....

Security is provided by a firewall. But a lot of IoT botnet stuff comes from people opening inbound connections to their cameras/NASs/etc so they can access them from elsewhere. These are hosts where the network security has been deliberately disabled. The large address space of v6 at least reduces the odds of someone finding the device -- an insecure, unexploited device is better than an insecure exploited one.

You could sort of consider the 64 bit host ID to be a cookie, stored in DNS, that has to be provided by the client to connect to the server. Viewed like this, the IP itself would be considered a layer of security, since it forces the client to know the correct DNS name (or spend a lot of time guessing) to connect.

> Security is provided by a firewall.

Right, so as I said elsewhere, I'll be dropping all packets for incoming connections at the firewall. I was heavily downvoted for that comment... I guess a lot of folk will leave insecure devices open to the world.

You said you'd be dropping all v6 packets, not just incoming connections. Not quite the same thing.

Not essentially what we have with IPv4.

IPv4 is from the old days of 1 device, 1 IP address.

RFC 4193 addresses are in addition to the globally routable IP addresses. Your laptop could have both classes of addresses. Your printer could have only one class of address.

Between the ULA and the global addresses, with DHCPv6 and NDP and IPv6 privacy extensions, my laptop currently has 13 IP addresses on its main network adapter. That’s leaving my router and my laptop on default settings, nothing special, no appreciable memory impact.
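As an added example (not code from any of the commenters), here is the RFC 4193 section 3.2.2 procedure for deriving a unique local /48 from the earlier comment, plus a small classifier for the link-local, unique-local and global address classes the last comment distinguishes. The MAC address and the "other" label are assumptions for illustration; the address class test uses Python's `ipaddress` notion of global scope.

```python
import hashlib
import ipaddress
import time


def modified_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 app. A):
    insert ff:fe in the middle and invert the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def ula_prefix(ntp_time: int, eui64: bytes) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: Global ID = least significant 40 bits of
    SHA-1(64-bit NTP time || EUI-64); prefix = fd || Global ID, a /48.
    The hash makes the prefix high-entropy, so two sites that later
    merge are unlikely to collide."""
    key = ntp_time.to_bytes(8, "big") + eui64
    global_id = hashlib.sha1(key).digest()[-5:]
    prefix_int = int.from_bytes(b"\xfd" + global_id + b"\x00" * 10, "big")
    return ipaddress.IPv6Network((prefix_int, 48))


def fresh_ula_prefix(mac: str) -> ipaddress.IPv6Network:
    """Derive a prefix from the current clock in 64-bit NTP format
    (32-bit seconds since 1900, 32-bit fraction) and the given MAC."""
    now = time.time()
    ntp_time = ((int(now) + 2208988800) << 32) | int((now % 1) * (1 << 32))
    return ula_prefix(ntp_time, modified_eui64(mac))


def address_class(addr: str) -> str:
    """Label an address as link-local, unique-local (fc00::/7), global or other."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    if a.is_global:
        return "global"
    return "other"


if __name__ == "__main__":
    # Constructed sample MAC; a real deployment would read the interface's own.
    print(fresh_ula_prefix("00:11:22:33:44:55"))
```

A printer given only an address inside the generated prefix has no globally routable address at all, which is the "eliminate Internet access entirely" point rather than relying on the scan difficulty of a 64-bit host ID.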