Thanks. So yeah, it looks like IPv6 is more secure than IPv4... as long as we're talking about competent engineering! Hopefully this is the case for major ISPs and OSes...
Especially interesting is this RFC:
https://www.rfc-editor.org/rfc/rfc6092.html
"Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service"
It shows that there are lots of different kinds of filtering involved, so it looks like these millions of residential users connected to the IPv6 Internet without router firewalls might still have some router filtering going on?
Also, it confirms that "The IPv6 stateful filtering behavior described in this document is intended to be similar in function to the filtering behavior of commonly used IPv4/NAT gateways, which have been widely sold as a security tool for residential and small-office/home-office networks.
As noted in the Security Considerations section of [RFC2993], the true impact of these tools may be a reduction in security. It may be generally assumed that the impacts discussed in that document related to filtering (and not translation) are to be expected with the simple IPv6 security mechanisms described here.
In particular, it is worth noting that stateful filters create the illusion of a security barrier, but without the managed intent of a firewall. Appropriate security mechanisms implemented in the end nodes, in conjunction with the [RFC4864] local network protection methods, function without reliance on network layer hacks and transport filters that may change over time. Also, defined security barriers assume that threats originate in the exterior, which may lead to practices that result in applications being fully exposed to interior attack and which therefore make breaches much easier."
So now I'm kind of confused as to the different meanings of 'filtering' and 'firewall' that might be used... The RFC seems to use 'firewall' in the sense of 'customizable firewall', while ISPs still often don't provide other options on their IPv6 'firewall' than 'ON/OFF'...