by the_mitsuhiko 2008 days ago
It's nice that this is how the internet is "supposed to work". In practice not having a NAT makes "automatic" internal protection of web services hard to impossible.

> If you want to secure your servers, use a firewall. Maybe it's a host-based firewall.

Firewalls do not solve this problem because you do want service-to-service communication. What you do not want is code that crawls to user-supplied URLs to access your internal services. So you need application-level protections. With IPv6 you're basically forced to declare your CIDR explicitly, whereas with IPv4 you could easily achieve a secure-by-default system.

In these situations, store your IPv6 prefixes in a config. This doesn’t sound like a hard problem to solve.
Which is a manual process, and because it is one, it leaves many systems unprotected.
Systems that crawl user provided URLs are in the minority. For most systems it is irrelevant.
I strongly disagree. Almost every single system has webhooks, which by definition are user-supplied URLs.
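
The application-level check this thread argues about, as an added example that is not part of the original comments: a webhook URL is resolved, and every resulting address is tested against an explicit list of the operator's own prefixes and against the generic non-public ranges. The prefix values, the function names and the injectable `resolver` parameter are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed config. 2001:db8::/32 is the documentation range, standing in
# for the operator's real globally routable IPv6 prefix.
INTERNAL_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("2001:db8:1234::/48", "10.0.0.0/8")]


def system_resolver(host, port):
    """Every address the HTTP client could end up connecting to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def classify(addr, prefixes=INTERNAL_PREFIXES):
    """Return a block reason for one address, or None if it may be fetched."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it reaches.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Explicit list first: a real IPv6 prefix is public address space, so
    # the generic test below cannot tell that it belongs to us.
    if any(ip.version == net.version and ip in net for net in prefixes):
        return "configured internal prefix"
    # Loopback, link-local, RFC 1918, ULA (fc00::/7), reserved, multicast.
    if not ip.is_global or ip.is_multicast:
        return "non-public range"
    return None


def check_webhook_url(url, resolver=system_resolver):
    """Return (allowed, reason); one blocked address rejects the URL."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unsupported URL"
    try:
        addrs = resolver(parts.hostname, port)
    except OSError:
        return False, "resolution failed"
    for addr in addrs:
        reason = classify(addr)
        if reason:
            return False, f"{addr}: {reason}"
    return (True, "ok") if addrs else (False, "resolution failed")
```

The HTTP client has to connect to the addresses that were checked, and each redirect needs the same check, since a second DNS lookup can return a different answer.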