by njibhu 1414 days ago
> Pretty sure all reasonable devices utilise privacy extensions.

I stand corrected by throw0101a's answer. This is actually not an issue.

> If it's wrong is subjective. If it's not a goal to upsell a business connection there might be technical limitations.

I don't think a Guest network should be considered a business feature.

> Bit of a niche use-case and still very doable with NAT66.

Yes or NPT, as I mentioned at the end of my initial answer. But it has its own con.

> I haven't seen a captive portal that wasn't able to intercept DNS or that couldn't MITM all connections to display that page. It's a non-issue.

I also stand corrected by throw0101a, this is a non-issue.

> IPv4 devices can conduct ARP spoofing, no biggie. If it's "very easy" to do either it's just poor switch software.

The actual "switch software" in IPv4 which handles that is to use an authoritative DHCP server. This does not exist/work in IPv6.

1 comments

> This does not exist/work in IPv6.

Well obviously, but a proper switch, instead of DHCP snooping, has SLAAC and DHCPv6 snooping.

A lot of devices (android/windows) simply don't support DHCPv6. And SLAAC's RA delegates the responsibility of the IP to the device itself, so doing something like DHCP snooping is simply not possible because the RA packet doesn't tell the switch which IP belongs to which device.

SLAAC-snooping protects against ARP poisoning, not against ARP table overflow.

If it doesn't protect against ARP table overflow then that is again a missing feature in that software. Just like it's not IPv4's fault if there are no protections against someone sending a thousand DHCP requests and depleting the pool or filling some tables.
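
The two protections argued over in the comments above, shown side by side as an added example (not code from any commenter or switch vendor): a switch-side binding table that learns SLAAC addresses from the host's own duplicate-address-detection probes, drops advertisements from non-owners, and caps bindings per port. The `SnoopTable` class, the cap of 4 and the event values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address

@dataclass
class SnoopTable:
    """Hypothetical switch-side table: IPv6 address -> (port, MAC)."""
    limit: int = 4                                  # assumed per-port cap
    bindings: dict = field(default_factory=dict)
    per_port: dict = field(default_factory=dict)

    def on_dad_ns(self, port, mac, target):
        # With SLAAC the host picks its own address, so the switch learns it
        # from the host's DAD Neighbor Solicitation, first come first served.
        addr = IPv6Address(target)
        owner = self.bindings.get(addr)
        if owner is not None:
            return "refresh" if owner == (port, mac) else "drop:owned-elsewhere"
        if self.per_port.get(port, 0) >= self.limit:
            return "drop:port-limit"                # table-overflow protection
        self.bindings[addr] = (port, mac)
        self.per_port[port] = self.per_port.get(port, 0) + 1
        return "learned"

    def on_na(self, port, mac, target):
        # Neighbor Advertisements are forwarded only from the bound owner,
        # which is the anti-poisoning half of the feature.
        owner = self.bindings.get(IPv6Address(target))
        return "forward" if owner == (port, mac) else "drop:no-binding"

def run_sample():
    """Replay constructed events; returns (verdicts, table size)."""
    t = SnoopTable()
    verdicts = [
        t.on_dad_ns(1, "02:00:00:00:00:01", "2001:db8::a"),
        t.on_na(1, "02:00:00:00:00:01", "2001:db8::a"),
        t.on_na(2, "02:00:00:00:00:02", "2001:db8::a"),      # spoofed claim
        t.on_dad_ns(2, "02:00:00:00:00:02", "2001:db8::a"),  # late claimant
    ]
    # Port 3 claims six addresses; only the first four fit under the cap.
    verdicts += [t.on_dad_ns(3, "02:00:00:00:00:03", f"2001:db8::{i:x}")
                 for i in range(0x10, 0x16)]
    return verdicts, len(t.bindings)

if __name__ == "__main__":
    print(run_sample())
```

Without the `limit` check the table still stops address takeover, but a single port can grow it without bound, which is the gap the thread describes.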