by JohnFen 1045 days ago
> People don't want every local network device to have a public IP

I absolutely don't want this. But as I understand it, I can avoid this by assigning my machines the IPv6 nonroutable addresses fe80::/64. They're the equivalent of 192.168.* and 10.*


Same as the firewall, it's fine if it's done right. But does every machine get link-local v6 addresses by default? My Mac is set to "automatic," which I assume asks the router. Even if I use link-local, does every router (even crappy ones) respect the no-forward rule? This is along with several other aspects of my network changing to use v6.

Meanwhile, if someone sends a v4 packet with TCP port 22 to my router, it can't tell where to forward it even if it wanted to. It takes effort to do that, namely a port forwarding config.

> But does every machine get link-local v6 addresses by default?

If you use DHCP, then I think you can configure that. What I have in mind is to assign static IPs to all of my fixed machines anyway, and use DHCP to assign IPs to transient machines. Not sure if that's reasonable, but it's my current thinking.

> does every router (even crappy ones) respect the no-forward rule?

There may be broken ones, but it doesn't matter so much because your ISP won't route such addresses regardless.
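
As an added example, not part of this thread: a small Python check that sorts the IPv6 addresses a host holds by scope, using the prefixes defined in RFC 4291 (fe80::/10 link-local, which routers must not forward) and RFC 4193 (fc00::/7 unique local, of which fd00::/8 is the part used in practice and the closest analogue of the 192.168/16 and 10/8 ranges), so that only the addresses outside those prefixes are reported as needing a firewall policy. The address list is constructed; the public resolver address appears only as a sample global-scope value.

```python
import ipaddress

# Scopes that stay inside the host or the local network. Order matters only
# for the loopback entry, which would otherwise also be tested last.
SCOPES = (
    ("loopback",     ipaddress.ip_network("::1/128")),        # RFC 4291
    ("ipv4-mapped",  ipaddress.ip_network("::ffff:0:0/96")),  # RFC 4291
    ("link-local",   ipaddress.ip_network("fe80::/10")),      # RFC 4291, never forwarded
    ("unique-local", ipaddress.ip_network("fc00::/7")),       # RFC 4193, not routed by ISPs
)


def classify(addr: str) -> str:
    """Return the scope name of an IPv6 address string.

    A trailing zone index such as "fe80::1%eth0" is dropped before parsing.
    Anything outside the listed prefixes is reported as "global": that is the
    set a router may forward and the ISP may deliver, so it is the set that
    needs an explicit firewall rule rather than relying on address scope.
    """
    ip = ipaddress.IPv6Address(addr.split("%", 1)[0])
    for name, net in SCOPES:
        if ip in net:
            return name
    return "global"


def routable_exposure(addrs):
    """Return the subset of addrs that is globally routable."""
    return [a for a in addrs if classify(a) == "global"]


# Constructed sample: what a dual-stack host might show on one interface.
SAMPLE = [
    "fe80::1c2b:3d4e:5f60:7a8b%eth0",  # link-local, assigned automatically
    "fd12:3456:789a::10",              # unique local, the 192.168/16 analogue
    "2001:4860:4860::8888",            # global unicast (sample value only)
    "::1",                             # loopback
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a:36} {classify(a)}")
    print("needs a firewall policy:", routable_exposure(SAMPLE))
```

Addresses in the "global" set are the ones the thread's "no-forward rule" does not cover, which is where an inbound-deny default on the router still has to do the work NAT did for IPv4.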

> If you use DHCP, then I think you can configure that. What I have in mind is to assign static IPs to all of my fixed machines anyway, and use DHCP to assign IPs to transient machines. Not sure if that's reasonable, but it's my current thinking.

You probably can, but as it's often said, most security breaches are caused by misconfiguration.

> There may be broken ones, but it doesn't matter so much because your ISP won't route such addresses regardless.

Yeah fair enough, I can trust my ISP to do that at least.

> You probably can, but as it's often said, most security breaches are caused by misconfiguration.

Yes, but that's no different with IPv4. What it really means is that we have to learn the intricacies of IPv6 in order to use it confidently. Right now, I am nowhere near comfortable that I have sufficient understanding. That can be fixed through enough study, but is also part of the friction in adopting IPv6.

There's that friction, but also blocking traffic in v6 is more complicated per se. v4 only has one kind of address, and it's really hard to mess up NAT in a way that causes a breach. In kind of a stupid way, it's secure by default.

Guess the most likely mishap is a bad router that supports UPnP and has it on by default, and a bad device that maps an actually used port. No PC is going to do that; it'd have to be something like a cheap knockoff security DVR.

> blocking traffic in v6 is more complicated per se

I don't think that's the case. I think how you set your router/firewall rules with IPv6 is the same as with IPv4 aside from the addresses being longer.

> it's really hard to mess up NAT in a way that causes a breach

You can continue to use NAT with IPv6. I know that when I make the change, I'll still be using NAT, for convenience if nothing else.