[dotancohen]

  > It's called a firewall. You want a firewall. IPv6 also has a firewall. NAT is not a firewall.

With NAT, I absolutely know my ESP32 is not vulnerable and exposed on the wild wild web. With a firewall, I may have a configuration issue or there might be a bug in the implementation or there might be some UDP nuisance I didn't know about or a dozen other concerns. I don't want to hire a network admin not play one at home.

[blueflow]

Your router will open up any port for an ephemeral forwarding if the traffic looks like that forwarding is warranted. Any application can open arbitrary inbound pathways. "Application" also includes the Javascript you run in your Browser. Which is externally controlled.

Security folks call those techniques "hole punching" but they are how NAT is expected to work.

[KaiserPro]

> With NAT, I absolutely know my ESP32 is not vulnerable and exposed

I mean thats not actually true, uPnP will open ports up, as will misconfiguration.

The firewall is still the same in ipv6 vs 4, and has the same problems.

[dotancohen]

Correct me if I'm wrong, but UPnP requires my ESP32 to initiate communication. Whereas giving it an IPv6 address would expose it to the entire www even before it attempts communication.

[jech]

> Correct me if I'm wrong, but UPnP requires my ESP32 to initiate communication.

Not quite. Using UPnP, any host on your internal network can open a port for any other host. You may be thinking of NAT-PMP.

Additionally, by default UPnP mappings don't expire (unlike NAT-PMP mappings), so if a host crashes with an open port and your ESP32 inherits its IPv4 address, it will be exposed to the Internet.

[dotancohen]

Actually I've never heard of NAT-PMP, so I'm just wrong ))

Thank you. I never considered the reused address vulnerability.