NAT has more benefits - I don't want anyone to know how many devices I have at home, I don't want anyone to know which one I'm using to access their website, I don't want anyone to try to guess the OS and version of my devices, etc. And now I'm scared to have a simple DLNA media server because I can't just install WireGuard on the TV. I'm probably going to buy a router and make my own NAT soon (I don't have access to the ISP modem).
I felt better when the whole municipality had a single IP address. A lot of bullshit ads - means the targeting wasn't working. Now they're way too good.
And, no, I don't think it's practical for everyone and their grandma to "just set up a bastion"
Contrast that to using public WiFi in NYC where everybody knows exactly where you are.
And yes, incompetent ISPs are the norm.
Before IPv6 it was a classic internal LAN with IPs like 192.168.0.1.
There is a dramatic difference in effort between (owning a device) and (owning a router, configuring network access to the device, then owning the device).
Also psychologically: If I was a rock hard piece of shit and I knew I was at the doorstep of a personal device, I would treat it much more aggressively than a router. I suppose maybe that's just me and not the kids and enemy states.
edit: Changing the subject to insulting me is a bad way to conclude. You're creating an illusion the debate is concluded in your favor instead of responding to points. I don't think any of my points had a sound argument against them.
I can't configure anything technical about my internet. Any change is paid, and often simply not possible.
Even if your IPv6 host or border firewall allows pings through, it's not practical to scan an entire /64. There are just too many addresses in it, and your devices will frequently change them.
> I don't want anyone to know which one I'm using to access their website, I don't want anyone to try guess the OS and version of my devices, etc.
They already do this through fingerprinting that operates with higher-layer protocols.
> And now I'm scared to have a simple DLNA media server because I can't just install WireGuard on the TV.
This is very simple to implement. Ensure it's listening on the link-local address. That's the IP that starts with fe80. These are unroutable by spec.
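The suggestion above (listen on the link-local address so the service is only reachable from the same LAN segment) is simple to apply if the media server lets you choose its bind address. The following is an added illustration, not code from any poster or project in this thread: it classifies the addresses an interface holds, picks the fe80::/10 one for a LAN-only listener, and binds to it with the scope id that link-local addresses require. The interface name `eth0`, the address list and the port are constructed assumptions; read the real list from the OS (for example `ip -6 addr show`) in practice.

```python
import ipaddress
import socket
from typing import List, Optional

# Constructed sample: addresses a TV or media-server host might hold on its
# LAN interface. 2001:db8::/32 is the documentation prefix and stands in for
# whatever global prefix the ISP delegated.
SAMPLE_INTERFACE_ADDRS = [
    "2001:db8:1234:5678:a1b2:c3d4:e5f6:1",     # global unicast (stable)
    "2001:db8:1234:5678:9f8e:7d6c:5b4a:3928",  # global unicast (temporary)
    "fe80::1a2b:3cff:fe4d:5e6f",               # link-local
]

ULA = ipaddress.IPv6Network("fc00::/7")  # unique local addresses (RFC 4193)


def classify(addr: str) -> str:
    """Coarse scope of an IPv6 address. Only 'link-local' is guaranteed never
    to be forwarded by a router; 'global' is reachable from the internet
    unless a firewall says otherwise."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:
        return "link-local"
    if ip in ULA:
        return "unique-local"
    return "global"


def pick_lan_only_bind_address(addrs: List[str]) -> Optional[str]:
    """Return the link-local address to listen on, or None if the interface
    has none (every IPv6-enabled interface normally has one)."""
    for a in addrs:
        if classify(a) == "link-local":
            return a
    return None


def open_lan_only_listener(addr: str, ifname: str, port: int) -> socket.socket:
    """Bind a TCP listener to a link-local address. fe80:: addresses are only
    unique per link, so the OS needs the zone (scope) id as well; the
    'addr%ifname' form handled by getaddrinfo supplies it."""
    if classify(addr) != "link-local":
        raise ValueError(f"{addr} is not link-local; refusing to expose it")
    info = socket.getaddrinfo(f"{addr}%{ifname}", port,
                              socket.AF_INET6, socket.SOCK_STREAM)
    family, socktype, proto, _, sockaddr = info[0]
    s = socket.socket(family, socktype, proto)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(sockaddr)   # sockaddr carries the scope id as its 4th element
    s.listen()
    return s


if __name__ == "__main__":
    for a in SAMPLE_INTERFACE_ADDRS:
        print(f"{a:45} {classify(a)}")
    bind_addr = pick_lan_only_bind_address(SAMPLE_INTERFACE_ADDRS)
    print("LAN-only bind address:", bind_addr)
    try:
        # 'eth0' is an assumed interface name; the sample address will not
        # exist on this host, so the bind is expected to fail here.
        open_lan_only_listener(bind_addr, "eth0", 8200)
    except OSError as e:
        print("bind failed (expected on a host without that address):", e)
```

Two caveats worth keeping in mind: a link-local bind limits who can route to the service, not who is on the link, so anything bridged onto the same layer-2 segment (a guest WiFi that is not actually isolated, for instance) still reaches it; and it is a complement to, not a substitute for, the router's stateful firewall discussed elsewhere in this thread.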
It's very hard to distinguish my iPhone and Mac from the other dozens/hundreds people have in my building just through fingerprinting. Very easy if they have separate IP addresses.
Ad link local - cool, I'll look into that, thanks.
I have exactly one machine which needs to be accessible from outside the local network. The rest of them should never be. Do I want to spend extra time ensuring that each and every single device on my network is secure, or do I want to do the inverse and assume all devices are secure and only spend effort to make the one machine exposed?
I can't imagine anyone who would actually want or need their WiFi toaster to be publicly routable, WiFi cameras, every computer. There's absolutely no reason for it. Instead of relying on network isolation, we expect users to just implicitly rely on who knows how many different firewall implementations. Hopefully your router configures it by default.
It doesn't matter if everyone in your building has an iPhone and a Mac as well -- there are things about virtually every single one of them that make them unique.
When my (previous) ISP switched on IPv6 none of my internal devices could be connected to because my Asus did stateful packet inspection and only allowed in replies to connections that were previously initiated.
> NAT has more benefits - I don't want anyone to know how many devices I have at home, I don't want anyone to know which one I'm using to access their website
Given that temporary IPv6 addresses tend to rotate every 24 hours, it will be kind of hard to track individual devices by IP in a 2^64 address space.
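Whether the comment above holds depends on how a device builds the low 64 bits (the interface identifier) of its address. The example below is added here and is not from anyone in the thread: it checks whether an address uses the modified EUI-64 form of RFC 4291, which embeds the interface's MAC and therefore stays constant across every prefix change, and contrasts that with the random identifiers of RFC 4941 temporary addresses (or the RFC 7217 stable-but-opaque ones), which do not link a device across prefixes. The addresses and MAC are constructed; run it over your own devices' addresses to see which of them would be trackable by IP alone.

```python
import ipaddress
from typing import Optional

IID_MASK = (1 << 64) - 1


def interface_id(addr: str) -> int:
    """Low 64 bits of the address: the interface identifier (IID)."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def is_eui64(addr: str) -> bool:
    """Modified EUI-64 IIDs are built from a 48-bit MAC by inserting 0xFFFE
    between its two halves, so bytes 3 and 4 of the IID read ff:fe."""
    iid = interface_id(addr)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC an EUI-64 address was derived from, or None.
    The universal/local bit (0x02 of the first byte) is inverted during
    derivation, so it is flipped back here."""
    if not is_eui64(addr):
        return None
    b = interface_id(addr).to_bytes(8, "big")
    mac = bytes([b[0] ^ 0x02, b[1], b[2], b[5], b[6], b[7]])
    return ":".join(f"{x:02x}" for x in mac)


def iid_kind(addr: str) -> str:
    return "mac-derived (stable, trackable)" if is_eui64(addr) else "opaque/random"


def linkable_across_prefixes(addr_a: str, addr_b: str) -> bool:
    """True when two addresses under different prefixes can be attributed to
    the same device from the IID alone: same IID, and that IID is a
    MAC-derived one rather than a random temporary identifier."""
    return (interface_id(addr_a) == interface_id(addr_b)
            and is_eui64(addr_a))


# Constructed samples: one device that uses EUI-64 under two ISP prefixes,
# and one that uses temporary addresses (a fresh random IID per rotation).
EUI64_DAY1 = "2001:db8:1::211:22ff:fe33:4455"
EUI64_DAY2 = "2001:db8:2::211:22ff:fe33:4455"
TEMP_DAY1 = "2001:db8:1::9f8e:7d6c:5b4a:3928"
TEMP_DAY2 = "2001:db8:2::4c1d:8e2f:a0b3:77c9"

if __name__ == "__main__":
    for a in (EUI64_DAY1, EUI64_DAY2, TEMP_DAY1, TEMP_DAY2):
        print(f"{a:36} {iid_kind(a):32} mac={mac_from_eui64(a)}")
    print("EUI-64 device linkable day1->day2:",
          linkable_across_prefixes(EUI64_DAY1, EUI64_DAY2))
    print("temporary-address device linkable:",
          linkable_across_prefixes(TEMP_DAY1, TEMP_DAY2))
```

The point for a home network is that daily prefix rotation (as described by the poster who reboots the router nightly) only breaks tracking when the devices behind it also use non-MAC-derived identifiers; most current operating systems default to temporary or opaque IIDs, but embedded devices and older stacks often do not.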
You could rotate addresses 10 million times per second, using each only once, and it would take over 5000 years to exhaust a single /64.
> I felt better when the whole municipality had a single IP address. A lot of bullshit ads - means the targeting wasn't working. Now they're way too good.
I now have to use an ISP-supplied router (for GPON), but when I still had my Asus on the DSL/IPv6 ISP I could tell it to reboot every night and I would get a new IPv4 address and a new IPv6 prefix every day.
If you could scan one million addresses every second it would take about 500,000 years to scan just one /64. Not sure how practical that would be.
When I was still with an ISP that did IPv6 my Asus would block any incoming connection attempt unless it was a reply (SPI firewall), though it may have (IIRC) allowed pings in by default.
You have a router; it has a firewall that is meant to be used to control access to the network. You don't have to assign rules to every device; you can assign default interface rules that apply to any connection.
Just because you get a publicly routable address doesn't mean the internet defies physics and hops over your router and firewall.
Also, as an aside: perimeter security is a very outdated way of looking at security. Yes, the perimeter is still important, but if it is your first and only line of defense you are gonna be in for a bad time. Defense in depth, as it is called, where you look at your systems and networks as layers of an onion, is the more modern standard, and NAT as a security mechanism has never been standard in either because it isn't one.
With NAT, it doesn't work because the ports get remapped, and the intermediary doesn't know how they will get remapped on the p2p connection, so they can't coordinate to send on the correct ports to open the firewall.
Or UPnP can work. By default, your router drops incoming packets on all ports. If you want to e.g. run a game server, then on startup, it hits a standard API to tell the router to forward that one port. On shutdown, it can tell it to close the port (you could potentially also have the router require keepalives to keep the forward alive. I'm not familiar with the details of UPnP and related protocols).
Without a public IP, you need intermediate servers to relay all traffic to you, which centralizes the web. With p2p working, you can e.g. have high quality video calls with friends/family instead of dealing with the garbage quality tech companies allow. Or I can share with my mom photos of her grandkids with effectively unlimited storage; for 2 years of 2 TB Google storage, I can buy 20 TB of disks.
You could also just use an old pc...
For software: OPNsense, pfSense, OpenBSD, FreeBSD, Linux (OpenWrt could be used too if you want embedded).
It is a pain to start ... But satisfying when it works :)
Even then I'd still rather ensure every device is appropriately firewalled. "Not worrying about it" sounds like a hardened shell with a juicy center. What happens when a device does get compromised and tries to spread to your local network?