I really want to love IPv6 but my ISP (Xfinity in California) will not provide a stable prefix.<p>This doesn't matter with IPv4, because all my internal IPv4 addresses are NATed. But with IPv6, although each device on the network can receive a globally routable IPv6 address, the prefix keeps changing, and so the address keeps changing. This makes <i>internal</i> networking a nightmare, since the address of my devices is not under my control.<p>I don't use NPT, but it would fix the problem, so people are going to continue using it until dynamic prefixes go away. Which will probably be never.
"Stateful packet filtering can provide the same level of security for IPv6"<p>The keyword here is "can". The difference here is this: if your NAT is not configured properly, your network is not accessible, nothing works, the problem is obvious, and is going to be fixed ASAP. If your stateful firewall is not configured properly, everything works fine, except that your network is visible from places it wasn't supposed to be. It requires some dedicated checks to verify.<p>So, the problem with NAT vs firewall security is not technical, it is psychological (but no less dangerous): when you have a working (but insecure) system by default, it is easy to miss the hardening step. The consequences can be catastrophic.
See also "IPv6 Multihoming without Network Address Translation":<p><pre><code> Network Address and Port Translation (NAPT) works well for conserving
global addresses and addressing multihoming requirements because an
IPv4 NAPT router implements three functions: source address
selection, next-hop resolution, and (optionally) DNS resolution. For
IPv6 hosts, one approach could be the use of IPv6-to-IPv6 Network
Prefix Translation (NPTv6). However, NAT and NPTv6 should be
avoided, if at all possible, to permit transparent end-to-end
connectivity. In this document, we analyze the use cases of
multihoming. We also describe functional requirements and possible
solutions for multihoming without the use of NAT in IPv6 for hosts
and small IPv6 networks that would otherwise be unable to meet
minimum IPv6-allocation criteria. We conclude that DHCPv6-based
solutions are suitable to solve the multihoming issues described in
this document, but NPTv6 may be required as an intermediate solution.
</code></pre>
* <a href="https://datatracker.ietf.org/doc/html/rfc7157" rel="nofollow">https://datatracker.ietf.org/doc/html/rfc7157</a>
hot take of the day: NAT is (mostly) a shitty idea. we can give everything a WAN ipv6 and a private LAN address. devices should maintain their own firewalls and if defense in depth is required, the router should maintain a firewall that blocks incoming by default but still give everything its own address.
Something I'm a bit fuzzy on, but can WAN/LAN address separation be done without NAT? I think it can, but if it can't that seems like a good argument in favor of keeping some form of NAT even for IPv6. While it definitely shouldn't be the only defense, I think it is a reasonable layer of defense for home networking.
I ran into the oddest thing after switching ISPs. IPv6 kept dropping out with my devices and I traced it back to the LAN side of my router accepting router advertisements from inside my network. Easy enough to fix, I flipped the flag to not accept router advertisements on the LAN interface.<p>The weird part is that I traced the router advertisements as coming from an old Google Chromecast. It was advertising the prefixes of my old ISP. Bug or intended? If the latter, why?
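A defender-side check for the stale-advertisement situation described above, written as an added example for this thread rather than taken from any commenter: it parses the ICMPv6 Router Advertisement payload, pulls out the Prefix Information options, and flags any prefix that is not the one the current ISP delegates. The allow-list prefix and the sample RA bytes are constructed here; Ethernet/IPv6 headers and the ICMPv6 checksum are assumed to have been handled by whatever captured the packet.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
# Constructed allow-list: the /64 the current ISP delegates to this LAN.
EXPECTED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}


def build_ra(prefixes):
    """Build a minimal RA payload (ICMPv6 header + one Prefix Information option per prefix)."""
    # type, code, checksum (left 0), cur hop limit, flags, router lifetime, reachable time, retrans timer
    payload = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    for text in prefixes:
        net = ipaddress.IPv6Network(text)
        # type, length in 8-byte units, prefix length, L+A flags, valid, preferred, reserved, then prefix
        payload += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
        payload += net.network_address.packed
    return payload


def advertised_prefixes(payload):
    """Return the on-link prefixes carried in an RA payload; ValueError on malformed input."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    found, off = [], 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:  # RFC 4861: a zero-length option makes the whole RA invalid
            raise ValueError("zero-length ND option")
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFORMATION and olen == 4:
            prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])
            found.append(ipaddress.IPv6Network((prefix, payload[off + 2]), strict=False))
        off = end  # unknown option types are skipped, as RFC 4861 requires
    return found


def rogue_prefixes(payload, expected=EXPECTED_PREFIXES):
    """Advertised prefixes not in the allow-list; an empty list means the RA matches our ISP."""
    return [str(p) for p in advertised_prefixes(payload) if p not in expected]


if __name__ == "__main__":
    # Constructed: an RA that still advertises a stale prefix alongside the live one.
    stale = build_ra(["2001:db8:1::/64", "2001:db8:ffff::/64"])
    print("rogue prefixes:", rogue_prefixes(stale))
```

Feeding it RA payloads captured on the LAN side (for example from a packet sniffer) turns the one-off manual trace into a repeatable alert, and the source address of any flagged RA identifies the device to investigate.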
The lack of adoption of IPv6 over so many years makes me think that they should just have slapped a couple of extra address bytes on IPv4 and called it a day.