It is really sad to see that essentially all security issues of IPv4 were inherited, at least on the LAN level. However, besides of the "firewall protection" provided by NAT, which is largely mirrored as "outgoing connections only" in ipv6 deployments, I fail to see how it actually makes security worse. Do you have examples for what you had in mind?
The one you excluded (why?) is a pretty darn big one. It means for example that a random hacker would have a hell of a hard time spontaneously reaching my phone via the cellular data connection... or the WiFi connection for that matter, since that's NAT'ed too. Which reduces the attack surface immensely. I don't see why even this by itself would be insufficient reason...
No, it doesn't. The "attack surface" is a IP stack that looks in some hash tables whether there is anyone listening on the port, and then rejects the connection. Vs. a huge browser with a javascript interpreter and JIT and what have you that is accessible regardless of NAT or firewalls or whatever else you do on the network level. The fear of inbound connections is completely irrational.
And you're also claiming every single router I'm going to encounter today has already set up IPv6 correctly as needed to mirror the security and privacy characteristics of IPv4 like this?
You know, I really have to apologize, because it seems I missed a critical detail that changed the entire story. Thanks to both of you for making me go double-check.
What happened was I vividly recalled seeing "stateless" as the default option for the router I had in mind over a year ago. Which was indeed correct. However, in response to the other comment I went back and checked again, and just noticed that "stateless" was in fact under the NAT page, not the firewall. The IPv6 firewall page is rather hidden so it's something I forget about completely, as I don't use IPv6. Looking there, the firewall page indeed does say it blocks unrelated input traffic by default.
This wasn't the entire story though, because I could also remember that ip6tables -L was empty when I checked it. I now see, though, that this must have been because when I had done this check, IPv6 was turned off, and that made the router purge all the rules. I had always assumed it was never setting them up in the first place.
Frankly as of right now I can't really verify what actually happens because I don't immediately get an IPv6 address when I enable it. I trust it does what you say. That said, I'm still not sure how I could rely on this fact being true everywhere. With IPv4 it's pretty much a given that you will hit a NAT due to the lack of enough IPv4 addresses, but with IPv6 they could easily assign you an IP address, so what guarantee is there that the router has things set up this way? It still seems like a risk vs. no-risk, with the same resulting decision.
Thanks for checking. I actually also expected this to be an issue when IPv6 started to become a thing, but I've seen very little in the way of reports of it and am positively surprised that manufacturers appear to be copying templates that do it properly, so I'm more worried about crap like the "forgotten" backdoors, exposed management interfaces like UPnP, ... right now.
Interesting. Note that this router manufacturer is probably one of the better ones, so I wouldn't weight this data point too much for generalizing, but that's good to know.