Tell us at the next 0-day, because that big problem exists, and unfortunately happens every day.
IPv6 == All your devices are globally ROUTABLE and CONNECTIBLE from the Internet; your home network is part of the internet. It is an additional rule in the router's firewall that temporarily avoids it. Note the "temporarily", as one day the gifted packet will arrive at the router. This is not cool.
So much so (the home network is part of the internet) that if you want to create a simple video NAS or whatever, one has to use external DNS services, as no one has control over their own local IPs... which are served by the ISP. This is not cool.
Even if it was not designed for it, NAT has been helping to secure and give flexibility to our local networks for decades, but someone decided to reject it from the specification. Bad decision.
I really don't understand the fearmongering. Your home router likely runs some flavor of Linux which uses Netfilter/iptables to perform both NAT and filtering. Do you believe that the filtering/firewall modules are inherently flawed, yet the NAT modules are infallible?
I see them as two sides of the same coin. If we're theorizing about a magic packet that not only removes your firewall rules, but also flips the default policy to ACCEPT, the very same packet could also sneak in a few NAT rules into your IPv4-only router.
Regarding firewalls being prone to accepting by default, either way the packet has to go through the CPU to be routed. I don't believe there's any inherent bias in the design. You could argue that routers that use a single switch and a VLAN to isolate the WAN port are inherently biased, though.
Regarding local hostname resolution, there are several options that don't require your ISP. There's mDNS, DHCPv6 and DNS on your router, ULA prefixes, or you can continue using IPv4 for local traffic.
Firstly, one ceases to have control of one's own home network, which now has to rely on the ISP to receive the "local" IPs, which are part of the internet. And in addition each machine leaves a trace of its "local" IP on the Internet. This is if one wants internet access on the device, due to the absence of NAT in the router's protocol.
Secondly, one has to rely on a buggy piece of code called a firewall to make those IPs "local", due to the absence of NAT in the router's protocol.
https://nvd.nist.gov/vuln/search/results?form_type=Basic&res...
https://www.cvedetails.com/google-search-results.php?q=firew...
We are talking about millions of routers provided by the ISPs in each country, barely maintained and updated, which little by little will become exposed. And this without taking into account the unpublished firewall bugs that each artist keeps for themselves and that take 3 to 5 years to become detected and fixed by the mainstream. I do not know how to express the negligence that is going on, but I can see that crackers, advertisers (privacy) and "others" are having a good time because things are getting easier for them than they should be.
Why people keep down-voting the message is a mystery to me. If it is due to the local hostname resolution, mDNS, ULA prefixes, etc., all are workarounds because it is a network one does not control, which is one of the main points I exposed (it also needs filters/rules that need to be manually added in the firewall; each user has to make efforts to try to protect the supposed "from internet" separation).
One could create another network as you said, but the main problem keeps existing without NAT.
RFC1918 address space IS routable, it just doesn't have a global route. There is nothing to stop devices adjacent to your WAN interface (i.e. other customers) from manually adding a route to your RFC1918 address space via your firewall. Will that traffic be allowed? That depends on the device and its configuration. Have you ever tested this scenario? Probably not.
NAT is a hack to get around a shortage of address space, nothing more. Once the shortage is gone there's no more need for NAT. That's why, although NAT with IPv6 is possible, it's very rarely used, because you no longer have any valid reason to use it. If you think there are any other reasons to use NAT then you need to brush up on your network knowledge, because a lot of smarter people than you or I are saying to avoid NAT and designing systems (e.g. IPv6) to fix the problems it causes.
US government advice is to avoid the use of NAT because of the extra complexity it introduces, which actually reduces security:
https://media.defense.gov/2023/Jan/18/2003145994/-1/-1/0/CSI...
IPv6 has link-local addresses that aren't routable, so you can't really get more local than that. Unlike a typical IPv4 setup, typical IPv6 hosts have multiple addresses, and you can make your own for local traffic and only rely on ISP prefixes for internet access if you want to.
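The multiple-address point made in this reply and in the earlier one listing ULA prefixes and local DNS options can be made concrete. The following is an added illustration, not code from anyone in the thread: it classifies a host's IPv6 addresses by scope, derives an RFC 4193 ULA /48 from a 40-bit Global ID, and picks the address a LAN-only DNS server should publish for a local service (ULA first, because it is stable and not reachable from the internet; the ISP-delegated global address is only a fallback). All addresses below are constructed sample values (the 2001:db8::/32 documentation prefix stands in for an ISP-delegated prefix).

```python
import ipaddress
import secrets

# IPv6 scopes relevant to the "how local is local" question.
# Assumed well-known ranges: RFC 4291 link-local, RFC 4193 ULA, global unicast.
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def scope(addr: str) -> str:
    """Classify one IPv6 address as link-local, ula, global or other."""
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_LOCAL:
        return "link-local"      # never forwarded off the link at all
    if ip in ULA:
        return "ula"             # routable inside the site, not on the internet
    if ip in GLOBAL_UNICAST:
        return "global"          # the ISP-delegated, internet-reachable address
    return "other"


def ula_prefix_from_global_id(global_id: bytes) -> ipaddress.IPv6Network:
    """Build an fd00::/8 ULA /48 from a 40-bit Global ID (RFC 4193 layout:
    8-bit prefix fd, 40-bit Global ID, then the 16-bit subnet ID).
    Using random bits for the Global ID is what RFC 4193 recommends; the
    point is that the home network picks this prefix itself, not the ISP."""
    if len(global_id) != 5:
        raise ValueError("Global ID must be exactly 40 bits (5 bytes)")
    prefix_int = (0xFD << 120) | (int.from_bytes(global_id, "big") << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def random_ula_prefix() -> ipaddress.IPv6Network:
    """Generate a fresh, locally chosen ULA /48 for a home network."""
    return ula_prefix_from_global_id(secrets.token_bytes(5))


def pick_local_service_address(addrs):
    """Choose which of a host's addresses a LAN-only DNS zone should publish.
    Preference: ULA (stable, ISP-independent, not globally routed) over the
    global address (works, but changes when the ISP re-delegates the prefix).
    Link-local is excluded: it needs a zone index and cannot be put in DNS."""
    by_scope = {}
    for a in addrs:
        by_scope.setdefault(scope(a), []).append(a)
    for preferred in ("ula", "global"):
        if preferred in by_scope:
            return by_scope[preferred][0], preferred
    return None, "no publishable address"


if __name__ == "__main__":
    # Constructed sample host: one address per scope, as SLAAC typically yields.
    host = [
        "fe80::1c2a:3b4c:5d6e:7f80",   # link-local, constructed
        "fd12:3456:789a::20",          # ULA from the prefix derived below
        "2001:db8:abcd::20",           # "ISP-delegated" (documentation prefix)
    ]
    print(ula_prefix_from_global_id(bytes.fromhex("123456789a")))
    for a in host:
        print(a, "->", scope(a))
    print("publish in LAN DNS:", pick_local_service_address(host))
```

The design choice worth noting: the host keeps the global address for internet access, but the name used inside the home resolves to the ULA, so renumbering by the ISP does not break local services and the published name never points at an internet-reachable address.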
Sure, the internal host's internet routable IP address is visible rather than being masked behind the router's IP address. Pretty much all operating systems periodically randomize the bottom 64 bits, making it effectively as opaque as NAT. You could call that a hack, but people call NAT a hack. There's tradeoffs.
The CVE links you provided are just lists of vulnerabilities with "firewall" in the name. Skimming through them, I don't see how they're specific to IPv6? Most of the vulnerability descriptions I read seem equally problematic for NAT setups. The one IPv6 specific one I saw had to do with a bad firewall rule allowing access to LAN facing services running on the router; it could have just as easily been a bad IPv4 rule.
I agree, consumer network gear all sucks. IPv6 is bolted on as an afterthought, and is probably buggy in a lot of them. More features means more opportunity for bugs, but that's true of anything. IPv6 isn't being deployed for no reason; there's limited IPv4 addresses to go around. I still don't follow why IPv6 is fundamentally riskier than IPv4 when traversing a router. Sure, with NAT an incoming packet needs to have a port number that's been dynamically mapped back to an internal host and port, or have a static port forward. In IPv6, an incoming packet needs to have a destination address and port that's been dynamically mapped back to an internal host and port, or have a static firewall rule. It's basically the same, but also less complicated for the router because there's no translation involved. In time, less complexity is good for software hardness.
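The "basically the same" argument in this reply (and the magic-packet point a few replies up) rests on both paths being decided by the same connection-tracking state. The following added model, not any router's firmware, shows that decision side by side: an IPv4 gateway doing NAT plus filtering and an IPv6 gateway doing filtering only. In both, an inbound packet is delivered only if it matches the reverse of a flow the inside host opened, or a static rule (a port forward on the NAT box, an allow rule on the IPv6 box); everything else is dropped by the default policy. All addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulGateway:
    """Minimal model of a home router's forwarding decision.

    nat=True:  IPv4 style, rewrites the source of outbound flows to wan_ip
               and a fresh external port, remembering the mapping.
    nat=False: IPv6 style, forwards outbound flows unchanged but still records
               them so that replies can be matched.
    static_rules: {(dst_addr, dport): (inside_addr, inside_port)} meaning
               a port forward (NAT) or a plain inbound allow rule (IPv6).
    Default inbound policy is DROP in both cases; that policy is the
    'additional rule' the thread argues about."""

    def __init__(self, nat=False, wan_ip=None, static_rules=None):
        self.nat = nat
        self.wan_ip = wan_ip
        self.static_rules = dict(static_rules or {})
        self.conntrack = {}       # expected reply key -> (inside_addr, inside_port)
        self.next_ext_port = 40000

    def outbound(self, flow: Flow) -> Flow:
        """Forward a packet from the LAN and record the state a reply must match."""
        if self.nat:
            ext_port = self.next_ext_port
            self.next_ext_port += 1
            reply_key = (flow.proto, flow.dst, flow.dport, self.wan_ip, ext_port)
            self.conntrack[reply_key] = (flow.src, flow.sport)
            return Flow(flow.proto, self.wan_ip, ext_port, flow.dst, flow.dport)
        reply_key = (flow.proto, flow.dst, flow.dport, flow.src, flow.sport)
        self.conntrack[reply_key] = (flow.src, flow.sport)
        return flow

    def inbound(self, flow: Flow):
        """Decide an inbound packet: (verdict, (inside_addr, inside_port) or None)."""
        key = (flow.proto, flow.src, flow.sport, flow.dst, flow.dport)
        if key in self.conntrack:                       # reply to a LAN-initiated flow
            return "accept-established", self.conntrack[key]
        rule = self.static_rules.get((flow.dst, flow.dport))
        if rule is not None:                            # explicit operator decision
            return "accept-static", rule
        return "drop", None                             # default policy


def demo():
    """Run the same four packets through an IPv4 NAT gateway and an IPv6
    filtering gateway and return the verdicts for comparison."""
    # --- IPv4 with NAT (constructed: 192.168.1.0/24 LAN, 203.0.113.10 WAN) ---
    v4 = StatefulGateway(nat=True, wan_ip="203.0.113.10",
                         static_rules={("203.0.113.10", 8080): ("192.168.1.30", 80)})
    translated = v4.outbound(Flow("tcp", "192.168.1.20", 51000, "198.51.100.5", 443))
    v4_results = {
        "reply": v4.inbound(Flow("tcp", "198.51.100.5", 443, translated.src, translated.sport)),
        "unsolicited": v4.inbound(Flow("tcp", "198.51.100.5", 12345, "203.0.113.10", 22)),
        "static": v4.inbound(Flow("tcp", "198.51.100.5", 12345, "203.0.113.10", 8080)),
    }
    # --- IPv6 without NAT (constructed: 2001:db8:1::/64 LAN) ---
    v6 = StatefulGateway(nat=False,
                         static_rules={("2001:db8:1::30", 80): ("2001:db8:1::30", 80)})
    v6.outbound(Flow("tcp", "2001:db8:1::20", 51000, "2001:db8:ffff::5", 443))
    v6_results = {
        "reply": v6.inbound(Flow("tcp", "2001:db8:ffff::5", 443, "2001:db8:1::20", 51000)),
        "unsolicited": v6.inbound(Flow("tcp", "2001:db8:ffff::5", 12345, "2001:db8:1::20", 22)),
        "static": v6.inbound(Flow("tcp", "2001:db8:ffff::5", 12345, "2001:db8:1::30", 80)),
    }
    return {"ipv4_nat": v4_results, "ipv6_filter": v6_results}


if __name__ == "__main__":
    for family, results in demo().items():
        for name, (verdict, target) in results.items():
            print(f"{family:12} {name:12} {verdict:20} -> {target}")
```

The only difference between the two objects is the address rewrite in `outbound`; the `inbound` decision, including the default drop, is identical code. That is the sense in which a bug that breaks the filter on an IPv6 router is the same class of bug as one that breaks it on a NAT router.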
I also get anxiety from trying to wrap my head around IPv6 address assignment. It is nuts. It's very comforting to work in the effectively 8-bit address space of a /24 IPv4. I suppose it's true that you can't control internet routable IPv6 addresses in that they are dynamic and ephemeral in their nature. Coming from IPv4, it feels messy. I've experimented in detail with configuring my own ULA, DHCPv6 configuration, and SLAAC. I've tried to embrace the benefits of IPv6, and having used a few of the features I can appreciate them for what they are.