IMO, not having NAT is a "new toy". It allows end-to-end connectivity again. Any peer-to-peer apps work much better on IPv6, and if you're developing one then it's actually possible again.

You could try fd00::1, fd00::2, ... for short internal static addresses. You don't have to use a random prefix in that range - it's just policy (for good reasons that might not matter for a small network).

▲

nottorp 18 hours ago | parent [-]

> Any peer-to-peer apps work much better on IPv6, and if you're developing one then it's actually possible again.

Yeah, and my Windows box is again accessible from the outside with whatever services MS deems to run by default...

Yes, there are firewalls, but isn't it better if a potential attacker doesn't even know what's behind my router?

P.S.: Since webrtc showed up to do whatever it wants with my network, peer to peer has started to mean "donating resources to some company" to me.

▲

Dagger2 17 hours ago | parent [-]

v4 networks commonly only get one IP for the whole network, and people use NAT with port forwarding to make inbound connections work. With this setup, an attacker only needs to scan the 65536 ports on the router to exhaustively enumerate every single publicly accessible server on your entire network, which is about 3 megabytes of traffic and takes approximately no seconds.

On v6, you don't use NAT and networks are /64. Finding every server requires scanning 65536 ports on all 2^64 IPs, which is about 72 billion petabytes of traffic. There are ways to prune this down somewhat, but however you do it the search space is still far larger.

If you want attackers to not know what's behind your router, you want v6.

	▲	nottorp 9 hours ago \| parent [-]
		> to exhaustively enumerate every single publicly accessible server on your entire network Enterprise thinking. It's not the publicly accessible servers i worry about, it's the other boxes that shouldn't be publicly accessible...