Re: Security concerns
yeah, about those security concerns: I identified a number of those YEARS ago, and came to a few conclusions on how to mitigate them.
1. Every IPv6 is technically a publically-viewable IP address, which means your extremely insecure box (like one that is running a Micros~1 OS) can be directly accessed from "teh intarwebs". IPv4 usually has some kind of NAT that effectively firewalls most of the problems caused by a ;publically visible IP address. A similar "NATv6" would do the job and also allow for firewalling.
2. Direct routing to the outside world must somehow be managed so that firewalling can be properly done, especially for secure things. A "NATv6" system could also do that, but it may be more easily done by implementing IPv6 tunnels or internal VPNs. As an example, I use a popular ISP for IPv6 tunneling over IPv4. It can somewhat-easily be done on individual workstations, but would require SIGNIFICANT careful firewalling if you did this for Micros~1 OSs.
3. On Micros~1 OSs, there are a significant number of "listening ports" that you can see via the windows equivalent of "netstat -l". Like the old "Win Nuke" exploit of a few decades ago, there is nothing to stop some rogue from firing random packets at a visible port until something breaks. As such, having these ports "seen" over IPv6 is a major security risk. Normally the firewall settings would mitigate this, but a proper firewall appliance is really needed, and not something that runs ON a Micros~1 OS trying to "firewall itself".
Each physical connection to the internet could (somewhat simply) be routed through "an appliance" that would a) firewall everything, b) provide a level of "NATv6", c) assign semi-randomized IPv6 addresses to clients through a DHCPv6 or similar address assignment [already part of the protocol], and d) prevent any client from opening an un-firewalled publicly visible listening port [a major security flaw caused by UPnP support on many NAT routers, if you don't shut it off].
And yeah, it should NOT be that hard.
The biggest problem I found was filtering all of the IPv6 listening ports for windows boxen. I simply don't allow incoming connections on those ports. But I don't NAT the IPv6 addresses, so in theory, a windows box COULD open up a publicly visible listening port. If that ever becomes a problem I'd set up a better firewall on the gateway to prevent it (disallow ALL incoming connections to specific IPv6 ranges or similar). This is still do-able since you know what IPv6 addresses are routeable on the local side, and which ones are gateways [so you allow incoming connections on the gateways only]. However, for my home/office setup, I chose not to do it this way. And there's only one IPv6-capable windows box running these [the rest are all Linux or FreeBSD or phones]. I could shut off IPv6 on that box if I ever needed to.
Worth pointing out, phones and slabs do IPv6 really well on my LAN, over the WiFi. [now if I could JUST get some real speed on it...]
Biting the hand that feeds IT
