
IPv4 apocalypse means we just can't measure the internet any more

Nanashi

Re: I don't want to be measured!

I don't think trying to limit the number of devices you have is going to work well, in part because you could just run to NAT if they tried. But that doesn't mean everyone should be forced to use NAT all the time just in case some ISP somewhere goes retarded.

ISPs do suck, but that's no reason to fight v6.

> If ever I allow an IoT device on my LAN, it MUST be able to connect to a central server WITHIN my LAN ONLY.

Yeah, this is basically how I run my IoT-style stuff too. You are free to do this even if you're using v6 on your LAN, it won't stop you from doing it. v6 just gives you the _possibility_ of accepting selected inbound connections in any situation where you actually do want remote control (which is something you won't be able to do on v4 once CGNAT ends up being common).

> Skype is going to a client/server model anyway, because peer-to-peer is not good for analyzing your contents...

Well, yeah, but the point is that nobody can make a direct peer-to-peer program when everybody is behind multiple levels of NAT. If you don't want to run everything through a central server, then step 0 is to make it possible to avoid doing that. Whether anybody will come along and take advantage of the possibility is a separate matter, but they definitely won't if it's not possible.

> and once you have a NAT traversal library for games you don't have to waste precious resources which hinder "awesomeness"

In theory, except people seem to have trouble with NAT traversal quite frequently, and it still requires running some form of servers to set up the traversal. And some games opt not to bother and instead require multiplayer to use central servers hosted by the company, which they have to pay for and will eventually shut down. (And did I mention the extra latency caused by all this crap?)

> Which makes extra work for whoever's programming the firewall and hence increases the probability of bugs

It's not so bad. The random addresses are for outbound connections; for inbound connections you have a fixed address (which is difficult to find without knowing what it is, because a /64 is so extremely large that it's impossible to scan). So your inbound firewalls don't need to change frequently.

What about firewalls/ACLs on servers that you connect to? For those, you just allow the /64, i.e. the whole network. That's what you had to do in v4 anyway, where the whole network was NATed behind one public IP.

So actually this part of firewalling ends up basically identical to the current situation in v4.
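The two policies described in the comment above (host-side inbound rules pinned to the one fixed address, server-side ACLs that allow the client's whole /64 because its outbound temporary addresses rotate), as an added worked example that is not part of the original post. The prefix 2001:db8:1234:5678::/64, the fixed inbound address ::10, the probe rate and the seeds are constructed sample values; the temporary addresses are generated with a random 64-bit interface identifier in the style of RFC 4941 rather than by any real stack.

```python
import ipaddress
import random

# Constructed sample values (not from the original thread): a /64 delegated
# to the home LAN and the one stable address on which inbound connections
# are accepted.
LAN_PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")
INBOUND_HOST = ipaddress.IPv6Address("2001:db8:1234:5678::10")


def temporary_address(prefix, seed=None):
    """Return a temporary (privacy) address: the /64 prefix plus a random
    64-bit interface identifier. This is the kind of source address outbound
    connections use, and it changes over time."""
    iid = random.Random(seed).getrandbits(64)
    return ipaddress.IPv6Address(int(prefix.network_address) + iid)


def host_firewall_allows_inbound(dst, allowed_hosts):
    """Host/edge inbound policy: new connections are accepted only on the
    fixed address(es), matched exactly (/128). Temporary addresses never
    appear in this rule set, so it does not need to change when they rotate."""
    return ipaddress.IPv6Address(str(dst)) in allowed_hosts


def server_acl_allows(src, allowed_prefixes):
    """Remote server ACL: allow the whole /64 the client sits in, since the
    client's source address rotates. This is the v6 equivalent of allowing
    the single public v4 address the LAN was NATed behind."""
    src = ipaddress.IPv6Address(str(src))
    return any(src in net for net in allowed_prefixes)


def scan_time_years(prefix, probes_per_second):
    """Wall-clock years a brute-force sweep of every address in `prefix`
    would take at a given probe rate; illustrates why an unknown address in
    a /64 cannot be found by scanning."""
    return prefix.num_addresses / probes_per_second / (365 * 24 * 3600)


def demo(n=5, seed=1):
    """Evaluate both policies over n rotating temporary addresses plus the
    fixed inbound address, and return the counts so the result can be checked."""
    temps = [temporary_address(LAN_PREFIX, seed=seed + i) for i in range(n)]
    return {
        "temps_in_lan": sum(t in LAN_PREFIX for t in temps),
        "temps_accepted_by_server": sum(server_acl_allows(t, [LAN_PREFIX]) for t in temps),
        "temps_reachable_inbound": sum(host_firewall_allows_inbound(t, {INBOUND_HOST}) for t in temps),
        "fixed_reachable_inbound": host_firewall_allows_inbound(INBOUND_HOST, {INBOUND_HOST}),
        # A host in some other /64 is not covered by the server ACL.
        "other_lan_accepted": server_acl_allows("2001:db8:ffff:1::1", [LAN_PREFIX]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    # 2**64 addresses at a billion probes per second is still centuries.
    print(f"years to sweep one /64 at 1e9 probes/s: {scan_time_years(LAN_PREFIX, 1e9):.0f}")
```

The point the counts make is the one in the comment: every rotating address still falls inside the /64 the server allows, none of them is reachable inbound, and the fixed address is, so neither rule set has to track the temporary addresses at all.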
