> I certainly don't want ingress from the public Internet to devices on my home network in the general case
This is a job for a firewall. NAT is not a firewall. You can easily filter incoming connections to untrusted devices when using IPv6, with the advantage that when you want to allow a certain kind of traffic in you can do so without messing around with port forwarding or dealing with multiple devices competing for access to standard port numbers on a single public IP address. That's assuming you actually get a public IP address; if you're behind CGNAT then port forwarding isn't even an option, since it would need to be configured on the ISP's side and not just in your router.
If you enable UPnP for automatic port forwarding, as most do, then NAT isn't blocking much of anything. The only difference between NAT with UPnP and IPv6 with no filter preventing incoming connections is in whether devices which open ports but don't set up forwarding can assume that incoming connections probably came from the same local network. However, it's considered poor practice to treat access to the local network as a means of authentication. (Note that with NAT alone, if your router receives a packet addressed to your local network's private IP range, and not the router's public IP address, it will forward it unmodified; preventing that is a firewall function, not a NAT function.)
> and I think it's kind of nice that the Internet only knows the address of my router rather than that of my physical machine
If you use IPv6 with privacy extensions enabled then the Internet will only know your /64 network prefix, which is basically the same thing (unique per subscriber and subnet). The rest of the address will be randomly generated and short-lived, unless you choose to assign an additional long-lived address e.g. for a server.
> I'm not sure whether I care if that gateway is doing NAT as well or not? What can I do with a non-NAT-ing gateway?
Doing NAT isn't the problem, requiring NAT is. When the architecture requires NAT devices can't receive incoming connections without port forwarding even when you want them to. We've gotten rather good at working around NAT's limitations (not without cost), but with IPv6 those workarounds are unnecessary. For example, any peer-to-peer multiplayer game, video chat, or file transfer app where both sides are behind NAT depends on third-party servers for NAT traversal. (Note that the fact that this works at all without actually forwarding all data through the third-party servers shows that NAT is not a reliable system for preventing incoming UDP connections: it can be tricked into thinking a connection is already established.) With IPv6 you don't need the third-party servers as the peers can connect to each other directly.
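An added example (not from anyone in this thread) of the "only the /64 prefix is attributable" point above: it splits an address into the routing prefix a remote site sees and the interface identifier, draws an RFC 4941-style random temporary identifier under that prefix, and flags the MAC-derived (modified EUI-64) identifiers that privacy extensions exist to avoid. All addresses are constructed from the 2001:db8::/32 documentation range; a real host also rotates temporary addresses on a timer, which this single draw does not model.

```python
import ipaddress
import secrets

# Constructed example value: 2001:db8::/32 is the IPv6 documentation range.
EXAMPLE_PREFIX = "2001:db8:1234:5678::/64"


def network_prefix(addr: str, prefix_len: int = 64) -> str:
    """The part of an address a remote site can attribute to the subscriber:
    the routing prefix, typically the /64 handed to the LAN."""
    net = ipaddress.IPv6Network(f"{addr}/{prefix_len}", strict=False)
    return str(net)


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """Build an RFC 4941-style temporary address: a random 64-bit interface
    identifier (IID) under a /64.  RFC 4941 clears bit 6 of the first IID
    octet (the 'u' bit) so the result is never mistaken for a MAC-derived
    EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC/privacy addresses need exactly a /64")
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear the u/l bit (0x02)
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def looks_eui64(addr: str) -> bool:
    """True if the IID looks derived from a MAC address (modified EUI-64):
    0xfffe in the middle of the IID and the u bit set.  Such an address
    embeds the NIC's hardware address and stays the same on every network,
    which is exactly the tracking handle privacy extensions remove."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    return iid[3:5] == b"\xff\xfe" and bool(iid[0] & 0x02)


if __name__ == "__main__":
    # Two draws under the same prefix: same /64, different suffixes.
    for _ in range(2):
        a = temporary_address(EXAMPLE_PREFIX)
        print(a, "->", network_prefix(str(a)), "eui64:", looks_eui64(str(a)))
    # Constructed EUI-64 style address (MAC 00:21:70:12:34:56 with the u bit flipped).
    print(looks_eui64("2001:db8:1234:5678:221:70ff:fe12:3456"))
```

Run `ip -6 addr` on a host and feed its global addresses to `looks_eui64` to see whether it is still advertising its MAC to every site it talks to; the prefix is the same either way, so what privacy extensions hide is the machine, not the household.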
> With IPv6 you don't need the third-party servers as the peers can connect to each other directly.
This will never happen. NAT gets replaced with a stateful gateway still doing conntrack (look at OpenWRT...) and p2p works exactly the same. UPNP, port forwarding, STUN are still relevant and work the same... Except IPv6 hexadecimal addresses are a usability disaster and dual stack will forever be a security disaster. Worst technology ever.
> NAT gets replaced with a stateful gateway still doing conntrack…
Yeah, blocking incoming connections by default is a bad habit and needs to stop. It's fine for untrusted devices or private VLANs which shouldn't be accepting direct incoming connections in the first place (like cheap IoT gadgets), and should probably be additionally filtered to prevent inter-device connections and access to arbitrary Internet sites, but a laptop, phone, or tablet is perfectly capable of deciding on its own whether to accept or reject an incoming connection, and moreover as a mobile device must assume the network could be hostile anyway.
> Except IPv6 hexadecimal addresses are a usability disaster…
How are IPv6 addresses "a usability disaster" when you never see them? Just use DNS like a sane person.
> …and dual stack will forever be a security disaster.
That's a new one to me. How is dual-stack (IPv4+IPv6) any worse security-wise than any other situation where you have multiple "upstream" Internet connections, e.g. for failover or load balancing?
Blocking incoming connections by default is what I like about the current scenario.
You don't trust "cheap IoT gadgets". I would like to be able to trust any/all my devices. But I don't.
I don't trust M$/Apple/Linux - AND any associated applications people might want to use at home(kodi, plex, screencast, NAS for example) - to be 100% perfect when it comes to "deciding on its own whether to accept or reject an incoming connection".
I see "block by default" as being a layer of security - one bit of defence in depth.
Happy to drop NAT (with its IP<->port mapping complications) for a straight IPv6 firewall though.
If you really want to block all incoming connections by default on your own network you can. Personally I think if a reasonably capable (i.e. non-IoT) host opens up a port to accept incoming connections, and there isn't a specific rule set by the local admin to block that port or host, then incoming connections should be allowed. NAT certainly doesn't stop all incoming traffic given that UPnP is enabled by default on most routers, not to mention all the methods available for UDP NAT traversal. It just makes it more complicated.
If you've ever connected your phone or laptop to a public WiFi network (or for that matter, the cellular data network) then it's been exposed to an environment where there is no extra layer of protection from incoming connections beyond that implemented by the host itself. We generally expect that to work without major security issues. Non-mobile, "appliance"-type devices might need stronger filtering if they weren't designed to be connected directly to the Internet, but that assumption is becoming less common as more devices require authenticated connections rather than trusting the local network.
And that's the thing. With a firewall and IPv6 we can each configure for what we want without the NAT hassle/expectation.
I would aim for a default block with allowList and agree with you that a non-IoT host using a UPnP-like mechanism (does UPnP cover IPv6 firewall like scenario?) is probably ok.
Ideally I'd like some kind of notification system where I can click "allow" for the firewall. (Maybe the firewall notifies my phone?) I think UPnP as it currently stands is a bit too hands off but can understand not every user wants to deal with this.
And we agree regards mobiles being in a default hostile environment and expecting it to work. But I see that as a matter of fit-for-purpose. I don't trust every computer I have to that level.
The miniupnpd UPnP daemon (used e.g. by OpenWRT) includes code[0] to handle IPv6 "pinhole" requests—not port forwarding, which isn't required for IPv6, but rather just opening a port in the firewall to permit incoming connections to a certain host.
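An added example (not miniupnpd's code, and not from anyone in this thread) of what an IPv6 "pinhole" is in firewall terms, tying together the earlier point that filtering, not NAT, is what blocks inbound traffic and the observation that opening a port for one host needs no port forwarding: a default-deny nftables forward chain with a timed set of allowed (host, protocol, port) tuples, plus the validation a pinhole request handler should do before touching it. The ruleset syntax is nftables (`th dport` needs a reasonably recent nft); the LAN prefix, router address and the policy that a client may only pinhole its own address are assumptions chosen for the example.

```python
import ipaddress

# Constructed example values (2001:db8::/32 is the documentation range).
LAN_PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")  # prefix delegated to the LAN
ROUTER_ADDR = ipaddress.IPv6Address("2001:db8:1234:5678::1")   # the gateway's own LAN address
MAX_LEASE = 24 * 3600                                          # assumed cap on a pinhole lease

# Default-deny forward chain with a timed "pinholes" set.  New inbound
# connections reach the LAN only if (dst host, proto, port) is in the set;
# entries expire on their own, so a forgotten pinhole does not stay open.
BASE_RULESET = """\
table inet filter {
    set pinholes {
        type ipv6_addr . inet_proto . inet_service
        flags timeout
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        meta l4proto icmpv6 accept
        ip6 daddr . meta l4proto . th dport @pinholes ct state new accept
    }
}
"""


def check_request(requester: str, host: str, proto: str, port: int, lease: int):
    """Return None if a pinhole request is acceptable, else the reason to refuse.
    Policy here is an assumption for the example: a client may only open
    pinholes for its own address, that address must be inside the LAN prefix,
    and the router itself is never exposed this way."""
    try:
        req = ipaddress.IPv6Address(requester)
        tgt = ipaddress.IPv6Address(host)
    except ValueError:
        return "malformed address"
    if tgt not in LAN_PREFIX:
        return f"{tgt} is outside {LAN_PREFIX}"
    if tgt == ROUTER_ADDR:
        return "refusing to expose the router itself"
    if req != tgt:
        return "clients may only open pinholes for themselves"
    if proto not in ("tcp", "udp"):
        return "protocol must be tcp or udp"
    if not 1 <= port <= 65535:
        return "port out of range"
    if not 1 <= lease <= MAX_LEASE:
        return f"lease must be 1..{MAX_LEASE} seconds"
    return None


def pinhole_command(requester: str, host: str, proto: str, port: int, lease: int) -> str:
    """nft command that opens the pinhole for `lease` seconds; raises if refused."""
    reason = check_request(requester, host, proto, port, lease)
    if reason:
        raise ValueError(reason)
    tgt = ipaddress.IPv6Address(host)
    return f"nft add element inet filter pinholes {{ {tgt} . {proto} . {port} timeout {lease}s }}"


def close_command(host: str, proto: str, port: int) -> str:
    """nft command that removes a pinhole before its timeout runs out."""
    tgt = ipaddress.IPv6Address(host)
    return f"nft delete element inet filter pinholes {{ {tgt} . {proto} . {port} }}"


if __name__ == "__main__":
    host = "2001:db8:1234:5678:abcd::2"
    print(BASE_RULESET)
    print(pinhole_command(host, host, "tcp", 22, 3600))
    print(check_request("2001:db8:1234:5678::9", host, "tcp", 22, 3600))
    print(close_command(host, "tcp", 22))
```

Load `BASE_RULESET` with `nft -f -` and the generated commands open and close holes without any address rewriting: the host keeps its own global address and its own port, and two machines can both accept port 22 behind the same gateway. Compare that with the IPv4 case, where UPnP has to hand out distinct external ports on the one public address.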