said by Walter Dnes: Dear internet hippies; please stop ranting about NAT. There's a joke about how 90% of today's baby boomers remember having attended Woodstock in 1969. It seems that there's a similar false memory syndrome about everybody having end-to-end connectivity in "ye olde internete" of some fabled distant past. I'm pushing 61, and my memories are totally different.
Was 12 years ago really that long? The success of Napster (and later Gnutella/Kazaa) is directly attributable to the end-to-end connectivity allowed by dial-up and the first few broadband links. A small fraction of NAT-enabled clients didn't break the network, but only because the bulk of the 'herd' had a direct, public IP. (Remember that this was also before UPnP and STUN mitigated some of the problems of a NAT-rich environment.)
IPv6 privacy extensions give individual machines in a client (/64) network almost exactly the same level of privacy they currently have behind a private network with a single IP used with NAT. (I say 'almost' because privacy extensions will still allow someone monitoring an entire network's traffic to set a lower bound on the number of active, transmitting devices. IPv4 makes this detection somewhat harder, requiring more detailed association of flows.)
The static or dynamic nature of the /64 prefix is only equivalent to the static or dynamic nature of the current IPv4 address: it remains mostly meaningless. A static prefix will allow a foreign host to associate a prefix with a single customer, but without deliberate precaution today's DHCP-assigned dynamic addresses still persist for days to weeks at a time. That is, a fully static address/prefix is only good for time-associations longer than a week or so, and that's a pretty marginal area as-is.
In return, privacy extensions have the potential to almost completely eliminate host-scanning attacks. The first /64 is already a relatively sparse address space (making it difficult for a completely random scanner to find your customer-based network in the first place), and then privacy-extension addresses in the second /64 make it difficult to find your computers on your own network. Implementations aren't yet perfect (we tend to give home routers easy-to-guess assignments in the last /64, and the unchanging EUID-based addresses are still used as the 'permanent' addresses for privacy-enabled systems, although no outgoing connections should come from that address), but there's little technical reason to expect a persistent vulnerability here.
To put it another way: the 2000-era Code Red worm could not have happened had we been all using IPv6 addresses.
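As an added example (not part of the original thread), a Python sketch of the two interface-identifier schemes the post contrasts: the stable modified-EUI-64 identifier derived from a hardware MAC versus a randomized RFC 4941-style temporary identifier, a defender-side check that flags hardware-derived addresses as long-lived tracking handles, and a comparison of the exhaustive sweep cost of an IPv4 /24 against an IPv6 /64. The prefix and MAC are constructed sample values.

```python
import ipaddress
import secrets

def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A).
    The MAC is split, ff:fe is inserted in the middle and the universal/local bit
    (0x02 of the first byte) is flipped. It never changes, so it follows the host
    across networks and time: the tracking problem privacy extensions address."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]

def temporary_iid(rng=secrets.token_bytes) -> bytes:
    """Random interface identifier in the spirit of RFC 4941 privacy extensions:
    64 random bits with the u/l bit cleared, so it can never be mistaken for a
    globally unique (hardware-derived) identifier. rng is injectable for testing."""
    iid = bytearray(rng(8))
    iid[0] &= 0xFD  # clear bit 0x02: mark the identifier as locally administered
    return bytes(iid)

def make_address(prefix: str, iid: bytes) -> str:
    """Combine a /64 prefix (constructed sample, e.g. 2001:db8:1::/64) with an IID."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("expects a /64 prefix and a 64-bit interface identifier")
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))

def looks_like_eui64(addr: str) -> bool:
    """Defender-side check over observed source addresses: ff:fe in the middle of the
    IID plus a set u/l bit marks a hardware-derived address, i.e. a stable handle an
    observer can correlate over time. A random IID matches by chance ~1 in 65536."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    return iid[3:5] == b"\xff\xfe" and bool(iid[0] & 0x02)

def sweep_seconds(network: str, probes_per_second: float) -> float:
    """Seconds needed to probe every address in a prefix at a fixed rate; the gap
    between a /24 (256 hosts) and a /64 (2**64 hosts) is why blind host scanning
    of a privacy-extension network is impractical."""
    return ipaddress.ip_network(network, strict=True).num_addresses / probes_per_second

if __name__ == "__main__":
    stable = make_address("2001:db8:1::/64", eui64_iid("00:11:22:33:44:55"))
    temp = make_address("2001:db8:1::/64", temporary_iid())
    print(stable, looks_like_eui64(stable))  # hardware-derived: True
    print(temp, looks_like_eui64(temp))      # randomized: almost always False
    print(sweep_seconds("192.0.2.0/24", 1000), sweep_seconds("2001:db8::/64", 1e6))
```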