
I'm not a network engineer. But I've yet to see a good way to protect an IPv6 network. I don't want the local webserver I develop on to be exposed to the internet. It's my understanding that the default router configuration will do just that. I don't see a good way to deal with privacy issues. IPv6 essentially gives a unique identifier to every computer in the household by default.


You'd set up your firewall to protect your IPv6 network. This policy says to do this: the firewall defaults to passing no traffic. Same as you have now.

IPv6 privacy extensions (around for many, many years, and on by default on at least macOS and others for many iterations) give you a new IPv6 address every time period, and rotate through them transparently.


Just want to make it clear: usually you are assigned a prefix which you can announce to your network, and then nodes will pick random addresses from that prefix. It's still easy to determine the packets came from your network, just not clear from which device exactly, much like current NAT setups, let's say...


... unless your ISP changes your prefix regularly (like every day), as is now the case for those who have a public dynamic IPv4. If they give you a static IPv6 prefix, it's like giving you a static IPv4 now, i.e. something ISPs would probably want to monetize as a premium service. So I'm pretty sure we'll end up with regularly changing prefixes... which is probably good for privacy.
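An added example (not from the thread) that checks the point raised above: if a host uses an EUI-64 interface ID, its MAC address is embedded in every address it gets, so the host stays linkable even when the ISP rotates the prefix; privacy-extension (RFC 4941) or stable-privacy (RFC 7217) IDs do not carry that marker. The sample addresses are constructed from the documentation prefix 2001:db8::/32.

```python
# Added example, not code from the thread: audit IPv6 addresses for
# MAC-derived (EUI-64) interface IDs, which survive ISP prefix rotation.
import ipaddress
from collections import defaultdict

ULA = ipaddress.IPv6Network("fc00::/7")   # unique local addresses

# Constructed sample: one host seen under two ISP prefixes with an EUI-64 ID,
# one host with a random ID, plus a link-local and a ULA address.
SAMPLE_ADDRS = [
    "2001:db8:1234:1:211:22ff:fe33:4455",   # EUI-64, prefix A
    "2001:db8:abcd:1:211:22ff:fe33:4455",   # same host after prefix change
    "2001:db8:1234:1:9f3a:7c1d:42e8:1b06",  # privacy-extension style ID
    "fe80::211:22ff:fe33:4455",             # link-local, EUI-64
    "fd12:3456:789a:1::1",                  # unique local
]

def extract_eui64_mac(addr):
    """Return the MAC embedded in a modified-EUI-64 interface ID, else None.
    Heuristic: a random ID carries the ff:fe marker with probability 2^-16."""
    iid = addr.packed[8:]                   # low 64 bits = interface ID
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                   # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def classify(addr_str):
    """Describe one address: scope, its /64 prefix and whether the ID leaks a MAC."""
    addr = ipaddress.IPv6Address(addr_str)
    scope = ("link-local" if addr.is_link_local
             else "ula" if addr in ULA else "global")
    mac = extract_eui64_mac(addr)
    return {
        "address": str(addr),
        "scope": scope,
        "prefix": str(ipaddress.IPv6Network(f"{addr}/64", strict=False)),
        "eui64_mac": mac,
        "iid_kind": "eui-64 (leaks MAC)" if mac else "random/stable-privacy",
    }

def mac_across_prefixes(addr_strs):
    """Map each leaked MAC to the sorted global /64 prefixes it appeared in;
    more than one prefix means the host is trackable despite prefix rotation."""
    seen = defaultdict(set)
    for info in map(classify, addr_strs):
        if info["scope"] == "global" and info["eui64_mac"]:
            seen[info["eui64_mac"]].add(info["prefix"])
    return {mac: sorted(prefixes) for mac, prefixes in seen.items()}
```

Run it against the addresses your router or `ip -6 addr` reports; any MAC that shows up under more than one prefix is a device that prefix rotation is not protecting.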


In most countries, the ISP is legally obliged to keep records of which customer had which address at which point in time. Usually a court can order an ISP to hand over those records. In other cases, the police, secret service, copyright lawyers etc. can talk directly to the ISP.


Sure, but keeping logs for legal reasons doesn't mean transmitting those logs to all the web sites you visit. I think the point here was untrackability by websites rather than pure anonymity.


In general, the level of privacy/anonymity should be pretty similar with IPv4 or IPv6 in the real world. You will be better off at some hacky, local IPv4-only ISP behind a huge "CG"NAT because they may not keep all the records, or not for so long, or whatever. You might be better off at a large mobile provider with IPv4 as a service over an IPv6 network, because the prefixes can change often and IPv4 is again basically a huge gateway hiding you to some degree. If you really need to be as anonymous as possible to most services online, use Tor or a series of VPNs/SSH tunnels in different countries or whatever and a number of other anonymizing tools, browser plugins etc. Having IPv4 or IPv6 will not play a role, as people usually leave huge amounts of traces all over the place. For websites, for all these reasons, it is way more interesting to fingerprint you with multiple different aspects of your online presence. E.g. look here: https://amiunique.org/ or here: https://robinlinus.github.io/socialmedia-leak/

For most people and websites, IPv4 vs IPv6 for fingerprinting isn't very interesting because websites have better means and people usually don't really know/care, and most ISPs think they have a great business model handing out dynamic prefixes/IPs and combining all that with CGNAT or NAT64/DS-Lite or other gateways. Privacy extensions and local NATs of various kinds also don't help in having more visibility into that chaos. Actually, in my experience, most tracking currently is really, really dumb, to such a degree that I cannot be reliably tracked even if I want to be (e.g. when using navigation like Waze) because for some reason the app cannot get my position using GPS even after tens of minutes. The app still hasn't figured out I live somewhere else now and hasn't offered me a new home address. It also quite obviously doesn't recognize any pattern in my routine. That would actually kind of be the point of the app, wouldn't it - it would make it more comfortable for me and it could serve me much better targeted ads, e.g. for good coffee in the morning? I also don't get very meaningful suggestions or ads for anything, and I only use an ad-block plugin. For those reasons, I don't think most websites are able to track me effectively, and I don't worry about law enforcement much - I am not a journalist, nor a dissident, nor have I done anything of interest to law enforcement or such.

I think we all should worry a bit less and focus on fixing stuff all over the place so that tracking is more easily detectable and can be mostly disabled in such a way as to not hinder useful functionality. IPv4 and IPv6 as currently deployed are mostly "boring" in a good way. IPv6 tends to work just fine in places that want to make it work. So for most things, talking IPv4 vs IPv6 is like vim vs emacs or some other endless and rather pointless discussion. Not very informative or useful. We should be using what makes sense. IPv6 starts to make sense in most places, because it becomes easier to set up each day and IPv4 becomes more expensive to maintain. The real problems of IT are really elsewhere now, and they are so plentiful.

You would laugh, but just doubling the amount of RAM in a computer today is an undertaking. You cannot get RAM with the same frequency and timing as is built into a computer just a few years old. Higher speed RAM doesn't "just work". No, you have to update the BIOS/UEFI because, as it turns out, they have support for newer RAM standards, and set the frequency by hand to enforce a downclock of the newer RAM - not really something a regular user would know how to do at all. All of this just adds up, and the IT field is so complex nobody can reliably navigate it nor give any dependable estimates about anything. You have similar things way up the stack. Just try updating dependencies in a project (mentioned at length on the front page just a few days ago: https://news.ycombinator.com/item?id=29106159). If engineers have to spend 2 hours solving stuff that should have taken 10 minutes, we have a major problem - we are just not getting stuff done, because we have been let down by otherwise solid assumptions.


Anecdotal, but I manage connections from AT&T and Comcast and both have had stable IPv6 prefixes since they were installed multiple years ago.


That's true for IPv4 too. I've had the same IPv4 from my ISP for months.

The truth is that if you are not tunneling over some kind of VPN or using onion routing your IP is public, period.


Genuinely curious: how do you maintain a local DNS to make sure you can always designate 'printer' and 'intranet' by name?


Things in IPv6 land can have multiple IP addresses - you can have a fixed address or use a fixed link-local address for a DNS entry if you're not using something like multicast DNS, but it can still initiate connections using a privacy extension address.


Multicast DNS, e.g. Bonjour.


Even now I doubt many home users have a local DNS server for reaching their printer by name. I think Windows uses NetBIOS for this purpose, which should work fine over IPv6 too.


Some models of home routers do run an internal DNS server which makes things accessible under a subdomain with whatever name you've set for that device in the router's configuration.


dnsmasq: requests for a new DHCP lease contain the hostname, which it duly registers.


printer.local


Protecting IPv6 networks works just the same as IPv4 networks: by using firewalling.

NAT is not a security mechanism. Most consumer routers seem to block any incoming traffic from the outside world by default anyway.


I'm not trying to be aggressive here. But what's the actual end user difference between NAT and firewalled IPv6 for me and my local network then? I assume I could route more than one address for a specific port. On the other hand I have to pay for a domain record to access my local resource without a struggle.

Should I use IPv6 at home when my ISP doesn't have one?

I honestly struggle to find good information on a protocol that's decades old. It's either too deep for me to care about for my needs or too shallow to understand why and how I should use it. Scaremongering is what I find on the internet. And no real benefits for me to update my hardware or find an ISP that has IPv6.


I can kind of relate to the feeling of IPv6 being "new and scary", back in 1995 when I barely grasped IPv4 routing... everything becomes clear eventually with experience and exposure... hopefully eventually I'll understand more IPv6 concepts with time. I "want to believe". :)

But I do fully get that a firewall without NAT is perfectly fine (great) in an IPv6 world - but NAT may be necessary in simpler multi-ISP routing scenarios...


The difference is that traversal protocols like UDP hole punching work deterministically almost 100% of the time in an IPv6 environment but are flaky in an IPv4 NAT environment.

It also means that you never experience port exhaustion on large networks, which is a problem for large IPv4 NAT deployments.


I haven't seen a single IPv6 network configured to behave like that by default. Just because it has a globally unique address doesn't mean it's reachable.


New home routers (the kind that ISPs give out to clients) with IPv6 support include a default-deny firewall on externally-initiated connections, precisely for that reason.

If you think NAT gave you any privacy benefits... at best it made for easy "household mapping" of people.



