It makes device-specific protocol attacks possible.
Sniffing traffic on the outside of a NAT hides which internal device(s) the traffic is coming from, doesn't it? So if you wanted to attack Alice's traffic then you can't easily tell which it is.
If you can sniff traffic from Alice's IPv6 address, then you have a much smaller amount of traffic to brute force, and you can try a MITM attack without risk of anyone else behind the NAT being affected accidentally.
Nah, unfortunately NAT doesn't really do a good job of hiding what the source machine is. People have used this to analyse how many machines are behind a NAT with very clear patterns emerging based on TCP/IP timestamps as well as the sequence numbers (which are sequential in most OSes).
The bigger concern is the fact that you apparently have access to the data being sent to/from an IP address and can thus sniff the data in the first place. Whether that be a NAT'ed or IPv6 IP address.
Obfuscation isn't security. If exposing the existence of a device is compromising to you, then this doesn't solve the problem, it makes it less likely.
To which you might say "it makes us less likely to be compromised", which is probably your goal. So obfuscating network access probably makes sense to you. But I think it's dishonest to market this as "security". The door is still exactly as open as it would be if they were exposed. Security is fixing the problems that would be exploited.
It is marginally more difficult than IP addresses.
So, unless you are truly using a multiuser machine from which the users use the Internet, it's just a convenient feeling of security. Which in itself does have some value, though, even if merely to save from some stress.
I need a reference that exposing more information about systems that are nearly guaranteed to have security flaws is bad? I'll give you a simple scenario and then go look for something to make you happy.
I have a computer running services A and B and several computers running service B. Service A exposes information about the computer's configuration that helps attack service B, but only if the attacker can figure out which one.
Edit: I haven't really been able to find a comparison between firewalling and firewalling+NAT, just comparisons between nothing and NAT.
By the way, I wasn't completely explicit. I supposed that in both cases all incoming ports are closed, except for the ones you explicitly open. That way, the only difference between the NAT and the firewall is the address translation.
My scenario is narrow, but I expect it to be a common one: IPv6 internet boxes will likely include such a firewall by default.
I have to agree with Dylan on this one. By default, the security of a system with ANY public addressability (vs. one that can't be seen except on outbound requests) is dramatically less secure than not exposing it at all.
If we can believe the old adage that "The only secure server is one encased in concrete", then the average non-NATTED device is more akin to one that is concreted than one with public addressability.
No there isn't. Not a single one. Just replace your old NAT by a clean firewall, and you're set.
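The "firewall with all incoming ports closed except the ones you explicitly open" that the two comments above describe, written out as an nftables ruleset for an IPv6 edge router. This is an added example, not configuration from anyone in the thread; the interface names `wan0`/`lan0`, the documentation-prefix address and the single opened SSH port are assumptions standing in for a real site.

```nft
#!/usr/sbin/nft -f
# Stateful IPv6 firewall that gives the same inbound posture a home NAT box
# gives implicitly: unsolicited inbound traffic is dropped, replies to
# connections opened from inside are allowed, and only explicitly listed
# ports are reachable from the outside. No address translation involved.
# Interface names, the 2001:db8:: address and the opened port are assumptions.

flush ruleset

table inet edge {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 that IPv6 cannot operate without (NDP, path MTU discovery).
        # A NAT box has to pass these as well; on a plain firewall they are explicit.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
        # DHCPv6 client replies arriving on the WAN side
        iifname "wan0" udp dport 546 accept
        # LAN hosts may talk to the router itself (DNS, DHCPv6, RA)
        iifname "lan0" accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        # Anything originating on the inside may leave; the conntrack entry
        # it creates is what lets the reply back in (the "established" rule above).
        iifname "lan0" oifname "wan0" accept
        # The one explicitly opened port, the counterpart of a NAT port-forward:
        # new inbound SSH to a single internal host, nothing else.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:0:1::22 tcp dport 22 ct state new accept
    }
}
```

Load with `nft -f <file>` and confirm with `nft list ruleset` that both chains report `policy drop`; an inbound connection attempt to any internal address other than the listed port should then time out exactly as it would against a NAT.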