>Even though they now have a public IPv6 address, the router's firewall should block incoming connections to it by default. That's the case for my router, but to be sure you should check it yourself for yours

This is why I won't enable IPv6 unless ISPs dramatically change how their hardware works. My ISP-issued modem+router doesn't even have a way to disable routing or automatic updates. I can test the firewall today, but what guarantee is there it'll just keep working?



The comment you're replying to is referring to Homeland. If all you have is an ISP-issued device, then you don't need to worry about it, just use the defaults.

Also, I doubt ISPs will ever change their home routers to default to IPv6 because of the complexity it'll add to customer support with no extra benefits.


Routers don't "default" to one protocol or the other. They do both v4 and v6, and end devices pick which to use for each connection.


It's not the router that decides which IP version to use but the operating system, and AFAIK all default to IPv6 if they have an address. And yes, many ISPs have activated IPv6 by default; that's the reason we see 80% IPv6 usage here. It's not because 80% of the users have actively activated it. Most of them have no idea what an IP even is.


What is Homeland? I explicitly disable IPv6 because I don't trust the firewall, especially on an auto-updating device.


Is there a specific reason you trust your router for IPv4 but not for IPv6 traffic? IPv6 privacy extensions should be enabled by default on most devices. So even in the unlikely case of a device being exposed, someone has to know the temporary IPv6 address and then try to access it while it is still in use. This device would also have to run a vulnerable service on some port that the attacker has to know. All in all, I think that this is a pretty unlikely scenario.
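The distinction drawn above between a temporary (privacy-extension) address and the stable address an attacker could keep probing is easy to check on a Linux host. The following is an added example, not code from anyone in this thread: it parses the output of `ip -6 addr show`, tags each address as link-local, ULA, temporary, MAC-derived (EUI-64) or otherwise stable, and returns the long-lived global ones. The sample output is constructed (documentation prefix 2001:db8::/32), and `report_this_host()` simply runs `ip` on the machine it is executed on.

```python
"""Classify a host's IPv6 addresses from `ip -6 addr show` output (added example)."""
import ipaddress
import re
import subprocess

# Constructed sample of `ip -6 addr show` output; not captured from a real host.
SAMPLE_IP6_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5678:1a2b:3cff:fe4d:5e6f/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86332sec preferred_lft 14332sec
    inet6 2001:db8:1234:5678:9c1e:7a03:2b44:d1e9/64 scope global temporary dynamic
       valid_lft 86332sec preferred_lft 14332sec
    inet6 fd12:3456:789a:1::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1a2b:3cff:fe4d:5e6f/64 scope link
       valid_lft forever preferred_lft forever
"""

ULA = ipaddress.ip_network("fc00::/7")          # unique local addresses, not routed on the internet
INET6_LINE = re.compile(r"^\s*inet6\s+(\S+)/(\d+)\s+scope\s+(\S+)\s*(.*)$")


def is_eui64(addr: str) -> bool:
    """True if the interface identifier carries 0xfffe at bits 24..39,
    the signature of a modified EUI-64 (MAC-derived) address."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11] == 0xFF and packed[12] == 0xFE


def classify(addr: str, scope: str, flags: list[str]) -> str:
    ip = ipaddress.IPv6Address(addr)
    if scope == "link" or ip.is_link_local:
        return "link-local"
    if ip in ULA:
        return "ula"
    if "temporary" in flags:
        return "global-temporary"   # RFC 4941 privacy address: rotates, short preferred lifetime
    if is_eui64(addr):
        return "global-eui64"       # derived from the MAC, stable for the device's lifetime
    return "global-stable"          # e.g. RFC 7217 stable-privacy or a static address


def exposure_report(ip_output: str) -> list[dict]:
    """One dict per inet6 line: normalised address, prefix length, kind and raw flags."""
    report = []
    for line in ip_output.splitlines():
        m = INET6_LINE.match(line)
        if not m:
            continue
        addr, prefixlen, scope, rest = m.groups()
        flags = rest.split()
        report.append({
            "address": str(ipaddress.IPv6Address(addr)),
            "prefixlen": int(prefixlen),
            "kind": classify(addr, scope, flags),
            "flags": flags,
        })
    return report


def long_lived_global(ip_output: str) -> list[str]:
    """Globally routable addresses that do not rotate: the ones an attacker who
    learned them once could keep probing if the router does not filter inbound."""
    return [e["address"] for e in exposure_report(ip_output)
            if e["kind"] in ("global-eui64", "global-stable")]


def report_this_host() -> list[dict]:
    """Inspect the addresses of the Linux host this runs on."""
    out = subprocess.run(["ip", "-6", "addr", "show"],
                         capture_output=True, text=True, check=True).stdout
    return exposure_report(out)


if __name__ == "__main__":
    for entry in exposure_report(SAMPLE_IP6_OUTPUT):
        print(f"{entry['kind']:17} {entry['address']}/{entry['prefixlen']}")
    print("long-lived global:", long_lived_global(SAMPLE_IP6_OUTPUT))
```

In the sample the temporary address is the one outgoing connections use, but the EUI-64 address stays on the interface alongside it, so privacy extensions shrink the window for an attacker who only saw the temporary address; they do not make a device with a stable global address unreachable.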


"Most devices", "should be", "unlikely case", "pretty unlikely". That's my impression too, and none of those are good enough. I have many internet connected devices (appliances) and really don't want to worry about someone remotely accessing them. Behind the NAT it just isn't possible.


> Behind the NAT it just isn't possible.

It could be with UPnP, which as a security conscious person you likely have disabled. Do you trust it staying disabled or none of your many devices trying to use it to poke holes in the NAT?

Even if you have to use your ISP's modem/router device, it might have a bridge mode where it just becomes a modem, enabling you to use your own router. It might be worth checking this option if you didn't already.
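Whether any device has already used UPnP to poke a hole in the NAT can be checked directly on the router, because UPnP IGD exposes the mapping table through the same interface the devices use. The following is an added example, not code from anyone in this thread: it builds the SOAP request for the WANIPConnection:1 action GetGenericPortMappingEntry, walks the table index by index until the router answers with UPnP error 713 (SpecifiedArrayIndexInvalid, i.e. end of list), and returns every mapping. The two reply documents are constructed for the example, and the control URL (normally found via SSDP and the device description XML) is assumed to be known already.

```python
"""Enumerate NAT port mappings on a UPnP IGD router (added example)."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Optional

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
ERR_END_OF_LIST = "713"   # SpecifiedArrayIndexInvalid: no mapping at that index

# Constructed replies a router might send; not captured from a real device.
MAPPING_REPLY = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8443</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>443</NewInternalPort><NewInternalClient>192.168.1.42</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>SmartTV remote access</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

END_OF_LIST_REPLY = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>
<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">
<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription>
</UPnPError></detail></s:Fault></s:Body></s:Envelope>"""


def build_request(index: int) -> tuple[dict, bytes]:
    """HTTP headers and SOAP body asking for mapping number `index`."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{ACTION} xmlns:u="{SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        f'</u:{ACTION}></s:Body></s:Envelope>'
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{SERVICE}#{ACTION}"'}
    return headers, body.encode()


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]       # strip the XML namespace from a tag


def parse_mapping_response(xml_text: str) -> Optional[dict]:
    """One mapping as a dict, None on the 713 end-of-list fault, error otherwise."""
    root = ET.fromstring(xml_text)
    fields = {_local(el.tag): (el.text or "").strip() for el in root.iter()}
    if "errorCode" in fields:
        if fields["errorCode"] == ERR_END_OF_LIST:
            return None
        raise RuntimeError(f"UPnP error {fields['errorCode']}: {fields.get('errorDescription')}")
    return {
        "external_port": int(fields["NewExternalPort"]),
        "protocol": fields["NewProtocol"],
        "internal_client": fields["NewInternalClient"],
        "internal_port": int(fields["NewInternalPort"]),
        "remote_host": fields["NewRemoteHost"] or "any",   # empty means any source
        "enabled": fields["NewEnabled"] == "1",
        "description": fields["NewPortMappingDescription"],
        "lease_seconds": int(fields["NewLeaseDuration"]),  # 0 means permanent
    }


def list_mappings(fetch: Callable[[int], str], limit: int = 1000) -> list[dict]:
    """Walk the table; `fetch(i)` returns the raw SOAP reply for index i."""
    mappings = []
    for i in range(limit):
        entry = parse_mapping_response(fetch(i))
        if entry is None:
            break
        mappings.append(entry)
    return mappings


def router_fetcher(control_url: str, timeout: float = 5.0) -> Callable[[int], str]:
    """Real fetcher for a router's IGD control URL (assumed discovered beforehand)."""
    def fetch(index: int) -> str:
        headers, body = build_request(index)
        req = urllib.request.Request(control_url, data=body, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.read().decode()
        except urllib.error.HTTPError as e:     # SOAP faults arrive as HTTP 500
            return e.read().decode()
    return fetch


if __name__ == "__main__":
    replies = {0: MAPPING_REPLY, 1: END_OF_LIST_REPLY}   # stands in for a router
    for m in list_mappings(lambda i: replies[i]):
        print(f"{m['protocol']} {m['remote_host']}:{m['external_port']} -> "
              f"{m['internal_client']}:{m['internal_port']} ({m['description']})")
```

Against a real router, replace the `replies` dict with `router_fetcher("http://<router>/<control-path>")`; an empty result means no device has opened a mapping, which is the check the comment above is asking about.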


It is possible -- NAT won't protect you from inbound connections. Even using RFC1918 addresses on your LAN won't protect you from all inbound connections. You need a firewall for that.

If you don't trust the ISP device to firewall, then you can't trust it even for v4. You need to run your own router.



