
Especially with the development of IPv6, internal routing becomes transparent and the appearance of protection offered by NAT is gone. Possibly these printers have all been assigned publicly reachable IPv6 addresses.


It isn't an "appearance" of protection. NAT is the best thing to happen to security for home networks since their inception. The push to remove it with IPv6 and to force home users who don't care about these things to put their entire home network directly on the Internet is going to wreak havoc.


The security comes from the stateful firewall, not from the NAT. In all likelihood, IPv6-supporting home routers will ship with a stateful firewall enabled by default.


The stateful firewall is there because it is necessary for NAT. If it weren't necessary for NAT, consumers would not bother with it. Customers buy the router with the firewall to hook up multiple computers; they don't care about the security. You could argue that they should hire a security consultant to educate them on the need for a stateful firewall when setting up their home network, but you would be smoking crack.




> In all likelihood, IPv6-supporting home routers will ship with a stateful firewall enabled by default.

My thinking is router manufacturers will probably not do this. Because if you don't have a firewall and expose all your computers to the Internet via IPv6, Everything Just Works (assuming the rest of the world uses IPv6, which will be a close approximation to the truth in the future world we're talking about). Which means those insecure routers will have a better user experience for the vast majority of people in the market, who don't have a clue about networking and would rather gouge their eyes out than learn about it.

Routers currently don't do this for IPv4 for a good and simple reason: When you're assigned a single public IP by your ISP, there's no way to automagically tell which host is supposed to receive an inbound connection.

The "good" news (from a security standpoint) is that the most clueless will probably be using IPv4 for a long time to come, helped along in their foot-dragging by the eventual release of IPv4 space by early adopters of IPv6-only.


I don't think so - putting "WITH FIREWALL" and "SHIELDS YOU FROM EVIL" will cost manufacturers maybe a few cents and is almost guaranteed to boost sales.

And for services running behind that router there'll probably be some kind of PNP port opening (so there can be "PLAY WITH FRIENDS EASILY" next to those other stickers).


You can't be seriously claiming that someone is port scanning my /48 that I've had since the early 00s? Over a typical slow internet connection that would take rather a long time to find my printer. Let's say you slammed my couple-megabit cable modem with a million address probes per second (yes, I'm well aware that's impossibly high). It would only take you 38 billion years of continuous scanning to find my printer. I'll even give you credit that most people are using just a couple of (obvious) /64s inside their /48. Assuming my math is correct it would take a mere half a million years per /64, so figure a couple million years and you'll own my home LAN...


As soon as some random website's PHP script publishes your IPv6 address, there goes your security.

Assuming your IP address will remain secret seems naive.

Also, this assumes your IP address within your /48 is randomly chosen. Common user choices (or router implementations) might not default to random choices, or the randomness might not actually be very random.


... for example if the IPv6 address is autoconfed from the MAC address, then you can exploit the structure of the MAC address to target a much smaller range of address suffixes, specific to the manufacturer of your target device(s).
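As an added example (not from any commenter), a Python audit helper that checks whether an IPv6 address's interface identifier is a modified EUI-64 built from a MAC, the structure the comment above refers to, and recovers the embedded MAC and OUI so such hosts can be switched to privacy or stable opaque addresses. The prefix, MAC and sample addresses are constructed.

```python
# Added example, not from any commenter: audit IPv6 addresses whose interface
# identifier is a modified EUI-64 built from a MAC (RFC 4291, Appendix A).
# Such hosts expose their NIC vendor (OUI) and should use privacy extensions
# (RFC 4941) or stable opaque identifiers (RFC 7217). All values are constructed.
import ipaddress
from typing import Dict, List, Optional, Tuple

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address


def eui64_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC embedded in a modified EUI-64 interface ID, else None.

    Modified EUI-64 splits the 48-bit MAC in half, inserts 0xfffe between
    the halves and flips the universal/local bit (0x02) of the first octet.
    """
    iid = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the U/L bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def mac_to_eui64(prefix: str, mac: str) -> str:
    """SLAAC address a host with this MAC takes in `prefix` (for testing)."""
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    net = int(ipaddress.IPv6Network(prefix).network_address)
    return str(ipaddress.IPv6Address(net | int.from_bytes(iid, "big")))


def audit(addrs: List[str]) -> Dict[str, Tuple[str, str]]:
    """Map each MAC-leaking address to (mac, oui).

    With the OUI known, only the 24-bit serial part of the MAC is unknown:
    2**24 candidate hosts per /64 rather than 2**64.
    """
    findings = {}
    for a in addrs:
        mac = eui64_to_mac(a)
        if mac is not None:
            findings[a] = (mac, mac[:8])
    return findings


# Constructed sample: one MAC-derived address, one random privacy address.
SAMPLE = [mac_to_eui64("2001:db8:1:2::/64", "00:11:22:33:44:55"),
          "2001:db8:1:2:3f2a:91c4:7bd0:1e88"]
```

Running `audit(SAMPLE)` flags only the first address; a host that shows up there should have privacy extensions or RFC 7217 identifiers enabled.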



