Well, yes, it is possible to operate a rogue IPv6 router and fool the local machines into using you as their default gateway, but it's just as possible to operate a rogue DHCP server on an IPv4 network. It's an issue but it isn't a new issue, nor is it a show-stopping one.
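Defenders usually treat the rogue-RA risk the same way as rogue DHCP: know which router should be advertising on the segment and alert on anything else. The following is an added example, not code from this thread, that parses ICMPv6 Router Advertisements out of raw Ethernet frames and flags any RA whose source MAC is not on an allowlist; the sample frame, MAC addresses and 2001:db8 prefixes are constructed, and it assumes no IPv6 extension headers precede the ICMPv6 header.

```python
import ipaddress
import struct

ICMPV6, ROUTER_ADVERTISEMENT, PREFIX_INFORMATION = 58, 134, 3

def parse_router_advertisement(frame: bytes):
    """Return (source MAC, source IPv6, advertised prefixes) for an Ethernet frame
    carrying an ICMPv6 Router Advertisement, or None for any other frame.
    Assumption: no IPv6 extension headers between the IPv6 header and ICMPv6."""
    if len(frame) < 70 or frame[12:14] != b"\x86\xdd":      # 14 + 40 + 16 bytes minimum
        return None
    src_mac, ip = frame[6:12].hex(":"), frame[14:54]
    if ip[0] >> 4 != 6 or ip[6] != ICMPV6:
        return None
    payload_len = struct.unpack("!H", ip[4:6])[0]
    icmp = frame[54:54 + payload_len]                         # ignore Ethernet padding
    if len(icmp) < 16 or icmp[0] != ROUTER_ADVERTISEMENT:
        return None
    prefixes, pos = [], 16                                    # fixed RA header, then TLV options
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8      # option length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp):
            break                                             # malformed option: stop, keep what we have
        if opt_type == PREFIX_INFORMATION and opt_len == 32:
            prefix = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            prefixes.append(f"{prefix}/{icmp[pos + 2]}")
        pos += opt_len
    return src_mac, str(ipaddress.IPv6Address(ip[8:24])), prefixes

def unexpected_ra(frame: bytes, trusted_router_macs: set) -> bool:
    """True when the frame is an RA whose source MAC is not on the allowlist."""
    parsed = parse_router_advertisement(frame)
    return parsed is not None and parsed[0] not in trusted_router_macs

def build_sample_ra(src_mac: bytes, prefix: bytes) -> bytes:
    """Constructed test frame (not a capture): Ethernet + IPv6 + RA with one
    Prefix Information option. The ICMPv6 checksum is left zero; the parser ignores it."""
    ra = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    ra += struct.pack("!BBBBIII", PREFIX_INFORMATION, 4, 64, 0xC0, 2592000, 604800, 0) + prefix
    iid = bytes([src_mac[0] ^ 0x02]) + src_mac[1:3] + b"\xff\xfe" + src_mac[3:]   # modified EUI-64
    ip = struct.pack("!IHBB", 0x60000000, len(ra), ICMPV6, 255)
    ip += bytes.fromhex("fe80000000000000") + iid + bytes.fromhex("ff02" + "00" * 13 + "01")
    return bytes.fromhex("333300000001") + src_mac + b"\x86\xdd" + ip + ra

if __name__ == "__main__":
    trusted = {"00:11:22:33:44:55"}                                               # the legitimate router
    frame = build_sample_ra(bytes.fromhex("deadbeef0001"), bytes.fromhex("20010db8dead" + "00" * 10))
    print(parse_router_advertisement(frame), "unexpected:", unexpected_ra(frame, trusted))
```

In practice the frames come from a passive capture on the segment; a hit here is the IPv6 counterpart of a DHCP server you did not deploy.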
FWIW the guy whose website I'm linking to, Sam Bowne, gave this talk at Defcon which I found on youtube and found very informative regarding IPv6, having known little to nothing about it before: http://www.youtube.com/watch?v=zIUgH2wVt_0
So much to learn though.
Allowing hosts to perform router discovery and generate their own IPv6 addresses reminds me of the old days of Netware IPX/SPX. Hopefully it will become common for hosts to automatically register themselves with nameservers, and we will have come full circle.
I use static IPv6 addresses for routers, and for DNS servers. Everything else uses the address automatically assigned using router discovery plus the MAC address. At the moment, my workflow is to log in using IPv4 and then copy-and-paste the IPv6 address into the DNS server. This seems suboptimal and I would like to see the process automated.
I think the biggest change is getting out of the NAT mindset. IPv6 restores the original end-to-end nature of the Internet.
How much you want to bet that residential access providers will continue to charge extra $ for more than one IPv6 address, continue to assign dynamic addresses, etc -- just to create an artificially tiered service?
Seems more likely that your home network might just get bridged onto the provider's cable plant, so their whole network in your neighborhood looks like one big Ethernet segment.
Scoping a /64 across an entire "node" (~500 subscribers for cable, 32 subscribers for PON, and for DSL it would probably be whatever the line capacity of a single DSLAM is) seems to make sense from a capacity planning point of view, *if* they could find a way to keep neighbors from stepping on each other too much. At first it seems feasible to simply restrict intra-node traffic at layer 2, until you consider that it's perfectly reasonable that neighbors might want to Skype or play online games with each other, etc.
Perhaps it would be sufficient to restrict *broadcast* traffic at the demarc (in the cable/DSL modem or ONT, or even in a consumer grade IPv6-ready firewall) so that traffic flows freely but neighbors don't end up in one big "network neighborhood" when they bring their computers online. Or if we're going to return to the good old days of firewalls that just do filtering and not NAT, then a properly configured consumer-grade firewall would simply drop all inbound packets that are not known to be part of an existing flow -- but it would have to do it without routing.
On the other hand, one would think that The Man would very much like to have static IPv6 down to the device level for tracking purposes. MPAA/RIAA types would enjoy it. "Law" enforcement types would have an easier time nailing people for non-crimes. And the folks who sell your information would be able to tell the difference between traffic originating from different computers in the same household.
Right now, I'm sitting on a /23, so I don't see how the situation is fundamentally different than what's already happening: that /23 must be bridged to other local customers.
And it seems that unlike Acecape, Verizon is letting me connect to various open ports on those hosts.
Interestingly, all of them have the same MAC address. Also, I'm not able to DHCP for more than one IPv4 address at a time. Clearly the equipment on the FiOS network is doing more than just bridging Ethernet between the port on my ONT and an upstream router somewhere. Probably both the ONT and OLT are configured to pass IPv4 through in a specific way.
Doing this effectively with IPv6 would require passing the router advertisements downstream, and then admitting the subscriber's various IPv6 addresses upstream in an orderly fashion while both suppressing inter-subscriber broadcasts and handling the conflicts that are created when two or more morons start hardcoding IPv6 addresses starting at the bottom of the subnet instead of allowing their computers and other devices to derive their IPv6 addresses from the MAC address of each device.
It's all doable -- just a question of how they go about it. It should be interesting. It would be a shame if ISPs took the easy way out. There are a lot of advantages to bringing back the end-to-end nature of the Internet, even from the ISP's point of view. For example, I'm sure that the ones who provide both Internet and Television would love to be able to talk to the various DVRs and other set top boxes without having to resort to stupid router tricks.
And there's really no reason not to let the subscribers have as many IPv6 addresses as they want. It's not as if we're back in 1999 and ISPs are still arguing that NAT violates their ToS because you're connecting multiple endpoints and only paying for one. These days, most of them even *give* you the router.
Some allow edge-premise routing-switching while others require one arm routing back at the internet handoff.
I personally think having the ability to communicate with peers unrestricted will be a good thing and bring people closer to one another in the same communities.