Four things change when going to IPv6, and together they make IPv6 a paradigm shift.
From one public IP to 'All public IP'
Most IPv4 users had only one public IP, and covered their needs with NAT and port forwarding. The first great shift when going to IPv6 is realizing that each of us is given at least about 18 billion billion public addresses (2^64). That is the size of a single /64 subnet, the minimum for one LAN, since SLAAC needs a 64-bit interface identifier; a site typically receives a /56 or a /48, i.e. 256 or 65,536 such /64s.
This means that every node (network equipment, computers, appliances, ...) gets a unique, globally routable, public IP. Whether it is actually reachable is decided by the firewall, not by the addressing. That is the first great shift: all public IPs (public IPs everywhere).
From NAT 'pseudo-firewall' to IPv6 pure firewalling
NAT provided a default-closed inbound pseudo-firewall. Since nothing gets in without a port-forwarding rule, a fresh, untouched NAT box was safe against unsolicited inbound connections.
IPv6 is 'all public IPs': no NAT is used or needed. A misconfigured (or absent) firewall therefore leaves every computer on the network reachable from the Internet, and the firewall becomes the single control that matters. In return we get back to pure firewall functioning: a stateful filter that drops unsolicited inbound traffic by default and lets through only replies to connections opened from the inside and the services deliberately published. That is the second great shift: pure firewalling.
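As an added example (not code from the original page), here is a minimal model of that default-deny IPv6 edge firewall: connection tracking replaces NAT's accidental protection, a published service replaces the port forward, and the `default` parameter shows what the misconfiguration the text warns about does. The prefix comes from the 2001:db8::/32 documentation range; the hosts, ports and packets are constructed for the demo and the `Firewall`, `Packet` and `demo` names are assumptions, not an existing API.

```python
"""Added example, not from the original page: a minimal model of a default-deny
IPv6 edge firewall.  Prefixes come from the 2001:db8::/32 documentation range,
and the hosts, ports and packets are constructed for the demo."""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("2001:db8:1::/64")   # hypothetical site /64 behind the firewall

# ICMPv6 the edge must not drop (the RFC 4890 "must not be filtered" set):
# destination unreachable, packet too big, time exceeded, parameter problem, echo request/reply.
ESSENTIAL_ICMPV6 = {1, 2, 3, 4, 128, 129}
# Neighbor Discovery (RS, RA, NS, NA) is link-local: legitimate only with hop limit 255.
NDP_TYPES = {133, 134, 135, 136}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmpv6"
    dport: int = 0       # TCP/UDP destination port
    icmp_type: int = 0   # ICMPv6 type when proto == "icmpv6"
    hop_limit: int = 64


class Firewall:
    def __init__(self, lan, published=(), default="drop"):
        self.lan = lan
        self.published = set(published)  # (address, proto, port) exposed on purpose, the successor of a port forward
        self.default = default           # "drop" is the correct policy; "accept" is the misconfiguration the text warns about
        self.flows = set()               # (inside, outside, proto) opened from the LAN, i.e. connection tracking

    def outbound(self, pkt):
        """LAN -> Internet: allowed, and remembered so the reply can come back in."""
        self.flows.add((pkt.src, pkt.dst, pkt.proto))
        return "accept"

    def inbound(self, pkt):
        """Internet -> LAN: with no NAT every host is addressable, so only this policy keeps them closed."""
        if ipaddress.ip_address(pkt.dst) not in self.lan:
            return "drop"                                  # not our prefix at all
        if pkt.proto == "icmpv6":
            if pkt.icmp_type in NDP_TYPES:                 # NDP never crosses a router
                return "accept" if pkt.hop_limit == 255 else "drop"
            return "accept" if pkt.icmp_type in ESSENTIAL_ICMPV6 else "drop"
        if (pkt.dst, pkt.src, pkt.proto) in self.flows:
            return "accept"                                # reply to a flow a LAN host opened
        if (pkt.dst, pkt.proto, pkt.dport) in self.published:
            return "accept"                                # a service we chose to publish
        return self.default


def demo(default="drop"):
    """Run constructed packets through the policy and return the verdicts by name."""
    fw = Firewall(LAN, published={("2001:db8:1::80", "tcp", 443)}, default=default)
    # a workstation opens an HTTPS session to the outside first
    fw.outbound(Packet("2001:db8:1::10", "2001:db8:ffff::1", "tcp", dport=443))
    cases = {
        "ssh_to_workstation": Packet("2001:db8:bad::1", "2001:db8:1::10", "tcp", dport=22),
        "https_to_published_server": Packet("2001:db8:bad::1", "2001:db8:1::80", "tcp", dport=443),
        "reply_to_outbound_flow": Packet("2001:db8:ffff::1", "2001:db8:1::10", "tcp", dport=54321),
        "echo_request": Packet("2001:db8:bad::1", "2001:db8:1::10", "icmpv6", icmp_type=128),
        "packet_too_big": Packet("2001:db8:ffff::1", "2001:db8:1::10", "icmpv6", icmp_type=2),
        "routed_neighbor_advertisement": Packet("2001:db8:bad::1", "2001:db8:1::10", "icmpv6",
                                                icmp_type=136, hop_limit=64),
    }
    return {name: fw.inbound(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for policy in ("drop", "accept"):
        print(f"default policy: {policy}")
        for name, verdict in demo(policy).items():
            print(f"  {name:32} {verdict}")
```

With the default policy set to "drop", SSH to the workstation is dropped while the published HTTPS service, the reply to the session the workstation opened, and the essential ICMPv6 messages pass; flip the default to "accept" and the same SSH probe reaches the workstation, which is exactly the exposure a NAT box never had to worry about.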
From NAT zero-routing to IPv6 mandatory routing
NAT meant that chaining routers did not need any route management; we only had to take care to use appropriate subnet numbering.
Let's look at this network :
Using IPv4, Router1 does not need a route to subnet 2 because of NAT: Router2 translates everything coming from subnet 2 to its own subnet-1 address, so Router1 only ever sees an on-link neighbour.
Neither does Server1 need a route to subnet 2, for the same reason: its replies go to Router2's subnet-1 address, which is directly connected.
Using IPv6, Router1 does need a route to subnet 2, and so does Server1 (or at least the gateway it sends to must have one). The more complex the network gets, the more routes have to be added to each network node.
This is the change when going to IPv6: defining routes is mandatory as soon as there is more than one router/modem-router/CPE. Static routes are fine for a handful of subnets; beyond that a routing protocol is the natural answer, which could promise RIPng a bright future. This is the third great shift: pure network routing.
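The following added example (not from the original page) models the Router1 / Server1 / subnet 2 network with a small longest-prefix-match forwarding table and traces where a reply to a subnet-2 client ends up with and without the extra route. The prefixes, router addresses and node names are assumptions taken from the 2001:db8::/32 documentation range; the NAT analogue simply replies to Router2's subnet-1 address, which is what Server1 would have seen as the source under IPv4.

```python
"""Added example, not from the original page: a tiny longest-prefix-match forwarding
model for the Router1 / Server1 / subnet 2 network described above.  The prefixes,
router addresses and node names are assumptions, using the 2001:db8::/32
documentation range."""
import ipaddress

SUBNET1 = "2001:db8:1::/64"     # Server1 and Router1's LAN side live here
SUBNET2 = "2001:db8:2::/64"     # behind Router2, whose uplink is on subnet 1
ROUTER1_LAN = "2001:db8:1::1"   # default gateway of subnet 1
ROUTER2_LAN1 = "2001:db8:1::2"  # Router2's address on subnet 1
UPSTREAM = "2001:db8::1"        # the ISP side of Router1
NODE_BY_ADDR = {ROUTER1_LAN: "router1", ROUTER2_LAN1: "router2", UPSTREAM: "upstream"}


class RouteTable:
    def __init__(self):
        self.routes = []   # (network, next_hop); next_hop None means directly connected

    def add(self, prefix, next_hop=None):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        """Longest-prefix match, the way a real forwarding table chooses a route."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)


def build_tables(route_to_subnet2):
    """Tables of the three site nodes, with or without an explicit route to subnet 2."""
    t = {name: RouteTable() for name in ("server1", "router1", "router2")}
    t["server1"].add(SUBNET1); t["server1"].add("::/0", ROUTER1_LAN)
    t["router1"].add(SUBNET1); t["router1"].add("::/0", UPSTREAM)
    t["router2"].add(SUBNET1); t["router2"].add(SUBNET2); t["router2"].add("::/0", ROUTER1_LAN)
    if route_to_subnet2:
        t["server1"].add(SUBNET2, ROUTER2_LAN1)
        t["router1"].add(SUBNET2, ROUTER2_LAN1)
    return t


def trace(start, dst, route_to_subnet2):
    """Follow a packet from `start` hop by hop; return the nodes visited plus the outcome."""
    tables = build_tables(route_to_subnet2)
    path, node = [start], start
    for _ in range(8):                       # hop budget, in case of a routing loop
        hit = tables[node].lookup(dst)
        if hit is None:
            return path + ["no route"]
        _, next_hop = hit
        if next_hop is None:
            return path + ["delivered"]      # destination is on a directly connected link
        node = NODE_BY_ADDR[next_hop]
        path.append(node)
        if node == "upstream":
            return path + ["left the site"]  # internal traffic handed to the ISP, i.e. lost
    return path + ["loop"]


CLIENT_ON_SUBNET2 = "2001:db8:2::10"   # constructed client address behind Router2

if __name__ == "__main__":
    print("IPv4+NAT analogue, reply to Router2's subnet-1 address:",
          trace("server1", ROUTER2_LAN1, route_to_subnet2=False))
    print("IPv6, Server1 without a route:", trace("server1", CLIENT_ON_SUBNET2, False))
    print("IPv6, Server1 with a route:   ", trace("server1", CLIENT_ON_SUBNET2, True))
    print("IPv6, Router1 without a route:", trace("router1", CLIENT_ON_SUBNET2, False))
```

Without the route both Server1 and Router1 fall back to their default route, so the reply is handed to the ISP and never comes back; with it, the longest match wins and the packet goes straight to Router2. Under NAT the question never arose, because the only address Server1 ever saw was Router2's on-link one.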
From ICMP fencing to ICMPv6 freeway and obscurity
In IPv4, ICMP was a mere diagnostic tool, denied inbound by default at each Internet gateway (CPE, modem-router). Besides, NAT made scanning the internal network from outside impossible, as a forwarding rule would be needed for anything to get in.
In IPv6, ICMP is mandatory for the proper functioning of the network: Neighbor Discovery, Path MTU Discovery (Packet Too Big, since routers no longer fragment) and error reporting all run over ICMPv6, so some messages are allowed inbound by default (echo request among them, as RFC 4890 recommends). On the other side, the size of a /64 (about 18 billion billion hosts) plus the IPv6 privacy extensions (SLAAC temporary, randomized outbound addresses; a randomized rather than MAC-derived stable address for servers; DHCPv6 pools that do not hand out sequential addresses) make this easier ICMPv6 life less of a security concern, as hosts are 'hidden' inside this huge /64: sweeping it by brute force is impractical. That is 'security by obscurity', and it is worth only what the randomness is worth: a MAC-derived (EUI-64) address or one published in DNS is found immediately, and the firewall remains the real control. This is the fourth great shift: from ICMPv4 fencing to ICMPv6 freeway and obscurity.
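To put numbers on that obscurity, here is an added example (not from the original page) that builds a MAC-derived modified EUI-64 interface identifier and a random temporary-style one for the same /64, then sizes the search space an attacker has to probe in each case. The prefix, the sample MAC and the probe rate are assumptions made for the demo, and the function names are mine, not an existing API.

```python
"""Added example, not from the original page: how much 'obscurity' a /64 really gives.
It builds a MAC-derived (modified EUI-64) interface identifier and a random one for
the same prefix, then sizes the search space an attacker must probe in each case.
The prefix, MAC address and probe rate are assumptions made for the demo."""
import ipaddress
import secrets

PREFIX = ipaddress.ip_network("2001:db8:1::/64")   # hypothetical site /64
SAMPLE_MAC = "00:11:22:33:44:55"                    # constructed, not a real device


def eui64_iid(mac):
    """RFC 4291 Appendix A: 48-bit MAC -> modified EUI-64 identifier (ff:fe inserted, U/L bit flipped)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(bytes([eui[0] ^ 0x02]) + eui[1:], "big")


def random_iid():
    """A temporary-address style identifier (RFC 4941): 64 random bits unrelated to the hardware."""
    return secrets.randbits(64)


def address(prefix, iid):
    """Combine a /64 prefix with a 64-bit interface identifier."""
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def candidate_space(iid_kind, vendor_known=True):
    """Addresses an attacker has to try to find one host inside a /64."""
    if iid_kind == "eui64" and vendor_known:
        return 2 ** 24          # ff:fe is fixed and the 24-bit OUI is known: 24 bits are left to guess
    if iid_kind == "eui64":
        return 2 ** 48          # the whole MAC space, still far below 2**64
    return 2 ** 64              # random identifier: the full /64


def scan_years(candidates, probes_per_second=1_000_000):
    """Time to sweep `candidates` addresses at a given probe rate."""
    return candidates / probes_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("EUI-64 address :", address(PREFIX, eui64_iid(SAMPLE_MAC)))
    print("random address :", address(PREFIX, random_iid()))
    for kind in ("eui64", "random"):
        n = candidate_space(kind)
        print(f"{kind:6} search space 2**{n.bit_length() - 1}: {scan_years(n):.2e} years at 1M probes/s")
```

At a million probes per second a random identifier makes the /64 a sweep of several hundred thousand years, whereas an EUI-64 identifier with a known vendor prefix collapses to about sixteen seconds: the obscurity the text relies on exists only when the privacy extensions are actually on.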
Four great shifts that make a paradigm shift:
from one public IP to 'all public IPs'
from the NAT 'pseudo-firewall' to IPv6 pure firewalling
from NAT zero routing to IPv6 mandatory routing
from the ICMP fence to the ICMPv6 freeway and obscurity
We can take an IPv4 network representation:
As we're 'all public IPs', we could represent it this way in IPv6:
Let's add our IPv6 firewall:
We can represent the different layers of security (core network / edge network):
IPv6 brings the Internet back to its pristine original state: all public IPs, pure routing, pure firewalling, full-function ICMP.