[ipv6-wg@localhost] Security over IPv6 networks

["BEGIN, Thomas" <]

Hello,
Security... that's a core problem for a lot of engineers !

With IPv4, a lot of enterprises networks were set up with private addresses (eg 10.x.x.x ). That implies that computers inside the network are unreachable from outside (eg Internet). 

Since IPv6 offers a large scale of addresses, I've heard that companies could address their machines with global unicast addresses (public addresses) and also benefit fully from IPsec and peer to peer applications.
That's nice and it is said that it should improve security (IPsec totally used from sender to receiver).
But in the other hand, isn't it dangerous to address machines with global unicast address and thus make them reachable directly from anywhere and by anybody... Besides NAT is often acknowledged as a good shield to secure networks.

Then is it really possible to protect IPv6 networks (with global unicast addresses) as safe as Ipv4 networks using NAT ?

I realize this is a big topic and may be there is no easy response but getting a high performance security is a fundamental factor for the deployement of IPv6.

But if you have any idea (know enterprises that use public addresses for their network) please let me know ...

-Thomas

PS: using site local addresses inside IPv6 networks doesn't solve the problem ... ;-))