On 07/28/2015 02:08 PM, Chris Murphy wrote:
> The whole idea of IPv6 is that, with proper authentication and
> encryption, we can access any device anywhere. So firewalling
> everything centrally would appear to break that.

I think you're assuming that IPv6 carries with it a policy, when it is merely the mechanism. In IPv6, everything should have a unique, routeable address. Whether you can reach an address will be subject to local policy in the future, just as it is now.

And just as you cannot currently reach a device in a Comcast/Xfinity residential network under IPv4, you can't under the default IPv6 rules either. I would call that the principle of least surprise.

You can open inbound IPv6 traffic for specific hosts on the routers I've seen.