
If your device is open by default, it's open on WiFi or to other VZW customers. In every case, the wrong answer is trusting the network to protect you.


The typical WiFi network is NAT'd with a default no-forward policy (or even more locked down), so even an insecure device is vulnerable only to other devices on the same network. That's much smaller than the universe of folks running portscans against globally routable addresses.

Presumably VZW's IPv6 configuration is similar, though I'd be interested to hear exactly what connections are allowed between devices at different locations within their own network. Wouldn't be surprised if they're completely forbidden.

Of course the network should not be trusted to protect you. But in the real world, everyday consumers are connecting insecure devices, and I'm curious how VZW is going about saving them from themselves.


> That's much smaller than the universe of folks running portscans against globally routable addresses.

You do realize just how many IPv6 addresses there are? The good old days of randomly scanning the interwebs in the hopes of finding an IP are gone, at least, for IPv6.

The minimum assignment from RIPE/ARIN etc. to an ISP is a /32. Meaning Verizon on its own has at least the same number of /64's as the entire IPv4 internet has IPs.

That's 4,294,967,296 /64's.

A single /64 is 4 billion times the entire IPv4 address space.
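The address-space arithmetic behind this comment, worked through as an added example (it is not code from the thread). It uses only Python's standard `ipaddress` module; the `2001:db8::/32` prefix is the RFC 3849 documentation range, standing in for the /32 an ISP would be assigned, and the 1 billion probes/second scan rate is an assumed figure chosen to show why brute-force scanning of even one /64 is impractical:

```python
import ipaddress

# Size of the entire IPv4 address space (2^32 addresses).
IPV4_SPACE = 2 ** 32
SECONDS_PER_YEAR = 365 * 24 * 3600


def count_subnets(prefix: str, new_prefixlen: int) -> int:
    """Number of /new_prefixlen subnets that fit inside an IPv6 prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 6:
        raise ValueError("expected an IPv6 prefix")
    if new_prefixlen < net.prefixlen or new_prefixlen > 128:
        raise ValueError("new prefix length must lie between the prefix length and 128")
    # Each extra prefix bit halves the block, so the count is a power of two.
    return 2 ** (new_prefixlen - net.prefixlen)


def addresses_in(prefixlen: int) -> int:
    """Number of individual IPv6 addresses in a block of the given prefix length."""
    return 2 ** (128 - prefixlen)


def ratio_to_ipv4(prefixlen: int) -> int:
    """How many whole IPv4 address spaces fit inside one IPv6 block of this size."""
    return addresses_in(prefixlen) // IPV4_SPACE


def years_to_scan(prefixlen: int, probes_per_second: int) -> float:
    """Wall-clock years needed to probe every address in the block once.

    Assumes a single scanner sending probes_per_second packets with no
    overhead; this is an upper bound on what exhaustive scanning achieves.
    """
    return addresses_in(prefixlen) / probes_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # 2001:db8::/32 is the documentation prefix, used here as a stand-in
    # for an ISP's minimum /32 allocation.
    isp_block = "2001:db8::/32"
    print(f"/64 subnets in {isp_block}: {count_subnets(isp_block, 64):,}")
    print(f"IPv4-spaces per /64:       {ratio_to_ipv4(64):,}")
    print(f"Years to scan one /64 at 1e9 probes/s: {years_to_scan(64, 10**9):,.0f}")
```

Both numbers in the comment fall out directly: a /32 holds 2^32 = 4,294,967,296 /64 subnets, and a single /64 holds 2^64 addresses, which is 2^32 (about 4 billion) times the IPv4 space. At a billion probes per second, exhaustively scanning just one /64 would take several hundred years, which is why random Internet-wide scanning does not carry over to IPv6 and why host-level hardening, not address obscurity, is the control to rely on.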


It's true that NAT reduces the risk of portscans but that's not much of a benefit any more. For at least a decade the accepted best practice has been host rather than perimeter level security and that's only become more important over time. It took a while but the average device sold today doesn't have anything listening by default; at this point you're just subsidizing a few market-trailing manufacturers.



