All this IPv6 / NAT discussion reminded me of something Tony Hain pointed out a while back on the IPv6 IETF mailing list. Tony pointed out that IPv6 is inherently better at hiding a user’s machine than IPv4 NAT, as a user’s PC will typically be connected to a LAN segment which has been allocated a /64. A /64 leaves 64 bits for the node address, giving a total of 2^64 or 18 446 744 073 709 551 616 possible addresses. The user’s PC could be at any one of these addresses, based upon the IEEE MAC address of their LAN card. If an attacker could probe 100 addresses per second (using a tool such as nmap), and assuming that the attacker would find a machine on average 50% of the way through the address space, it would take an average of 92 233 720 368 547 758 seconds to find the user’s device, or 2 924 712 086.77 years!

If the user still isn’t happy with those odds, their node address could be changed periodically, say once a day, via Privacy Extensions for Stateless Address Autoconfiguration in IPv6:
http://www.ietf.org/rfc/rfc3041.txt

The current recommendation for IPv6 address allocation, for all users, including those at home, is a /48, which reserves 16 bits for 65 536 subnets of 64 bits (IAB/IESG Recommendations on IPv6 Address Allocations to Sites). The truly paranoid could extend the randomness of their periodic node address selection to include some, if not all, of those 16 subnet bits, assuming they are willing to automate their local router’s subnet configuration. Of course, for every subnet bit included, the work the remote attacker has to perform to find the user’s PC doubles.
http://www.ietf.org/rfc/rfc3177.txt

While I wouldn’t recommend it, I’d almost go so far as saying that for a typical home user, IPv6 without a firewall of any sort will be just as effective as IPv4 + NAT is at “hiding” their PC. In other words, remote attacks which rely on finding a target via an address probe are useless under IPv6, as they aren’t worth the time.
Aren’t they the only type of attack that IPv4 NAT inherently protects against? Social engineering attacks will then probably become the alternative to address probing, using techniques such as convincing a user to download something they shouldn’t from an untrusted web site, or sending them a malicious payload in an email. Of course, IPv6 won’t protect against those types of attacks; then again, neither does IPv4 + NAT today.
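The two mechanisms the post leans on, the MAC-derived node address and the RFC 3041 randomised replacement for it, together with the probe-time arithmetic, as an added worked example (not code from the post or from any RFC). The /64 prefix and MAC address are constructed sample values; the year figure uses a 365-day year, which is what the post's number implies. The example also generalises the "one doubling per subnet bit" remark to any number of randomised bits and adds a function for the chance of a hit before a daily address rotation, which the post describes but does not quantify.

```python
import ipaddress
import secrets
from fractions import Fraction

# Constructed sample values for the demonstration (not taken from the post).
SAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8:1234:1::/64")
SAMPLE_MAC = "00:11:22:33:44:55"


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC address (RFC 4291,
    Appendix A): insert ff:fe between the OUI and device halves and invert the
    universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def random_iid() -> bytes:
    """Randomised interface identifier in the style of RFC 3041 temporary
    addresses: 64 random bits with the u/l bit cleared, marking the identifier
    as locally administered rather than derived from a hardware address."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear the 0x02 (universal/local) bit
    return bytes(iid)


def address_from_iid(prefix: ipaddress.IPv6Network, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    if prefix.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and an 8-byte interface identifier")
    return ipaddress.IPv6Address(int(prefix.network_address) | int.from_bytes(iid, "big"))


def mac_from_address(addr: ipaddress.IPv6Address):
    """Recover the MAC address embedded in an EUI-64-derived address, or None when
    the ff:fe marker is absent. This is the exposure a randomised identifier removes:
    the same NIC is recognisable behind any prefix it roams to."""
    iid = int(addr).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


def expected_probe_seconds(random_bits: int, probes_per_second: int) -> Fraction:
    """Average time to locate one host by exhaustive probing of `random_bits` bits of
    address space, assuming the host is found on average halfway through the space.
    Each extra randomised bit (e.g. a subnet bit of the /48) doubles this figure."""
    return Fraction(2 ** random_bits, 2 * probes_per_second)


def expected_probe_years(random_bits: int, probes_per_second: int) -> float:
    """The same figure in years, using a 365-day year."""
    return float(expected_probe_seconds(random_bits, probes_per_second) / (365 * 86400))


def hit_probability_before_rotation(random_bits: int, probes_per_second: int,
                                    rotation_seconds: int) -> float:
    """Probability that a prober at the given rate hits the current address before
    it is replaced (periodic rotation as in RFC 3041), capped at 1."""
    probes = probes_per_second * rotation_seconds
    return min(1.0, probes / 2 ** random_bits)


if __name__ == "__main__":
    eui = address_from_iid(SAMPLE_PREFIX, eui64_iid(SAMPLE_MAC))
    tmp = address_from_iid(SAMPLE_PREFIX, random_iid())
    print("EUI-64 address:   ", eui, "-> MAC", mac_from_address(eui))
    print("temporary address:", tmp, "-> MAC", mac_from_address(tmp))
    for bits in (64, 72, 80):
        print(f"{bits} random bits at 100 probes/s: {expected_probe_years(bits, 100):.3e} years")
    print("chance of a hit within one day at 100 probes/s:",
          hit_probability_before_rotation(64, 100, 86400))
```

Running it prints the EUI-64 address with its recoverable MAC beside a temporary address that yields nothing, then the expected search time for 64, 72 and 80 randomised bits, which shows the 2^8 and 2^16 growth the post describes when subnet bits are included.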