Actually, that is the reason why the conversion to IPv6 has stalled for so long. Which is a bad thing, since for one, it's much simpler to set up networks if you don't have to worry about NATs, and second NAT make many of useful technologies (like some P2P applications much more difficult). And we shouldn't forget that IPv6 is not only about a larger address space; it brings many useful standards like mandatory network layer security, jumbograms etc.
> it brings many useful standards like mandatory network layer security
Wikipedia and Google seem to confirm that IPsec is mandatory for IPv6 hosts, but how many hosts are really going to support it? I'm pretty sure I can turn on IPv6 on my Linux boxes a lot easier than I can turn on IPsec (step 1: figure out which implementation to install, step 2: figure out byzantine configurations, ...). I think my OS X box has IPv6 turned on out of the box, but I wasn't aware it'd do IPsec without being lovingly configured.
Like multicast and a better solution for portable IP space, I feel like mandatory IPsec will be just another purely theoretical benefit of IPv6. (Which is not to say that I'm not extremely interested in its highest profile promise: more address space.)
But my point is that the safest thing for most end-devices is NOT to be directly addressable from the wider internet. Any network admin will tell you that so it'll be interesting to see how that unfolds in the IPv6 world (if it ever unfolds).
The safest thing for most end-devices is not being servers in the first place.
Now, if the device is cracked through one of its client software (NATs don't prevent that), then it could start up a rogue server, while if it were behind a NAT it couldn't. That's no worse for the machine itself (it's hosed anyway), but you could argue that's worse for the rest of the network.
I think it's not. Botnets are annoying and dangerous when they act as clients. Spam, DDoS, automatic attacks are all client behaviour. Even if you want server behaviour, connections don't have to be initiated from the outside. The compromised device just have to know the relevant IP, and initiate the connexion itself.
Finally, if you want to block incoming connections anyway, a plain firewall is cleaner. At least FTP will work.
The point about NAT blocking unforwarded servers, not necessarily true: http://samy.pl/pwnat/
The goal of some botnets is to set up servers for software distribution or to host phishing sites. You can't characterize botnets activity as simply client behavior.
Thanks to UPnP being enabled on most modern consumer routers you can't even count on the NAT protecting you from having a unauthorized server.
Having end-devices NOT be servers is ignoring the fact that the UI for many home devices is delivered over a embedded web server. This is becoming more commonplace over time.
Ultimately you need a firewall that controls inbound and outbound traffic.
Why do firewalls suddenly go away when IPv6 is introduced? If NAT is the only thing stopping packets from coming into your network then that is bad. Set up appropriate firewall rules.
