NAT66 doesn't add much in the way of security here, because the external address is fully routable and maps 1:1 to the internal address. You are once again fully dependent on a correctly configured firewall.
The IPv6 address that I shared was, in fact, a static (and real) IPv6 address, belonging to a real device that, with the possible exception of the last 3 bytes, was likely one I worked on frequently.
Put another way - to do an apples-to-apples comparison:
Hard to attack: FDC2:1045:3216:0001:0013:50FF:FE12:3456
Easier to attack: 2001:1868:209:FFFD:0013:50FF:FE12:3456
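To make the comparison concrete, here is an added Python example (not the commenter's code): it classifies the prefix of each address and decodes the shared low 64 bits. The two addresses are the ones posted above; everything else is standard library. It shows that the prefixes differ in routability (ULA vs global unicast) while the interface identifier is identical and, being modified EUI-64, decodes to a MAC address, so the suffix identifies the device no matter which prefix sits in front of it.

```python
import ipaddress

# Constructed inputs: the two addresses compared in the post above.
ULA_ADDR = "FDC2:1045:3216:0001:0013:50FF:FE12:3456"
GUA_ADDR = "2001:1868:209:FFFD:0013:50FF:FE12:3456"

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 unique local addresses
GUA_RANGE = ipaddress.IPv6Network("2000::/3")   # global unicast, internet-routable


def scope(addr: str) -> str:
    """Classify the prefix: ULA is never routed on the public internet, GUA is."""
    a = ipaddress.IPv6Address(addr)
    if a in ULA_RANGE:
        return "ULA (not internet-routable)"
    if a in GUA_RANGE:
        return "global unicast (internet-routable)"
    return "other"


def interface_id(addr: str) -> bytes:
    """Low 64 bits of the address (the part both posted addresses share)."""
    return ipaddress.IPv6Address(addr).packed[8:]


def iid_to_mac(addr: str):
    """Recover the MAC from a modified EUI-64 interface ID (RFC 4291 Appendix A):
    0xFFFE sits in the middle and the U/L bit (0x02 of the first octet) is inverted.
    Returns None when the IID is not EUI-64 shaped (privacy or random addresses)."""
    iid = interface_id(addr)
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def compare(a: str, b: str) -> dict:
    """Side-by-side view of what each address leaks about the host."""
    return {
        "prefix_scope": (scope(a), scope(b)),
        "same_interface_id": interface_id(a) == interface_id(b),
        "mac_from_iid": (iid_to_mac(a), iid_to_mac(b)),
    }


if __name__ == "__main__":
    for key, value in compare(ULA_ADDR, GUA_ADDR).items():
        print(f"{key}: {value}")
```

The decoded MAC comes out with its locally-administered bit set (first octet 02) because the posted interface ID starts with 0x00 rather than 0x02; the function simply applies the RFC 4291 bit inversion and does not try to guess what the author did to the last bytes.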
> NAT66 doesn't add much in the way of security here, because the external address is fully routable and maps 1:1 to the internal address. You are once again fully dependent on a correctly configured firewall.
When using the stateful firewall provided by Linux's packet filter, the IPv6 NAT66 "masquerade" works very similarly to IPv4 NAT. 1:1 mapping is NOT required.
For example, internal hosts are configured as follows:
inet6 fd00::200/64 scope global noprefixroute
ip -6 route add default via fd00::1
Edit:
From my understanding, NAT66 is ambiguous and it may work as a stateful port-based translation similar to IPv4 NAT, whereas NPTv6 is a stateless prefix-only translation.
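The two mechanisms the comment above distinguishes, as an added Python simulation (not the commenter's code and not how the Linux packet filter is implemented): a stateless NPTv6 prefix translator in the style of RFC 6296, and a stateful port-based masquerade with a conntrack-like table. The prefixes 2001:db8:1::/48 and 2001:db8:2::/48 (documentation range), the external address 2001:db8:1::1 and the sequential port allocation are assumptions. It shows why a masquerade needs no 1:1 mapping (two internal hosts share one external address), why an inbound packet with no matching state is dropped, and what the checksum-neutral adjustment of NPTv6 does to the subnet word.

```python
import ipaddress


def words(addr: ipaddress.IPv6Address):
    """Address as eight 16-bit words."""
    p = addr.packed
    return [(p[i] << 8) | p[i + 1] for i in range(0, 16, 2)]


def from_words(w):
    return ipaddress.IPv6Address(bytes(b for x in w for b in (x >> 8, x & 0xFF)))


def oc_add(a: int, b: int) -> int:
    """16-bit one's complement addition; 0xFFFF is written as 0x0000 (both mean zero)."""
    s = a + b
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return 0 if s == 0xFFFF else s


def oc_sum(w) -> int:
    total = 0
    for x in w:
        total = oc_add(total, x)
    return total


class NPTv6:
    """Stateless 1:1 prefix translation in the style of RFC 6296: swap the /48 prefix and
    adjust word 3 (bits 48-63) so the one's complement sum of the address, and hence every
    transport checksum covering it, is unchanged. Simplification (assumption): only /48
    prefixes, and the RFC's special handling of a 0xFFFF subnet word is not implemented."""

    def __init__(self, inside: str, outside: str):
        self.inside = ipaddress.IPv6Network(inside)
        self.outside = ipaddress.IPv6Network(outside)
        if self.inside.prefixlen != 48 or self.outside.prefixlen != 48:
            raise ValueError("this simplified translator only handles /48 prefixes")
        self.in_w = words(self.inside.network_address)[:3]
        self.out_w = words(self.outside.network_address)[:3]
        # adjustment = internal prefix sum - external prefix sum (one's complement)
        self.adj = oc_add(oc_sum(self.in_w), ~oc_sum(self.out_w) & 0xFFFF)

    def outbound(self, addr: str) -> str:
        w = words(ipaddress.IPv6Address(addr))
        w[:3] = self.out_w
        w[3] = oc_add(w[3], self.adj)
        return str(from_words(w))

    def inbound(self, addr: str) -> str:
        w = words(ipaddress.IPv6Address(addr))
        w[:3] = self.in_w
        w[3] = oc_add(w[3], ~self.adj & 0xFFFF)  # subtract the adjustment
        return str(from_words(w))


def checksum_neutral(npt: NPTv6, addr: str) -> bool:
    """True if translating addr leaves its one's complement sum unchanged."""
    before = oc_sum(words(ipaddress.IPv6Address(addr)))
    after = oc_sum(words(ipaddress.IPv6Address(npt.outbound(addr))))
    return before == after


class Masquerade:
    """Stateful, port-based NAT66 in the spirit of the packet filter's 'masquerade' target:
    many internal hosts share one external address, each outbound flow gets a table entry,
    and inbound packets with no matching entry are dropped. Port choice is simplified
    (sequential from 1024, an assumption); the kernel selects ports differently."""

    def __init__(self, external: str):
        self.external = str(ipaddress.IPv6Address(external))
        self.table = {}  # (ext_port, remote, remote_port) -> (int_addr, int_port)
        self.next_port = 1024

    def outbound(self, src, sport, dst, dport):
        for key, val in self.table.items():
            if val == (src, sport) and key[1:] == (dst, dport):
                return (self.external, key[0], dst, dport)  # existing flow
        ext_port = self.next_port
        self.next_port += 1
        self.table[(ext_port, dst, dport)] = (src, sport)
        return (self.external, ext_port, dst, dport)

    def inbound(self, src, sport, dport):
        """Packet from the internet to external:dport. Returns the internal endpoint,
        or None when there is no state for it (the firewall drops it)."""
        return self.table.get((dport, src, sport))


if __name__ == "__main__":
    npt = NPTv6("fd00::/48", "2001:db8:1::/48")
    ext = npt.outbound("fd00::200")
    print("NPTv6:", "fd00::200", "->", ext, "->", npt.inbound(ext))
    nat = Masquerade("2001:db8:1::1")
    a = nat.outbound("fd00::200", 40000, "2001:db8:2::53", 443)
    b = nat.outbound("fd00::201", 40000, "2001:db8:2::53", 443)
    print("masquerade:", a, b)
    print("reply to flow a:", nat.inbound("2001:db8:2::53", 443, a[1]))
    print("unsolicited:", nat.inbound("2001:db8:2::9", 22, a[1]))
```

The NPTv6 half is reversible without state, so an external address maps straight back to one internal host; the masquerade half only ever answers for flows the internal side opened, which is exactly the "you depend on the firewall" point made elsewhere in the thread.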
It's the same difficulty to attack in all 3 cases: hack the internet firewall, which is the only point providing connectivity between both internal and external addresses, regardless of what the address itself is.
You don't need to change the prefix to prevent an address from being routed to from the internet, but you do need a firewall if you want an address to be securely reachable from the internet. If you don't want an address to be reachable, what the address is doesn't matter whatsoever, so long as you've implemented any possible way of making it unreachable.
Not true: 2001:1868:209:FFFD:0013:50FF:FE12:3456 provides some amount of geographic information about the target that the other addresses do not. No firewall is going to protect you from that. Of course that is only going to matter in the specific scenario where your internal IP is leaked but the attacker has no other way of getting your external IP.