Re: "nat-has-nothing-to-do-with-security"
AGAIN, NAT isn't what blocks incoming connections, and I'll prove it.
You get your IP address from your ISP. Which means your network is subservient to it and you're technically INSIDE the ISP's INTRAnet. Which means they can route packets within their INTRAnet willy-nilly. That includes the RFC 1918 ranges. If they know the IP address of a target machine you have, they can just route the packet directly onto it, no translation necessary, because it's THEIR network which you're riding on. You could do the same thing if there were a NAT in your corporate intranet. A network expert confirmed this to be possible by disabling a home router's firewall several months ago.
So NO, NAT is NOT what you really want. It's in fact a false sense of security in the face of an ISP that gets served a warrant.
The device that provides the minimum degree of separation you want is the firewall, which doesn't change with IPv6. If you don't even trust that, you want something stronger, like a proxy server that allows you to better safeguard both directions. And if you want to go one step further, then yes, I'm saying use something at the L2 level (and yes, you CAN have an L2 proxy just as you can an L2 firewall; it uses TWO interfaces and the proxy bridges them according to its rules).
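The forwarding decision the post describes, as an added example that is not part of the original post and not code from any real router: a constructed toy model of a home router that keeps NAT (a mapping table that rewrites addresses) separate from the firewall (the policy that decides what gets forwarded). The interface names "wan"/"lan", the WAN address 203.0.113.7, the LAN prefix 192.168.1.0/24 and the peer addresses are assumptions chosen for the demonstration. With NAT alone, a packet that upstream routes at the CPE with the private LAN address as its destination is forwarded by an ordinary route lookup; only the stateful rule on the WAN side drops it.

```python
"""Constructed toy model of a home router's forwarding path (added example; not
code from the post or from any real router). It keeps the two jobs apart:
NAT rewrites addresses using a mapping table, the firewall decides what is
forwarded. Interface names "wan"/"lan", WAN address 203.0.113.7, LAN prefix
192.168.1.0/24 and the peer addresses are assumptions for the demonstration."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Router:
    wan_ip: str
    lan_net: str
    stateful_firewall: bool
    nat: dict = field(default_factory=dict)      # wan port -> (lan ip, lan port)
    conntrack: set = field(default_factory=set)  # 5-tuples, as seen on the WAN side

    def route(self, dst: str) -> str:
        """Two-entry routing table: the LAN prefix via 'lan', everything else via 'wan'."""
        if ipaddress.ip_address(dst) in ipaddress.ip_network(self.lan_net):
            return "lan"
        return "wan"

    def _alloc_port(self, wanted: int) -> int:
        port = wanted
        while port in self.nat:          # avoid clobbering an existing mapping
            port += 1
        return port

    def forward(self, pkt: Packet, ingress: str):
        """Return ('lan' | 'wan', packet_as_sent) or ('drop', reason)."""
        if ingress == "lan" and self.route(pkt.dst) == "wan":
            # Outbound: source NAT, and remember enough to un-NAT the reply.
            wan_port = self._alloc_port(pkt.sport)
            self.nat[wan_port] = (pkt.src, pkt.sport)
            self.conntrack.add((pkt.proto, pkt.dst, pkt.dport, self.wan_ip, wan_port))
            return "wan", Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst, pkt.dport)

        if ingress == "wan":
            established = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.conntrack
            # The firewall rule, in nftables terms:
            #   iif wan ct state established,related accept ; iif wan drop
            if self.stateful_firewall and not established:
                return "drop", "firewall: unsolicited inbound on wan"
            if pkt.dst == self.wan_ip:
                # Addressed to the router's own address: reverse the NAT mapping if
                # one exists; otherwise there is nothing to hand the packet to.
                if pkt.dport in self.nat:
                    lan_ip, lan_port = self.nat[pkt.dport]
                    return "lan", Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)
                return "drop", "no NAT mapping and no local service on that port"
            # Any other destination is a plain routing decision; NAT is not consulted.
            return self.route(pkt.dst), pkt

        return self.route(pkt.dst), pkt   # LAN-to-LAN traffic, not interesting here


def isp_routed_probe(stateful_firewall: bool):
    """The post's scenario: upstream hands the CPE a packet whose destination is the
    private LAN address itself. Returns (reply_verdict, probe_verdict)."""
    r = Router("203.0.113.7", "192.168.1.0/24", stateful_firewall)
    # A LAN host talks out first; its reply must still get back in either way.
    r.forward(Packet("tcp", "192.168.1.5", 40000, "198.51.100.20", 443), "lan")
    reply = r.forward(Packet("tcp", "198.51.100.20", 443, "203.0.113.7", 40000), "wan")
    probe = r.forward(Packet("tcp", "198.51.100.99", 5555, "192.168.1.5", 22), "wan")
    return reply[0], probe[0]


def unsolicited_to_wan_ip(stateful_firewall: bool):
    """Where the 'NAT protects me' intuition comes from: a packet for the public
    address with no mapping has nowhere to go, firewall or not."""
    r = Router("203.0.113.7", "192.168.1.0/24", stateful_firewall)
    return r.forward(Packet("tcp", "198.51.100.99", 5555, "203.0.113.7", 22), "wan")[0]


if __name__ == "__main__":
    print("NAT only, ISP-routed probe to 192.168.1.5:", isp_routed_probe(False))  # ('lan', 'lan')
    print("NAT + stateful firewall:", isp_routed_probe(True))                     # ('lan', 'drop')
```

The model deliberately ignores things a real CPE does (local delivery to the router's own services, reverse-path filtering, connection timeouts); the point it isolates is that the only line dropping the probe is the `stateful_firewall` check, which is the model's stand-in for an nftables forward-chain rule of the form `iif wan ct state established,related accept` followed by `iif wan drop`. The NAT table is consulted only for packets addressed to the router's own public address, which is why an unsolicited packet to that address fails either way while one addressed straight to a LAN address does not.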