Comment by immibis
3 days ago
Note that V6 is easier to scan than some people assume. You don't have to scan all 2^128 addresses - you can look at provider address blocks in the registry, and make an assumption (or try it and see) about what size block that provider assigns to each server, and then guess the server is ::1 or ::2 in each block. This isn't an exhaustive scan, but you'll find a lot of services this way anyway.
You can also e.g. monitor certificate transparency logs for hostnames. But the difference is that without NAT, knowing about one server on the network doesn't automatically give you the IP for every other accessible server on the same network. You have to actually try host IPs one by one instead of the router kindly filling that part in for you.
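From the defender's side, the point above translates into an audit of your own address inventory: which hosts sit at a low-numbered address inside their assigned block and so do not depend on the size of the address space for obscurity. The sketch below is an added example, not part of the comment; the inventory is constructed from the 2001:db8::/32 documentation prefix, and the function names and the `LOW_IID_MAX` threshold are assumptions.

```python
import ipaddress

# Assumption for this example: host parts at or below this value count as
# "low-numbered" (covers ::1, ::2 and other small hand-assigned values).
LOW_IID_MAX = 0xFF

def interface_id(addr, prefix_len):
    """Return the host part of addr inside an assigned block of prefix_len bits."""
    ip = ipaddress.IPv6Address(addr)
    host_bits = 128 - prefix_len
    return int(ip) & ((1 << host_bits) - 1)

def audit(inventory, prefix_len=64):
    """Flag hosts whose address is low-numbered within their assigned block.

    inventory is a list of (name, address) pairs; prefix_len is the block
    size your provider assigns per server (assumed /64 unless given).
    """
    findings = []
    for name, addr in inventory:
        iid = interface_id(addr, prefix_len)
        findings.append({
            "name": name,
            "address": str(ipaddress.IPv6Address(addr)),
            "host_part": iid,
            "guessable": iid <= LOW_IID_MAX,
        })
    return findings

# Constructed sample inventory (documentation prefix, not real hosts).
SAMPLE_INVENTORY = [
    ("web-1", "2001:db8:10:1::1"),
    ("web-2", "2001:db8:10:2::2"),
    ("db-1", "2001:db8:10:3:8d2f:41c7:9a3e:5b10"),
    ("mail-1", "2001:db8:10:4::25"),
]

def guessable_hosts(inventory, prefix_len=64):
    """Names of hosts that should be treated as publicly discoverable."""
    return [f["name"] for f in audit(inventory, prefix_len) if f["guessable"]]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        status = "LOW-NUMBERED" if f["guessable"] else "ok"
        print(f'{f["name"]:8} {f["address"]:40} {status}')
```

Hosts flagged here should be firewalled as if their address were public knowledge; a randomized host part only reduces the chance of being found by guessing and does nothing about hostnames exposed through certificate transparency logs.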