What's the responsibility of an IPv6 owner?
Having used IPv6 for the better part of a decade now, and watching the changes go by, I have a little bit of perspective on this.
The most important point here is this: NAT is not the firewall. These are two completely distinct things. In Linux it happens to be implemented as part of the firewall code, but this is merely an implementation detail, and isn't necessarily the case on other operating systems.
Once you completely understand that the thing in the router protecting your home network is the firewall, and not the NAT, then the rest falls into place.
To answer the rest of your question, let us take a look at a real live IPv6 router firmware, OpenWrt version 14.07 Barrier Breaker. In this router, IPv6 is enabled by default and works out of the box using DHCPv6 with prefix delegation, the most common way that ISPs will assign address space to customers.
OpenWrt's firewall configuration, like any reasonable firewall, blocks all inbound traffic by default. It contains a way to set up port forwarding rules for NATted IPv4 connections, as most every other router has for years. It also has a traffic rules section for allowing specific traffic to be forwarded; this is what you use instead to allow inbound IPv6 traffic.
Most home routers I've seen with IPv6 support also firewall inbound IPv6 traffic by default, though they might not provide an easy way to forward inbound traffic, or it may be confusing. But since I never actually use factory firmware on any home router, (OpenWrt is that much better) it's never affected me.
Indeed, many people are using IPv6 right now and have absolutely no idea that this is the case. When their ISPs enabled it, their home routers picked up the DHCPv6 responses and provisioned the addresses and everything Just Worked. Had I not needed more than a /64, I could have just plugged it in with zero configuration. I had to make one change to get a larger prefix delegation, though this is easy enough.
Finally there's one more thing: If you have a system on the IPv4 Internet today, it gets all sorts of inbound connection attempts on a variety of ports, attempting to exploit known vulnerabilities or brute-force passwords. The IPv4 address range is small enough that it can be scanned in its entirety in less than a day. But on IPv6, in almost a decade I've never seen such a connection attempt on any port. The much larger size of the host-part of the address makes scanning the range virtually impossible. But you need the firewall still; the fact that you can't be found from an IP address scan does not mean you can't be targeted by someone who already knows your address because they got it somewhere else.
In short, generally, no you won't have to be too overly concerned about incoming IPv6 traffic because it will be firewalled by default, and because IPv6 address ranges can't be easily scanned. And for many people IPv6 will come on automatically and they will never notice.
NAT really did very little for security. To implement NAT you basically have to have a stateful packet filter.
Having a stateful packet filter is still a strong requirement to be secure with IPv6; you simply no longer need the address translation since we have lots of address space.
A stateful packet filter is what permits outgoing traffic without permitting incoming traffic. So on your firewall/router you will set up rules which define what your internal network is and then you might permit your internal network to make outbound connections, but not permit any other networks to connect to your internal hosts, except in reply to your requests. If you are running services internally you might set up rules to permit the traffic for that specific service.
I expect IPv6 consumer routers either already do this, or will start implementing this in the future. If you are using some custom router, you might have to manage this yourself.
NAT isn't really security, except by a certain kind of obscurity.The internet, and most tools are designed to be used from end to end anyway. I would treat any individual system behind a nat the same way I would treat a system on the open internet.
Its worth considering the different mechanisms of getting ipv6 access, from the least native (Teredo), Tunnels (and there's different protocols that work well in different situations), ipv6rd (essentially an ISP run tunnel, that's a good way to get ipv6 quickly on an existing ipv4 network), to native (We use SLAAC and NDP I believe).
If you're on a less than utterly ancient windows box (XP or better - but I don't have anything worse than a SP3 box, and that's under duress), you probably have the option of non native, teredo support. You might already be on ipv6 and not realising it. Teredo kind of sucks and except in a few situations its worth explicitly turning it off.
Tunnels need a client of some sort, and that's even more work than a native install.
Outside of this ts nearly impossible to set up native ipv6 by accident. Even where your modern router supports it, you need to explictly set it up, and there's 3-4 different mechanisms in common use. My ISP uses ipv6rd and SLAAC on different physical connections, and the instructions are in the equivilent of a filing cabinet in a toilet. The alternative is a tunnel, and that's essentially at least an hour of work.
I would treat any system that's open to the IPV6 networks the same as I would any other system that's on the open internet. If it dosen't need ipv6, turn it off. Its trivial, and I've done this with my XP systems. If it does, make sure its secured. There's very little that absolutely relies on ipv6 in the current transition period that cannot fall back to ipv4. One notable exception is homegroups on windows 7 or later
The good news is most modern OSes with ipv6 support have their own firewalls for IPV6, and you shouldn't have too much trouble locking them down.
IPv6 also has an odd advantage. With ipv4, you often had many exploits that randomly scanned you for open ports. IPv4 NAT mitigates that a little by hiding the clients behind a main ip address. IPv6 mitigates that by having a huge address space it is implausible to completely scan.
At the end of the day NAT is not a security tool - its one meant to solve a very specific issue (the difficulty in assigning public IP addresses), that makes it a TINY bit harder to access a network from outside. In an era of router firmware hacks, and massive botnets, I'd suggest treating any system, ipv4 or 6 as if it was on the open, end to end internet. Lock it down, open up what you need, and not worry as much since you have actual security, rather than a cardboard policeman.