by api 3753 days ago
NAT is not a security feature. Please stop repeating this toxic drivel.

NAT is not the same as firewalls, and firewalls do not require NAT. NAT is just an ugly hack to stretch IPv4's inadequate address space, and it's one that breaks quite a few protocols and generally makes a lot of things painful and complex.

Remember back when there were two dozen different networking layers vying for the ability to link Docker containers? (There still are, but Docker's hype wave has crested so you don't see them every 5 minutes on here.) With IPv6 and no NAT, none of that is necessary. Just give every container a real address, set your firewall rules accordingly, and every container anywhere can talk directly to every other container without any added complexity. Give each container host a /96 address and let it assign container IPs from the remaining /32, for up to four billion containers per host. Since IPv6 specifies that an ISP should hand out /64's to customers, each customer can have 4 billion container hosts.

Getting rid of NAT makes everything orders of magnitude simpler.

I do wonder about monopoly resistance. I wonder if IPv6 has been shunned by Amazon, Google, and Microsoft clouds because they see a long term advantage in preventing adoption. IPv6 makes peer to peer systems a lot easier to build, and peer to peer is direct competition to the 'run absolutely everything through the cloud' model. IPv6 could actually reduce the cloud's importance (especially for data transit) if it were widely deployed.


I didn't say NAT is a security feature. I said developers use NAT to benefit security. The security benefit of NAT is that it forces developers to assign a predictable, private IP address to each device/container/vm/box behind its "firewall," which the gateway can then use for enforcing QoS policies or port whitelisting. Sure, you can do this on IPv6. But IPv6 is more complicated to implement, because all tools support IPv4, and only some support IPv6.
How does that help security?

IPv6 has usability problems (I've written on this), but these are unrelated to security in any direct way.

The reason I call it toxic is that the idea that NAT helps security is a harmful superstition that spooks people about IPv6 adoption. It's also driven some to actually implement IPv6 NAT, which is kind of like strapping a horse feed bag on the front of your car.

There's a ton of superstition and cargo cultism in network security, since most people -- even developers -- don't understand much about how networks work.

NAT is so painful. Even the specs are written with grossly overloaded terminology.

>The reason I call it toxic is that the idea that NAT helps security is a harmful superstition that spooks people about IPv6 adoption.

In all fairness, the common NAT implementation involves L4 params and the requisite state for ingress traffic. It makes like a filter that is "drop any" with respect to the NAT IP address (with the exception of in-state traffic). Further, it also limits the IP protocols available. Example, you will not likely be doing SCTP across your NAT and certainly it would be difficult to send directed OSPF packets during this[0] fun thing. It still leaves things to be done (like dropping internal IP space traffic on the external IFs), but the requisite components supply a lot.

I think I've seen the problem though. In general, network engineers have failed to break down the components of NAT: 1) State, 2) Rewrite, 3) A filter dropping traffic not matched by state. Fundamentally, the only thing we need to do in IPv6 is 1) state and 2) a filter. Their failure, combined with the packaging of components that NAT provides, feeds the valid points of the superstition while neglecting the details (what happens when we look at too big of a picture, or philosophical thing).

>It's also driven some to actually implement IPv6 NAT, which is kind of like strapping a horse feed bag on the front of your car.

The ignorance of management and "netwerk sekurity esperts" aside, NAT does have use cases in IPv6. Example, if we're performing renumbering frequently, does it make operational sense to roll over prefixes with RAs/DHCP? Maybe the expectation is for multiple prefix advertisement, but then which IP should be used for internal vs. external? Should all applications always rely on DNS? What are the implications for routing networks that may be designed with separate number spaces? The reasons for why these things may be done are not absolutely "wrong" or "bad design" and should not necessarily adopt a purist model.

[0]https://tools.cisco.com/security/center/content/CiscoSecurit...
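The decomposition in the comment above (state, rewrite, filter) as an added example that is not part of the thread: a toy gateway model where the rewrite step can be switched off, leaving the "state plus filter" that an IPv6 stateful firewall needs. The flows and addresses are constructed for illustration.

```python
# Added example (not from the thread): the three NAT components the comment
# lists, 1) state, 2) rewrite, 3) a filter dropping ingress traffic that
# matches no state. With rewrite=False only 1) and 3) remain, which is the
# IPv6 case: addresses stay end-to-end, unsolicited ingress is still dropped.
# Flows below are constructed 5-tuples, not captured traffic.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp", "udp", "sctp", ...
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The flow as seen from the other direction (reply packets)."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

@dataclass
class StatefulGateway:
    external_ip: str = "203.0.113.1"        # constructed, only used when rewriting
    rewrite: bool = True                    # True = NAT, False = plain stateful filter
    supported: frozenset = frozenset({"tcp", "udp"})  # L4 protocols NAT can rewrite
    state: dict = field(default_factory=dict)         # expected ingress flow -> inside flow
    next_port: int = 40000

    def egress(self, f):
        """Packet leaving the inside: record state, rewrite source only for NAT."""
        if self.rewrite and f.proto not in self.supported:
            return None  # port rewriting cannot follow this protocol (the SCTP case)
        if self.rewrite:
            out = Flow(f.proto, self.external_ip, self.next_port, f.dst, f.dport)
            self.next_port += 1
        else:
            out = f
        self.state[out.reverse()] = f.reverse()
        return out

    def ingress(self, f):
        """Packet arriving from outside: forward only if it matches recorded state."""
        return self.state.get(f)  # None means dropped ("drop any" except in-state traffic)
```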

> Give each container host a /96 address and let it assign container IPs from the remaining /32, for up to four billion containers per host.

A /80 for Docker is preferred because it can map 1 to 1 onto the MAC address for SLAAC.

see also: https://docs.docker.com/v1.5/articles/networking/#ipv6
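The address arithmetic behind the two plans in this thread (a /96 per host with numeric container ids, versus a /80 per host whose 48-bit host part can hold a MAC address) as an added example that is not part of the thread or of Docker's code; it uses the constructed documentation prefix 2001:db8::/64 as the customer's /64, and the MAC-to-address mapping is an assumption for illustration.

```python
# Added example (not from the thread): carve per-host prefixes out of a
# customer /64 and derive container addresses under the /96 and /80 plans.
# 2001:db8::/64 is a constructed documentation prefix.
import ipaddress

CUSTOMER = ipaddress.IPv6Network("2001:db8::/64")

def capacity(customer, host_prefixlen):
    """(host prefixes per customer prefix, container addresses per host)."""
    return 2 ** (host_prefixlen - customer.prefixlen), 2 ** (128 - host_prefixlen)

def host_subnet(customer, host_index, host_prefixlen):
    """The host_index-th sub-prefix of length host_prefixlen inside customer."""
    bits = host_prefixlen - customer.prefixlen
    if not 0 <= host_index < 2 ** bits:
        raise ValueError("host index does not fit in %d bits" % bits)
    base = int(customer.network_address) + (host_index << (128 - host_prefixlen))
    return ipaddress.IPv6Network((base, host_prefixlen))

def container_address(host_net, container_id):
    """/96 plan: host prefix plus a numeric container id in the host part."""
    if not 0 <= container_id < host_net.num_addresses:
        raise ValueError("container id does not fit in the host part")
    return host_net[container_id]

def mac_address(host80, mac):
    """/80 plan (assumed mapping): the 48-bit MAC becomes the low 48 bits."""
    if host80.prefixlen != 80:
        raise ValueError("MAC mapping needs a /80 host prefix")
    return host80[int(mac.replace(":", ""), 16)]
```

Note that inside one /64 the /80 plan leaves only 16 bits of host ids (65536 hosts), which is the trade-off for the MAC-sized container part.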