by globular-toast 2015 days ago
That's a common misconception. NAT isn't a security feature but rather a feature of a stateful firewall, which is. There's no reason to remove the firewalls that are in place now when ipv6 happens.

If firewalls are even needed, a recent poll on an IPv6 professional forum ended with 50/50 split between opt-in and opt-out for IPv6 firewalls in routers of consumer ISPs...
That's surprising and quite concerning. Imagine all the insecure IoT devices running ancient software having a direct connection to the Internet... It would be even more concerning if they were shipping routers without any firewall functionality at all. NAT basically requires a firewall. I hope the thinking isn't if you can do away with NAT you can do away with the firewall.
The thinking of the opt-inners seems to be (roughly) that:

- IPv6 is fundamentally much more secure than IPv4 (no scanning, etc.)

- opt-out is bad for innovation, especially since the cheap default ISP router firewall software is likely to not even allow opt-out for any other protocols than TCP and UDP. (Heck, these days on IPv4 even anything different than HTTPS can be problematic...)

- reliance on router firewalls is bad because they incentivize sloppy device security - the manufacturers should be instead liable when they are at fault for screwing it up (also, how many of these "insecure IoT devices running ancient software" are even able to run IPv6?)

source: https://lafibre.info/ipv6/ipv6-le-firewall/msg704095/#msg704... (fr)

Incidentally, one of the "big 4" French ISPs, "Free", didn't even have an IPv6 firewall on its customers' routers between 2008 and 2019, and it's probably still opt-in; 4 months ago: https://fr.answers.yahoo.com/question/index?qid=202008121107... (fr)

So I guess that we're going to see in practice the problems that having no IPv6 firewall causes (most customers not having any idea about what a firewall even is) as it gets more popular... especially since Free this summer boasted about reaching 99% IPv6 coverage, and it is enabled by default and can NOT be disabled...

> IPv6 is fundamentally much more secure than IPv4 (no scanning, etc.)

The same was true for IPv4 until about a decade ago.

> opt-out is bad for innovation, especially since the cheap default ISP router firewall software is likely to not even allow opt-out for any other protocols than TCP and UDP. (Heck, these days on IPv4 even anything different than HTTPS can be problematic...)

I can't wait for conficker6 to innovate its way around the IPv6 net.

> reliance on router firewalls is bad because they incentivize sloppy device security - the manufacturers should be instead liable when they are at fault for screwing it up (also, how many of these "insecure IoT devices running ancient software" are even able to run IPv6 ?)

Sounds like an excellent reason for an opt-out by standard. 99% of the world's internet users wouldn't have a clue how to manage a firewall. Directly connecting all their devices to the internet is an awful idea for 99% of the world.

Your 50/50 example is hugely biased: first, it's on a telco discussion forum, so that clearly selects for technical users; then it's about IPv6, which is going to further select for technical people.

Go canvass 100 random people outside a supermarket and ask if they want to have to manually manage a firewall for every device they connect to their network. If they don't give you a blank stare at that question, remind them that includes everything from lightbulbs, washing machines and "smart" speakers to their computers/phones (likely the only things they think of as being connected to the internet). If you find more than 1, I'll eat my hat.

I don't own a hat.

> Your 50/50 example is hugely biased: first, it's on a telco discussion forum, so that clearly selects for technical users; then it's about IPv6, which is going to further select for technical people.

As you can see I'm aware of that, they are also aware of that, and the discussion is not so much about themselves (since they know how to configure a firewall or even to install their own router), but about what your "average grandma" should get.

If only average grandmas were just limited to grandmas. I don't know a single person who isn't a gamer or IT person that can properly use a firewall as they exist now.
Thanks. So yeah, it looks like IPv6 is more secure than IPv4... as long as we're talking about competent engineering! Hopefully this is the case for major ISPs and OSes...

Especially interesting is this RFC: https://www.rfc-editor.org/rfc/rfc6092.html "Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service"

It shows that there are lots of different filterings involved, so it looks like these millions of residential users connected to the IPv6 Internet without router firewalls might still have some router filtering going on?

Also, it confirms that "The IPv6 stateful filtering behavior described in this document is intended to be similar in function to the filtering behavior of commonly used IPv4/NAT gateways, which have been widely sold as a security tool for residential and small-office/home-office networks.

As noted in the Security Considerations section of [RFC2993], the true impact of these tools may be a reduction in security. It may be generally assumed that the impacts discussed in that document related to filtering (and not translation) are to be expected with the simple IPv6 security mechanisms described here.

In particular, it is worth noting that stateful filters create the illusion of a security barrier, but without the managed intent of a firewall. Appropriate security mechanisms implemented in the end nodes, in conjunction with the [RFC4864] local network protection methods, function without reliance on network layer hacks and transport filters that may change over time. Also, defined security barriers assume that threats originate in the exterior, which may lead to practices that result in applications being fully exposed to interior attack and which therefore make breaches much easier."

So now I'm kind of confused as to the different meanings of 'filtering' and 'firewall' that might be used... The RFC seems to use 'firewall' in the sense of 'customizable firewall', while ISPs still often don't provide other options on their IPv6 'firewall' than 'ON/OFF'...
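To make the distinction the thread keeps circling back to concrete (NAT vs. the stateful filter RFC 6092 describes), here is a small model of both behaviours. It is an added example, not code from this thread, from RFC 6092 or from any ISP's router: the addresses are constructed from the documentation ranges, `StatefulFilter` stands in for an RFC 6092-style IPv6 CPE filter (no translation, inbound admitted only as the reverse of an inside-initiated flow), and `FullConeNat` stands in for an IPv4 NAT with endpoint-independent mapping and filtering in RFC 4787 terms. Both boxes drop a cold unsolicited probe, which is why NAT passes for a firewall; only the stateful filter keeps dropping once the LAN device has opened a flow.

```python
"""Toy models of an IPv6 stateful filter and a full-cone IPv4 NAT.

Constructed example for discussion; not production filtering code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


# Constructed addresses from the documentation ranges (RFC 3849, RFC 5737).
LAN6 = "2001:db8:1::"          # our IPv6 LAN prefix
BULB6 = "2001:db8:1::10"       # a smart bulb on the LAN
CLOUD6 = "2001:db8:ffff::1"    # the bulb's vendor service
ATTACKER6 = "2001:db8:bad::1"  # some other Internet host

BULB4 = "192.168.1.10"
WAN4 = "203.0.113.5"           # the NAT's public address
CLOUD4 = "198.51.100.1"
ATTACKER4 = "198.51.100.66"


class StatefulFilter:
    """RFC 6092-style IPv6 CPE filter: no address rewriting at all."""

    def __init__(self, enabled=True):
        self.enabled = enabled   # False models an ISP router shipped with the filter off
        self.flows = set()       # (proto, lan_addr, lan_port, ext_addr, ext_port)

    def process(self, p: Pkt) -> str:
        if not self.enabled:
            return "accept"
        src_in, dst_in = p.src.startswith(LAN6), p.dst.startswith(LAN6)
        if src_in and dst_in:
            return "accept"      # LAN-to-LAN never crosses the CPE anyway
        if src_in:
            # Outbound: remember the exact 5-tuple so its replies get back in.
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "accept"
        # Inbound: accepted only if it is the exact reverse of a flow we opened.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "accept" if key in self.flows else "drop"


class FullConeNat:
    """IPv4 NAT with endpoint-independent mapping and filtering (RFC 4787)."""

    def __init__(self):
        self.next_port = 40000
        self.mapping = {}        # (proto, wan_port) -> (lan_addr, lan_port)
        self.reverse = {}        # (proto, lan_addr, lan_port) -> wan_port

    def process(self, p: Pkt):
        """Return (verdict, translated packet or None)."""
        if p.src.startswith("192.168."):
            k = (p.proto, p.src, p.sport)
            if k not in self.reverse:
                self.reverse[k] = self.next_port
                self.mapping[(p.proto, self.next_port)] = (p.src, p.sport)
                self.next_port += 1
            return "accept", Pkt(WAN4, self.reverse[k], p.dst, p.dport, p.proto)
        # Inbound: forwarded whenever a mapping exists, whoever the sender is.
        target = self.mapping.get((p.proto, p.dport))
        if target is None:
            return "drop", None  # nowhere to send it, so it looks like a firewall
        return "accept", Pkt(p.src, p.sport, target[0], target[1], p.proto)


def run_scenario() -> dict:
    """Same sequence of events against both boxes; returns the verdicts."""
    fw, nat = StatefulFilter(), FullConeNat()
    v = {}
    # 1) Cold probe at the bulb's telnet port before it has talked to anyone.
    v["v6_cold_probe"] = fw.process(Pkt(ATTACKER6, 5555, BULB6, 23, "tcp"))
    v["v4_cold_probe"] = nat.process(Pkt(ATTACKER4, 5555, WAN4, 23, "tcp"))[0]
    # 2) The bulb phones home over UDP (STUN-like).
    fw.process(Pkt(BULB6, 5000, CLOUD6, 3478))
    _, xlated = nat.process(Pkt(BULB4, 5000, CLOUD4, 3478))
    # 3) A third party who learned that port sends to it from elsewhere.
    v["v6_hole_probe"] = fw.process(Pkt(ATTACKER6, 1234, BULB6, 5000))
    v["v4_hole_probe"] = nat.process(Pkt(ATTACKER4, 1234, WAN4, xlated.sport))[0]
    # 4) The legitimate reply from the vendor service.
    v["v6_reply"] = fw.process(Pkt(CLOUD6, 3478, BULB6, 5000))
    v["v4_reply"] = nat.process(Pkt(CLOUD4, 3478, WAN4, xlated.sport))[0]
    # 5) Same cold probe against an IPv6 router whose filter is switched off.
    v["v6_filter_off"] = StatefulFilter(enabled=False).process(
        Pkt(ATTACKER6, 5555, BULB6, 23, "tcp"))
    return v


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:15} {verdict}")
```

The interesting lines are `v4_hole_probe` (accept: the NAT mapping lets any external host in once it exists) against `v6_hole_probe` (drop: the filter keys on the full 5-tuple, so only the peer the bulb talked to gets back), which is the sense in which the NAT was never the security feature. On a Linux CPE the `StatefulFilter` half corresponds to a forward chain of `ct state established,related accept` with a default drop, which is the simple-security baseline RFC 6092 describes; `v6_filter_off` is what an opt-in IPv6 firewall means for a device that never asked for one.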

I'm well aware it's not a security feature and I know there are ways to punch holes, but in practice, a lot of machines are still relying on it. The number of IoT devices alone that would be screwed if they were public is massive.

Yes, everyone should have a hardware firewall, but we both know most people just buy the cheapest thing, and by and large, real firewall features are mostly targeted toward higher end devices.