[rnhmjoj]

Ah, the inevitable NAT security comment on every IPv6 discussion.

> yet it removes a whole class of problem (eg: windows print spooler is listening on [::] by default or something like that)

NAT is just address translation, that's it: it doesn't imply a firewall. What you're thinking is a typical CPE router which, along masquerading the usual RFC 1918 range, runs a stateful firewall that blocks all incoming connections by default (but can be easily punched, even automatically by NAT-PMP, UPnP and a bunch of other protocols).

Lifting the NAT doesn't mean lifting the firewall: new ISPs that deployed native IPv6 are doing exactly the same firewalling as before.

[znpy]

Congratulations, you missed the point

The ISP level yada yada doesn't matter, nobody cares about that at a consumer level.

NAT doesn't imply firewalling, that true, but NAT also means that hosts being the gateway are not exposed by default.

[rnhmjoj]

I haven't mentioned the ISP level networking anywhere. The router provided by an ISP with native IPv6 to you (or any consumer router you can buy, for that matter) is using the exact same firewall with the same rules: they just don't do NAT because it's not needed anymore.

By this I mean that new WAN to LAN connections are blocked by default, LAN to WAN connections are allowed by default, ICMP is allowed etc. The only difference is that in IPv4 to "open a port" you have to:

1. map a LAN port/address to a WAN port using a DNAT destination rule

2. write a firewall rule to allow WAN traffic through that port

while in IPv6 you just do 2. Same result, same level of security, just less steps. These two steps are usually bundled into one operation in your familiar home router web UI, and this is why many confuse NAT with a firewall/some kind of security feature.

[adrian_b]

Exposing by default or not does not have anything to do with NAT.

It only depends on the default firewall rules.

The default rules should not allow connections from outside, regardless whether NAT is used or not and regardless whether IPv6 is used or not.

Any device with a network interface connected directly to Internet must have an active firewall.

[adrian_b]

Whoever downvoted this does not know how NAT and firewalls function.

That NAT and firewall are independent functions, even if they may be performed by the same program, is a simple true fact, which cannot be contested.

NAT cannot enhance security in any way. On the contrary, only the absence of any NAT can enhance the security of private IPv4 networks, because only when NAT does not exist, the computers with private addresses are no longer reachable from outside. Whenever a device that does NAT exists in your network, your internal private addresses become public addresses, no longer hidden from the Internet, because that is what NAT does. The fact that multiple internal addresses are mapped to a single external address may make more difficult the tracking of individual users, but it does not protect the internal computers in any way from external accesses. That is the job of the firewall, which filters the undesirable IP packets.

So anyone who believes that NAT is something that provides security is delusional.

I own a subnetwork of public IPv4 addresses and I have a private network of computers connected to the Internet through a router/firewall, which is a standard PC on which I have been managing the firewall and NAT for almost 20 years.

Neither of my 2 ISP's supports IPv6, so I use IPv4 with NAT.

However, if I could use IPv6, rewriting the firewall rules would not take more than a few minutes and the security would be exactly the same as it is with IPv4 and NAT.

[throwaway525142]

> So anyone who believes that NAT is something that provides security is delusional.

If I understand NATs correctly, they cannot route incoming connections (from the Internet) to a computer on the local network because they don't know which computer to route them to. Hence incoming connections will always fail (unless configured to go to a specific computer, "port forwarding"). Thus a NAT (by design, because it cannot operate in another fashion), blocks incoming connections. I'd think this is a security benefit (over having a public IP address for every device in the network like in IPv6, but without a firewall).

Care to elaborate why my example doesn't work/misses your point?

[adrian_b]

It is true that for incoming connections you normally have to include in the NAT configuration the local IPv4 address to which the connection requests should be sent.

Otherwise the NAT would have to guess if they should be sent to one of the local addresses already seen to be in use.

In any case there is no difference between what happens when you use NAT and what happens when you have only public addresses in your internal network, either IPv6 or IPv4, it does not matter.

If you have internal public addresses, the incoming connections cannot reach them anyway, until you add a firewall rule allowing a connection with a certain protocol for a certain port and internal host, which is done exactly like when adding the same rule in the NAT case.

If the NAT does not allow incoming connections without express configuration, then it has correct default firewall filtering rules.

The fact that there may be multiple internal computers, is not something that would block the connection, because the NAT can choose the first of the internal addresses that it has seen, maybe rotating the addresses for the next connection requests.

So what blocks the incoming connections is the lack of permission to do that, not the fact that the NAT could not do that if allowed.

It would not surprise me if there are some NAT implementations that attempt to be too helpful so they might send the incoming connections to your local computer even without any configuration for this.