by throw0101a 1755 days ago
> I'm well aware that ipv4+nat is not "security"... yet it removes a whole class of problem (eg: windows print spooler is listening on [::] by default or something like that)

IPv4+NAT does not remove any more classes of problems than IPv6+firewall. Firewalls under IPv6 work exactly the same way as they do with IPv4.

An IP connection is started from the 'inside' to the 'outside', and the source-destination tuple is recorded. When an 'outside' packet arrives the firewall checks its parameters to see if it corresponds with an existing connection, and if it does it passes it through. If the parameters do not correspond with anything in the firewall's table/s it assumes that someone is trying to create a new connection, which is generally not allowed by default, and therefore drops it.

The main difference is that with IPv4 and NAT the original (RFC 1918?) source address and port are changed to something corresponding to the 'outside' interface of the firewall.

With IPv6, address/port rewriting is not done. Only state tables are updated and checked.

New connections are not allowed past the firewall towards the inside with either protocol, and only replies to connections opened from the inside are passed through.

There's no magical security behind NAT: tuples and packet flags are read, looked up in a state table, allowed or not depending on either firewall rule or state presence.

The security comes from the state checking.

> […] and it was happily listening on the public internet for something to print.

I have a printer with an IPv6 stack. I also have IPv6 addresses from my ISP. Yet somehow my Asus AC-68U prevents the public Internet from reaching my printer…

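The state-checking logic described in the comment above, as an added illustration that is not part of the original thread: the same connection-tracking table serves both cases, and the only thing the IPv4 NAPT variant adds is rewriting the source address/port. Addresses, ports and the port allocator are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Outbound flows create state; inbound packets pass only if they match it.
    wan_addr set   -> IPv4 NAPT: source address/port rewritten on the way out.
    wan_addr unset -> IPv6 filter: no rewriting, only the state table is checked."""

    def __init__(self, wan_addr=None):
        self.wan_addr = wan_addr
        self.state = {}         # (ext_src, ext_sport, dst, dport) -> (lan_src, lan_sport)
        self.next_port = 40000  # hypothetical NAPT port allocator (constructed)

    def outbound(self, pkt):
        """LAN -> WAN: record the flow tuple, rewriting it first if NAT is on."""
        src, sport = pkt.src, pkt.sport
        if self.wan_addr is not None:
            src, sport = self.wan_addr, self.next_port
            self.next_port += 1
        self.state[(src, sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(src, sport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """WAN -> LAN: forward (and un-NAT) only a reply to a recorded flow;
        anything unsolicited returns None, i.e. is dropped."""
        lan = self.state.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return None if lan is None else Packet(pkt.src, pkt.sport, lan[0], lan[1])


def demo():
    """Same scenario through a NAT box and a plain IPv6 filter: a LAN host opens
    HTTPS, the server replies, then an outsider probes the printer's IPP port.
    Addresses are constructed documentation ranges."""
    results = {}
    for name, fw, lan, wan, printer in [
        ("ipv4_nat", StatefulFirewall("203.0.113.5"), "192.168.1.10", "198.51.100.1", "203.0.113.5"),
        ("ipv6", StatefulFirewall(), "2001:db8::10", "2001:db8:1::1", "2001:db8::20"),
    ]:
        sent = fw.outbound(Packet(lan, 51000, wan, 443))
        reply = fw.inbound(Packet(wan, 443, sent.src, sent.sport))
        probe = fw.inbound(Packet(wan, 40001, printer, 631))  # no state: dropped
        results[name] = (sent, reply, probe)
    return results
```

In the NAT case the outsider can only aim at the router's WAN address; in the IPv6 case it can aim at the printer's global address directly, yet both probes are dropped for the same reason: no matching state.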

> There's no magical security behind NAT

That's exactly the point. Yes, I know the "security" NAPTv4 provides is just a side effect. But it is what was widely deployed in the field. If you want to push IPv6, you MUST make sure in-field appliances match this "side effect" (as a properly implemented firewall).

And this is not happening.

NAPTv4 with a "block incoming connection" side effect is widely deployed, running on countless CPEs. Proper IPv6 firewall is not. Thus IPv6 is not ready for these users.

> NAPTv4 with a "block incoming connection" side effect is widely deployed, running on countless CPEs. Proper IPv6 firewall is not.

I've been running IPv6 through my Asus for years now and it's been no different than IPv4. Going to Advanced Settings > Firewall, under "IPv6 Firewall" it says:

> All outbound traffic coming from IPv6 hosts on your LAN is allowed, as well as related inbound traffic. Any other inbound traffic must be specifically allowed here.

It then has a table where you specify traffic to be allowed in to specific internal hosts on particular port (ranges), but since this is IPv6, you don't have to deal with reverse-NATing now.

* https://www.asus.com/us/support/FAQ/1013638/

> IPv4+NAT does not remove any more classes of problems than IPv6+firewall

NAT is automatic and works out of the box, while most users, even tech-savvy ones, don't bother configuring the firewall on their own laptop, let alone on the router/gateway.

And by the way, I'd like to see you explain that firewall thing to the average senile PC user (grandma/grandpa).

There is nothing to figure out: you take your Linksys/Asus/whatever device, plug in the WAN side to your modem, and your computer(s) to the LAN ports. Perhaps enter your credentials if you're using PPPoE, and you're done.

I'm not sure why you think IPv6 is more complicated than IPv4 for home users when it comes to CPEs.

What exactly do you think needs to be done on an Asus/Linksys for IPv6 protection that is different than IPv4?