[akersten]

> (people frequently argue that NAT is valuable for network security - nonsense).

Most of the devices on my home network should never be routable from the Internet. Without NAT, they suddenly are, and I have to go out of my way to configure a firewall (either on the device or an intermediary appliance) just to get back to that baseline. That is more configuration to get right and is a worse experience than when they were just impossible routes under NAT. So, I get it, NAT was not "designed" with security as a primary consideration, but when thousands of Grandma's printers are suddenly pwn'd because their 2.6.x kernels wind up answering traffic from the public Internet, it's quite devilish to say "gosh, well, they should never have relied on things continuing to work the way they always have, because it was philosophically never meant to be that way."

It's quite possible I'm missing something (because I haven't bothered to learn much about v6 yet) and consumer routers are smart enough to drop unsolicited traffic to "private" addresses (however that is determined). If that's the case I cede a little.

[foxfluff]

I don't agree with this argument at all.

If routers can enable NAT by default, they have a stateful firewall by default. The printer won't be on the internet unless you punch a hole in NAT, it won't be on the internet unless you punch a hole in that firewall. You can have that firewall without NAT.

[IshKebab]

This is true but there is still a difference. How do you know if that protection is working? With NAT, if it's online then basically the only way is if NAT was used.

With a firewall then I have no idea. I guess you have to check on the router, and maybe do some kind of online test? Can't imagine grandma doing that.

I do think a firewall is a cleaner solution but it's definitely true that NAT is way more foolproof.

[jiggawatts]

These arguments are just hogwash, but they just don't seem to go away. Literally every IPv6 topic on Reddit and YCombinator is just filled with people going on and on about NAT being essential for security, despite that being clearly false.

I wonder what can be done to educate people that NAT != Firewall, and that all IPv6 home routers also include a default-deny firewall?

It seems like the concept of NAT=>Secure and also RFC1918=>Secure isjust embedded so deeply in people's consciousness that they assume !NAT=>!Secure.

[IshKebab]

> NAT being essential for security

That's not what I said at all. Read it again. NAT is a more foolproof kind of security.

> NAT != Firewall

NAT is effectively a pretty good firewall isn't it? How would you access a device behind NAT?

[Dagger2]

You do it in exactly the same way you would if the NAT wasn't there.

NAT only applies to outbound connections. It does nothing for inbound ones, and thus doesn't provide any firewalling functionality.

[IshKebab]

It means devices on the internet cannot directly connect to devices in your network. That is a function you would have to use a firewall for without NAT. Therefore NAT does provide some firewall functionality.

If I'm wrong I'd like to know, but you haven't provided any evidence that I'm not!

[throw0101a]

> Most of the devices on my home network should never be routable from the Internet. Without NAT, they suddenly are [...]

Copy-pasting from a previous discussion a little while ago:

---

IPv4+NAT does not remove any more classes of problems than IPv6+firewall. Firewalls under IPv6 work exactly the same way as they do with IPv4.

An IP connection is started from the 'inside' to the 'outside', and the source-destination tuple is recorded. When an 'outside' packet arrives the firewall checks its parameters to see if it corresponds with an existing connection, and if it does it passes it through. If the parameters do not correspond with anything in the firewall's table(s) it assumes that someone is trying to create a new connection, which is generally not allowed by default, and therefore drops it.

The main difference is that with IPv4 and NAT the original (RFC 1918?) source address and port are changed to something corresponding to the 'outside' interface of the firewall.

With IPv6 the address/port rewriting is not done.† Only state tables are updated and checked.

New connections are not allowed past the firewall towards the inside with either protocol, and only replies to connections opened from the inside are passed through.‡

There's no magical security behind NAT: tuples and packet flags are read, looked up in a state table, allowed or not depending on either firewall rule or state presence.

The security comes from the state checking.

[…]

I have a printer with an IPv6 stack. I also have IPv6 addresses from my ISP. Yet somehow my Asus AC-68U prevents the public Internet from reaching my printer.

† It is possible to have private IPv6 addresses using ULA, and then the router/firewall uses NPTv6 to rewrite the prefix (leaving the /64 interface component alone).

‡ Just like with IPv4 (NAT), to allow unsolicited 'new' connections in you have to do do firewall hole punching with (e.g.) UPNP. But by default things are blocked.

---

* https://news.ycombinator.com/item?id=28390634

IPv6 firewall on my Asus:

* https://www.asus.com/us/support/FAQ/1013638/

[bombela]

Network Address Translation (NAT) has the side effect of ignoring incoming connections that do not match an explicit port mapping.

A firewall will block any incoming connections unless explicitly allowed.

Basically the NAT happens to overlap a bit the job of the firewall as a side effect of how it works. In practice NAT and firewall are implemented by the same system. For example look at iptables on Linux.