by foxfluff 1713 days ago
I don't agree with this argument at all.

If routers can enable NAT by default, they have a stateful firewall by default. The printer won't be on the internet unless you punch a hole in NAT; it won't be on the internet unless you punch a hole in that firewall. You can have that firewall without NAT.


This is true but there is still a difference. How do you know if that protection is working? With NAT, if it's online then basically the only way is if NAT was used.

With a firewall then I have no idea. I guess you have to check on the router, and maybe do some kind of online test? Can't imagine grandma doing that.

I do think a firewall is a cleaner solution but it's definitely true that NAT is way more foolproof.

These arguments are just hogwash, but they just don't seem to go away. Literally every IPv6 topic on Reddit and YCombinator is just filled with people going on and on about NAT being essential for security, despite that being clearly false.

I wonder what can be done to educate people that NAT != Firewall, and that all IPv6 home routers also include a default-deny firewall?

It seems like the concept of NAT=>Secure and also RFC1918=>Secure is just embedded so deeply in people's consciousness that they assume !NAT=>!Secure.

> NAT being essential for security

That's not what I said at all. Read it again. NAT is a more foolproof kind of security.

> NAT != Firewall

NAT is effectively a pretty good firewall, isn't it? How would you access a device behind NAT?

You do it in exactly the same way you would if the NAT wasn't there.

NAT only applies to outbound connections. It does nothing for inbound ones, and thus doesn't provide any firewalling functionality.

It means devices on the internet cannot directly connect to devices in your network. That is a function you would have to use a firewall for without NAT. Therefore NAT does provide some firewall functionality.

If I'm wrong I'd like to know, but you haven't provided any evidence that I'm not!

There's no "directly". It's not like your PC is plugged in to the Telco backbone router, right?

No matter what, the packets have to traverse multiple hops, including the residential router that you've currently got.

It's not like the IPv6 packets magically "hop over" the router and skip it, they're processed the same way, except for one difference: the destination addresses are not altered in the process.

Note that IPv4 is supposed to work the same way. Back in the good old days, you'd get a public routable address even for home connections. Every router in the path to your PC would not modify the destination address.[1]

The RFC1918 address space was formalized in 1996, but I had an Internet connection as far back as 1992, and the "IPv4 Internet as we know it" materialised back in the '82-'83 era, and HTML in 1990.

This means that NAT is a "new thing", a workaround for the problem of address space exhaustion only. It wasn't a solution for security. Firewalls existed before, firewalls existed after, and generally worked the same with or without NAT.

Without NAT, my home Internet is still secure. Inbound connections are blocked by default. If I permit an inbound connection, it takes the same path through the same devices. All of the processing is the same, except for not having a single 32-bit address[2] rewritten in the packet headers.

Having my internal network devices being 1:1 addressable from the outside doesn't mean accessible. The default-deny firewall is in place either way, NAT or no NAT.

PS: If you can afford the USD 40 per public IPv4 address, and your ISP is willing to sell you a /C or whatever, you can totally have the non-NAT "experience" with IPv4 on your home network! It'll work the same as IPv6, with directly addressable devices with public-routable addresses. The firewall in your router will work the same! You'll still be just as protected.

[1] THIS is where the perception that NAT is required for security came from! In the 90s, most endpoints did not have a built-in default-deny firewall, especially Windows. Most people dialed into the Internet via a modem and got a public IP on their PC, exposing them to attackers without any firewalls in the way (software or hardware). When people were forced to move to NAT, as a side-effect they also got a firewall on their network for the first time. Now? Every residential Internet router has a firewall, as does every endpoint on top of that.

[2] Okay, the address, the port, TTL, and the checksum.
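As an added illustration of the point made in the post above (example configuration, not written by the commenter), here is an nftables ruleset for a home router in which the stateful default-deny filter is one `inet` table shared by IPv4 and IPv6, and the IPv4-only `nat` table does nothing but rewrite addresses. The interface names `wan0`/`lan0`, the documentation prefix `2001:db8:1::/64`, the RFC1918 host `192.168.1.10` and the example SSH port are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example: "wan0" faces the ISP, "lan0" faces the home LAN.
# Interface names, addresses and the permitted service port are assumptions.

flush ruleset

# Stateful default-deny filter. Because the table family is "inet", the same
# chain is evaluated for IPv4 (with NAT) and IPv6 (without NAT).
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to flows the LAN opened are allowed by connection tracking.
        # This rule, not address rewriting, is what blocks unsolicited inbound.
        ct state established,related accept
        ct state invalid drop

        # Anything the LAN initiates toward the WAN may leave.
        iifname "lan0" oifname "wan0" accept

        # The "punched hole": one explicitly permitted inbound service.
        # Same rule shape for IPv6 (public address) and IPv4 (address seen
        # here after DNAT has rewritten it to the LAN host).
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::10 tcp dport 22 accept
        iifname "wan0" oifname "lan0" ip  daddr 192.168.1.10   tcp dport 22 accept
    }
}

# IPv4-only address rewriting. Removing this table changes which addresses
# appear in the headers, not which packets the filter above accepts or drops.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Port-forward: rewrite the destination to the LAN host before filtering.
        iifname "wan0" tcp dport 22 dnat to 192.168.1.10
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound IPv4 from the LAN leaves with the router's public address.
        oifname "wan0" masquerade
    }
}
```

Load with `nft -f` on a test router and compare `nft list ruleset` with and without the `ip nat` table: the `inet filter` forward chain, and therefore the drop-by-default behaviour, is unchanged.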