[xl-brain]

The tension here is the difference between theory and reality. In reality, IPv4 NAT is the only thing protecting most users in their homes. If you force IPv6 on this same population, you have to give them an equivalent posture by default.

This is kind of like writing an argument that motorcycles are not unsafe because they lack 4 wheels. This is true, but if you put my grandmother on one and ask her to drive across town, she would not survive it.

[da_chicken]

No, the reality is that every modern network device running NAT for a user device network is also already a fully stateful firewall, because the software required to do one is virtually identical to the other.

You can't buy a home router with NAT and no firewall, and no home routers ship that don't also have a default deny rule on that firewall. The same is true for SOHO routers and effectively every consumer network gateway device you might buy.

You literally have to go well out of your way to find a network device capable of NAT that can't function as a stateful firewall, and when you find it, it's likely to be carrier-grade. In other words, not intended to be capable of any security at all. The amount of NAT processing it's intended to handle will challenge the hardware enough as it is.

[xl-brain]

Nope, I agree with the findings here:

https://arxiv.org/abs/2509.04792?

[dissent]

NAT isn't protecting them. Not being on the public internet at all is protecting them.

NAT is then unprotecting them a little by letting them punch out again. It's super easy for routers to implement this behaviour by default if your LAN is publicly addressable, and removes a whole class of exploits caused by applications making NAT hacks.

[xl-brain]

This is splitting hairs. The point stands that PAT is the de facto firewall for most soho users.

[dissent]

Not in the context of claiming NAT offers protection.

An ipv6 lan with default ingress deny is more secure than ipv4+nat

[xl-brain]

I think you missing my point. My point is not that IPv6 cannot be secured, it is that the author's take is controversial because people are skeptical about whether networks ARE being secured when NAT is not present. This skepticism is backed up by the research paper that I quoted and real world experience. IPv6 is deployed in many places incorrectly and without the good defaults. IPv4 NAPT in residential networks acts as a last line of defense because most users have been incapable of turning it off.

I suppose I will distill my thought into the assertion that the author should have prefixed his title with "In capable hands,"...

[Dagger2]

The point is that NAT offers no security, so it doesn't make sense to be skeptical about the security of a network just because it doesn't have NAT.

The only way to be confident is to have a firewall, and you can do that on v6 just as well as you already do on v4.

[mrsssnake]

France with >85% IPv6 adoption mostly made of grandmothers driving a motorcycles across the town manually delivering packets like in their youth.

[xl-brain]

https://arxiv.org/abs/2509.04792?

"Collectively, our results show that NAT has indeed acted as the de facto firewall of the Internet, and the v4-to-v6 transition of residential networks is opening up new devices to attack."

[mrsssnake]

ISP hosting a virtual machine you remote desktop into from internal network as the only way to access the external internet can also work as a "de facto firewall".

But the best de facto firewall is a proper firewall.

[xl-brain]

I don't disagree with your comment that the best de facto firewall is a proper firewall. I think you are reacting against the idea that I am saying IPv6 is less secure than IPv4. I am not saying that.

The point of my original post is that the author's take is controversial because people are skeptical about whether networks ARE being secured when NAPT is not present.

They are right to be skeptical, in my opinion, because the rollout of IPv6 has been bungled over and over again. That is not a problem with IPv6, its a problem with the adoption of IPv6.

[denkmoon]

This is entirely untrue. Every shitty router shipped by ISPs this side of the doctom bubble has a stateful firewall enabled by default. NAT is distinctly not the only thing protecting most home users. Not to mention every OS I know of shipping with its own firewall enabled with default deny on inbound.

[xl-brain]

You are stuck on the theory of what is protecting this population. In practice, less than 1% of these users can or will turn NAT off.

Can you imagine how great things would work out with a public IP on all your nana's computers, NAT turned off, protected by the prowess of her Arris gateway's stateful firewall?

[denkmoon]

Telstra, one of Australia's massive telcos who are the "go to" telco for nannas who don't know anything about this internet thingy, have IPv6 enabled by default on their CPE routers. Without NAT. With a stateful firewall. Works perfectly fine for their millions of customers.

[bigstrat2003]

It would work out just fine, because NAT was never providing any actual security to your nana. It was only ever the firewall which made her secure, not NAT.

[mrsssnake]

With NAT turned on nana's computer is still protected by the same Arris gateway.

[Dagger2]

That's not the case at all. You could disable their NAT and they wouldn't lose any protection whatsoever.

[xl-brain]

Yes, it is the case. In the real world, there are malfunctioning ALGs, permissive defaults, and connectionless protocols that are poorly tracked by these sloppy, underpowered "SPI" devices.

[Dagger2]

It's not, because in the real world NAT only affects your outbound connections. That means that turning it off only changes the behavior of outbound connections, not inbound ones.

Any inbound connection that would have worked before you turned it off will still work afterwards, and any that wouldn't have worked before will still not work afterwards.

[xl-brain]

Think about what 99% of SOHO users have: PAT (Nat Overload). This NAT impacts the way a connection is established in BOTH directions. Inbound connection attempts from the Internet to the NAT public IP address of the SOHO router can go no further than the router. We are talking what 99% of users have installed.

Maybe this is the reason for some of the disagreement. I am focusing on what is installed at 99% of user installations (PAT). I would agree with the comments that a 1-to-1 NAT offers no EXTRA security.

[Dagger2]

That's the type of NAT I've been talking about the entire time. It doesn't do anything to inbound connections unless you explicitly tell it to.

Connections to the router's IP address go to the router, but you need to consider what happens to connections that go to IP addresses on the network behind the router too.