[dissent]

NAT isn't protecting them. Not being on the public internet at all is protecting them.

NAT is then unprotecting them a little by letting them punch out again. It's super easy for routers to implement this behaviour by default if your LAN is publicly addressable, and removes a whole class of exploits caused by applications making NAT hacks.

[xl-brain]

This is splitting hairs. The point stands that PAT is the de facto firewall for most soho users.

[dissent]

Not in the context of claiming NAT offers protection.

An ipv6 lan with default ingress deny is more secure than ipv4+nat

[xl-brain]

I think you missing my point. My point is not that IPv6 cannot be secured, it is that the author's take is controversial because people are skeptical about whether networks ARE being secured when NAT is not present. This skepticism is backed up by the research paper that I quoted and real world experience. IPv6 is deployed in many places incorrectly and without the good defaults. IPv4 NAPT in residential networks acts as a last line of defense because most users have been incapable of turning it off.

I suppose I will distill my thought into the assertion that the author should have prefixed his title with "In capable hands,"...

[Dagger2]

The point is that NAT offers no security, so it doesn't make sense to be skeptical about the security of a network just because it doesn't have NAT.

The only way to be confident is to have a firewall, and you can do that on v6 just as well as you already do on v4.