nixCraft 🐧Jan 21
IPv6 is not insecure because it lacks a NAT https://www.johnmaguire.me/blog/ipv6-is-not-insecure-because-it-lacks-nat/
John Maguire

Show threadhokidJan 21
@nixCraft This is wrong. There is a whole section about NAT filtering in RFC4787, see https://datatracker.ietf.org/doc/html/rfc4787#section-5
The RFC acknowledges what is found in the real world: practically all NAT implementations do filter traffic. To do a "well, actually" and say the filtering is done by "an included firewall" is just hairsplitting. If you say "this machine does NAT", than everybody rightfully expects this behavior (except for sticklers, I guess).
RFC 4787: Network Address Translation (NAT) Behavioral Requirements for Unicast UDP

This document defines basic terminology for describing different types of Network Address Translation (NAT) behavior when handling Unicast UDP and also defines a set of requirements that would allow many applications, such as multimedia communications or online gaming, to work consistently. Developing NATs that meet this set of requirements will greatly increase the likelihood that these applications will function properly. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.

IETF Datatracker
Show threadDr. Babor
@hokid Okay, but are there a lot of devices that do IPv4 NAT and IPv6, but without firewall functionality?
Saying that the included firewall is what does the filtering is just a fact in most cases. Just as it is most likely to work the same way with IPv6.
Jan 21 at 7:58amWeb
Show threadhokidJan 21
@babor This is not about whether ipv6 is inherently less secure (it is not). This is only about this notion "NAT only does address translation, everything else is firewall". Every NAT implementation out there is stateful and drops packets for which no established connection can be found. This is essentially a "firewall behavior", so it absolutely does provide security benefits.