IPv6 is not insecure because it lacks a NAT
What NAT Actually Is (IPv4 vs IPv6)
- Many distinguish classic IPv4 NAPT (address+port overloading, many‑to‑one) from 1:1 prefix translation.
- In IPv6, NAT66/NPTv6 exist and are used mainly for prefix translation (e.g. renumbering, ULA↔global prefix), not for address+port overloading, since address scarcity isn’t a problem.
- Some note you can emulate IPv4‑style many‑to‑one NAT with IPv6 + port rewrites, but it rarely makes sense.
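Worked example, added here and not part of the thread: a checksum-neutral /48 to /48 prefix mapping in the style of RFC 6296 NPTv6, the kind of translation the bullets above describe (ULA prefix inside, global prefix outside). The point it shows is why NPTv6 is stateless and cheap: the translator adjusts the subnet word so the one's complement sum of the whole address is unchanged, so TCP/UDP checksums computed over the pseudo-header stay valid without being recalculated. The prefixes and the sample address are constructed; edge cases around a 0xFFFF word are not handled.

```python
# Added example (not from the thread): a /48 -> /48 NPTv6 prefix mapping in the
# style of RFC 6296. The subnet word (word 3) absorbs the difference between the
# two prefixes in one's complement arithmetic, so the address' contribution to a
# transport checksum is unchanged. Prefixes and sample address are constructed.
import ipaddress


def words(addr):
    """The eight 16-bit words of an IPv6 address, most significant first."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def ones_add(a, b):
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(ws):
    """One's complement sum of a list of 16-bit words."""
    total = 0
    for w in ws:
        total = ones_add(total, w)
    return total


def nptv6_translate(addr, inside_prefix, outside_prefix):
    """Rewrite addr's /48 from inside_prefix to outside_prefix, checksum-neutrally."""
    inside = ipaddress.IPv6Network(inside_prefix)
    outside = ipaddress.IPv6Network(outside_prefix)
    if inside.prefixlen != 48 or outside.prefixlen != 48:
        raise ValueError("this example only handles /48 prefixes (adjustment goes in word 3)")
    if ipaddress.IPv6Address(addr) not in inside:
        raise ValueError(f"{addr} is not inside {inside}")
    w = words(addr)
    new = words(outside.network_address)[:3] + w[3:]
    # delta = sum(inside prefix words) - sum(outside prefix words) in one's complement;
    # adding it to the subnet word keeps the sum over all eight words equal.
    delta = ones_add(ones_sum(w[:3]), ~ones_sum(new[:3]) & 0xFFFF)
    new[3] = ones_add(w[3], delta)
    return str(ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in new)))


def checksum_neutral(a, b):
    """True when both addresses contribute the same one's complement sum to a pseudo-header."""
    return ones_sum(words(a)) % 0xFFFF == ones_sum(words(b)) % 0xFFFF


if __name__ == "__main__":
    inside, outside = "fd00:1234:5678::/48", "2001:db8:1::/48"
    src = "fd00:1234:5678:1::10"
    out = nptv6_translate(src, inside, outside)
    back = nptv6_translate(out, outside, inside)
    print(src, "->", out, "->", back, "neutral:", checksum_neutral(src, out))
```

Translating back with the prefixes swapped recovers the original address, which is what makes the mapping usable in both directions without state; a naive prefix swap that leaves the subnet word alone is not checksum-neutral, which the `checksum_neutral` helper makes visible.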
NAT vs Firewall: Where Security Actually Comes From
- Repeated clarification: NAT’s core function is address translation; it doesn’t inherently decide to drop packets.
- On most consumer gear, NAT is bundled with a stateful firewall that defaults to “deny inbound, allow outbound”. That firewall behavior, not NAT itself, blocks unsolicited inbound traffic.
- Several point out that a NAT device with no firewall rules will simply route a packet that arrives on the WAN side already addressed to an internal host; nothing in the translation step drops it.
“NAT Is Security in Practice” View
- Others argue that in real deployments NAT does provide material security: it makes internal addresses unroutable from the wider Internet and forces explicit configuration (port forwarding/DMZ) for exposure.
- They frame this as defense‑in‑depth and “safety by default”: with IPv4+NAT, many home users accidentally end up with a reasonably safe posture even if they never touch firewall settings.
- Historical anecdotes: early broadband and PIX appliances were sold and perceived as security products; NAT reduced successful opportunistic attacks on home users.
IPv6 Security and Misconfiguration Risk
- Consensus: IPv6 can be just as safe as IPv4+NAT if the gateway has a default‑deny stateful firewall, which most modern CPEs do.
- Concern: misconfigured or disabled IPv6 firewalls, “passthrough” modes, or dual‑stack setups where IPv6 is left open while IPv4 is locked down. Several share real incidents of devices compromised over IPv6 because only IPv4 posture was considered.
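Worked example, added here and not part of the thread, covering both the "NAT vs firewall" bullets above and the dual-stack misconfiguration concern: a toy model of a consumer gateway's data path that keeps three things separate, stateful connection tracking, the per-family default policy for unsolicited traffic, and IPv4 NAPT. The `Gateway` and `Packet` classes, addresses and ports are all constructed. Running the scenarios shows where each outcome actually comes from: replies get through because of conntrack, an unsolicited packet for the shared WAN address has no NAPT mapping to follow, a packet already addressed to an RFC1918 host is blocked only if the policy says so, and an IPv6 probe is forwarded the moment the v6 chain is left on accept while v4 stays locked down.

```python
# Added example (not from the thread): a toy model of a consumer gateway's data
# path, separating stateful conntrack, the per-family forward policy, and IPv4
# NAPT. All addresses, ports and classes are constructed for illustration.
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    @property
    def family(self) -> int:
        return ipaddress.ip_address(self.src).version


class Gateway:
    def __init__(self, wan_v4, lan_v4, lan_v6, policy_v4="drop", policy_v6="drop", nat44=True):
        self.wan_v4 = wan_v4
        self.lan = {4: ipaddress.ip_network(lan_v4), 6: ipaddress.ip_network(lan_v6)}
        self.policy = {4: policy_v4, 6: policy_v6}  # default for unsolicited inbound per family
        self.nat44 = nat44
        self.conntrack = {}     # reply-direction 5-tuple -> (original src, original sport)
        self.next_port = 40000  # NAPT source-port pool (constructed)

    def outbound(self, pkt):
        """LAN -> WAN: record the flow so replies match; rewrite source if NAPT is on."""
        src, sport = pkt.src, pkt.sport
        if pkt.family == 4 and self.nat44:
            src, sport = self.wan_v4, self.next_port
            self.next_port += 1
        reply_key = (pkt.dst, pkt.dport, src, sport, pkt.proto)
        self.conntrack[reply_key] = (pkt.src, pkt.sport)
        return replace(pkt, src=src, sport=sport)

    def inbound(self, pkt):
        """WAN -> LAN: returns (verdict, packet delivered to the LAN or None)."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key in self.conntrack:
            # ct state established: a reply to a flow a LAN host opened
            orig_src, orig_sport = self.conntrack[key]
            return "accept-established", replace(pkt, dst=orig_src, dport=orig_sport)
        if pkt.family == 4 and self.nat44 and pkt.dst == self.wan_v4:
            # Unsolicited packet for the shared WAN address: NAPT has no mapping,
            # so there is no LAN host to hand it to. This is NAT's accidental effect.
            return "drop-no-nat-mapping", None
        if ipaddress.ip_address(pkt.dst) in self.lan[pkt.family]:
            # Already addressed to a LAN host: forwarding it is plain routing,
            # and only the firewall policy decides whether that happens.
            if self.policy[pkt.family] == "drop":
                return "drop-policy", None
            return "accept-forwarded", pkt
        return "drop-not-ours", None


def scenarios():
    """Run the cases the discussion argues about; returns verdicts keyed by name."""
    results = {}
    locked = Gateway("203.0.113.7", "192.168.1.0/24", "2001:db8:1::/64")
    # 1. A LAN host opens a flow; the reply matches conntrack and is un-NATed.
    leaving = locked.outbound(Packet("192.168.1.10", "198.51.100.5", 51000, 443))
    verdict, delivered = locked.inbound(Packet("198.51.100.5", leaving.src, 443, leaving.sport))
    results["v4_reply"] = (verdict, delivered.dst)
    # 2. Unsolicited SYN to the WAN address: no mapping, nowhere to go.
    results["v4_unsolicited_wan"] = locked.inbound(Packet("198.51.100.9", "203.0.113.7", 4444, 22))[0]
    # 3. Packet arriving on WAN already addressed to an RFC1918 host: policy decides.
    probe_lan = Packet("198.51.100.9", "192.168.1.10", 4444, 22)
    results["v4_lan_addressed_locked"] = locked.inbound(probe_lan)[0]
    nat_only = Gateway("203.0.113.7", "192.168.1.0/24", "2001:db8:1::/64",
                       policy_v4="accept", policy_v6="accept")
    results["v4_lan_addressed_nat_only"] = nat_only.inbound(probe_lan)[0]
    # 4. IPv6 probe with and without default-deny on the v6 chain.
    probe_v6 = Packet("2001:db8:ffff::1", "2001:db8:1::10", 4444, 22)
    results["v6_locked"] = locked.inbound(probe_v6)[0]
    v4_only_hardened = Gateway("203.0.113.7", "192.168.1.0/24", "2001:db8:1::/64", policy_v6="accept")
    results["v6_passthrough"] = v4_only_hardened.inbound(probe_v6)[0]
    return results


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28} {verdict}")
```

The `v6_passthrough` case is the one to check for on real dual-stack gear: the IPv4 side of this model is fully locked down and still the IPv6 probe is forwarded, because the two families have independent policies and only one of them was ever looked at.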
- Some auditors and admins still distrust IPv6 because globally routable addresses feel inherently riskier than RFC1918+NAT.
Obscurity, Addressability, and Privacy
- One camp stresses that non‑routable RFC1918 space and NAT give a useful “namespacing” and leak less information when internal addresses appear in logs/config dumps.
- Others call this security‑by‑obscurity: attackers can’t route RFC1918 from the global Internet anyway, and IPv6 privacy extensions plus firewalls are the right tools for privacy and exposure control.
- Scanning full IPv6 spaces is infeasible, but harvesting addresses (e.g. via NTP or other outbound traffic) is acknowledged as a realistic technique.
NAT Downsides and Architectural Trade‑offs
- Multiple comments highlight NAT’s technical costs: protocol ossification, broken end‑to‑end assumptions, extra complexity for P2P, SIP/FTP hacks, UPnP attack surface, and CGNAT pain.
- Some see IPv6’s main value in removing these hacks; others value NAT’s accidental safety and clear “inside vs outside” boundary, especially for non‑experts.