
It seems that people still argue on whether to use NAT with IPv6 for its side-role as a firewall hiding inner network from the outside (providing user anonymity and security as well). I am wondering though if we could not use an actual firewall for this purpose to secure an inner IPv6 host against outsiders (this however won't protect the user anonymity) ?

sasuke_X220

1 Answer

NAT is mostly a non-issue with IPv6. As you say using a firewall (which should even be used with NAT, because NAT is not a proper security measure by itself) is the proper solution.

Hiding the client's IPv6 address will only cause problems for protocols, traceability and security. Knowing the client's actual address makes writing firewall rules so much easier, and therefore prevents mistakes.

As far as the technical community is concerned the consensus is to avoid NAT with IPv6.

PS: NAT64 is used for IPv6-only networks to connect to the IPv4 world, but the IPv4 world is already full of NAT so it's considered an acceptable solution.

Sander Steffann
  • Could you please elaborate more on the traceability and security problems of NAT regarding IPv6? – sasuke_X220 Aug 01 '17 at 09:20
  • First of all, IPv6 was designed to not need NAT, so protocols don't implement the hacks to work around its problems. As for the security: when your system is attacked from someone behind NAT then you can't see who it was anymore (just like with IPv4 today). And if you put your users behind NAT you will probably not be able to trace back who it was when they misbehave. And traceability is not only important for security. When something goes wrong it is extremely useful to see the actual address of the devices for debugging. Using Wireshark is so much easier when the addresses don't get mangled. – Sander Steffann Aug 01 '17 at 13:12
  • @SanderSteffann from the point of view of the end user it reduces security and privacy. NAT is useful in this regard for them. From the point of view of companies trying to trace individuals (for whatever reason, security, marketing, advertising, data collection) no NAT is a bonus. – Eladian Aug 16 '18 at 11:52
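A stateful IPv6 border ruleset of the kind the answer and Sander's comment argue for, added here as an example (it is not from the original thread or its authors): unsolicited inbound traffic to the inner hosts is dropped unless it belongs to a connection they opened, the hosts keep their real addresses so rules and logs stay readable, and the ICMPv6 that IPv6 depends on is let through. The prefix 2001:db8:1::/64, the exposed host 2001:db8:1::10 and the interface names wan/lan are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: stateful IPv6 border filter with no NAT.
# 2001:db8:1::/64 is a documentation prefix; "wan"/"lan" are assumed names.
flush ruleset

table ip6 border {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections the inner hosts opened are allowed back in.
        ct state established,related accept
        ct state invalid drop

        # Anti-spoofing: nothing arriving from the WAN may claim the inner prefix.
        iifname "wan" ip6 saddr 2001:db8:1::/64 drop

        # Inner hosts may initiate outbound connections (tighten per policy).
        iifname "lan" ip6 saddr 2001:db8:1::/64 accept

        # ICMPv6 needed for IPv6 to work (PMTUD, error reporting). NDP is
        # link-local and is never forwarded, so it is not listed here.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 10/second accept

        # Expose one inner service by its real address, no port mapping needed.
        ip6 daddr 2001:db8:1::10 tcp dport 443 ct state new accept

        # Dropped packets are logged with their genuine source address.
        limit rate 5/minute log prefix "ip6 fwd drop: "
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # The router itself must speak NDP / RA on its links.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert } accept
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept

        # Management only from the inner network.
        iifname "lan" ip6 saddr 2001:db8:1::/64 tcp dport 22 accept
    }
}
```

Load it with `nft -f` on the border router and check with `nft list ruleset`; the log lines show the unmodified IPv6 source address, which is exactly what NAT would have taken away.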