
NAT is so standard for IPv4 that nobody thinks about it, but for IPv6 it's considered a really bad option. (Article from APNIC) Of course there's the stateless NPTv6, and the firewall can be configured so that the clients don't get unwanted inbound connections unless explicitly configured, as with IPv4 NAT. Also, IPv6 has new security options compared to IPv4, namely IPv6 Privacy Extensions, which can be used to change the public addresses frequently.

In some sense it seems NAT66 is just considered a crutch to avoid the real work of adopting IPv6, at worst giving a false sense of security because other best practices haven't been followed. Since it's stateful, it's even more work for the firewall, not to speak of the additional complexity.

Considering all that, could using NAT66 still be a net win for security, since it hides information about the clients?

Philip

1 Answer


NAT is a hack required to let everyone have an IP address even without one IP per device. This in turn also reduced the possibility of prefix delegation.

NAT is not security; it is just broken by design, which has potential side effects. But it in no way replaces proper firewalling. (There are many incorrect NAT setups that can be penetrated because of this.)

In terms of IPs that give security by "hiding" behind NAT, what we are talking about here is privacy, not security. How would "here is one IP that probably has multiple users" be better for privacy than "here is one of many IPs that a user was using, and we don't know anything about which is which"?

NAT is not security. Never has been, never will be.

NiKiZe
This has the same answer I wanted to post. NAT is not the same as security. To be secure one should not require NAT, one should require a firewall with proper rules. It is just that you need to set up some things in order to use NAT44 that means that you need some kind of firewall, but that does not make it safer 'because of NAT', it makes it safer 'because of firewall'. (And yes, I am aware of the downsides of not being able to reach IPs behind a NAT from the outside, but that also is not the solution to security, just a nasty downside of NAT.) – Hennes Aug 16 '22 at 08:21
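To make the point of the question and the answer concrete, here is an added example (not posted by anyone in this thread) of an nftables ruleset for an IPv6 router that gives the LAN the "no unsolicited inbound" behaviour the question attributes to NAT, using only stateful filtering on globally routable addresses and no NAT66 or NPTv6. Interface names `wan0`/`lan0` and the address `2001:db8:1::10` are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: stateful IPv6 firewall for a router, no NAT66/NPTv6.
# wan0, lan0 and 2001:db8:1::10 are assumed placeholders.
flush ruleset

table ip6 filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Packets that do not fit any tracked connection never pass.
        ct state invalid drop

        # Replies to connections the LAN opened. This single rule is the
        # "no unsolicited inbound" property NAT44 only gave as a side effect.
        ct state established,related accept

        # Anything the LAN initiates toward the Internet.
        iifname "lan0" oifname "wan0" accept

        # IPv6 depends on ICMPv6 (PMTUD via packet-too-big, errors);
        # blanket-dropping it breaks connectivity, so allow the needed types.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept

        # Deliberate, explicit exposure of one LAN host on one port: the
        # equivalent of a port forward, but to the host's own global address.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::10 \
            tcp dport 443 ct state new accept

        # Everything else from wan0 toward the LAN hits the drop policy.
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "lo" accept

        # Neighbour Discovery and router advertisements must reach the
        # router itself or IPv6 on the links stops working.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert, echo-request,
                      destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Management only from the LAN side.
        iifname "lan0" tcp dport 22 accept
    }
}
```

Load it with `nft -f <file>` and list it with `nft list ruleset`; the LAN hosts keep their real global addresses, and a misconfigured NAT mapping cannot silently expose them because there is no NAT mapping to get wrong.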