Subj : NAT
To   : Markus Reschke
From : Victor Sudakov
Date : Sat Jan 26 2019 21:49:42

Dear Markus,

26 Jan 19 12:12, you wrote to me:

 VS>> With the proliferation of IPv6 I hear more and more often that
 VS>> NAT is a great security mechanism because it hides your intranet
 VS>> infrastructure from outsiders,

 MR> There's a lot of misunderstanding of NAT and security. The typical
 MR> case is that NAT is done by a dedicated firewall or a router with
 MR> firewall features, i.e. the firewall/router does packet filtering and
 MR> NAT. So a lot of people think that NAT implies security, but it
 MR> doesn't.

The security guidelines I have read don't specify "NAT must be used."
They specify "RFC1918 addresses must be used in the internal network."

 MR> NAT is exactly what the acronym says: network address
 MR> translation. A 1:1 NAT simply translates one address or subnet to
 MR> another. How could that provide any security?

A static NAT has limited usage and indeed does not provide much additional
security. But the dynamic NAT and especially PAT provide a very important
security feature no packet filter provides: they *hide* the *source*
*addresses* of internal hosts, thus effectively hiding the network structure
from outsiders.

 MR> What you need is packet
 MR> filtering (plus proxies and so on).

Yes, a proxy would do the same hiding as a dynamic NAT.

 VS>> infrastructure from outsiders, and how unfit IPv6 is for
 VS>> enterprise networks because it lacks the notion of NAT
 VS>> which makes IPv6 networks so very very much insecure.

 MR> There's also NAT for IPv6.

Never heard of that, other than DNS64/NAT64, which are for a different purpose.

 MR> BTW, IPv6 has a nice feature called Privacy
 MR> Extensions to automatically change IP addresses regularly.

Yes, with Privacy Extensions it becomes more difficult to map a single host,
but all your /64 internal networks are still mappable.

For example, by analyzing browsing behaviour, you can easily guess which /64
in your company is for engineering staff and which is for the management.

Victor Sudakov, VAS4-RIPE, VAS47-RIPN

--- GoldED+/BSD 1.1.5-b20160322-b20160322
 * Origin: Ulthar (2:5005/49)
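The following Python simulation is an added illustration of the two points argued in the message above; it is not code from the message or from either correspondent. It models a dynamic PAT gateway in a few lines and an RFC 4941 temporary address as a random 64-bit interface identifier under a fixed /64, then shows what a destination host sees in each case: under PAT every internal host collapses to the gateway's single public address, while under IPv6 Privacy Extensions the host part changes but grouping the observed addresses by /64 still exposes the subnet layout. All addresses, prefixes, ports and flows are constructed sample data from the documentation and TEST-NET ranges; the class and function names are this example's own.

```python
"""Added example, not part of the original FidoNet message: what an outside
observer learns about internal hosts under IPv4 dynamic PAT versus IPv6 with
Privacy Extensions.  All addresses, prefixes and flows are constructed."""
import ipaddress
import secrets
from collections import Counter

# Constructed public address of the PAT gateway (TEST-NET-2 range).
PUBLIC_V4 = ipaddress.IPv4Address("198.51.100.1")


class DynamicPat:
    """Minimal port-address translation model (hypothetical class): each new
    outbound flow from an RFC1918 host is rewritten to the gateway's public
    address plus a fresh public source port recorded in a translation table."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (src_ip, src_port, dst_ip, dst_port) -> public source port
        self.table = {}

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the 4-tuple the destination host actually observes."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return (str(self.public_ip), self.table[key], dst_ip, dst_port)


# Constructed outbound flows from three hosts on two internal RFC1918 subnets.
INTERNAL_FLOWS = [
    ("10.1.10.5", 51000, "203.0.113.7", 443),   # engineering subnet
    ("10.1.10.9", 51001, "203.0.113.7", 443),   # engineering subnet
    ("10.1.20.3", 51002, "203.0.113.7", 443),   # management subnet
]


def sources_seen_through_pat(flows, pat=None):
    """Set of source addresses the destination observes after PAT.  Dynamic PAT
    collapses every internal host to the one public address, so the split
    between 10.1.10.0/24 and 10.1.20.0/24 is invisible from outside."""
    if pat is None:
        pat = DynamicPat(PUBLIC_V4)
    return {pat.translate(*flow)[0] for flow in flows}


def temporary_v6_address(prefix):
    """Model an RFC 4941 temporary address: random 64-bit interface identifier,
    but the /64 prefix is still the host's real subnet prefix."""
    net = ipaddress.IPv6Network(prefix)
    assert net.prefixlen == 64
    return ipaddress.IPv6Address(int(net.network_address) | secrets.randbits(64))


def group_by_slash64(addresses):
    """Count observed IPv6 source addresses per /64.  Privacy Extensions hide
    which host is which, but the prefix grouping still reveals how many
    subnets exist and how active each one is."""
    counts = Counter()
    for addr in addresses:
        counts[str(ipaddress.IPv6Network(f"{addr}/64", strict=False))] += 1
    return dict(counts)


# Constructed /64s from the documentation prefix, standing in for two subnets.
ENGINEERING_V6 = "2001:db8:0:10::/64"
MANAGEMENT_V6 = "2001:db8:0:20::/64"


def simulate_v6_observer(engineering_flows=5, management_flows=2):
    """Generate temporary addresses for a few flows per subnet and return
    (per-/64 counts, number of distinct host addresses seen)."""
    seen = [temporary_v6_address(ENGINEERING_V6) for _ in range(engineering_flows)]
    seen += [temporary_v6_address(MANAGEMENT_V6) for _ in range(management_flows)]
    return group_by_slash64(seen), len(set(seen))


if __name__ == "__main__":
    print("IPv4 sources seen behind PAT:", sources_seen_through_pat(INTERNAL_FLOWS))
    counts, distinct = simulate_v6_observer()
    print("IPv6 /64s seen with Privacy Extensions:", counts,
          "from", distinct, "distinct host addresses")
```

Run it directly and the IPv4 half prints a single public address regardless of how many internal subnets generated the flows, while the IPv6 half prints two /64 prefixes with distinct per-subnet counts even though every individual host address is a fresh random one. The PAT model deliberately ignores timeouts and port reuse, since the point being illustrated is only which source address leaves the gateway.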