IPv6 Security Myth #3 – No IPv6 NAT Means Less Security

Security in an IPv6 WorldWe’re back again with part 3 in this 10 part series that seeks to bust 10 of the most common IPv6 security myths. Today’s myth is a doozy. This is the only myth on our list that I have seen folks raise their voices over. For whatever reason, Network Address Translation (NAT) seems to be a polarizing force in the networking world. It also plays a role in differentiating IPv4 from IPv6.

In IPv4, NAT (technically NAT overload or NAPT) is required for multiplexing due to the shortage of addresses. In IPv6 we have 340 trillion, trillion, trillion addresses available, and therefore no need for address sharing. This means that the NAT we have in IPv4 is not part of our IPv6 world. Some people keep saying this is a security issue, which brings us to today’s myth.

Myth: No IPv6 NAT Means Less Security
Reality: Stateful Firewalls Provide Security (Not NAT)

We can argue the merits of NAT, the end-to-end principle, and security until we’re blue in the face – and many have – but the reality is that NAT does not provide any real network security. Worse yet, it actually prevents many security measures and provides an additional attack surface for your network.

The cause for much of this confusion stems from the fact that NAT requires state. By “state” I mean that the NAT device must remember which internal addresses to swap for which external addresses, and vice verse. This in turn means that any device performing NAT overload must act as a stateful firewall.

A stateful firewall uses state to determine which packets to allow into the network. That is, it remembers when you send packets out and to whom so that it can allow packets back in only from those hosts with which you initiated communication. In other words, a stateful firewall stops all incoming traffic unless it is a reply to valid traffic that you sent.

While the NAT may provide a bit of obfuscation, by hiding your internal addresses, it is really this stateful firewall function that protects your network from unwanted intrusion.

What’s worse than giving NAT credit for the work of our trusty stateful firewall? NAT making you less secure. That obfuscation trait of NAT we mentioned earlier actually prevents IPsec, DNSSEC, Geolocation, and other applications – many of which are designed to provide security – from working.

NAT also introduces its own set of security flaws. NAT devices stand in front of your network as a single point of failure. All NAT’ed packets must terminate on the NAT device and get a new IP header with their new, translated, address. This means that every flow into and out of a NAT’ed network is wholly dependant on the NAT device, and consumes resources on the NAT device. This opens these devises up to many DoS attacks. An attacker can consume available connection state, available addresses or ports, or simply overload the CPU with ALG (Application Layer Gateway) or other requests.

The bottom line is that NAT is not a security feature and removing NAT from your network will NOT make it less secure. In fact, it may actually increase your overall security.

Can’t wait for the next IPv6 Security Myths post? Not to worry, you can check out tons of great IPv6 resources right now!

Read the full series of IPv6 Security Myths articles and visit our Start Here page to get started with IPv6 today!

January 27th, 2015 by | Posted in IPv6, Security | Tags: , , | 9 Comments

9 Responses to IPv6 Security Myth #3 – No IPv6 NAT Means Less Security

  1. Andrew McConachie says:

    It would be interesting to actually test the theory that IPv4/NAT is less secure than IPv6/no-NAT. In my mind the question is still open as to whether one is more or less secure than the other. There is something to be said for IPv4/NAT using RFC1918 addresses for internal hosts. It’s more than just obfuscation, attacking them requires using some form of address translation. Which means either compromising the NAT box, or creating fake state in the NAT box through abuse of uPnP or similar mechanism. Either way it requires extra work on the part of the attacker.

    I would also never suggest deploying residential IPv6 without some kind of stateful security device between the residence’s hosts and the Internet. So IPv6 doesn’t do away with a stateful middle device(e.g. firewall), it only obviates the address and port translation problem.

    As more ISPs roll out IPv6 maybe we can start to see if your theory holds true. There must be ISPs live now with both IPv4/NAT and IPv6/no-NAT. Can we get a comparison study to see which groups of hosts are facing the most security problems? This data should exist at this point in history. And it might finally put this debate to rest.

    Security is about so much more than technical possibilities. We like to focus on the technology because it’s where we’re most comfortable, and can exact the most control. However, I’d bet most security breaches relevant to this discussion are more likely to be caused by misconfiguration, or lack of user understanding. In which case the tech is less relevant, and the social/psychological issues surrounding adoption become more interesting.

  2. Nuno Garcia says:

    NAT for IPv6 does provide an additional layer of security, as it allows to obscure how many machines are present behind the NAT. I don’t quite agree with the arguments in this publication, in particular because of this NAT feature.

  3. BL says:

    The author of this article makes some good points but tries to minimize obfuscation benefits of a NAT. Companies won’t likely to open up topologies, devices, wireless sensors to the outside world, due to privacy (and security) concerns. NAT or not to NAT is not a myth vs truth thing but more of a a pros vs cons thing.

  4. […] NAT is not essential for a security through obscurity approach either. Stateful firewalls provide security, not NAT. Properly configured firewalls filter out the good from the bad traffic and make every […]

  5. Jason says:

    Cisco NAT is mainly documented as being a tool for corporate networks to merge with overlapping subnets, moving a server to another subnet but keeping the old address available, overloading too. The connection to your ISP will always be the funnel point, not the NAT device. It is never safe to expose your computers to the public. OS firewalls are decent but NAT devices add another layer of protection and deception. Decent article but it seems like it was written as what IPV6 is supposed to be, not really what it is going to be when you roll this out to your average joe internet subscriber.

  6. […] which will block traffic from the outside from getting to your devices on your LAN. Some reading: IPv6 Security Myth #3 ? No IPv6 NAT Means Less Security | Deploy360 Programme As for devices and systems with fixed IPv4 addresses I don't see a reason why you can't direct […]

  7. Ella J. says:

    So far I have had good luck with arcvpn in changing my IP.

  8. James says:

    This doesn’t make sense; every packet still needs to be inspected statefully, somewhere. It is a lot easier to manage stateful inspection at one point or distribute it through a small handful of points than it is to manage the firewall on every single device connected to the network.

    If this weren’t true, you’d be allowed to cross borders into other countries anywhere you wanted, and the border patrol would have to find you. Or when you went to a concert, someone would only check your ticket once you’d taken a seat.

    NAT isn’t an internal-to-external technology only. You can also perform external to internal NAT, which allows you to further classify and inspect traffic. It is far easier to create a targeted firewall rule against a known subnet or network than it is against all possible public address space.

  9. Your article makes some good points however there are some points I disagree with. For details, read my article


Leave a Reply

Your email address will not be published. Required fields are marked *