With IPv6 do we need to use NAT any more?

There is some widespread confusion about NAT.

NAT has never been meant to be used as a security feature. However, it so happens that in most cases (not all), when a machine has access to the Internet through NAT only, then the machine is somehow "protected". It is as if the NAT system was also, inherently, a firewall.

Let's see how it works:

  • An IP packet has a source and a destination address. Each router, upon seeing the destination address, decides to which subsequent router the packet shall be sent.
  • When a router implements NAT, it forwards outgoing packets under a guise; namely, the packets bear the router's external IP as source address, not the actual source. For incoming packets, the router does the reverse operation. The TCP/UDP port numbers are used to know to what internal host the packets relate.
  • However, from the point of view of the router, the internal hosts have (private) IP addresses which are directly reachable. NAT is for communications between the internal hosts and machines beyond the router.

Let's take an example:

Inner <---> HomeRouter <---> ISPRouter <---> The Internet

"Inner" is your PC. "HomeRouter" is the router which does the NAT. "ISPRouter" is the router at your ISP.

The "firewall effect" is the following: usually, even if "Inner" has an open port (it runs a remotely reachable service, e.g. a local Web server on port 80), people from "the Internet" will not be able to connect to it. The reason is the following: there are two ways by which an IP packet may be transferred by HomeRouter to Inner:

  • An incoming packet may come with HomeRouter's address as destination, and targeting a port which HomeRouter knows to be associated with an outgoing connection from Inner to somewhere on the Internet. This works only for a connection which was initiated by Inner, and this implies that the port will not match that of the server which runs on Inner.

  • An IP packet contains Inner's private IP address as destination and is somehow brought to the attention of HomeRouter. But ISPRouter does not know Inner's private IP, and would not forward an IP packet meant for that address to HomeRouter. Source routing could be used to tag a packet with Inner's private IP address as destination and HomeRouter's public IP address as intermediate host. If ISPRouter supports source routing, then such a packet will reach Inner, regardless of NAT. It so happens that almost no ISP actually supports source routing.

Therefore, the "firewall effect" of NAT relies on two properties:

  • Attackers are far: attackers do not inject packets directly on the link between the home router and the ISP; all their attempts must go through the ISP routers.
  • ISPs don't allow source routing. This is the (very) common case.

So in practice there are a lot of machines, in private homes and small businesses, which could be hacked into in a matter of seconds except that they benefit from the "firewall effect" of NAT.


So what of IPv6? NAT was designed and deployed (widely deployed) in order to cope with the scarcity of free IPv4 addresses. Without NAT, the IPcalypse would have already destroyed civilization (or triggered IPv6 actual usage, maybe). IPv6 uses 128-bit addresses, instead of the meagre 32-bit IPv4 addresses, precisely so that crude workarounds like NAT need not be used.

You can use NAT with IPv6, but it makes little sense - if you can live with NAT, why would you switch to IPv6 at all?

However, without NAT, there is no "firewall effect", flimsy as it could be. Most operating systems are now IPv6 ready, and will use it automatically if given the chance. Therefore, if an ISP decides to switch IPv6 on, just like that, then a lot of machines which were hitherto "hidden" behind a NAT will become reachable from the outside. This could well turn into a worldwide hacking orgy. It is no wonder that ISPs are somewhat... reluctant.

To switch to IPv6 nicely, you have to couple its enabling with some solid, well-thought firewalling rules, which will prevent incoming connections which were not possible in a NAT world (with the caveats explained above), but are now feasible thanks to the magic of IPv6. The operational word here is "think": this will require some time from some people, and that's not free.

So it can be predicted that IPv4 will be used and maintained as long as it can be tolerated, and, thanks to NAT and transparent proxies, this will be a long time (especially if we succeed at containing human population below 10 billion).


The biggest issue to me in removing NAT is the reduction of privacy. With IPv6 I notice all my LAN devices have a unique public IPv6 address, which allows each device on a LAN to be identified uniquely. This then allows easier identification of individual devices and users.

There are privacy implications, like the ability to track your activity across domains. Ad providers obviously do this type of tracking already with cookies, but removing NAT makes it easier for them to track an individual device.


Note: the details of this answer will assume you use a Linux box as your firewall. If you use another platform details may vary but most of the principles should still hold.

I'm wondering how to use NAT with IPv6.

NAT for IPv6 is strongly discouraged by the IETF. Nevertheless there are implementations out there if you really want it. For example, Linux added it in version 3.7.

The Linux implementation works in basically the same way as the Linux NAT implementation for IPv4. I can't speak to other implementations.

Seems that you don't even need it any more.

People use NAT for a variety of reasons.

  1. Address availability, they want more addresses for internal hosts than they have public addresses.
  2. Address independence, they want to maintain their internal addresses independent of changes to their connectivity.
  3. Privacy, they want to hide the details of their internal network and of which internal host is making the request from the outside world.
  4. Security, a NAT ends up acting as a crude stateful firewall (though it may not be a very good one). Furthermore it is likely to fail closed, if the NAT rules fail to load then the likely result is the absence of connectivity rather than wide open connectivity.

Equally, though, NAT has a number of downsides (and at least some of those downsides have security implications).

  1. Some protocols may be broken by the NAT (though this may also be true of stateful firewalls)
  2. Every connection has to be tracked and there is a limited supply of ports, this can lead to denial of service vulnerabilities.
  3. When abuse is detected NAT can hide the source of the abuse.
  4. Handling of incoming services can be troublesome. Access by local clients to external IPs can be a particular point of complexity.

IPv6 solves the address shortage; it goes some way to solving the problem of ISP-independence by allowing you to run public and private addresses in parallel (though that creates issues of its own). Privacy extensions hide which computer on a subnet is making a request, but they don't hide what subnet it is on.

So what exactly is the concept behind firewall configurations in IPv6 environments?

You can do stateful packet filtering without NAT. For example, a basic configuration to allow all outgoing connections while forbidding incoming connections might look something like:

ip6tables -P FORWARD DROP
ip6tables -A FORWARD -i ethinternal -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

The firewall still keeps track of connections in much the same way a NAT would, but it only uses that information to filter packets, not to perform translation.

One thing you need to be careful about is making sure your firewall fails closed. I would suggest that you DO NOT enable forwarding in sysctl.conf, instead enable it at the end of your firewall script and use "set -e" in your firewall script. That way forwarding is only enabled if the firewall script runs successfully.

If you also want to filter traffic to/from the firewall itself you have to think about ICMP. Some types of ICMP need to be allowed from link local or the network will break badly.

Other than that it's really not that much different from IPv4: decide what you want to allow and allow it.
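As an added example (not code from any of the answers above), here is a complete fail-closed ip6tables script that puts the pieces of this answer together: the stateful FORWARD rules, `set -e` with forwarding enabled only as the last step, and the ICMPv6 types the router itself must accept from link-local sources. It does explicitly what the first answer's NAT "firewall effect" did implicitly, so the same reply-only behaviour survives without any translation. Assumptions: the LAN interface is `ethinternal` (as in the answer) and the upstream interface is `ethexternal`; both names, the `run` wrapper, the `DRY_RUN` and `FIREWALL_APPLY` variables are mine, not part of ip6tables.

```shell
#!/bin/sh
# Fail-closed IPv6 firewall for a Linux router (added example, not from the
# original answer). Interface names are assumptions; adjust to your box.
LAN_IF="${LAN_IF:-ethinternal}"
WAN_IF="${WAN_IF:-ethexternal}"

# Abort on the first failing command. Because forwarding is switched on at
# the very end, a typo in any rule leaves the router forwarding nothing.
set -e

# DRY_RUN=1 prints each command instead of executing it (assumed helper,
# useful for reviewing the rule set without root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

flush_rules() {
    run ip6tables -F
    run ip6tables -X
}

forward_policy() {
    # Routed traffic: default-deny, drop packets conntrack cannot classify,
    # allow anything the LAN initiates, and let the replies back in.
    run ip6tables -P FORWARD DROP
    run ip6tables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run ip6tables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

input_policy() {
    # Traffic addressed to the router itself: default-deny, but keep the
    # ICMPv6 that IPv6 cannot operate without.
    run ip6tables -P INPUT DROP
    run ip6tables -A INPUT -i lo -j ACCEPT
    run ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Neighbour Discovery: Router Solicitation/Advertisement, Neighbour
    # Solicitation/Advertisement and Redirect (ICMPv6 types 133-137) arrive
    # from link-local addresses; dropping them breaks address resolution.
    for t in 133 134 135 136 137; do
        run ip6tables -A INPUT -s fe80::/10 -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # Packet Too Big (type 2) carries path MTU discovery; IPv6 routers never
    # fragment, so blocking it silently breaks large transfers.
    run ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
    # Let LAN hosts ping the router and reach its SSH admin port.
    run ip6tables -A INPUT -i "$LAN_IF" -p icmpv6 --icmpv6-type 128 -j ACCEPT
    run ip6tables -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
}

enable_forwarding() {
    # Last step on purpose: nothing is routed until every rule above loaded.
    run sysctl -w net.ipv6.conf.all.forwarding=1
}

apply_firewall() {
    flush_rules
    forward_policy
    input_policy
    enable_forwarding
}

# Only apply when explicitly asked (as root); otherwise the functions are
# merely defined, e.g. for sourcing or a DRY_RUN=1 review.
if [ "${FIREWALL_APPLY:-0}" = 1 ]; then
    apply_firewall
fi
```

Review the rule set with `DRY_RUN=1 FIREWALL_APPLY=1 sh firewall.sh`; apply it as root with `FIREWALL_APPLY=1 sh firewall.sh`. Keep `net.ipv6.conf.all.forwarding` out of sysctl.conf so that a reboot without a successful script run also fails closed, exactly as the answer recommends.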