Security gain from NAT
nanog at daork.net
Wed Jun 6 21:31:31 UTC 2007
On 7/06/2007, at 3:59 AM, Stephen Sprunk wrote:
> Thus spake "Roger Marquis" <marquis at roble.com>
>>> I, for one, give up. No matter what you say I will never
>>> implement NAT, and you may or may not implement it if people
>>> make boxes that support it.
>> Most of the rest of us will continue to listen to both sides and
>> continue to prefer NAT, in no small part because of the absurd
>> examples and inconsistent terminology NATophobes seem to feel is
>> necessary to make their case.
> The thing is, with IPv6 there's no need to do NAT. What vendors
> have (so far) failed to deliver is a consumer-grade firewall that
> does SI with the same rules on by default that v4 NAT devices
> have. Throw in DHCP PD and addressing (and renumbering) are
> automatic. This is simpler than NAT because no "fixup" is
> required; a v6 firewall with SI and public addresses on both sides
> just needs to inspect packets, not modify them.
> The same device will probably be a v4 NAT device; nobody is trying
> to take that away because it's a necessary evil. However, NAT in
> v6 is not necessary, and it's still evil.
People keep saying that this device doesn't exist; in fact it does.
First let me say that vendors haven't failed, as they (for the most
part) haven't tried yet. I'd consider them to have failed if they
delivered a bunch of IPv6 boxes without SI, and that hasn't happened.
(ok, Cisco delivered an IPv6 capable CPE in the 8xx series, but IPv6
on those things is hardly a consumer-configurable setting to enable.)
Anyway, my Apple Airport Extreme base station (the new draft-802.11n
one) does IPv6 SI and IPv4 NAT perfectly fine; in fact, that was the
primary reason I bought it. It also does 6to4 or static tunnels if
you don't have native IPv6. 6to4 with IPv6 SI is the default out of
the box configuration. If you just configure the IPv4 stuff, you get
IPv6 for free, by default.
IPv6 SI /was/ disabled by default in the original firmware, and while
the firmware update is pretty hard to miss when configuring the thing
(it pops up and says "new software, install?" or similar), I believe
it leaves the SI checkbox where you'd left it - the new default only
kicks in if you do a factory reset. However, I believe that new units
ship with the new software, so I suspect it's not really a widespread
problem in the grand scheme of things.
This was the first IPv6 capable consumer router, as far as I'm aware,
and this issue was found and fixed within weeks. I've got no doubt
that other vendors will learn from this mistake.
(Disclaimer: On reading my post it sounds like advertising - I don't
work for, and am not otherwise affiliated with, Apple.)
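The device Stephen describes and the poster reports owning, one box doing IPv4 NAT and IPv6 stateful inspection with the same default posture on both, is straightforward to express as a Linux nftables ruleset. The block below is an added example, not configuration from the Airport Extreme, from Apple, or from either poster. Interface names (eth0/eth1), the 2001:db8:1234::/48 documentation prefix standing in for a DHCPv6-PD delegation, and the single opened host/port in the forward chain are all assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Assumed single-CPE ruleset: IPv4 is NATed, IPv6 is inspected but never rewritten.
flush ruleset

define wan  = "eth0"               # assumed upstream interface
define lan  = "eth1"               # assumed LAN interface
define lan6 = 2001:db8:1234::/48   # assumed PD prefix (documentation range)

# One filter table covers both families; note there is no address rewriting here.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        iif $lan accept
        # IPv6 depends on ICMPv6 for neighbor discovery and path-MTU discovery;
        # a "NAT-like" v6 policy that drops all ICMPv6 breaks the link itself.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-solicit,
                      nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        icmp type { destination-unreachable, time-exceeded, echo-request } accept
        # DHCPv6 (including the PD reply) comes back unicast from the ISP's
        # link-local address, so conntrack will not see it as a reply; open it explicitly.
        iif $wan udp dport 546 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN hosts may initiate anything outbound, in both families.
        iif $lan oif $wan accept
        # Error/PMTUD messages must traverse the firewall toward LAN hosts too.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        # The v6 equivalent of a "port forward": an explicit allow to the host's
        # real global address. Nothing is translated; this is purely inspection.
        iif $wan oif $lan ip6 daddr 2001:db8:1234:1::10 tcp dport 22 accept
    }
}

# IPv4 still needs the "necessary evil": source-rewrite everything leaving the WAN side.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oif $wan masquerade
    }
}
```

The point to check on any such box is that the `inet filter` table's forward chain defaults to drop for unsolicited inbound IPv6 exactly as the v4 NAT table implicitly does, and that it was not shipped (or left after a firmware update, as the post describes) with that chain at `policy accept`. `nft list ruleset` after loading shows both the policy and the absence of any `nat` hook for IPv6.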