Comment by daft_pink
4 days ago
I feel this doesn’t really address whether we are losing something privacy- or security-related by not having NAT. I think my main devices are always-updated Macs, iPhones or iPads and can handle it, but do I really want my thermostat or doorbell or lock or garage door opener or light switch directly accessible on the Internet, or is the NAT serving a useful purpose? I don’t feel like this is addressed in this article.
> but do I really want my thermostat or doorbell or lock or garage door opener or light switch directly accessible on the Internet, or is the NAT serving a useful purpose?
You should have a firewall, regardless of v4/v6.
You should, but the exposure from having no firewall is much higher without NAT. Packets with private network IPs are martians on the internet and will not find their way to your device unless they come from the same network and the ISP's infrastructure doesn't drop them. IPv6 addresses are routable across the internet so the packets will most likely get to your router, meaning anyone on the internet can talk to your LAN in the absence of a firewall.
The reality is that consumer router firmware is horrible in every aspect, especially security, and this isn't going to change with IPv6 rollout. I fear the most likely scenario is that ISPs will set up inbound firewalls on their end, and then we'll be even worse off than we are right now.
Those naughty incoming packets can hit your private devices even with NAT-without-state full-firewall. The details depend on how your NAT actually implements the translation, but it’s perfectly possible for $randomHighPort to send all its incoming traffic straight to some device. Said another way, a NAT is not guaranteed to do something like match entries based on the layer-4 4-tuple.
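The "firewall regardless of v4/v6" point above, made concrete as an added example (not from any commenter): a minimal stateful nftables ruleset for a home router in which LAN devices may initiate outbound connections but unsolicited inbound traffic to the LAN is dropped, on both IPv4 and IPv6, with only the ICMPv6 that IPv6 hosts need let through. The interface names wan0 and lan0 and the management ports are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: stateful inbound firewall for a dual-stack home router.
# Assumptions: wan0 faces the ISP, lan0 faces the home network.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections the router itself started are allowed;
        # anything that does not match a known connection is dropped.
        ct state established,related accept
        ct state invalid drop

        iif lo accept

        # IPv6 does not work without ICMPv6: neighbour discovery, router
        # advertisements and Packet Too Big (path MTU discovery) must pass.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
        icmp type { destination-unreachable, echo-request, time-exceeded,
                    parameter-problem } accept

        # Router management only from the LAN side (assumed ports).
        iifname "lan0" tcp dport { 22, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections a LAN device opened.
        ct state established,related accept
        ct state invalid drop

        # LAN devices may initiate anything towards the Internet.
        iifname "lan0" oifname "wan0" accept

        # Unsolicited inbound to LAN devices (the thermostat, the lock, ...)
        # is dropped by the chain policy. The one inbound exception is the
        # ICMPv6 error traffic that IPv6 hosts need for PMTU discovery.
        iifname "wan0" oifname "lan0" icmpv6 type { destination-unreachable,
                      packet-too-big, time-exceeded, parameter-problem } accept
    }
}
```

Load with `nft -f` and inspect with `nft list ruleset`; a globally routable IPv6 address on a LAN device is then no more reachable from outside than a NATed IPv4 one, because state, not address translation, is what decides.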