Comment by deknos
17 days ago
Of course it's not insecure because of NAT.
NAT (in all its forms) is just a very convenient technology for many people and niche situations.
And adoption of IPv6 will be hindered as long as NAT is not a first-class citizen.
And of course, mostly NAT should not be used as a "firewall replacement". But what many firewall proponents forget here:
Non-IT people at home cannot run and manage a firewall (and proxies). For them, NAT is a convenient and mostly okayish replacement.
Another niche would be IP packet handling of VMs.
Surely for the people who cannot run and manage a firewall the default 'deny incoming' rule that basically every single consumer router ships with works just as well to protect from incoming traffic as NAT? I notice many comments are assuming a sanely preconfigured NAT on routers, but are also assuming either no firewall or one without any preconfigured rules. It seems like a strawman to me.
We haven't forgotten that, but we're also aware that non-IT people can't run NAT either. They can plug in a box that already has NAT configured though, and if they can manage that then they can also plug in a box that already has a firewall configured.
VMs work fine without NAT too -- DHCPv6-PD lets the VM software automatically request a routed prefix.
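
The comparison argued over in this thread, as an added example that is not from any of the commenters: a simplified model of a default-deny stateful firewall on a routed IPv6 network next to a port-translating NAT, fed the same kind of traffic. The class names, the addresses (documentation ranges) and the NAT's per-remote-endpoint filtering are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Routed network, no translation: default deny inbound, replies allowed."""
    def __init__(self):
        self.flows = set()  # flows opened from the inside

    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return p  # forwarded with addresses unchanged

    def inbound(self, p):
        # Accept only the exact reverse of a tracked flow; drop the rest.
        return p if (p.dst, p.dport, p.src, p.sport) in self.flows else None

class Napt:
    """Port-translating NAT; per-remote-endpoint filtering is an assumption."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port, self.by_port = public_ip, 40000, {}

    def outbound(self, p):
        port, self.next_port = self.next_port, self.next_port + 1
        self.by_port[port] = (p.src, p.sport, p.dst, p.dport)
        return Packet(self.public_ip, port, p.dst, p.dport)

    def inbound(self, p):
        m = self.by_port.get(p.dport)
        if p.dst != self.public_ip or m is None or m[2:] != (p.src, p.sport):
            return None  # no matching mapping: dropped
        return Packet(p.src, p.sport, m[0], m[1])

def compare():
    """Constructed traffic (documentation address ranges) through both boxes."""
    fw, nat = StatefulFirewall(), Napt("203.0.113.5")
    fw.outbound(Packet("2001:db8:1::10", 50000, "2001:db8:ffff::1", 443))
    out = nat.outbound(Packet("192.168.1.10", 50000, "198.51.100.1", 443))
    return {
        "fw_reply": fw.inbound(Packet("2001:db8:ffff::1", 443, "2001:db8:1::10", 50000)),
        "fw_unsolicited": fw.inbound(Packet("2001:db8:2::99", 4444, "2001:db8:1::10", 22)),
        "nat_reply": nat.inbound(Packet("198.51.100.1", 443, out.src, out.sport)),
        "nat_unsolicited": nat.inbound(Packet("198.51.100.77", 4444, out.src, out.sport)),
    }
```

In both models the unsolicited packet is dropped by a state-table lookup that fails; the NAT additionally rewrites addresses, which plays no part in the drop decision.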