IPv6 and NAT, a treatise
by tylerlarson - 2/7/08 11:25 PM
As explained in episode 655, IPv6 does, indeed, make NAT routers unnecessary as far as their original purpose is concerned. NAT is a bit of a hack that arose from the difficulty of reserving IP addresses in the limited IPv4 space, and has maintained a sort of "kludge" status among the designers of Internet protocols -- a hack they'd just as soon forget about. Protocols designed for IPv6 (such as IPSec) are decidedly unfriendly (and downright nonfunctional) in the face of NAT because it is intended and expected that NAT never be used on an IPv6 network. (Yes, really.)
Using a NAT router for security has become popular and recommended because it's nearly impossible to get wrong. This is because NAT "fails closed" -- which is to say, no inbound connections are possible without being explicitly permitted. This level of security is deeply associated with NAT, because at the time, you would never find a router without NAT set up in that configuration -- after all, who would want a device to NOT WORK by default? As everyone says, those were simpler times....
But while NAT forces security upon you, it isn't NECESSARY for security. The same "secure by default" configuration is easily available using a router without NAT, but which has similar firewall capability. Here are the basic technical ingredients:
1: Drop all inbound TCP connection attempts
2: Drop all inbound UDP packets unless an outbound packet has been recently seen with corresponding port numbers and IP addresses
3: Drop all non-UDP, non-TCP traffic
4: .... profit!
This is EXACTLY the same rules and mechanisms that a NAT router follows, but without the need to translate addresses. Obviously, an interface should also be provided to allow people to add additional exceptions, just like they can in NAT routers now. The advantage is that a lot of the sticky points associated with NAT routers go away -- things like Skype, VPNs, and gaming will just work better, and an entire class of messy, unreliable hacks will finally disappear.
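The four-step ruleset in the post, as an added example that is not part of the original post: a small Python simulation of the stateful filter a non-NAT router would run. It assumes a 30-second UDP idle timeout, treats inbound TCP as allowed only when it is return traffic for an outbound-initiated flow (rule 1 targets connection attempts, not replies), and models the "add additional exceptions" interface as a set of permitted (proto, inside address, port) tuples; all addresses and timestamps are constructed sample values.

```python
from dataclasses import dataclass, field

UDP_TIMEOUT = 30.0  # seconds a UDP pseudo-connection stays open (assumed value)


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP connection attempt (SYN without ACK)


@dataclass
class StatefulFilter:
    # flow key: (proto, inside_ip, inside_port, outside_ip, outside_port) -> last outbound time
    flows: dict = field(default_factory=dict)
    # explicit inbound exceptions, i.e. the "port forwarding" list: (proto, inside_ip, inside_port)
    exceptions: set = field(default_factory=set)

    def outbound(self, pkt: Packet, now: float) -> str:
        """Outbound traffic is always allowed and records (or refreshes) the flow it belongs to."""
        if pkt.proto in ("tcp", "udp"):
            self.flows[(pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now
        return "allow"

    def inbound(self, pkt: Packet, now: float) -> str:
        """Apply the post's rules to a packet arriving from the outside."""
        if pkt.proto not in ("tcp", "udp"):
            return "drop"                       # rule 3: non-UDP, non-TCP traffic
        if (pkt.proto, pkt.dst_ip, pkt.dst_port) in self.exceptions:
            return "allow"                      # user-added exception, like a NAT port forward
        # reverse the 5-tuple: the inbound packet's destination is our inside host
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        last = self.flows.get(key)
        if pkt.proto == "tcp":
            if pkt.syn or last is None:
                return "drop"                   # rule 1: inbound connection attempt
            return "allow"                      # reply inside an outbound-initiated TCP flow
        if last is None or now - last > UDP_TIMEOUT:
            self.flows.pop(key, None)           # stale entry, forget it
            return "drop"                       # rule 2: no recent matching outbound UDP
        return "allow"
```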