echo: ipv6
to: Tony Langdon
from: Victor Sudakov
date: 2019-01-26 21:18:00
subject: NAT

Dear Tony,

26 Jan 19 20:29, you wrote to me:

 VS>> With the proliferation of IPv6 I hear more and more often that
 VS>> NAT is a great security mechanism because it hides your intranet
 VS>> infrastructure from outsiders, and how unfit IPv6 is for
 VS>> enterprise networks because it lacks the notion of NAT which
 VS>> makes IPv6 networks so very very much insecure.

 VS>> Do you have good counter-arguments?

 TL> NAT was never intended as a security mechanism,

It was not intended as a security mechanism initially, but over time, it became 
one, and is required by many security guidelines. Ask some computer security 
specialist you trust, if you don't believe me.

 TL> and it does nothing
 TL> more than a good packet filter could do.

Of course it does more! No packet filter *hides* *src* *addresses* of your 
internal hosts, and that is exactly what security people love NAT for.

 VS>> Indeed, in some corporate networks I've seen, the use of the
 VS>> RFC1918 address space is written into security guidelines as a
 VS>> requirement.

 VS>> Then again, as I come to think of it, even if your IPv6 intranet
 VS>> has a good firewall on the border, your internal network
 VS>> addresses are still exposed to the Internet. Is that a problem?

 TL> If your firewall is blocking traffic, you can hardly say you're
 TL> exposed.

Sorry, you are mistaken. Very few attacks nowadays are based on injecting 
malicious traffic into your network; those times are long gone. Information 
gathering about your intranet could be much more important than the ability to 
send traffic into it from outside.

 TL> NAT still creates a lot of problems, ask anyone who'd wrestled with
 TL> port forwarding, to try and get services opened to the Internet.

That's a different story; I myself have wrestled enough with IPv4 NAT. So I 
would be happy to advocate NAT-less IPv6 to anyone, but I need arguments. Have 
not heard anything new so far.

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20160322-b20160322
* Origin: Ulthar (2:5005/49)
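The disagreement above is about two separate properties of a border device: whether it blocks unsolicited inbound traffic, and whether it hides the source addresses of internal hosts. The following is an added illustration, not code from either correspondent: a toy model of a stateful packet filter (addresses passed through unchanged) beside a NAPT gateway (addresses rewritten), with constructed documentation-range addresses (2001:db8::/32, 10.0.0.0/8, 198.51.100.0/24). Both drop an unsolicited inbound probe; only the NAT case keeps the internal addresses out of the view of the outside server, which is exactly what each side of the exchange is claiming.

```python
"""Toy model: stateful filter vs. NAPT, viewed from outside.

Constructed example with documentation addresses; no real hosts involved.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Border filter: permit outbound flows, admit only replies that match
    a tracked flow. Source addresses are forwarded untouched."""

    def __init__(self):
        self.state = set()  # (src, sport, dst, dport) of permitted outbound flows

    def outbound(self, pkt):
        self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt  # internal address is visible to the remote peer

    def inbound(self, pkt):
        # A reply is accepted only if it reverses a tracked outbound flow.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return pkt if key in self.state else None


class Napt(StatefulFilter):
    """Port-address translation on top of the same connection tracking:
    the source is rewritten to one public address, replies are mapped back."""

    def __init__(self, public_addr):
        super().__init__()
        self.public_addr = public_addr
        self.next_port = 40000
        self.fwd = {}  # (internal src, sport) -> public port
        self.rev = {}  # public port -> (internal src, sport)

    def outbound(self, pkt):
        inner = (pkt.src, pkt.sport)
        if inner not in self.fwd:
            self.fwd[inner] = self.next_port
            self.rev[self.next_port] = inner
            self.next_port += 1
        xlated = Packet(self.public_addr, self.fwd[inner], pkt.dst, pkt.dport)
        super().outbound(xlated)  # track the flow as it appears outside
        return xlated

    def inbound(self, pkt):
        if super().inbound(pkt) is None:
            return None
        src, sport = self.rev[pkt.dport]
        return Packet(pkt.src, pkt.sport, src, sport)


def exposure(border, internal_hosts, server):
    """Send one flow per internal host to `server`, then let the server
    send an unsolicited probe back. Returns (addresses the server saw,
    whether the probe was admitted)."""
    visible = set()
    for i, host in enumerate(internal_hosts):
        out = border.outbound(Packet(host, 50000 + i, server, 443))
        visible.add(out.src)
        # The legitimate reply must get through in both models.
        assert border.inbound(Packet(server, 443, out.src, out.sport)) is not None
    target = sorted(visible)[0]
    probe = border.inbound(Packet(server, 12345, target, 22))
    return visible, probe is not None


def compare():
    """Run the same scenario through both border models."""
    v6 = exposure(StatefulFilter(), ["2001:db8:1::10", "2001:db8:1::11"],
                  "2001:db8:ffff::1")
    v4 = exposure(Napt("198.51.100.1"), ["10.0.0.10", "10.0.0.11"],
                  "203.0.113.1")
    return {"stateful_filter": v6, "napt": v4}


if __name__ == "__main__":
    for name, (seen, probe_ok) in compare().items():
        print(f"{name}: server saw {sorted(seen)}, unsolicited probe admitted={probe_ok}")
```

The model deliberately leaves out everything that makes real NAT painful (timeouts, ALGs, hairpinning, port forwarding) so that only the two properties under debate remain visible in the output.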

SOURCE: echomail via QWK@pharcyde.org
