It was interesting article on SGNOG3 conference in Singapore presented with the topic Security in an IPv6 World: Myths and Reality.
In spite of a large useful information amount I found one slide pointed NAT as a "myth" of security. It also points that NAT can even reduce security and statefull firewall is a Bruce Willis for IPv6.
It is a point for discussion.
It is clear that NAT and other technologies is not a "secure all" button. It is a tool. One can use it in a right way and another may use it in a wrong way. So it is possible to increase and decrease security level using the same technology with different approach.
Let's examine firewall. It is a security device and it must make network safer if used. If you swap some L3 device in the network part to stateful firewall you don't become protected a lot with its' default functions. If you don't use ACL, uRPF and another features you can feel a false safety. This state of the false safety is a very harmful factor. It is the same situation as if some man buys a gun to protect himself but he can't shoot psychologically. The result may be more tragic than in the case of gun absense.
Carrier-Grade NAT for customers may decrease security level in the case of IP-address planning and stupid network architecture with customers' access to corporate infrastructure or technological platforms.
Corporate network NAT may decrease network security level in the case of misconfiguration or "too many permit" ACL.
One can see that the main cause of NAT or firewall isage fails is a human factor and technology
But if NAT 6to6 is not used you can see such disadvantages:
- Internal IP-addresses discovery. It is popular now to speak about and even to protect SCADA. I think that attention and budget is serious too. But if SCADA has a real IPv6-address routed in the Internet it is very dangerous point in SCADA network security. CEO PC IPv6 must not be routed to the Internet too. Telecom infrastructure management interfaces and financial systems must not to be accessible from the Internet too. You may filter traffic on a firewall, use proxy or even not announce these networks to the Internet but if the last point is not applicable you can use NAT.
- DDoS-attack threat. E.g. you have a piece of infrastructure with some thousands of elements routed to the Internet and somebody wants to DDoS you. Firewall can't protect from amplification attack. IP-addresses are not easy to change quickly. So you must blackhose DDoS destination (causing service unavailability) or use external scrubbing center (additional $). Fixed IP-addresses are dangerous as a constant DDoS target. NAT may save a time and money in this case. Change the Internet-routed addresses pool and enjoy.
So, I think that IPv6 NAT in the Internet edge is useful.