Is IPv6 Less Secure Without NAT?


NAT (Network Address Translation) is an IPv4 tool that is not used in most IPv6 deployments. This has caused some users to ask whether IPv6 is as secure as IPv4.

What is NAT?

NAT is a tool that allows multiple computers behind an Internet connection to share the single address of that connection. Thus, if I have thirty computers in my office, they can all share a single connection. On the Internet, all the traffic comes from the address of the connection; inside the local network, each computer has an address that is unique on that LAN. The mechanism is simple to implement and is found in most routers, including home and small office routers.

NAT was never intended as a security feature, per se! It was designed and deployed to "address" the diminishing number of IPv4 addresses available. It does have some security value, however: the addresses of the individual computers on a network do not appear on the internet so attackers cannot see them directly.

Why doesn't IPv6 use NAT?

The main reason IPv6 doesn't use NAT is that it doesn't need it! There are many more IPv6 addresses than IPv4 addresses (340,282,366,920,938,463,463,374,607,431,768,211,456 vs 4,294,967,296, though not all in each group are usable!) and thus every device can have a unique one. There is a specification for NATv6, but it is seldom used.

One issue with not using NAT is that if a computer uses a consistent address over the Internet, it can be tracked and potentially identified. Fortunately, there is a fix for that. The fix is to use a temporary address that changes every so often. In that way, observers on the Internet cannot see and track a specific address. The first part of the temporary address will reflect the Internet provider and organization, and the last part will change. How big each of those parts is will depend on the size of the organization. In my case, the last 64 bits of the address change.

The Windows tool ipconfig shows the addresses a device uses. Here is part of the output from my desktop PC (with the prefix obscured):

   IPv6 Address. . . . . . . . . . . : xxxxxxxxxxxxxxxxxxxx:791a:da6a:a3b8:5759
   Temporary IPv6 Address. . . . . . : xxxxxxxxxxxxxxxxxxxx:25b3:a2b4:167d:da10
   Link-local IPv6 Address . . . . . : fe80::791a:da6a:a3b8:5759%6

Note the temporary v6 address. The third line is my address on the local network. Here is what the site https://whatismyv6.com/ shows as my address:

Note that it is my temporary address.
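The ipconfig output above illustrates the two-part structure described earlier: the first 64 bits identify the provider and organization, and the last 64 bits (the interface identifier) are what the temporary address changes. The script below is an added example, not part of the original post or of any Windows tool; it parses ipconfig-style lines, splits each address at the /64 boundary and reports what an observer could link. The prefix 2001:db8:1234:5678 is a constructed stand-in (the RFC 3849 documentation prefix) for the prefix the post obscures; the interface identifiers are the ones shown in the output. It also flags a detail visible in that output: the stable address and the link-local address share the same interface identifier, which is exactly the kind of persistent value the temporary address exists to hide.

```python
import ipaddress
import re

# Constructed sample in the layout of Windows ipconfig output. The post obscures
# its real prefix, so the RFC 3849 documentation prefix 2001:db8::/32 stands in;
# the interface identifiers are the ones shown in the post.
IPCONFIG_SAMPLE = """\
   IPv6 Address. . . . . . . . . . . : 2001:db8:1234:5678:791a:da6a:a3b8:5759
   Temporary IPv6 Address. . . . . . : 2001:db8:1234:5678:25b3:a2b4:167d:da10
   Link-local IPv6 Address . . . . . : fe80::791a:da6a:a3b8:5759%6
   IPv4 Address. . . . . . . . . . . : 192.0.2.10
"""

# One ipconfig line: a label, dot leaders, a colon, the address, optional %zone.
LINE_RE = re.compile(
    r"^\s*(?P<label>[A-Za-z0-9\- ]+?)[ .]*:\s*"
    r"(?P<addr>[0-9A-Fa-f:]+)(?:%(?P<zone>\d+))?\s*$"
)

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # IANA global unicast range
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")     # RFC 4193 unique local
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def parse_ipconfig(text):
    """Return {label: (IPv6Address, zone_or_None)} for the IPv6 lines of ipconfig output."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # IPv4 lines and headers do not match the pattern
        try:
            addr = ipaddress.IPv6Address(m["addr"])
        except ValueError:
            continue
        found[m["label"]] = (addr, m["zone"])
    return found


def classify(addr):
    """Name the scope of an address by IANA range (avoids ipaddress.is_global,
    which reports the documentation prefix as non-global)."""
    addr = ipaddress.IPv6Address(addr)
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        return "global-unicast"
    return "other"


def split_address(addr, prefix_len=64):
    """Split an address into its routing prefix (IPv6Network) and its
    interface identifier (the low 128-prefix_len bits, as a hex string)."""
    addr = ipaddress.IPv6Address(addr)
    network = ipaddress.IPv6Network((addr, prefix_len), strict=False)
    iid_bits = 128 - prefix_len
    iid = int(addr) & ((1 << iid_bits) - 1)
    return network, f"{iid:0{iid_bits // 4}x}"


def analyse(text):
    """Compare the stable, temporary and link-local addresses the way the post does."""
    found = parse_ipconfig(text)
    stable, _ = found["IPv6 Address"]
    temporary, _ = found["Temporary IPv6 Address"]
    link_local, _ = found["Link-local IPv6 Address"]

    stable_net, stable_iid = split_address(stable)
    temp_net, temp_iid = split_address(temporary)
    _, link_iid = split_address(link_local)

    return {
        "prefix": str(stable_net),
        "stable_iid": stable_iid,
        "temporary_iid": temp_iid,
        # Same /64: observers can still see which network the host is on.
        "same_prefix": stable_net == temp_net,
        # Different IID: the temporary address is not linkable to the stable one.
        "iid_changed": stable_iid != temp_iid,
        # Stable IID reused for link-local: that identifier would follow the host.
        "stable_iid_matches_link_local": stable_iid == link_iid,
        "scopes": {label: classify(a) for label, (a, _zone) in found.items()},
    }


if __name__ == "__main__":
    for key, value in analyse(IPCONFIG_SAMPLE).items():
        print(f"{key}: {value}")
```

Run against real ipconfig output, the report shows the same thing the post describes: the /64 prefix still identifies the network, so the temporary address gives privacy for the individual device, not for the organization, and the link-local address (which never leaves the local segment) keeps the stable identifier.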

So is a temporary address enough?

No. A temporary address provides some anonymity, but will not protect your computer. To protect your computer you need two things: a filtering firewall (as in a corporate firewall or the firewall in your home router) and a personal firewall on your computer (whether the one in Windows or a third party such as ZoneAlarm). Please use both: this is called "defense in depth" and is a core principle of good physical or network security.

You can test to see whether the firewall is blocking ports by using an online scanning tool. I have used https://www.ipv6scanner.com/cgi-bin/main.py, but I'm not endorsing it, per se.

So even though NAT is not generally a part of an IPv6 deployment, the available features provide the anonymity NAT did. Good practices such as a network and personal firewall continue to be necessary to protect local devices.

To your safe computing,

Written by John McDermott

John McDermott, CPLP, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.