IPv6 is not insecure because it lacks a NAT
I recently saw a discussion where someone argued that IPv4 is more secure than IPv6 because “the NAT-by-default of IPv4 effectively means that I get the benefit of a default-deny security strategy.” This is a common misconception that I think is worth addressing.
The fundamental issue here is conflating NAT (Network Address Translation) with security. NAT isn’t actually a security feature—it’s an address conservation mechanism that became necessary because we ran out of IPv4 addresses. (Although it is totally possible to use a NAT with IPv6 too!)
NAT allows multiple devices on a home network to share a single IP address on the public Internet. For inbound packets, the NAT rewrites the destination IP based on the packet’s destination port, picking the internal destination from the “port mappings” or “port forwards” configured by the network admin.
The consequence is that an inbound packet addressed to a NAT’d IP with an unexpected destination port (one that has not been forwarded) keeps the public IP as its destination and is not routed on to any machine on the internal network.
But the security benefits people attribute to NAT actually come from the stateful firewall that’s typically bundled with NAT routers. Modern routers ship with firewall policies that deny inbound traffic by default, even when a NAT is not being used. The firewall drops inbound packets that match neither an established connection nor an explicit allow rule before it even considers whether to rewrite or route them. For example, UniFi routers ship with these default IPv6 firewall rules:
- Allow Established/Related Traffic (outbound return traffic)
- Block Invalid Traffic
- Block All Other Traffic
Therefore, in order to allow unsolicited inbound traffic to any IPv6 device hosted behind the router, you must explicitly add a firewall rule to allow the traffic, whether using a NAT or not.
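To make the argument concrete, here is an added example (not from the original post or from UniFi) that models the three default rules above as a tiny connection-tracking firewall in front of untranslated IPv6 hosts. The addresses come from the 2001:db8::/32 documentation prefix and are constructed; the rule order follows the list above, with an admin allow rule inserted ahead of the final block-all.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One IPv6 packet header, reduced to the fields the policy looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    ack: bool = False  # TCP ACK flag; a fresh connection attempt has it clear


class StatefulFirewall:
    """Default-deny policy: allow established/related, block invalid, block the rest."""

    def __init__(self, allow_rules=()):
        self.allow_rules = set(allow_rules)  # explicit (dst, dport) allow rules
        self.flows = set()                   # 5-tuples of outbound connections seen

    def outbound(self, pkt):
        # LAN -> Internet: record the flow so its return traffic counts as established.
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "ALLOW"

    def inbound(self, pkt):
        # Rule 1: established/related (the reverse of a recorded outbound flow).
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ALLOW (established)"
        # Rule 2: invalid (TCP with ACK set but no tracked connection to belong to).
        if pkt.proto == "tcp" and pkt.ack:
            return "DROP (invalid)"
        # Admin rule for a hosted service: the IPv6 equivalent of a port forward.
        if (pkt.dst, pkt.dport) in self.allow_rules:
            return "ALLOW (rule)"
        # Rule 3: everything else is denied; no translation was ever involved.
        return "DROP (default)"


def run_demo():
    laptop, web, remote = "2001:db8:1::20", "2001:db8:1::10", "2001:db8:ffff::1"
    fw = StatefulFirewall(allow_rules={(web, 443)})  # only the web host is exposed
    fw.outbound(Packet(laptop, 50000, remote, 443))   # laptop opens a connection out
    return {
        "return": fw.inbound(Packet(remote, 443, laptop, 50000, ack=True)),
        "unsolicited": fw.inbound(Packet(remote, 40000, laptop, 22)),
        "stray_ack": fw.inbound(Packet(remote, 40001, laptop, 22, ack=True)),
        "hosted": fw.inbound(Packet(remote, 40002, web, 443)),
    }
```

Every LAN host has a globally routable address here, yet only the return traffic and the explicitly allowed service get through, which is exactly the default-deny behaviour the NAT was being credited with.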