IPv6 Myths Broken, Part 2
by VPNHaus | 09/22/2011 |IPv6
*Editor's Note: This is thein a two-part series on IPv6 myths
By Nicholas Greene
In the first part of this series, I laid out some persistent IPv6 myths. Now it's time for the reality.
In actuality, the notion that NAT increases security is essentially absurd. It is middleware designed to overcome a shortage of addresses in IPv4. Since IPv6 suffers from no such issues, it doesn’t need NAT. What little security is provided by NAT is completely negligible- as stated by security blogger Earl Carter, “it does no more than prevent random attacks; it prevents no real barrier to a skilled attack. And of course, it is no barrier at all to attacks coming in as email payloads or via open ports.”
The elimination of NAT could actually end up improving security and performance in the long run. According to Hurricane Electric’s Owen Delong, “NAT introduces a number of problems. Many of these problems have been made invisible to the end user and even to the network administrator deploying NAT. But if you ask any software vendor that has had to develop software in spite of NAT, you’ll rapidly find out that it’s making software much more expensive, complex, and even larger than it needs to be. In addition, it makes it hard for users stuck behind NAT to offer any services from their machines…I maintain the position that the choice to offer a service to the Internet or not should rest with the owner of the machine in question in most cases.” And for those who claim there needs to be some method of protection against random attacks in IPv6, “a good firewall can still solve the problem.”
IPsec is the same security solution no matter where it’s implemented. And NAT simply doesn’t do all that much for security. As a result, IPv6 is no more or less secure than IPv4 --- and IPsec still remains one of the best solutions for security on either platform.