
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   IPV6      The convoluted hot-mess that is IPV6      4,612 messages   


   Message 2,690 of 4,612   
   Victor Sudakov to Markus Reschke   
   NAT   
   26 Jan 19 21:49:42   
   
   Dear Markus,   
      
   26 Jan 19 12:12, you wrote to me:   
      
    VS>> With the proliferation of IPv6 I hear more and more often that   
    VS>> NAT is a great security mechanism because it hides your intranet   
    VS>> infrastructure from outsiders,   
      
    MR> There's a lot of misunderstanding of NAT and security. The typical   
    MR> case is that NAT is done by a dedicated firewall or a router with   
    MR> firewall features, i.e. the firewall/router does packet filtering and   
    MR> NAT. So a lot of people think that NAT implies security, but it   
    MR> doesn't.   
      
   The security guidelines I have read don't specify "NAT must be used." They   
   specify "RFC1918 addresses must be used in the internal network."   
      
    MR> NAT is exactly what the acronym says: network address   
    MR> translation. An 1:1 NAT simply translates one address or subnet to   
    MR> another. How could that provide any security?   
      
   A static NAT has limited usage and indeed does not provide much additional   
   security. But the dynamic NAT and especially PAT provide a very important   
   security feature no packet filter provides: they *hide* the *source*   
   *addresses* of internal hosts thus effectively hiding the network structure   
   from outsiders.   
      
    MR> What you need is packet   
    MR> filtering (plus proxies and so on).   
      
   Yes, a proxy would do the same hiding as a dynamic NAT.   
      
    VS>> infrastructure from outsiders, and how unfit IPv6 is for   
    VS>> enterprise networks because it lacks the notion of NAT   
    VS>> which makes IPv6 networks so very very much insecure.   
      
    MR> There's also NAT for IPv6.   
      
   Never heard of that, other than DNS64/NAT64 which are for a different purpose.   
      
    MR> BTW, IPv6 has a nice feature called Privacy   
    MR> Extensions to automatically change IP addresses regularly.   
      
   Yes, with Privacy Extensions it becomes more difficult to map a single host,   
   but all your /64 internal networks are still mappable. For example, by   
   analyzing browsing behaviour, you can easily guess which /64 in your company   
   is for engineering staff and which is for the management.   
      
   Victor Sudakov, VAS4-RIPE, VAS47-RIPN   
   --- GoldED+/BSD 1.1.5-b20160322-b20160322   
    * Origin: Ulthar (2:5005/49)   
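As an added illustration of the two mechanisms discussed in the message above (this is not code from the original post or its author), here is a small Python model of port address translation and of IPv6 Privacy Extensions. It assumes documentation address ranges (203.0.113.1 as the public address, 10.0.0.0/24 inside, 2001:db8:1::/64 for the IPv6 segment) and constructed sample flows, and it shows what a sniffer on the WAN side sees in each case: a single source address behind PAT, with unsolicited inbound packets dropped for lack of a translation entry, versus many temporary IPv6 addresses that all still share one /64 prefix.

```python
"""Toy model of PAT versus IPv6 Privacy Extensions (added example).
All addresses are documentation ranges; the flows are constructed data."""
import ipaddress
import secrets
from dataclasses import dataclass

PUBLIC_V4 = ipaddress.ip_address("203.0.113.1")    # assumed WAN address (TEST-NET-3)
INTERNAL_V4 = ipaddress.ip_network("10.0.0.0/24")  # assumed RFC1918 inside network
ENGINEERING_V6 = "2001:db8:1::/64"                 # assumed internal IPv6 /64


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PAT:
    """Port address translation: every inside host leaves with the one public
    address.  The translation table doubles as connection state: an inbound
    packet with no matching entry has nowhere to go and is dropped."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = str(public_ip)
        self.next_port = first_port
        self.out = {}    # (src, sport, dst, dport) -> public source port
        self.back = {}   # (public port, remote ip, remote port) -> (src, sport)

    def outbound(self, pkt):
        """Rewrite the source of an inside->outside packet."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, self.out[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Map a reply back to the inside host; None means unsolicited, dropped."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.back.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None
        inside_src, inside_sport = entry
        return Packet(pkt.src, pkt.sport, inside_src, inside_sport)


def outside_view(pat, inside_packets):
    """Source addresses a WAN-side sniffer sees for the given inside flows."""
    return {pat.outbound(p).src for p in inside_packets}


def privacy_extension_address(prefix):
    """RFC 4941-style temporary address: random 64-bit IID under a fixed /64."""
    net = ipaddress.ip_network(prefix)
    iid = secrets.randbits(64)
    return ipaddress.ip_address(int(net.network_address) + iid)


def observed_prefixes(addresses):
    """The /64s a WAN-side sniffer can still group those addresses into."""
    return {str(ipaddress.ip_network(f"{a}/64", strict=False)) for a in addresses}


# Constructed sample: three inside hosts talking to one web server.
SAMPLE_OUTBOUND = [
    Packet("10.0.0.11", 51000, "198.51.100.7", 443),
    Packet("10.0.0.12", 51000, "198.51.100.7", 443),
    Packet("10.0.0.13", 52222, "198.51.100.7", 443),
]


def demo():
    pat = PAT(PUBLIC_V4)
    seen = outside_view(pat, SAMPLE_OUTBOUND)
    # The reply to the second flow (public port 40001) reaches 10.0.0.12 ...
    reply = pat.inbound(Packet("198.51.100.7", 443, str(PUBLIC_V4), 40001))
    # ... while an unsolicited packet to port 22 has no entry and is dropped.
    unsolicited = pat.inbound(Packet("198.51.100.7", 443, str(PUBLIC_V4), 22))
    # Five temporary addresses from one /64: distinct hosts, one visible prefix.
    temp = [str(privacy_extension_address(ENGINEERING_V6)) for _ in range(5)]
    return seen, reply, unsolicited, observed_prefixes(temp)


if __name__ == "__main__":
    print(demo())
```

The point of the model is the contrast: behind PAT the observer's set of source addresses has exactly one member, whereas the Privacy Extension addresses change per host but every one of them still falls into the same /64, which is the prefix-level mapping the message describes.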



(c) 1994,  bbs@darkrealms.ca