One of the startups I worked for did business with Ford. We needed info about their networks to get them connected to our service in AWS, and in the process we learned that they still use public IPs for everything. Every workstation, server, router, etc. connected to the internet from a public IP, no NAT and only protected by extremely complicated firewall rules. Their IT team must be in constant distress, or super defensive about their architecture haha
If you have enough IPs then not using NAT makes everything less complicated without any downside to security. If you think otherwise then IPv6 is going to cause you some problems.
NAT isn’t “security” in the cryptographic sense, but saying “no NAT has no downside to security” ignores what NAT + private addressing is used for: a hard boundary that prevents a whole class of accidental exposure.
Easy examples:
Home network analogy: Your laptop has a private IP (192.168.x.x). People on the internet can’t just connect to it unless you explicitly port-forward. If your router’s firewall rule is messy or you temporarily enable a service, that laptop still isn’t automatically internet-reachable. With public IPs on every device, a single bad rule can put that laptop directly on the internet.
Someone enables RDP/SSH “just to test something"? Behind NAT, it’s usually still not reachable inbound unless you publish it. With public addressing everywhere, one mis-scoped firewall rule (or host firewall disabled) can instantly make it reachable from anywhere.
With NAT, “what’s internet-facing?” is basically “what did we intentionally publish on the edge” (load balancer, reverse proxy, VPN gateway). With public IPs on every endpoint, “what’s internet-facing?” becomes “prove the firewall posture for thousands of hosts and ports,” which is harder and riskier at scale.
You’re right that IPv6 removes the address shortage reason for NAT. But IPv6 does not mean “everything must be publicly reachable.” The IPv6 equivalent of “internal-only” is using ULA (fc00::/7) for internal addressing, and/or using globally routable IPv6 but keeping a default-deny inbound firewall and publishing only through controlled ingress (reverse proxy, load balancer, VPN/Zero Trust).
So the point isn’t “NAT = security.” The point is: NAT + private addressing is a very effective exposure control and mistake-buffer. You can replicate the security model without NAT (especially in IPv6), but you do it with addressing design + strict firewalling + controlled ingres, not by claiming there’s no downside.
You don’t want every device on your network publicly addressable, it’s going to cause you some problems.
Just wait until the day ipv6 is finally adopted readily and we’ll have this same argument about whether IPv6 addresses are a security feature when a /64 is too big a range to scan
Lots of text here but a firewall with inbound deny default rule is considerably easier to manage than port and ip address translation. It’s also possible to get unexpected inbound traffic with NAT. It’s how Tailscale works for example. Sounds like a security failure to me.
Your firewall is typically the device doing the NAT (or directly on the router if you’re a home user and don’t have a dedicated hardware firewall). Your firewall/router sits on the edge, exposed with a public IP.
If you desire to expose your laptop, for example, you setup an ingress rule that translates to the laptops local address, and your firewall/router translates all traffic matching the rule and sends it to the laptop.
From a network component perspective NAT is not a Firewall. It might run on the same device but it is entirely different function
A stateful Firewall is what provides the security. That has nothing to do with NAT. You can port forward a service or you can create a firewall exception. They both do exactly the same thing.
Sure but the point was that nat allows you to choose private addresses that are by default not routed: the NAT becomes the only way internet traffic can reach your devices
If you have enough IPs then not using NAT makes everything less complicated without any downside to security. If you think otherwise then IPv6 is going to cause you some problems.
From my reading, it’s asserting that you don’t have to worry about private addressing, which is simply not true.
And from a net admin perspective, the complexity of NATing ipv4 public to private and exposing ULAs (whether you use NAT66 or NPTv6) is comparable.
If they just meant you don’t have to worry about the underlying complexity of translating, that’s both technically correct and unhelpful. You already don’t have to worry about that.
It’s this part that makes it clear to me they meant you don’t have to worry about private addressing at all: “If you think otherwise then IPv6 is going to cause you some problems.”
And I’ve explained it a few different ways in this thread already, so I don’t want to repeat myself, but they are technically correct in that you absolutely could give every device a public IP, and it would be a headache to manage just like OP’s example, where they give every device an ipv4 address without NATing…
Please explain what I got wrong. I’m not perfect, and I might have made a mistake in my explanation, but I don’t think I got the networking wrong…
With NAT:
Inbound to laptop/printer from Internet is blocked by default because there is no globally routable path to them. Devices are only exposed if you intentionally publish: firewall rule + port-forward.
Same security if configured properly, NAT just makes it so you don’t even have to worry about a whole class of exposure, because there isn’t a path to block.
I feel like you’re forgetting about subnetting and default gateways. You can’t just route to an internal host if there isn’t a route. That route, if designed correctly, will be behind a firewall that has things subnetter to default deny all for anything “internal” that shouldn’t be publicly routable.
I’m not forgetting subnetting/default gateways… that’s exactly what I’m describing.
If you assign public addresses to internal hosts, then by definition your ISP routes that public prefix to your edge, and your edge routes it to the internal subnets. At that point, reachability exists (there is a route); whether traffic gets through is entirely a question of firewall correctness. One bad zone assignment or an overly-broad “temporary” allow can make a host directly reachable.
With typical IPv4 NAT/PAT, the default posture is different: those internal addresses are not globally routable, and there is no inbound mapping/state unless you intentionally publish something (port-forward/reverse-proxy/VPN). So a lot of “oops” mistakes fail closed. NAT isn’t a security control in theory, but it is a very real operational guardrail against accidental internet exposure.
And on IPv6: the architecture isn’t “give everything a public IP and call it done.” IPv6 can use global addresses with a default-deny stateful firewall, but the IETF also standardized ULA (fc00::/7) specifically for local communications not expected to be routable on the public Internet.
IPv4 NAT was largely driven by address exhaustion, but the reason people keep defending “internal is not directly addressable” is the exposure boundary and change-control safety margin it provides, not a belief that NAT magically replaces a firewall.
Point being there is still a firewall in place with a default deny. Nothing fundamentally has changed.
I actually appreciate your diagram because it makes it easy to see. The firewall will not route packets you haven’t expressly opened in both scenarios.
That’s not a situation that is going to arise since devices should block all incoming by default. You could need to explicitly poke holes in the Firewall.
Again, it’s a free way to eliminate an attack surface.
It’s a situation that can easily arise… you temporarily disable firewall on device to test something, you install a program that exposed a port and don’t realize it, whatever the case, without a public IP that device isn’t reachable from anywhere except the upstream firewall, which requires explicit NAT/port forwarding rules to allow access. Your devices are isolated by default and must be explicitly routed by policy.
Without NAT/ULA (private ipv6 addresses), your devices are routable by default and must be isolated by explicit policy.
The point is, you don’t need NAT (that’s exclusively ipv4), but you do need private addressing. That’s the point I was responding to.
Without NAT/ULA (private ipv6 addresses), your devices are routable by default and must be isolated by explicit policy.
Yes, that’s where the basic firewall configuration comes in.
I’m running native v6 at home, with no private addressing (Since it was never implemented right in OSs unfortunately), each system has it’s own public IP address, and even an entirely unsecured device is protected since there’s still a firewall between my network and the internet.
hard boundary that prevents a whole class of accidental exposure.
Yeah, that’s a firewall. I fucking hate hearing about how NAT is more “secure” than public IPs. It’s not. It’s not a fucking security feature and should not be treated as one or relied upon implicitly or in any way at all. This is the kind of shit that slows down IPv6 adoption because it’s “less secure”
JFC if you’re relying on NAT for security then you’re doing it wrong. Period.
Security wasn’t the main concern in this particular case, the headache came from the fact that they were working in IP classes, and we were working in CIDRs (EC2 security groups, for example)
I hosted the CISO dinner at Auto-ISAC a few years ago. Very calm and collected group who know they’re on the precipice of Armageddon at all times.
GM dude was particularly kind. All but harassed me until I promised to change my travel habits and take red-eyes bc to optimize the amount of minutes with family is p0. Stuck with me.
I recognize its not a firewall like an iron door on your house blocking intruders, its more like the intruders don’t know your address. But it is a layer of security help as per this quote from CISCO
"NAT is a networking feature that can help reduce organizational security risk by hiding internal networks from public networks. By default, outside public IPs cannot communicate to an internal private IP host if there is no pre-existing NAT translation. So, NAT separates public and private networks.
Additionally, organizations that use NAT can implement and maintain multilayer security to block threats and protect against malicious activity. Your edge platform may be able to perform these essential security services."
…connected to the internet from a public IP, no NAT and only protected by extremely complicated firewall rules. Their IT team must be in constant distress, or super defensive about their architecture haha
Why they will be protected like everyone else. With the same default rule like every other company.
I think it more odd that they haven’t sold it for a lot of money.
One of the startups I worked for did business with Ford. We needed info about their networks to get them connected to our service in AWS, and in the process we learned that they still use public IPs for everything. Every workstation, server, router, etc. connected to the internet from a public IP, no NAT and only protected by extremely complicated firewall rules. Their IT team must be in constant distress, or super defensive about their architecture haha
If you have enough IPs then not using NAT makes everything less complicated without any downside to security. If you think otherwise then IPv6 is going to cause you some problems.
NAT isn’t “security” in the cryptographic sense, but saying “no NAT has no downside to security” ignores what NAT + private addressing is used for: a hard boundary that prevents a whole class of accidental exposure.
Easy examples:
Home network analogy: Your laptop has a private IP (192.168.x.x). People on the internet can’t just connect to it unless you explicitly port-forward. If your router’s firewall rule is messy or you temporarily enable a service, that laptop still isn’t automatically internet-reachable. With public IPs on every device, a single bad rule can put that laptop directly on the internet.
Someone enables RDP/SSH “just to test something"? Behind NAT, it’s usually still not reachable inbound unless you publish it. With public addressing everywhere, one mis-scoped firewall rule (or host firewall disabled) can instantly make it reachable from anywhere.
With NAT, “what’s internet-facing?” is basically “what did we intentionally publish on the edge” (load balancer, reverse proxy, VPN gateway). With public IPs on every endpoint, “what’s internet-facing?” becomes “prove the firewall posture for thousands of hosts and ports,” which is harder and riskier at scale.
You’re right that IPv6 removes the address shortage reason for NAT. But IPv6 does not mean “everything must be publicly reachable.” The IPv6 equivalent of “internal-only” is using ULA (fc00::/7) for internal addressing, and/or using globally routable IPv6 but keeping a default-deny inbound firewall and publishing only through controlled ingress (reverse proxy, load balancer, VPN/Zero Trust).
So the point isn’t “NAT = security.” The point is: NAT + private addressing is a very effective exposure control and mistake-buffer. You can replicate the security model without NAT (especially in IPv6), but you do it with addressing design + strict firewalling + controlled ingres, not by claiming there’s no downside.
You don’t want every device on your network publicly addressable, it’s going to cause you some problems.
Just wait until the day ipv6 is finally adopted readily and we’ll have this same argument about whether IPv6 addresses are a security feature when a /64 is too big a range to scan
Lots of text here but a firewall with inbound deny default rule is considerably easier to manage than port and ip address translation. It’s also possible to get unexpected inbound traffic with NAT. It’s how Tailscale works for example. Sounds like a security failure to me.
That’s not how that works
NAT is not a firewall. If you don’t have a Firewall in place bad things will happen.
For IPv6 you just set your Firewall to deny all and then add exceptions as needed. That is the default pretty much everywhere.
I never suggested NAT is a firewall.
Your firewall is typically the device doing the NAT (or directly on the router if you’re a home user and don’t have a dedicated hardware firewall). Your firewall/router sits on the edge, exposed with a public IP.
If you desire to expose your laptop, for example, you setup an ingress rule that translates to the laptops local address, and your firewall/router translates all traffic matching the rule and sends it to the laptop.
I’m not sure which part you’re not clear on.
From a network component perspective NAT is not a Firewall. It might run on the same device but it is entirely different function
A stateful Firewall is what provides the security. That has nothing to do with NAT. You can port forward a service or you can create a firewall exception. They both do exactly the same thing.
Sure but the point was that nat allows you to choose private addresses that are by default not routed: the NAT becomes the only way internet traffic can reach your devices
I never suggested NAT is a firewall.
The comment I responded to:
From my reading, it’s asserting that you don’t have to worry about private addressing, which is simply not true.
And from a net admin perspective, the complexity of NATing ipv4 public to private and exposing ULAs (whether you use NAT66 or NPTv6) is comparable.
If they just meant you don’t have to worry about the underlying complexity of translating, that’s both technically correct and unhelpful. You already don’t have to worry about that.
It’s this part that makes it clear to me they meant you don’t have to worry about private addressing at all: “If you think otherwise then IPv6 is going to cause you some problems.”
And I’ve explained it a few different ways in this thread already, so I don’t want to repeat myself, but they are technically correct in that you absolutely could give every device a public IP, and it would be a headache to manage just like OP’s example, where they give every device an ipv4 address without NATing…
No that image was for the last part of your comment “I’m not sure which part you’re not clear on.”
You’re right lol this image is for the person your wrote that too sorry.
What’s not how what works? What about the other poster’s comment is inaccurate?
Yep.
Too many people learned ipv4 and not actual networking.
Please explain what I got wrong. I’m not perfect, and I might have made a mistake in my explanation, but I don’t think I got the networking wrong…
With NAT: Inbound to laptop/printer from Internet is blocked by default because there is no globally routable path to them. Devices are only exposed if you intentionally publish: firewall rule + port-forward.
INTERNET | [Edge Firewall + Public IP] | [NAT] | [Private LAN: 10.0.0.0/24] |- laptop 10.0.0.10 |- printer 10.0.0.20 |- tablet 10.0.0.30Without NAT on ipv4, (every device has a pubic IP): inbound to your laptop/printer is blocked by policy.
INTERNET | [Edge Firewall] | [Public LAN: 203.0.113.0/24] |- laptop 203.0.113.10 |- printer 203.0.113.20 |- whatever 203.0.113.30Same security if configured properly, NAT just makes it so you don’t even have to worry about a whole class of exposure, because there isn’t a path to block.
Must be a nightmare to manage the scenario in OP.
I feel like you’re forgetting about subnetting and default gateways. You can’t just route to an internal host if there isn’t a route. That route, if designed correctly, will be behind a firewall that has things subnetter to default deny all for anything “internal” that shouldn’t be publicly routable.
I’m not forgetting subnetting/default gateways… that’s exactly what I’m describing.
If you assign public addresses to internal hosts, then by definition your ISP routes that public prefix to your edge, and your edge routes it to the internal subnets. At that point, reachability exists (there is a route); whether traffic gets through is entirely a question of firewall correctness. One bad zone assignment or an overly-broad “temporary” allow can make a host directly reachable.
With typical IPv4 NAT/PAT, the default posture is different: those internal addresses are not globally routable, and there is no inbound mapping/state unless you intentionally publish something (port-forward/reverse-proxy/VPN). So a lot of “oops” mistakes fail closed. NAT isn’t a security control in theory, but it is a very real operational guardrail against accidental internet exposure.
And on IPv6: the architecture isn’t “give everything a public IP and call it done.” IPv6 can use global addresses with a default-deny stateful firewall, but the IETF also standardized ULA (fc00::/7) specifically for local communications not expected to be routable on the public Internet.
IPv4 NAT was largely driven by address exhaustion, but the reason people keep defending “internal is not directly addressable” is the exposure boundary and change-control safety margin it provides, not a belief that NAT magically replaces a firewall.
Point being there is still a firewall in place with a default deny. Nothing fundamentally has changed.
I actually appreciate your diagram because it makes it easy to see. The firewall will not route packets you haven’t expressly opened in both scenarios.
That’s not a situation that is going to arise since devices should block all incoming by default. You could need to explicitly poke holes in the Firewall.
Again, it’s a free way to eliminate an attack surface.
It’s a situation that can easily arise… you temporarily disable firewall on device to test something, you install a program that exposed a port and don’t realize it, whatever the case, without a public IP that device isn’t reachable from anywhere except the upstream firewall, which requires explicit NAT/port forwarding rules to allow access. Your devices are isolated by default and must be explicitly routed by policy.
Without NAT/ULA (private ipv6 addresses), your devices are routable by default and must be isolated by explicit policy.
The point is, you don’t need NAT (that’s exclusively ipv4), but you do need private addressing. That’s the point I was responding to.
What’s stopping you from accidentally port forwarding?
For that matter, sometimes ISPs route private addresses even though they aren’t suppose to.
Yes, that’s where the basic firewall configuration comes in.
I’m running native v6 at home, with no private addressing (Since it was never implemented right in OSs unfortunately), each system has it’s own public IP address, and even an entirely unsecured device is protected since there’s still a firewall between my network and the internet.
Yeah, that’s a firewall. I fucking hate hearing about how NAT is more “secure” than public IPs. It’s not. It’s not a fucking security feature and should not be treated as one or relied upon implicitly or in any way at all. This is the kind of shit that slows down IPv6 adoption because it’s “less secure”
JFC if you’re relying on NAT for security then you’re doing it wrong. Period.
https://cloudnetworking.pro/nat-as-a-security-measure-safeguarding-home-office-users-for-two-decades/
Security wasn’t the main concern in this particular case, the headache came from the fact that they were working in IP classes, and we were working in CIDRs (EC2 security groups, for example)
I hosted the CISO dinner at Auto-ISAC a few years ago. Very calm and collected group who know they’re on the precipice of Armageddon at all times.
GM dude was particularly kind. All but harassed me until I promised to change my travel habits and take red-eyes bc to optimize the amount of minutes with family is p0. Stuck with me.
Gm dude sounds like a good dude
NAT is not a security feature
What it does do is make everything more complicated
I realize its not 100% security but this article lists security benefits. https://cloudnetworking.pro/nat-as-a-security-measure-safeguarding-home-office-users-for-two-decades/
That’s a myth spread by those who have never done networking without NAT
I recognize its not a firewall like an iron door on your house blocking intruders, its more like the intruders don’t know your address. But it is a layer of security help as per this quote from CISCO
"NAT is a networking feature that can help reduce organizational security risk by hiding internal networks from public networks. By default, outside public IPs cannot communicate to an internal private IP host if there is no pre-existing NAT translation. So, NAT separates public and private networks.
Additionally, organizations that use NAT can implement and maintain multilayer security to block threats and protect against malicious activity. Your edge platform may be able to perform these essential security services."
Whoa… That’s incredibly stupid.
Why they will be protected like everyone else. With the same default rule like every other company.
I think it more odd that they haven’t sold it for a lot of money.
Same for mercedes (and now Daimler truck)