[lacnog] A Disaster for IPv6 - Brought by Fortinet

Fernando Gont fgont en si6networks.com
Mon Jun 8 19:26:45 -03 2026


Hi, Carlos,

On 08/06/2026 17:15, Carlos Martinez - Cagnazzo wrote:
> 
> I think we should make a distinction between actual "NAT"  --that is, 
> hiding a bunch of things behind a single IPv4/IPv6-- and "NPT" where you 
> actually make a stateless translation where the host section of the 
> address is kept as-is.
> 
> I don't like NAT w/port translation, not in IPv4 and much less in IPv6. 
> I think it gives a false sense of security and hides behavior in ways 
> that probably can be exploited.

The argument of "NAT is not a security technology" is an old one -- and, 
IMO, a discussion that never made sense.

At the end of the day, NAT is a technology that does make the life of an 
attacker harder. Network topology information is typically of use to an 
attacker -- and NATs do hide it.  OTOH, a NAT results, as a side effect, 
in a diode-like firewall -- a policy that also makes the life of an 
attacker harder.


Discussions of the kind of "Oh! But the resulting filtering policy 
doesn't have to do with NAT itself, but is actually a side effect" seem 
more like the kind of philosophical debates one would have over a glass 
of wine (for the sake of debating), than one of any practical 
implication. :-)



> Someone mentioned the ability of protocols like UPnP to punch holes in 
> NAT as a "good thing". I honestly believe it is a terrible idea, and 
> that it always has been, a sad example of the things we've been forced 
> to accept in this IPv4 port-translated Internet.

Again, it's a tool/mechanism. In some scenarios it might be a good thing, 
in others it might not. In an Enterprise or managed network, it's 
possibly a bad idea. In an unmanaged network, it's definitely orders of 
magnitude better than simply assigning global addresses to all devices 
and simply allowing all incoming connections.



> There goes your 
> supposed security layer brought by NAT. Any 10 usd piece of **** you buy 
> at the supermarket can happily punch holes in your "nat security".

There's nothing special about NATs. In fact, the same feature is 
available for NAT-less IPv6 firewalls.



> Rant aside, I can live with something like NPT, especially in Enterprise 
> scenarios. I even believe it could in some situations actually be useful 
> (multihoming without BGP, some renumbering scenarios).

Note: the NAT66 case I mentioned has more to do with human aspects than 
with technical bits. The service in question allows me to talk to an 
IT team and say "Besides the IPv4 address, you get a private IPv6 
address, that works in the same way as IPv4... just longer addresses".
In a lot of scenarios, an IT team has better things to spend their time 
on than learning about the algorithmic address mapping in NPT, or any 
other IPv6 details, for instance.


-- 
Fernando Gont
SI6 Networks
e-mail: fgont en si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
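The stateless NPT mapping Carlos describes (prefix rewritten, host part kept as-is) and the "algorithmic address mapping" Fernando mentions, as an added example that is not part of this thread or of any vendor's product: an RFC 6296-style /48-to-/48 translation in which a constant one's complement adjustment is added to the subnet word so the TCP/UDP/ICMPv6 pseudo-header checksum is unchanged and the IID never moves. Function names are my own; the sample prefixes and the resulting `d550` subnet word follow the RFC 6296 worked example.

```python
import ipaddress

def oc_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def oc_sum(ws) -> int:
    """One's complement sum of 16-bit words; 0xFFFF and 0x0000 both mean zero."""
    total = 0
    for w in ws:
        total = oc_add(total, w)
    return total % 0xFFFF

def words(addr) -> list:
    """Split an IPv6 address (str or IPv6Address) into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(str(addr)).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]

def npt_translate(addr, src_prefix, dst_prefix) -> ipaddress.IPv6Address:
    """Rewrite src_prefix -> dst_prefix (both /48). The checksum-neutral
    adjustment lands in word 3 (the subnet word); words 4..7, the host/IID
    part, are copied through untouched. Example restricted to /48 prefixes."""
    src = ipaddress.IPv6Network(str(src_prefix))
    dst = ipaddress.IPv6Network(str(dst_prefix))
    address = ipaddress.IPv6Address(str(addr))
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example only handles /48 prefixes")
    if address not in src:
        raise ValueError(f"{address} is not inside {src}")
    ws = words(address)
    if ws[3] == 0xFFFF:
        # RFC 6296 excludes 0xFFFF in the adjusted word; refuse rather than mis-map
        raise ValueError("subnet word 0xFFFF cannot be translated")
    src_ws, dst_ws = words(src.network_address)[:3], words(dst.network_address)[:3]
    # adjustment = sum(src prefix words) - sum(dst prefix words), one's complement
    adj = oc_add(oc_sum(src_ws), ~oc_sum(dst_ws) & 0xFFFF)
    ws[:3] = dst_ws
    ws[3] = oc_add(ws[3], adj)
    if ws[3] == 0xFFFF:  # negative zero: RFC 6296 writes 0x0000 instead
        ws[3] = 0
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in ws))

def checksum_neutral(a, b) -> bool:
    """True when both addresses contribute the same value to a pseudo-header checksum."""
    return oc_sum(words(a)) == oc_sum(words(b))

if __name__ == "__main__":
    ext = npt_translate("fd01:203:405:1::1234", "fd01:203:405::/48", "2001:db8:1::/48")
    back = npt_translate(ext, "2001:db8:1::/48", "fd01:203:405::/48")
    print(ext, back)  # 2001:db8:1:d550::1234 fd01:203:405:1::1234
```

Because the mapping is algorithmic, no per-flow state is kept and the host can be reached from outside by anyone who computes the mapping, which is why NPT on its own is not a filtering policy.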