Networking noob here. I want to prevent all incoming requests except through a specific port, and that traffic is forwarded to a specific device on the network. NAT seems to do that just fine, it’s almost like a kind of firewall by itself. What kind of threats are there that requires more than just NAT for security?
IPv6 usually have unique IP addresses (non-local) for every device in the network. does that mean it will malicious actors can target a device specifically inside a network?
Depends on if there’s an IPv6NAT and how your ISP converts between IPv4 and IPv6 or actually supports IPv6 straight through. It also depends on your router.
Currently, there’s still some debate since IPv6NAT (NAT66/NPT6/NATv6) isn’t really needed for WAN boundaries for the reasons NAT exists. However, without it you are right on that this will be a problem for the consumer because PCs, IoT devices, printers, circuts or whatever my wife has, etc. could all be exploitable and even worse, you may never know you’re contributing to the botnet.
As an example, I have a global IPv6 on a few on my devices. They can connect to IPv6 if it originates from me but if it originates from them or is UDP it doesn’t route to my IPv6. My router doesn’t care. It’ll route it just fine either way. It would appear that my ISP has me behind one of the IPv6 NATs.
I’d imagine that’s true for most people at home.
The global IPv6 address is usually not directly reachable from the internet for incoming traffic. There’s still the router with a firewall which blocks all incoming connections, so having an IP for each device doesn’t make a difference for security.
With IPv6 ports still have to be forwarded on consumer routers by default, the main difference is that it doesn’t have to be translated to a different IP.
This also means I can have multiple hosts on my home network listening on the same ports, because their public IP’s are different.
I haven’t setup an IPv6 network yet, but it’d have to physically traverse the packet through your router to reach the connected device still. I imagine a router would still be able to use it’s firewall to drop the packet before it gets sent to the endpoint device.