IPv6 is not insecure because it lacks a NAT.

Not this asinine shit again. I hate this idiot and idiots like this in general. That is, the “Well, ackshually” shitheels who ignore how anything is in the real world, standard practices, and how things actually work. And also do not really understand the tech, either.

First of all, you stupid motherfucker, a device can (and most consumer crap does) implement NAPT/PAT with dynamic state but often has¹ no explicit packet-filter policy engine (what most people would term a “firewall”), yet will still refuse unsolicited inbound flows simply because these flows don’t match any mapping/state. That is in fact de facto protection via reachability restriction. And that behavior is explicitly defined in NAT RFCs. The NAT RFCs in fact directly discuss filtering behavior associated with NAT operations (not just a separate firewall). Check out RFC 4787 (BCP 127), RFC 5382 (BCP 142), RFC 5508 (BCP 148) and RFC 7857 for how NAT really works. I’ve read those documents in toto several times over the years. I can guarantee that doofus has not.

Miraculously, he is right that “NAT isn’t designed as security,” but the clown-ass shitstain then uses that to imply “NAT adds no security value,” which is false in actual practice. Nearly every existing IPv4 NAT (NAPT/PAT) gateway² enforces stateful inbound blocking out of the box. This NAT — independent of the router’s firewall function — does provide decent default-on security for home users.

On the other hand, his core premise (“modern routers default-deny inbound IPv6 anyway”) is absolutely not a sure thing. Standards and real deployments often have non-optimal defaults, including configs that default-forward unsolicited inbound IPv6 traffic. This is because unlike IPv4, IPv6 expects end-to-end connectivity. So that means many router vendors ship equipment that way. Thus, having NAT adds quite hardy extra protection in practice. That is to say, with any IPv4 home NAT you need both a firewall hole and a port-forward/mapping mistake to expose a device. With IPv6 global addressing, exposure can occur with only one minor screw-up. Then boom, your whole network is out there on the wide-open internet.

This disphit’s NAT explanation is also crazy sloppy (he frames it as mainly destination-rewrite based on static port forwards), just glossing over or ignoring that the real “default deny” effect largely comes from dynamically created state. He overstates a conditional truth (“IPv6 is fine if you keep equivalent edge filtering”) into an unsupported and often-wrong universal claim, using cherry-picked vendor defaults as if they were always the case. Also, he deliberately handwaves away as irrelevant the safety margin NAT provides in reality every damn day.

NAT wasn’t designed for security, wah wah. Carbon steel wasn’t designed for armor, either, but we use it for that in the real world.

My conclusion: Fuck this fucking clown who doesn’t know a damn thing, and what he thinks he knows is wrong. Read the RFCs, motherfucker. I’ll wait. You won’t understand them anyway, but I’ll still wait.

1. And does not require.
2. I have not seen one in 20+ years that does not.