IPv6 is not insecure because it lacks a NAT
Recorded: Jan. 21, 2026, 11:03 a.m.
Original (excerpt)
IPv6 is not insecure because it lacks a NAT - John Maguire
Allow Established/Related Traffic (outbound return traffic)
Therefore, in order to allow unsolicited inbound traffic to any IPv6 device hosted behind the router, you must explicitly add a firewall rule to allow the traffic, whether using a NAT or not.
Summary
John Maguire’s post addresses a frequently repeated argument: that IPv4 behind NAT is inherently more secure than IPv6 because NAT defaults to "deny all" for inbound traffic, so IPv6, which has no NAT, must be less secure. Maguire challenges this directly, arguing that the security credited to NAT is misattributed.

His argument rests on separating NAT as an address-conservation technique from its incidental effect on security. NAT exists to mitigate IPv4 address exhaustion by letting many devices on a private network share a single public address. Outbound connections have their source address rewritten to the router's public address; inbound packets have their destination address rewritten according to configured port mappings (port forwards), which decide which internal device receives a packet arriving on a given port. An unsolicited inbound packet whose destination port matches no port forward has no internal destination, so the router drops it before it reaches any IPv4 host.

Maguire's point is that this "deny all" behaviour is not really a property of NAT. It comes from the stateful firewall built into practically every modern router, which is applied whether or not NAT is in use. Routers ship with a default inbound policy that denies everything not explicitly permitted. On a UniFi gateway, for example, the default rules allow established and related traffic (the return half of connections initiated from inside), drop invalid traffic, and drop all other inbound traffic.
Consequently, to permit unsolicited inbound traffic to an IPv6 device behind such a router, the administrator must explicitly add a firewall rule allowing it, just as a port forward must be added on IPv4; the only difference is that no address rewriting accompanies the rule. The real security foundation is the router's default-deny stateful firewall together with the requirement to write explicit inbound rules, not the presence or absence of NAT. It follows that the protection is only as good as that default policy: a router on which the IPv6 firewall is disabled or absent exposes every host directly, so the posture rests on deliberate firewall configuration rather than on NAT as a passive side effect.
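To make the distinction concrete, here is a small model of the inbound decision a router's stateful firewall makes, added as an example (it is not Maguire's code and not any router's firmware): the same three default rules are applied once with NAT and once without, and only the explicit allow list differs. The `Router` and `Packet` classes, the verdict strings, the ports and the addresses (taken from documentation prefixes) are all constructed for the demo.

```python
"""Added example (not from the article): a toy model of the inbound decision a
home router's stateful firewall makes, run once with NAT (IPv4) and once
without (IPv6). Addresses, ports and rule names are constructed for the demo."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]
FlowKey = Tuple[str, int, str, int]   # how a reply looks on the WAN: src, sport, dst, dport


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first packet of a TCP connection


@dataclass
class Router:
    """Default policy modelled on the rules the article cites: allow
    established/related, drop invalid, drop all other inbound traffic."""
    wan_ip: Optional[str] = None                                      # set only when NAT is in use
    allow_inbound: Set[Endpoint] = field(default_factory=set)         # explicit allow rules
    port_forwards: Dict[int, Endpoint] = field(default_factory=dict)  # NAT: WAN port -> host
    conntrack: Dict[FlowKey, Endpoint] = field(default_factory=dict)  # state for flows the LAN opened
    next_nat_port: int = 40000

    def send_out(self, pkt: Packet) -> Packet:
        """A LAN host opens a connection: record state so the reply counts as
        'established'. With NAT the source is rewritten to the public address."""
        if self.wan_ip is None:                          # IPv6: no translation at all
            self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = (pkt.src, pkt.sport)
            return pkt
        nat_port, self.next_nat_port = self.next_nat_port, self.next_nat_port + 1
        self.conntrack[(pkt.dst, pkt.dport, self.wan_ip, nat_port)] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, nat_port, pkt.dst, pkt.dport, pkt.syn)

    def receive_in(self, pkt: Packet) -> Tuple[str, Optional[Endpoint]]:
        """Inbound packet on the WAN interface. Returns (verdict, host it is delivered to)."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:                        # rule 1: allow established/related
            return "ACCEPT established", self.conntrack[key]
        if not pkt.syn:                                  # rule 2: drop invalid (no state, not a new flow)
            return "DROP invalid", None
        if self.wan_ip is not None and pkt.dst == self.wan_ip and pkt.dport in self.port_forwards:
            return "ACCEPT port-forward", self.port_forwards[pkt.dport]   # NAT rewrite + implied allow
        if (pkt.dst, pkt.dport) in self.allow_inbound:   # explicit allow rule (what IPv6 needs)
            return "ACCEPT explicit rule", (pkt.dst, pkt.dport)
        return "DROP default", None                      # rule 3: drop all other inbound


def reply_to(out: Packet) -> Packet:
    """The remote server's answer to a packet that left the WAN interface."""
    return Packet(out.dst, out.dport, out.src, out.sport)


def run_scenarios() -> Dict[str, str]:
    """Same default policy, with and without NAT. Addresses are documentation ranges."""
    verdicts = {}
    v4 = Router(wan_ip="203.0.113.10", port_forwards={443: ("192.168.1.20", 443)})
    out = v4.send_out(Packet("192.168.1.50", 51000, "198.51.100.5", 443, syn=True))
    verdicts["v4 return traffic"] = v4.receive_in(reply_to(out))[0]
    verdicts["v4 unsolicited 443"] = v4.receive_in(Packet("198.51.100.9", 4444, "203.0.113.10", 443, syn=True))[0]
    verdicts["v4 unsolicited 22"] = v4.receive_in(Packet("198.51.100.9", 4444, "203.0.113.10", 22, syn=True))[0]

    v6 = Router(allow_inbound={("2001:db8:1::20", 443)})   # globally routable hosts, one explicit rule
    out = v6.send_out(Packet("2001:db8:1::50", 51000, "2001:db8:ffff::5", 443, syn=True))
    verdicts["v6 return traffic"] = v6.receive_in(reply_to(out))[0]
    verdicts["v6 unsolicited 443"] = v6.receive_in(Packet("2001:db8:ffff::9", 4444, "2001:db8:1::20", 443, syn=True))[0]
    verdicts["v6 unsolicited 22"] = v6.receive_in(Packet("2001:db8:ffff::9", 4444, "2001:db8:1::50", 22, syn=True))[0]
    verdicts["v6 stray ack"] = v6.receive_in(Packet("2001:db8:ffff::9", 4444, "2001:db8:1::50", 22))[0]
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22} {verdict}")
```

In both runs the return traffic is admitted by connection state, not by address translation, and the unsolicited SYN to an unlisted port is dropped by the default rule in both. The IPv4 port forward and the IPv6 allow rule play the same role; the port forward just bundles a destination rewrite with the allow. A real Linux-based router expresses the first rule as `ct state established,related accept` in nftables, with the translation, if any, handled separately in the nat table.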