
IPv6 when?

MrC
Grafter
Posts: 525
Thanks: 4
Registered: ‎17-07-2008

Re: IPv6 when?

But as Ben says - you don't need NAT. NAT was a fudge initially created to get around the old pre-CIDR restrictions and has caused a whole load of pain and complexity in a number of application protocols. There's no reason why UPnP can't work for inbound connections with IPv6 - it's actually a lot simpler without the NAT layer.
VileReynard
Hero
Posts: 12,616
Thanks: 579
Fixes: 20
Registered: ‎01-09-2007

Re: IPv6 when?

NAT gives a considerable layer of insulation in that I don't have ip addresses accessible directly from any PC on the internet (except via the router).
Surely any Windows machine would be infected in a matter of seconds if it weren’t for NAT?
BTW no-one needs uPnP (well I have it disabled in the router).

"In The Beginning Was The Word, And The Word Was Aardvark."

fourfourdevon
Grafter
Posts: 1,101
Thanks: 2
Registered: ‎10-09-2010

Re: IPv6 when?

Quote from: MrC
But as Ben says - you don't need NAT. NAT was a fudge initially created to get around the old pre-CIDR restrictions and has caused a whole load of pain and complexity in a number of application protocols. There's no reason why UPnP can't work for inbound connections with IPv6 - it's actually a lot simpler without the NAT layer.

The conversation about double NAT was about interim IPv4 based solutions until IPv6 is universal.
Quote from: A
BTW no-one needs uPnP (well I have it disabled in the router).

UPnP may for many be unneeded, but double NAT still breaks many things; I just used UPnP as an example because you mentioned it and it's relatively easy to explain why double NAT breaks it.
MrC
Grafter
Posts: 525
Thanks: 4
Registered: ‎17-07-2008

Re: IPv6 when?

Quote from: A
Surely any Windows machine would be infected in a matter of seconds if it weren’t for NAT?

Not really - the only time NAT gives any protection is to prevent inbound connections if you have no firewall on your router, or on devices behind your router. It does nothing for the most common of exploits which rely on people initiating connections from inside their networks, eg browsing to compromised web servers.
The firewall s/w in just about all modern routers will be set to prevent all inbound connections by default and, with that in place, it doesn't matter whether NAT is active or not. There's also the point that most modern OS's implement the same policy within their own firewall s/w. When/if local native IPv6 finally gets rolled out most older routers will likely need replacing (or have new firmware installed) so the likelihood of not having such a firewall policy in place is pretty small. The same also applies to older OS versions (eg XP pre-SP2) although they'll likely not have full support for IPv6, if at all.
Quote from: A
BTW no-one needs UPnP (well I have it disabled in the router).

Quite, and FWIW I also have it disabled here. From a strict network security standpoint UPnP has the potential for something inside the local network to remove (either maliciously, or by bad design or misconfiguration) the protection provided by the router's firewall.
Playing devil's advocate though, a lot of application networking protocols require inbound connections for peering, and UPnP takes away the need for a user to need to know about the gory details of what these are, and how to configure their firewall and NAT s/w. Another advantage of UPnP is that (if it's working properly) it revokes the firewall/NAT rule changes when they're no longer required, whereas without UPnP it's likely the firewall will end up with a lot of inbound connection rules, some of which may no longer be in use.
At least with IPv6, manually changing the router gets a bit simpler as there's no NAT layer to worry about.
The next few years are going to be very interesting for ISPs and their customers as, unless they get together to coordinate their efforts, no 2 ISPs are likely to have the same migration policies. There's grounds for a lot of confusion and FUD coming up.
David_W
Rising Star
Posts: 2,305
Thanks: 32
Registered: ‎19-07-2007

Re: IPv6 when?

Quote from: A
Surely any Windows machine would be infected in a matter of seconds if it weren’t for NAT?

I could be wrong, but most infections are caused by bots that scan IP addresses, they know for instance that PlusNet own 212.159.x.x so they can start to scan from 212.159.0.0 to 212.159.255.255 or whatever looking for vulnerable machines. My IPV6 address on my PC is 2001:470:1f09:611:24fb:8d3e:a871:6e77, and on my mobile the IPV6 address is 2001:470:1f09:611:3ef7:2aff:fef3:dld4, so scanning (and I'm probably very wrong here!) 2001:470:1f09:611 would give them *me* but then they would need to find the address of my computers which as you can see are not numerical, so while on IPV4 my PC may be 192.168.0.10 and my mobile 192.168.0.11 the scanning range needed to find vulnerabilities is HUGE and would require a supercomputer to figure out my IPV6 address to start scanning.
Of course, if I look at my IPV6 address on the internet, the reply comes as 2001:470:1f09:611:bd01:d59e:6d7:70a2 which is different again, hrm, Windows actually lists both addresses giving 70a2 a temporary IPV6 address, umm, I don't have any clue as to why that is, but yeah, scanning IPV6 addresses will take a lot longer than scanning for IPV4 addresses and Windows firewall should naturally block bad traffic anyhow (don't think XP does IPV6 by default so you'll be looking at Vista and 7 which do come with firewall enabled by default).  Windows 7 and Vista are a lot more secure than XP ever could be so they wouldn't get infected just by connecting to the internet anyhow.
fourfourdevon
Grafter
Posts: 1,101
Thanks: 2
Registered: ‎10-09-2010

Re: IPv6 when?

Scanning does seem to be a lot less useful as a way to spread with IPv6 than IPv4. However, as others have said, the primary means of propagation are downloads of one sort or another, where your PC, or phone, or whatever, contacts an infected server, or you open an infected document, or run an infected executable.
linux
Grafter
Posts: 146
Registered: ‎23-08-2007

Re: IPv6 when?

Does the absence of NAT preclude the use of firewall software?
fourfourdevon
Grafter
Posts: 1,101
Thanks: 2
Registered: ‎10-09-2010

Re: IPv6 when?

It has no effect on software firewalls.
benoh
Grafter
Posts: 272
Thanks: 1
Registered: ‎24-08-2007

Re: IPv6 when?

NAT does NOT provide any security at all, this is a misconception.
Yes, when using NAT you get the added benefit that it's stateful so only allows incoming connections to existing outgoing traffic (or where you've configured PAT); however the downside is that it's not possible to connect inbound to your machines from 'the internet'.
Some may see this as an advantage, but it causes all sorts of problems with P2P, chat etc. where end to end connectivity is required, and this also allows for new technologies in the future where end to end is a must, i.e., want to tell your lights/heating to turn on from work before coming home? Check what's in the fridge? I don't fancy manually adding all the PAT details when EVERYTHING is connected.
Any CPE that does IPv6 will (probably) do NAT4 for your IPv4 connection and a stateful firewall (default deny) for IPv6, which gives you exactly the same setup as NAT on v4.
Ben
linux
Grafter
Posts: 146
Registered: ‎23-08-2007

Re: IPv6 when?

Quote from: fourfourdevon
It has no effect on software firewalls.

Exactly what I thought. So I'm curious as to why there are security concerns about the removal of NAT.
David_W
Rising Star
Posts: 2,305
Thanks: 32
Registered: ‎19-07-2007

Re: IPv6 when?

I think it's because IPV6 has a real IP address of a real item displayed to the internet.  A website may see 123.456.789.1 and that's the IP address assigned to me from my ISP, my laptop, mobile, PC, PS3, Xbox 360, Wii, PSP, DS, Humax PVR all connect to the internet and identify themselves as 123.456.789.1, with IPV6 however they will be identifying themselves by IPV6 address which would be unique to that item allowing a direct connection which is where the firewall comes into play to drop any unsolicited traffic from entering the network. 
If you go http://www.whatismyipv6.net/?s=IPv6_ping <-- there, it'll ping your IPV6 endpoint which is a goodish indicator of if your firewall drops packets, in my case:
PING 2001:470:1f09:611:bd01:d59e:6d7:70a2(2001:470:1f09:611:bd01:d59e:6d7:70a2) 56 data bytes
--- 2001:470:1f09:611:bd01:d59e:6d7:70a2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1009ms
Which to me suggests my router is dropping the packet, shields up doesn't do IPV6 yet though for a complete test.
linux
Grafter
Posts: 146
Registered: ‎23-08-2007

Re: IPv6 when?

I understand. As you rightly point out, a software firewall in the router will address such concerns.
linux
Grafter
Posts: 146
Registered: ‎23-08-2007

Re: IPv6 when?

Of course the absence of NAT may still present privacy (as opposed to security) concerns. If IPv6 addresses are presumed to identify specific devices then there will be a temptation for others to track those IPv6 addresses across the Internet. This may be a reason to retain NAT with IPv6.
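The two addresses David_W sees on one PC and the tracking worry raised just above both come down to the low 64 bits of the address, the interface identifier. The stable one is built from the network card's MAC (modified EUI-64, recognisable by the ff:fe in the middle) and follows the device everywhere; the second, "temporary" one is a random RFC 4941 privacy address that Windows rotates, so it cannot be tracked the same way. The example below is added here and is not from anyone in this thread; the addresses are constructed under the documentation prefix 2001:db8::/32 rather than the posters' real ones.

```python
import ipaddress
from typing import Optional

# Constructed sample addresses sharing one /64 prefix (not the posters' real addresses):
# the first has a MAC-derived EUI-64 interface identifier, the second a random temporary one.
EUI64_ADDR = "2001:db8:1f09:611:3ef7:2aff:fef3:d1d4"
TEMP_ADDR = "2001:db8:1f09:611:bd01:d59e:6d7:70a2"


def interface_id(addr: str) -> int:
    """Return the low 64 bits (the interface identifier) of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def is_eui64(addr: str) -> bool:
    """True when bytes 3-4 of the IID are the 0xFFFE marker that modified EUI-64 inserts."""
    return (interface_id(addr) >> 24) & 0xFFFF == 0xFFFE


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the hardware MAC from a modified EUI-64 IID: drop ff:fe, undo the U/L bit flip."""
    if not is_eui64(addr):
        return None
    b = interface_id(addr).to_bytes(8, "big")
    mac = bytes([b[0] ^ 0x02, b[1], b[2], b[5], b[6], b[7]])
    return ":".join(f"{x:02x}" for x in mac)


def classify(addr: str) -> str:
    """Label an address by how trackable its interface identifier is."""
    if is_eui64(addr):
        return "stable EUI-64 (MAC-derived, follows the device across networks)"
    return "random IID (RFC 4941 temporary/privacy address, rotates over time)"


def scan_years(prefix_len: int = 64, probes_per_second: float = 1e9) -> float:
    """Years needed to sweep every host address under a prefix at a given probe rate."""
    hosts = 2 ** (128 - prefix_len)
    return hosts / probes_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for a in (EUI64_ADDR, TEMP_ADDR):
        print(a, "->", classify(a), "| MAC:", mac_from_eui64(a))
    print(f"Sweeping one /64 at 1e9 probes/s takes about {scan_years():.0f} years")
```

On the constructed EUI-64 address the MAC 3c:f7:2a:f3:d1:d4 is recovered directly, which is the tracking concern in a nutshell; the /64 sweep works out to roughly 585 years at a billion probes per second, against seconds for a whole IPv4 /16.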
avatastic
Grafter
Posts: 1,136
Thanks: 2
Registered: ‎30-07-2007

Re: IPv6 when?

Time to start designing a IPv6 GW->IPv4 (unregistered) router with NAT, firewall, etc.
F9 member since 4 Sep 1999
F9 ADSL customer since 27 Aug 2004
DLM manages your line the same way DRM manages your rights.
Look at all the pretty graphs! (now with uptime logging!)
David_W
Rising Star
Posts: 2,305
Thanks: 32
Registered: ‎19-07-2007

Re: IPv6 when?

The absence of NAT is actually a good thing, IPV6 has so many possible numbers that every device could have one. Your car could say "hey, it's almost time for a service, should I book you in?" you say "sure" and it'll connect to your dealer who'll have its IPV6 address so have the full details of the car and book you in. Your fridge may be running low on milk and eggs so can tell Tesco "IPV6 2001:..... needs milk and eggs" so it gets added to your shopping list. It should make automation easier, you could control every device in your home by IP address, the possibilities are endless, or maybe not endless but greater than 1.