Reply to post: Re: Nat as a security measure

IPv6 is great, says Facebook. For us. And for you a bit, too

Anonymous Coward

Re: Nat as a security measure

"NAT makes for better privacy. The use of IPv6 without any NAT is likely to make each device in your site uniquely identifiable by its global address."

False.

What you are thinking of as "privacy" is use of RFC 1918 address space. This is actually a designed-in feature of IPv6 (fd00::/7 and fe80::/16 addresses) which was back-ported to IPv4 several decades ago.

* In IPv4 the only way to get use of it is with a NAT44 translating between the private and public addresses.

* In IPv6 every machine is allocated with at least one of these addresses alongside one static global address, and a /64 subnet of alternative addresses that it can pick and choose from.

A single slip-up in the NAT device, router, or the application layer software and the "private" address gets sent out to the global network. Correlate with the global NAT'ed IP and goodbye privacy. That's three points of weakness.

The private IPv6 address is completely private. Routers are hardwired not to transfer the fe80 ones outside the subnet, or the fd00/fc00 ones to a global uplink. The /64 used for IPv6 address randomisation when making client connections globally provides far better privacy than an IPv4 NAT will ever be able to achieve. Software all the way up to the application layer, if it looks up the IP address, gets informed of the end-to-end IPv6 address applicable to the connection. Be that the private one for LAN connections or the global IP for Internet connections. No weak points.

"IPv4 NAT with PAT makes an external network capture very difficult to correlate with an internal device. Only the router/firewall doing the address/port translation knows which of the many temporarily assigned ports on one external IPV4 address - are mapped to which internal device's local IPv4 address."

"very difficult" takes on a whole new meaning when every UDP packet, and every TCP connection has a unique IPv6 source address, and potentially a unique IPv6 destination address as well. Even when the same two client and server are talking. IPv4 more private? lol.

Additionally the IPv4 NAT device in the middle retains records of the mappings. This makes it the weakest link. It can be queried later for info about what mappings were used by which client IP, to access a given server. Think about that in context of NAT444 (carrier NATs for ISP operators) and recent laws enacted worldwide.

NAT-busting is the name for the techniques used to find active mappings in a NAT device and gain access to an internal client device by pretending to be the remote server it was talking to on an earlier NAT session. It also works from outside with the right tools. More secure? heck no.

Consider this: the static IPv6 address (of the server) is used to find the server in the first place, after which it is up to the software whether to re-use those IPv6 or a new connection made from a randomly generated server private IP to the client's current private IP. They can both swerve off into connections with private endpoint IPv6 addresses, TCP connections moving randomly around address space as the IPs change. Add strong encryption on top of that and it should be clear IPv6 offers privacy and security of a kind even Tor users can only dream about in IPv4-only networks.
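
An added example, not part of the comment above: a Python sketch for auditing the IPv6 addresses a host is using, reporting each address's scope and whether its interface identifier is EUI-64 derived (which exposes the MAC address, the "uniquely identifiable" case from the quoted post), beside a randomised identifier drawn from the same /64. The sample addresses are constructed from documentation and example ranges, the function names are hypothetical, and `random_address` is a simplification of the address randomisation the comment refers to.

```python
import ipaddress
import secrets

ULA = ipaddress.IPv6Network("fc00::/7")             # the fd00/fc00 site-private range
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # globally routable unicast

def scope(addr):
    """Return how far an address is meant to be routed."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_link_local:
        return "link-local"      # stays on the local subnet
    if ip in ULA:
        return "unique-local"    # stays inside the site
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"

def embedded_mac(addr):
    """Return the MAC recoverable from an EUI-64 interface ID, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":                      # EUI-64 marker bytes
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def random_address(prefix):
    """Pick an address with a random 64-bit interface ID inside a /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    while True:
        iid = secrets.token_bytes(8)
        if iid[3:5] != b"\xff\xfe":                  # never look like EUI-64
            return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)

def audit(addrs):
    """Return (address, scope, recoverable MAC or None) per address."""
    return [(a, scope(a), embedded_mac(a)) for a in addrs]

# Constructed sample addresses (2001:db8::/32 is the documentation prefix).
SAMPLES = [
    "fe80::1",
    "fd12:3456:789a:1::10",
    "2001:db8:1:2:211:22ff:fe33:4455",   # EUI-64 of MAC 00:11:22:33:44:55
    str(random_address("2001:db8:1:2::/64")),
]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

A global address for which `embedded_mac` returns a value identifies the same device on every network it joins; the randomised address in the same /64 does not.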
