I’m torn on the NAT dilemma. On the one hand, it obviously makes point-to-point communication harder. But on the other, for each one of us wondering why we can’t ssh directly into a home machine, there are 10 people with insecure machines protected from automated attacks by the box running NAT.
It’s probably helped at least as much as it’s hindered
You are confusing NAT and a stateful packet filter. NAT doesn't contribute anything there, the stateful packet filter does, and a stateful packet filter works just as well without NAT, just that it's much easier to make some services accessible if you want to.
>> a stateful packet filter works just as well without NAT
True, but NAT doesn't work without statefully filtering/routing packets, and unlike generic packet filters, the use of NAT is basically a requirement for most people connecting devices to the internet.
The question is: if IPV6 was around 30 years ago and no one ever needed to use NAT to stick a whole address space behind a single address, how would things be different today? How long would it have taken for packet filters to become a default feature on home routers, and what would their default settings be?
Routing isn't stateful at all, and NAT doesn't need a stateful filter, it just needs connection tracking (which is also needed for a stateful filter, if you have one).
How common are stateful packet filters on home routers today? I don't really know - thanks to NAT, you can get away without one for most attack scenarios nowadays, so I wouldn't be surprised if vendors don't really bother with it. But given that connection tracking doesn't seem to be that difficult with home router hardware, I would have expected stateful packet filters in home routers as a default feature early on, with everything inbound blocked by default (and then some UPnP like protocol for opening ports as needed, just without the stupid address collisions you get with NAT).
Well, depending on the type of NAT, isn't the end effect for certain variants that non-communicating services on local ports are rendered unaddressable from the other side?
I believe that's what GP was referring to.
(Disclaimer: can't remember which variant of cone/full this is categorized as -- I thought there was a really useful "Current state of NAT in practice" blog post that was linked a few months ago)
Not really. The non-addressability comes from not globally routed ("private") addresses on the "internal" network: They may prevent someone on the other side of the planet from reaching those "internal" hosts on your local network, but that's orthogonal to NAT: You can do NAT between globally routed addresses (which thus would be reachable directly ... unless there is a (stateful) firewall preventing that!), and also, just because those addresses aren't routed globally, doesn't mean your ISP (or whoever is connected to the "outside" link of your NAT gateway) couldn't send you packets directly addressed to your internal network that your router/NAT gateway would just forward to your local network (once again, unless you have a (stateful) firewall that blocks those packets).
Now, it so happens that dynamic NAT also needs to do connection tracking in order to be able to map addresses back and forth, just like a stateful firewall does, and that therefore, it's easy to also implement stateful packet filtering on top of the same connection tracking state - however, there is no need to do NAT in order to do the connection tracking and the filtering based on that, you could have the exact same stateful packet filtering with the exact same security properties, just without messing with the address fields of the packets and all the bad things that result from that.
From a practical aspect, IPv6 (and the removal of NAT) can't come alone: standalone stateful firewalls need to be generalized as well, to replace the way they are embedded in the NAT implementation inside people's modem/routers nowadays.
Huh? I don't get what you are trying to say ... yes, one usually should have a stateful packet filter at the uplink, with IPv6 just as with IPv4, with NAT just as without, what is your point?
There is a difference between theory and practice: there is no specific use of stateful firewalls in today's IPv4 mr. nobody home router (i.e. most of the routers do not use the --state option of iptables). If we move to IPv6 only, ISPs need to (and will) use --state (or equivalent). The way mr. nobody has a sort of "stateful firewall" nowadays is actually thanks to the popular use of Masquerading NAT (i.e. iptables -t nat -j MASQUERADE). So jackweirdy is kind of right: "NAT" (in practice) has become a pillar of internet security, in spite of itself.
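The thread's argument (connection tracking is what both NAT and a stateful filter need; NAT rewrites addresses but does not by itself block packets the upstream network addresses straight to an internal host; a stateful filter gives the same protection with or without NAT) can be made concrete with a small simulation. This is an added example written for this thread, not code from any commenter and not an iptables implementation: a toy gateway with a 5-tuple conntrack table, an optional masquerade-style source NAT, and an optional inbound filter that only admits replies to tracked flows. All addresses, ports and the `Gateway`/`scenario` names are constructed for the example.

```python
"""Toy home gateway: connection tracking with and without NAT and a stateful filter.

Constructed simulation (not iptables). Packets are 5-tuples; the conntrack
table records flows seen leaving the LAN; NAT optionally rewrites the source
address/port on the uplink; the stateful filter optionally drops inbound
packets that are not replies to a tracked flow.
"""
from dataclasses import dataclass, replace

# Constructed addresses: an RFC 1918 LAN prefix and a documentation-range uplink address.
LAN_PREFIX = "192.168.1."
WAN_ADDR = "203.0.113.5"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def reverse(key):
    """Conntrack key for the reply direction of a flow."""
    proto, src, sport, dst, dport = key
    return (proto, dst, dport, src, sport)


class Gateway:
    """Hypothetical router. `nat` enables masquerade-style source NAT on the uplink;
    `stateful` enables an inbound filter that only admits packets belonging to a
    tracked flow. Connection tracking is always on: both features depend on it."""

    def __init__(self, nat: bool, stateful: bool):
        self.nat = nat
        self.stateful = stateful
        self.conntrack = set()   # original-direction 5-tuples seen leaving the LAN
        self.nat_map = {}        # (proto, mapped_port) -> (lan_src, lan_sport)
        self.next_port = 40000   # constructed start of the NAT port pool

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: record the flow, then rewrite the source only if NAT is on."""
        self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if not self.nat:
            return pkt
        mport = self.next_port
        self.next_port += 1
        self.nat_map[(pkt.proto, mport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=WAN_ADDR, sport=mport)

    def inbound(self, pkt: Packet):
        """WAN -> LAN: returns (verdict, packet as delivered to the LAN or None)."""
        # Step 1: undo NAT for packets addressed to the uplink address.
        if self.nat and pkt.dst == WAN_ADDR:
            mapping = self.nat_map.get((pkt.proto, pkt.dport))
            if mapping is None:
                # No LAN host to hand this to: the incidental protection NAT gives.
                return ("DROP", None)
            lan_dst, lan_dport = mapping
            pkt = replace(pkt, dst=lan_dst, dport=lan_dport)
        # Step 2: stateful filter; the decision does not depend on whether NAT ran.
        if self.stateful:
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if reverse(key) not in self.conntrack:
                return ("DROP", None)   # inbound NEW flow, not a reply
        # Step 3: plain routing: anything addressed to a LAN host is forwarded.
        if pkt.dst.startswith(LAN_PREFIX):
            return ("ACCEPT", pkt)
        return ("DROP", None)           # addressed to the router itself, not forwarded


def scenario(nat: bool, stateful: bool) -> dict:
    """One outbound flow, then three inbound packets; returns the verdict of each."""
    gw = Gateway(nat, stateful)
    remote = "198.51.100.7"
    out = gw.outbound(Packet(LAN_PREFIX + "10", 51234, remote, 443))
    # Legitimate reply: the remote answers whatever source the packet left with.
    reply = Packet(remote, 443, out.src, out.sport)
    # Unsolicited probe aimed at the uplink address.
    probe_wan = Packet("198.51.100.9", 40000, WAN_ADDR, 22)
    # Unsolicited packet the upstream network sends straight to the LAN address
    # (the case the thread points out: private addressing alone is not a filter).
    probe_lan = Packet("198.51.100.9", 40001, LAN_PREFIX + "10", 22)
    return {
        "reply": gw.inbound(reply)[0],
        "probe_wan": gw.inbound(probe_wan)[0],
        "probe_lan": gw.inbound(probe_lan)[0],
    }


if __name__ == "__main__":
    for nat in (False, True):
        for stateful in (False, True):
            print(f"nat={nat!s:5} stateful={stateful!s:5} {scenario(nat, stateful)}")
```

Running the four combinations shows the point of the thread: the reply is accepted in every configuration, the probe at the uplink address is never forwarded, but the packet addressed directly to the LAN host is forwarded by a NAT-only gateway and dropped only when the stateful filter is on, whether or not NAT is also on.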