Doomed to Repeat with IPv6? Characterization of NAT-centric Security in SOHO Routers
ACM Computing Surveys (IF 23.8), Pub Date: 2023-07-17, DOI: 10.1145/3586007
Karl Olson, Jack Wampler, Eric Keller

With the transition to IPv6, addressing constraints that necessitated a common security architecture under network address translation (NAT) are no longer present. Instead, manufacturers are now able to choose between an open model design, where devices are end-to-end reachable, or a more familiar closed model, where the home gateway may continue to serve as a perimeter security device. The potential for further nuance, such as differences in default access control policies, filtering behaviors, and IPv6-specific requirements, presents an environment defined by ambiguity. For the consumer, the potential impact of these changes is unclear. To address this uncertainty, we taxonomize the present NAT-centric model of consumer gateway security through a survey of over 300 common vulnerabilities and exposures surrounding NAT and hole punching protocols. From this survey, we contextualize the limited security NAT has provided while serving as the primary perimeter defense mechanism in home networks. We further define how this baseline security model for consumer gateways is reflected in IPv6 through an assessment of ten commonly deployed consumer gateways. Our conclusion is that familiarity of a NAT-centric design is no longer assured for IPv6, requiring an active involvement by users to limit exposures within their home networks.




Updated: 2023-07-17