Comment by ok123456

5 days ago

> never designed to be a security feature

It's virtually always used with some firewall rules, so it sort of is? It's just dogma to insist that there are no security benefits to having a single choke point for traffic.

It's almost always done in devices capable of being firewalls because many-to-few translations require stateful tracking. Firewalls already did that, so it was a natural place to apply NAT policies.

NAT also includes many-to-many and one-to-one translations, and those are just as easily implemented in anything routing with no extra memory and complexity required. This is sometimes referred to as symmetric NAT.

The firewall rules are what is providing the protection, by applying a policy that traffic must be initiated by a host on the "more trusted" network or whatever your preferred terminology is. That can happen without NAT and does all the time. Techniques for forcing translations have been well known as long as NAT, and there are probably some unobvious ones out there too. In the 1990s it was still common to get multiple IPv4 addresses if you went to the trouble of having ISDN or whatever, and they were equally protected by a firewall that did not do NAT.

The firewall is very much a separate thing, and part of the efforts to make v6 properly available for home customers was introducing a somewhat standard firewall setup that replicates what people think NAT does for security (and what NAT definitely does not do, if only by virtue of being broken by the classic connect/connect vs connect/listen connection).

The firewall is what is providing security, not NAT. And you can equally easily have a firewall in front of an IPv6 network.
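As an added illustration of the point above (not the commenter's own configuration), here is an nftables ruleset for a home IPv6 router that applies exactly the "must be initiated from the trusted side" policy with no NAT anywhere. The interface names wan0 and lan0 are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the comment: a stateful IPv6 forwarding policy for a
# home router with no translation at all. Interface names are assumed:
# wan0 faces the ISP, lan0 faces the home network.
#
# Note that there is no "nat" table here. The protection comes from the
# conntrack state match and the default drop policy, the same stateful
# tracking a NAT box already has to perform for many-to-few translation.
table inet fw6 {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for flows the LAN side initiated is admitted by
        # connection state, which is what people assume NAT is doing for them.
        ct state established,related accept
        ct state invalid drop

        # IPv6 does not work without ICMPv6 (path MTU discovery, errors),
        # so admit the informational subset inbound as well.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept

        # New connections may only be opened from the trusted side outward.
        iifname "lan0" oifname "wan0" ct state new accept

        # Anything else arriving unsolicited from wan0 falls through to the
        # drop policy; nothing about addressing or translation is involved.
    }
}
```

Load it with `nft -f` on a router with IPv6 forwarding enabled; the host's own input chain is a separate concern and is not shown.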