Comment by lq9AJ8yrfs
8 hours ago
NAT causes security issues too. Reflection attacks are much harder to stop if the endpoint and its network address are decoupled.
You can provoke loops and tangles of many sorts, some at the same protocol level and others going up and down.
My memory is fading but I vaguely recall a time when all of AOL shared something like a dozen egress addresses for certain traffic -- might have been proxies as opposed to NAT/"PAT" as we know it today. IOW, you couldn't block one without blocking 1/12 of AOL users.
Stronger memories of a time when your IP address (some were NAT, some were not, varied by ISP) depended on which modem bank you dialed into, which was strongly influenced by what phone number you dialed, which diluted the identity value of a given IP for a computer or user.
The RFC introducing NAT -- RFC 1631 -- says:
> Unfortunately, NAT reduces the number of options for providing security [1]
Somehow, everyone forgot that, and it morphed into a cargo-culting security practice, even going so far as to propagate 1990s network limitations into the cloud(!)
[1] https://www.rfc-editor.org/rfc/rfc1631.html
Thanks for that quote. Finally something to slap into the faces of those who just refuse to acknowledge that NAT is not a security feature.