Comment by paulddraper
18 days ago
The RFC introducing NAT -- RFC 1631 -- says:
> Unfortunately, NAT reduces the number of options for providing security [1]
Somehow, everyone forgot that, and it morphed into a cargo-culting security practice, even going so far as to propagate 1990s network limitations into the cloud(!)
Real-world CSRF attacks into hxxp://192.168.0.1 home routers and polluting DNS and DHCP settings you could argue are caused, or at least facilitated, by NAT, or NAT misconceptions especially.
Though IPv6 has a similar situation with well defined unicast and multicast addresses.
True story, popular browsers won't let you load a webpage via various IPv6 local address literals for this reason. hxxp://[ff02::] addresses won't work.
/ You can have your cake by "tying a knot" with yourself and port forwarding from 127.0.0.1 to the IPv6 literal. An ssh port forward will do this with aplomb. Then load hxxp://localhost:port and it works again.
// Browser logic
Thanks for that quote. Finally something to slap into the faces of those who just refuse to acknowledge that NAT is not a security feature.
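The thread's point is that the router at 192.168.0.1 is reachable from any page the browser loads, NAT or not, and that the browser itself is what refuses link-local and multicast literals. As an added example, not from the thread, the Python below (assumed names `scope` and `allow_request`) classifies a URL's host literal into an address scope and denies a request that reaches from a less-local origin into a more-local target, which is the check a router's admin interface or a browser needs to make; a DNS name is conservatively treated as public, since only resolution can say otherwise.

```python
from ipaddress import ip_address, IPv6Address
from urllib.parse import urlsplit


def scope(url: str) -> str:
    """Classify the host of a URL: loopback, link-local, multicast, private, public, name or invalid."""
    host = urlsplit(url).hostname  # strips [] around IPv6 literals and lowercases
    if host is None:
        return "invalid"
    if host == "localhost":
        return "loopback"
    try:
        # Drop a zone id such as fe80::1%eth0; it does not change the scope class.
        ip = ip_address(host.split("%")[0])
    except ValueError:
        return "name"  # a DNS name: cannot be placed without resolving it
    if isinstance(ip, IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:192.168.0.1 is still 192.168.0.1
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private"
    return "public"


# Higher rank = more local. A request may only go sideways or outward, never inward;
# a DNS name is ranked as public because nothing is known about it before resolution.
_RANK = {"public": 0, "name": 0, "private": 1, "link-local": 2, "multicast": 2, "loopback": 3}


def allow_request(origin_url: str, target_url: str) -> bool:
    """Return True if a page at origin_url may issue a request to target_url."""
    src, dst = scope(origin_url), scope(target_url)
    if src == "invalid" or dst == "invalid":
        return False
    return _RANK[src] >= _RANK[dst]


if __name__ == "__main__":
    # Constructed sample: a public page reaching into a NAT'd home router is denied.
    print(allow_request("https://evil.example/", "http://192.168.0.1/"))  # False
```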