← Back to context

Comment by simoncion

17 hours ago

Ah, I see what you're driving at.

It's a security feature in the same way that a power-cut switch is a security feature. A power-cut switch's purpose is cut power to a machine so that it can -say- be safely worked on or relocated (or simply to not draw power when the machine's not in use), the machine also happens to be inaccessible while its power is cut.

Sure. It's not technically a lie to call a power-cut switch a security feature for most pieces of kit. I'd still laugh at the salesman that made the assertion. If I were feeling particularly cunty, I'd ask him if he injured himself from that great big stretch.

7 comments

simoncion

Reply
tptacek  17 hours ago

I can't emphasize enough how much of a retcon it is to say "it's not technically a lie" that NAT is a security feature. It was deployed in hundreds of networks specifically as a security feature, and it is part of the security posture of hundreds of thousands of home networks today. People who say "NAT isn't a security feature" are simply wrong.

There are lots of security features I personally don't like either. I don't claim they're not security features; I say they're bad security features.

  • zamadatix  7 hours ago

    You've repeatedly re-emphasized your personal claim "this is how it was" while continually refusing to provide any external evidence, yet have the gumption to continue repeating it must be others letting their personal feelings get in the way of looking at what NAT was that leads to the disagreement about the history.

    NAT does not care about anyone's personal feelings, one way or the other. Bringing up what you think other's personal feelings are does not help you redefine the original purpose and usage of NAT to be about security.

    If you were solely arguing pure NAT could possibly be used today as (or that a few had eventually made poor attempts to use pure NAT as) a way to have better-than-nothing security then I'd agree. Instead you're insisting to rewrite history to make it sound like that's the way NAT was always intended to be used or what it was widely deployed for based on your personal recollection alone, other evidence be damned. If, e.g., the RFC had given more to say about being for security instead of address exhaustion, I highly doubt you would have completely ignored any reference to it in these ~dozen messages.

  • Dylan16807  17 hours ago

    The PIX evidence above doesn't make it look like a retcon. Do you have something better to show about those hundreds of networks?

    • kortilla  16 hours ago

      > Since there's no way for anyone on the Internet to know which machine on the corporate network is using a Class C address at any given time, it's impossible to establish a telnet or FTP session with any particular device.

      This is a security feature ad, nothing else. And it’s 100% because of NAT, not anything else in the PIX feature set.

      1 reply →