On Sat, Feb 17, 2024 at 10:34 AM Michael Thomas <mike@mtcc.com> wrote:
I didn't hear about NAT until the late 90's, iirc. I've definitely not heard of Gauntlet.
Then there are gaps in your knowledge.
Funny, I don't recall Bellovin and Cheswick's Firewall book discussing NAT.
And mine too, since I hadn't heard of "Firewalls and Internet Security: Repelling the Wily Hacker" and have not read it. I see that the book was published in 1994. In 1994 Gauntlet was calling their process "transparent application layer gateways," not NAT. What was called NAT in 1994 was stateless 1:1 NAT, where one IP mapped to exactly one IP in both directions. Stateless 1:1 NAT had no impact on security. But that's not the technology we're talking about in 2024. Stateless 1:1 NAT is so obsolete that support was dropped from the Linux kernel a long time ago. That actually caused a problem for me in 2017. I had a use where I wanted 1:1 NAT and wanted to turn off connection tracking so that I could do asymmetric routing through the stateless translators. No go. So it does not surprise me that a 1994 book on network security would not have discussed NAT. They'd have referred to the comparable contemporary technology, which was "transparent application layer gateways." Those behaved like what we now call NAT but did the job a different way: instead of modifying packets, they terminated the connection and proxied it. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/