On 2/16/24 6:33 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 6:10 PM Ryan Hamel <ryan@rkhtech.org> wrote:
Depending on where that rule is placed within your ACL, yes that can happen with *ANY* address family. Hi Ryan,
Correct. The examples illustrated a difference between a firewall implementing address-overloaded NAT and a firewall implementing everything except the address translation. Either example could be converted to the other address family and it would work the same way.
All things aside, I agree with Dan that NAT was never ever designed to be a security tool. It is used because of the scarcity of public address space, and it provides a "defense" depending on how it is implemented, with minimal effort. This video tells the story of NAT and the Cisco PIX, straight from the creators https://youtu.be/GLrfqtf4txw NAT's story, the modern version of NAT when we talk about IPv4 firewalls, started in the early '90s with the Gauntlet firewall. It was described as a transparent application layer gateway. Gauntlet focused on solving enterprise security issues. Gauntlet's technology converged with what was then 1:1 NAT to produce the address-overloaded NAT like what later appeared in the Cisco PIX (also first and foremost a security product) and is present in all our DSL and cable modems today.
Security came first, then someone noticed it'd be useful for address conservation too. Gauntlet's customers generally had or could readily get a supply of public IP addresses. Indeed, when Gauntlet was released, IP addresses were still available from hostmaster@internic.net at zero cost and without any significant documentation. And Gauntlet was expensive: folks who couldn't easily obtain public IP addresses also couldn't afford it.
Funny, I don't recall Bellovin and Cheswick's Firewall book discussing NAT. That was sort of the go-to book for hard-on-the-outside soft-on-the-inside defense. Maybe they were unaware of this, or maybe they didn't agree with the premise. I didn't hear about NAT until the late 90's, iirc. I've definitely not heard of Gauntlet. As I recall, it was very much an afterthought with cable/DOCSIS to use NAT to conserve addresses. The headend DHCP server just gave public addresses to whoever asked. DOCSIS CPE at that time was just an L2 modem. NAT traversal absolutely was not on the table with Packetcable back in the late 90's, and believe me we were very concerned about the security of MGCP since it was UDP based. Which is to say that NAT came around to preserve address space. Any security properties were sort of a post-hoc rationalization and hotly debated given all the things NAT broke. Mike