rhkra...@gmail.com wrote:
> On Wednesday, August 10, 2022 04:12:11 AM Curt wrote:
> > I never realized that local addresses were fundamentally identical in all
> > local networks because there weren't enough addresses in the first
> > place, and that NAT was essentially designed to palliate this shortage.
>
> Yes, aiui, NAT was designed because of the address shortage, but ...
>
> > I thought the latter was some sort of security measure.
>
> at least in early versions of NAT (more below) it also provided some level of
> security as it was designed to only forward incoming connections (to computers
> in a LAN) from "known" external computers.
>
> I.e., if a computer on the LAN contacted a computer outside the LAN, NAT would
> allow incoming data from that external computer, but not allow incoming data
> from other external computers.
That's a slight confusion of NAT and packet filtering. NAT by itself doesn't do that. The varieties of NAT include:

1:1 - an outside address is mapped to an inside address. This allows you to renumber the outside address at the NAT device rather than changing every internal address. Sometimes called "static" NAT.

1:N - an outside address is mapped to many inside addresses. This is what bandaged the IPv4 address shortage. The mapping is typically dynamic but does not have to be. The NAT device needs to keep track of ports in use, because the multiplexing is done by reassigning ports as well as IP addresses. It's very common to include a packet filter here to allow TCP sessions to only be initiated from the inside -- but it is not mandatory.

N:1 - rarely used, but legitimate: multiple outside IP addresses are mapped to a single internal address. It's almost always a better idea to use CNAMEs or multiple 1:1 mappings.

N:M - usually this is an expansion of 1:N when you just have too many internal addresses active at the same time, so you expand the mapping from 1 outside address to several. Pretty common at medium-to-large organizations for end-user devices.

CGNAT - "carrier grade NAT" is a chained N:M scenario with an extra layer in the 100.64/10 subnet, specifically so that it doesn't collide with RFC1918 addresses. Used mostly by mobile phone networks.

> I'm not sure that current implementations of NAT provide that same
> functionality, (but it is sort of a natural thing -- if something comes in
> from an unrecognized external computer, it would not know which computer (on
> the LAN) to forward it to, so it would presumably just be dropped.

The problem is that if the packet filtering is not present, indiscriminate attacks occur. To many attackers, it does not matter what internal machine is being targeted -- any of them will do. "Any Windows machine" is a good target class, but so is "home wifi routers with known vulnerabilities".
> my LAN consisted only of DOS (or Windows) computers. One (DOS) computer on
> the LAN ran one or more software packages that (1) interfaced to the dial-up
> (!!) modem and (2) provided the NAT functionality.
>
> I don't recall if that was one package or two, and in any case, I don't recall
> the package name(s).

ipchains, replaced by iptables, which is now built on nftables (but nftables can be used alone). The general concept was called "masquerade" but is, as you have noted, 1:N NAT. The dialup software was often pppd (or before that, slipd).

-dsr-
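The distinction dsr draws above (the address/port translation is one thing, the packet filter that only admits replies to flows opened from inside is another) is easy to see in a toy model. The following Python is an added illustration written for this page, not code from the thread or from any NAT implementation: it models a 1:N "masquerade" translator that shares one outside address among several LAN hosts by handing out outside ports, and lets you switch the stateful filter on or off. All addresses and ports are constructed sample values, and the class and function names (`Napt`, `scenario`) are inventions for the example.

```python
"""Toy model of 1:N NAT (Linux "masquerade") with and without a stateful
packet filter.  Added illustration, not code from the mailing-list thread;
every address and port is a constructed sample value, and the translator is
a deliberate simplification of what a real NAT box does."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

OUTSIDE_ADDR = "203.0.113.5"   # the one public address the LAN shares (constructed)
FIRST_NAT_PORT = 40000         # where this toy starts handing out outside ports


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# mapping value: (inside ip, inside port, remote ip, remote port)
Mapping = Tuple[str, int, str, int]


@dataclass
class Napt:
    """1:N NAT: many inside (ip, port) pairs share one outside address and are
    told apart by the outside port the translator assigns to each flow."""
    outside_ip: str
    filter_unsolicited: bool            # the packet filter the thread talks about
    next_port: int = FIRST_NAT_PORT
    by_outside_port: Dict[int, Mapping] = field(default_factory=dict)
    by_flow: Dict[Mapping, int] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN->Internet packet so it carries the shared outside
        address, allocating a fresh outside port for a new flow."""
        flow: Mapping = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_outside_port[port] = flow
            self.by_flow[flow] = port
        return Packet(self.outside_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an Internet->LAN packet, or return None if it is dropped."""
        entry = self.by_outside_port.get(pkt.dst_port)
        if entry is None:
            # No mapping at all: the translator has no inside host to hand the
            # packet to, so it is dropped even without any filter.
            return None
        inside_ip, inside_port, remote_ip, remote_port = entry
        if self.filter_unsolicited and (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            # Stateful filter: only the peer the inside host contacted may
            # use this mapping.  Plain NAT has no such rule.
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def scenario(filter_unsolicited: bool) -> Dict[str, object]:
    """Run two LAN hosts through the translator and probe the mapping from a
    third, unrelated outside host.  Returns what the inside hosts would see."""
    nat = Napt(OUTSIDE_ADDR, filter_unsolicited)
    # Two inside hosts open flows to the same web server, both from local
    # port 51000: only the port rewrite keeps the two flows apart (constructed).
    a_out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))
    b_out = nat.outbound(Packet("192.168.1.11", 51000, "198.51.100.7", 443))
    # The server's replies come back to the ports the NAT handed out.
    a_reply = nat.inbound(Packet("198.51.100.7", 443, OUTSIDE_ADDR, a_out.src_port))
    b_reply = nat.inbound(Packet("198.51.100.7", 443, OUTSIDE_ADDR, b_out.src_port))
    # An unrelated outside host sends to a mapped port and to an unmapped one.
    stray_mapped = nat.inbound(Packet("198.51.100.99", 12345, OUTSIDE_ADDR, a_out.src_port))
    stray_unmapped = nat.inbound(Packet("198.51.100.99", 12345, OUTSIDE_ADDR, 9))
    return {
        "outside_ports": (a_out.src_port, b_out.src_port),
        "a_reply_to": (a_reply.dst_ip, a_reply.dst_port) if a_reply else None,
        "b_reply_to": (b_reply.dst_ip, b_reply.dst_port) if b_reply else None,
        "stray_mapped_to": (stray_mapped.dst_ip, stray_mapped.dst_port) if stray_mapped else None,
        "stray_unmapped_to": (stray_unmapped.dst_ip, stray_unmapped.dst_port) if stray_unmapped else None,
    }


if __name__ == "__main__":
    for filtered in (False, True):
        print("with filter" if filtered else "NAT only", scenario(filtered))
```

With the filter off, a packet from an unrelated outside host to an outside port that happens to be mapped is translated and forwarded to the LAN host, which is what "NAT by itself doesn't do that" means; a packet to an unmapped port is dropped in both modes simply because there is nowhere to send it. On a Linux masquerade box the filter half is the separate conntrack rule (nftables `ct state established,related accept` plus a drop for new inbound flows), not the NAT rule itself.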