
Re: Verizon IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)

rhkramer@gmail.com wrote: 
> On Wednesday, August 10, 2022 04:12:11 AM Curt wrote:
> > I never realized that local addresses were fundamentally identical in all
> > local networks because there weren't enough addresses in the first
> > place, and that NAT was essentially designed to palliate this shortage.
> 
> Yes, aiui, NAT was designed because of the address shortage, but ...
> 
> > I thought the latter was some sort of security measure.
> 
> at least in early versions of NAT (more below) it also provided some level of 
> security as it was designed to only forward incoming connections (to computers 
> in a LAN) from "known" external computers.
> 
> I.e., if a computer on the LAN contacted a computer outside the LAN, NAT would 
> allow incoming data from that external computer, but not allow incoming data 
> from other external computers.

That's a slight confusion of NAT and packet filtering. NAT by
itself doesn't do that.

The varieties of NAT include:

1:1 - an outside address is mapped to an inside address. This allows you
to renumber the outside address at the NAT device rather than changing
every internal address. Sometimes called "static" NAT.

1:N - an outside address is mapped to many inside addresses.  This is
what bandaged the IPv4 address shortage. The mapping is typically dynamic
but does not have to be. The NAT device needs to keep track of ports in
use, because the multiplexing is done by reassigning ports as well as IP
addresses. It's very common to include a packet filter here to
allow TCP sessions to only be initiated from the inside -- but
it is not mandatory.

N:1 - rarely used, but legitimate: multiple outside IP addresses
are mapped to a single internal address. It's almost always a
better idea to use CNAMEs or multiple 1:1 mappings.

N:M - usually this is an expansion of 1:N when you just have too many
internal addresses active at the same time, so you expand the mapping
from 1 outside address to several. Pretty common at medium-to-large
organizations for end-user devices.

CGNAT - "carrier grade NAT" is a chained N:M scenario with an extra
layer in the 100.64/10 subnet, specifically so that it doesn't collide
with RFC1918 addresses. Used mostly by mobile phone networks.

> I'm not sure that current implementations of NAT provide that same 
> functionality (but it is sort of a natural thing -- if something comes in 
> from an unrecognized external computer, it would not know which computer (on 
> the LAN) to forward it to, so it would presumably just be dropped).

The problem is that if the packet filtering is not present, indiscriminate
attacks occur. To many attackers, it does not matter what internal machine
is being targeted -- any of them will do. "Any Windows machine" is a good
target class, but so is "home wifi routers with known vulnerabilities".


> my LAN consisted only of DOS (or Windows) computers.  One (DOS) computer on 
> the LAN  ran one or more software packages that (1) interfaced to the dial-up 
> (!!) modem and (2) provided the NAT functionality.  
> 
> I don't recall if that was one package or two, and in any case, I don't recall 
> the package name(s).

ipchains, replaced by iptables, which is now built on nftables (but
nftables can be used alone). The general concept was called "masquerade"
but is, as you have noted, 1:N NAT. The dialup software was
often pppd (or before that, slipd).

-dsr-
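The distinction above between translation and filtering is easiest to see in a real ruleset. The following nftables ruleset is an added example, not from the original post or from any of the participants; it assumes a hypothetical router with WAN interface eth0, LAN interface eth1, LAN prefix 192.168.1.0/24, and a spare public address 203.0.113.10 (all assumptions). The nat table on its own is the 1:N "masquerade" (plus one 1:1 static entry); it translates addresses and ports but says nothing about who may initiate a connection. That decision lives entirely in the separate filter table, which is the part that would be missing on a box that "only does NAT".

```nft
#!/usr/sbin/nft -f
# Added example, not the original post's own configuration.
# Assumptions (hypothetical): eth0 = WAN, eth1 = LAN,
# LAN prefix 192.168.1.0/24, public address 203.0.113.10.
flush ruleset

table ip nat {
    # Outbound translation. Rule order matters: the 1:1 static entry
    # must come before the catch-all masquerade or it never matches.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # 1:1 ("static") NAT: one inside host always appears as 203.0.113.10
        oifname "eth0" ip saddr 192.168.1.10 snat to 203.0.113.10
        # 1:N NAT ("masquerade"): everyone else shares eth0's own address;
        # the kernel's conntrack table tracks the per-flow port rewrites
        oifname "eth0" ip saddr 192.168.1.0/24 masquerade
    }
    # Inbound half of the 1:1 entry. Note that this only *rewrites* the
    # destination; it does not decide whether the packet is allowed through.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "eth0" ip daddr 203.0.113.10 dnat to 192.168.1.10
    }
}

# Everything security-relevant is here, in the packet filter. Without this
# table, the nat table above forwards whatever it can find a mapping for.
table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies belonging to a flow that is already in the conntrack table
        # (i.e. one a LAN host started) are allowed back in.
        ct state established,related accept
        # New flows may only be initiated from the LAN side.
        iifname "eth1" oifname "eth0" ct state new accept
        # The 1:1 host is deliberately reachable from outside; this must be
        # said explicitly, the dnat rule alone does not grant it.
        iifname "eth0" ip daddr 192.168.1.10 ct state new accept
        # Anything else, including unsolicited inbound traffic aimed at
        # arbitrary LAN hosts, falls through to the chain's drop policy.
    }
}
```

Check the syntax without touching the running kernel with `nft -c -f nat.nft`, then load it as root with `nft -f nat.nft`. To see the point of the post, comment out the entire filter table and reload: the nat table still works, and an external host that guesses an in-use external port, or targets 203.0.113.10, is forwarded inward with no check on where it came from.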