Re: IPv6 uptake (was: The Reg does 240/4)

[William Herrin <bill () herrin us>]

On Fri, Feb 16, 2024 at 6:10 PM Ryan Hamel <ryan () rkhtech org> wrote:
> Depending on where that rule is placed within your ACL, yes that can happen with *ANY* address family.

Hi Ryan,

Correct. The examples illustrated a difference between a firewall
implementing address-overloaded NAT and a firewall implementing
everything except the address translation. Either example could be
converted to the other address family and it would work the same way.

> All things aside, I agree with Dan that NAT was never
> ever designed to be a security tool. It is used because
> of the scarcity of public address space, and it provides
> a "defense" depending on how it is implemented, with
> minimal effort. This video tells the story of NAT and the
> Cisco PIX, straight from the creators
> https://youtu.be/GLrfqtf4txw

NAT's story, the modern version of NAT when we talk about IPv4
firewalls, started in the early '90s with the Gauntlet firewall. It
was described as a transparent application layer gateway. Gauntlet
focused on solving enterprise security issues. Gauntlet's technology
converged with what was then 1:1 NAT to produce the address-overloaded
NAT like what later appeared in the Cisco PIX (also first and foremost
a security product) and is present in all our DSL and cable modems
today.

Security came first, then someone noticed it'd be useful for address
conservation too. Gauntlet's customers generally had or could readily
get a supply of public IP addresses. Indeed, when Gauntlet was
released, IP addresses were still available from
hostmaster () internic net at zero cost and without any significant
documentation. And Gauntlet was expensive: folks who couldn't easily
obtain public IP addresses also couldn't afford it.

Regards,
Bill Herrin

-- 
William Herrin
bill () herrin us
https://bill.herrin.us/