top | item 46469200

(no title)

>CGNAT is nowhere near the common case yet. And frankly, I’m horrified that anyone’s describing it as a good thing.

For some reason, "CGNAT == privacy" is a very common sentiment on Hacker News. Yeah, Hacker News. It's bewildering, and after my last comment [0] talking about it, I have kinda already given up trying to convince people that CGNAT is devilish and not at all a privacy protector.

[0]: https://news.ycombinator.com/item?id=40180058

discuss

kstrauser|1 month ago

It’s right up there with “NAT == security”, which is also disappointing for here. It’s not so much the sentiment, as how confidently it’s asserted.

magicalhippo|1 month ago

Without NAT my computer isn't on the internet, because my ISP only affords me one IP which my router uses. If it's not on the internet, and adversary can't send my computer any packets.

With NAT, an adversary can't send my computer any packets either unless I explicitly set up port mappings.

So, if you can't send my computer any packets, how is it not providing security?

Of course, it doesn't provide full security like a firewall can do, since there's ways to punch holes in the NAT from the inside. But it seems just as incorrect to fully dismiss "NAT == security".

NAT provides some functional security. It is not a replacement for a proper firewall.