by devman0 959 days ago
It isn't a big if, it is literally the same connection tracking stack except without the address and port mapping.

If you take away the mapping the tracking doesn't go away. Inbound traffic still needs to match to a session created by outbound traffic.


Yes, and every router has to do it properly by default, which so far they haven't really been. NAT is a lot harder to do wrong, because the local IPs aren't even addressable.

It's not harder to do wrong, it's just less noticeable when done wrong; it's been a security consideration since NAT was created, and a persistent issue since then:

https://datatracker.ietf.org/doc/html/rfc2993#page-22

https://threatpost.com/remote-attackers-internal-network-dev...

https://www.anvilsecure.com/blog/dhcp-games-with-smart-route...

It's defense in depth. I don't understand if and how this exploit allows an attacker to hit port 80 on my PC for instance, but either way it looks like a pretty sophisticated attack only discovered in 2021, and I still don't see panic over it.

If they haven't really been, then NAT wouldn't be working either, that's the point I'm making. NAT requires connection tracking to function, because NAT is actually an extra step on top of a basic stateful firewall, and the mapping part isn't the part that provides security, it is the connection tracking part.
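As an added illustration (not code from anyone in this thread), here is a toy Python model of the two positions above: the session table is identical with and without address/port mapping, and the only thing that decides whether unsolicited inbound traffic reaches a LAN host is the stateful rule "inbound must match a session created by outbound traffic". The `strict=False` mode models a gateway that has lost that rule; with NAT the omission is masked because an unmapped packet to the public address has no LAN host to go to, while in routed mode it is forwarded straight to the PC. The `Gateway` class, the address plan (RFC 5737 documentation ranges) and the port pool are all constructed for the example.

```python
"""Toy model of an edge gateway's connection tracking, with and without
address/port mapping (NAT). All addresses, ports and hosts are constructed
for illustration (RFC 5737 documentation ranges); this is not router code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Gateway:
    """Hypothetical gateway between a LAN prefix and the internet.

    nat=True     outbound flows are rewritten to public_ip:<port>;
                 nat=False forwards LAN addresses unchanged (plain routing).
    strict=True  enforces the stateful rule: inbound that matches no session
                 created by outbound traffic is dropped.
    strict=False models a device that lost that rule and forwards any
                 inbound packet whose destination is a LAN address.
    The session table is built and consulted the same way in every mode.
    """

    def __init__(self, lan_prefix, public_ip, nat=True, strict=True):
        self.lan_prefix = lan_prefix
        self.public_ip = public_ip
        self.nat = nat
        self.strict = strict
        self.sessions = {}      # expected reply 5-tuple -> (lan_ip, lan_port)
        self.next_port = 40000  # constructed NAT source-port pool

    def outbound(self, pkt):
        """LAN -> internet: record the session, rewrite the source if NAT."""
        if self.nat:
            ext_ip, ext_port = self.public_ip, self.next_port
            self.next_port += 1
        else:
            ext_ip, ext_port = pkt.src_ip, pkt.src_port
        reply_key = (pkt.proto, pkt.dst_ip, pkt.dst_port, ext_ip, ext_port)
        self.sessions[reply_key] = (pkt.src_ip, pkt.src_port)
        return Packet(ext_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Internet -> LAN: return the packet as delivered, or None if not forwarded."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        hit = self.sessions.get(key)
        if hit is not None:
            # Matches a session opened from inside: forward (undoing the mapping, if any).
            return Packet(pkt.src_ip, pkt.src_port, hit[0], hit[1], pkt.proto)
        if self.strict:
            return None  # unsolicited: dropped by the stateful rule
        if pkt.dst_ip.startswith(self.lan_prefix):
            return pkt   # rule missing and destination is a LAN host: forwarded as-is
        return None      # aimed at the public IP with no mapping: no LAN host to hand it to


LAN_PREFIX = "192.0.2."        # constructed; treated as routable when nat=False
PC = "192.0.2.10"
PUBLIC_IP = "198.51.100.1"
SERVER = "203.0.113.5"
OUTSIDER = "203.0.113.99"


def scenario(nat, strict):
    """Return (reply_reaches_pc, unsolicited_port80_reaches_pc) for one gateway mode."""
    gw = Gateway(LAN_PREFIX, PUBLIC_IP, nat=nat, strict=strict)
    # 1. The PC opens a connection to a web server; the reply must come back to it.
    out = gw.outbound(Packet(PC, 51000, SERVER, 443))
    reply = gw.inbound(Packet(SERVER, 443, out.src_ip, out.src_port))
    reply_ok = reply is not None and (reply.dst_ip, reply.dst_port) == (PC, 51000)
    # 2. Unsolicited inbound to port 80: aimed at the PC's own address when routed,
    #    at the gateway's public address when the LAN sits behind NAT.
    target = PUBLIC_IP if nat else PC
    stray = gw.inbound(Packet(OUTSIDER, 12345, target, 80))
    stray_ok = stray is not None and stray.dst_ip == PC
    return reply_ok, stray_ok


if __name__ == "__main__":
    for nat in (True, False):
        for strict in (True, False):
            print(f"nat={nat!s:5} strict={strict!s:5} -> (reply, unsolicited) =",
                  scenario(nat, strict))
```

Running it shows the reply reaching the PC in all four modes and the unsolicited packet reaching it only when `nat=False, strict=False`, which is the behaviour both commenters are describing from different angles: the tracking is what protects the host, and NAT merely hides the cases where the tracking rule has gone missing, so the check worth verifying on a router is the established/related rule itself, not the presence of address mapping.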