by vy8vWJlco 4748 days ago
But that is not a feature of NAT, that is a feature of a firewall (for example, it is possible to route incoming packets via the WAN as well as masquerade outgoing ones from the LAN - most people wouldn't even know their pants are down). It is a coincidence that home routers sometimes provide both, leading people to conflate their firewall with their NAT system - but if a firewall is what is wanted (and it is arguably the only valuable component), NAT is not the thing to ask for. Conflating NAT with firewalls also promotes the idea that NAT has a place in any network with abundant addresses. IMHO, it does not.

NAT will always have a place, because not everyone wants to expose a uniquely routable address for every device they own (probably based on a device's MAC address) to the world.
The simple and much more flexible answer to this is to have a firewall rule on the edge router that simply drops all packets to and from the hosts you do not want visible. Note that this is more flexible in that if you want some hosts visible and some not, you can do that. You cannot do that with NAT: you only have one port 80 and several servers, for example.

In general, use the right tool for the job. NAT provides some blunt security features incidentally. It does not, for example, prevent your server from making connections to the outside world. The firewall is what is meant to be used to restrict traffic. That is its only job and it does that well.

Can you give an example that isn't based on security (since the NAT isn't providing that)? I can only think of short-term (undesirable) transition or load-balancing mechanisms - all of which have better long-term solutions (anycast, multicast, and dynamic service discovery, etc)...
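Added example, not from any participant in the thread: a toy model of the edge router the comment above describes, with a stateful per-host firewall policy beside a port-forwarding NAT table. The addresses (192.0.2.0/24 as the LAN, 203.0.113.5 as the public side, 198.51.100.7 as a remote peer) are documentation-range values, and the host roles are invented for the illustration.

```python
# Added example (not from the thread): a toy model of an edge router, written
# to make the comment's point concrete. The addresses (192.0.2.0/24 as the LAN,
# 203.0.113.5 as the public side) are from the documentation ranges and the
# host roles are invented.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new TCP connection


class EdgeFirewall:
    """Stateful filter: a per-host policy decides which hosts may accept new
    inbound connections, replies to LAN-initiated flows always pass, and
    everything else is dropped."""

    def __init__(self, lan: str, exposed: dict[str, set[int]]):
        self.lan = ipaddress.ip_network(lan)
        # host -> ports on which it may accept new inbound connections
        self.exposed = {ipaddress.ip_address(h): p for h, p in exposed.items()}
        self.flows: set[tuple] = set()  # (proto, src, sport, dst, dport)

    def _inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.lan

    def forward(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            self.flows.add(key)            # LAN -> WAN: remember the flow
            return "accept"
        if key in self.flows or reverse in self.flows:
            return "accept"                # part of a flow already allowed
        allowed = self.exposed.get(ipaddress.ip_address(pkt.dst), set())
        if pkt.syn and pkt.dport in allowed:
            self.flows.add(key)            # new connection to an exposed service
            return "accept"
        return "drop"                      # unsolicited, or host not exposed


class PortForwardNat:
    """One public address; each public (proto, port) forwards to one host."""

    def __init__(self, public: str):
        self.public = public
        self.table: dict[tuple[str, int], tuple[str, int]] = {}

    def expose(self, proto: str, public_port: int, host: str, port: int) -> None:
        key = (proto, public_port)
        if key in self.table and self.table[key] != (host, port):
            raise ValueError(
                f"{self.public}:{public_port}/{proto} already forwards to "
                f"{self.table[key][0]}; a second server cannot share it")
        self.table[key] = (host, port)

    def inbound(self, pkt: Packet):
        """Rewrite an inbound packet's destination, or None if there is no mapping."""
        target = self.table.get((pkt.proto, pkt.dport))
        if pkt.dst != self.public or target is None:
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, target[0], target[1], pkt.syn)


def demo() -> dict[str, str]:
    """Two web servers exposed on port 80, one laptop that must stay invisible."""
    web1, web2, laptop, remote = "192.0.2.10", "192.0.2.11", "192.0.2.20", "198.51.100.7"
    fw = EdgeFirewall("192.0.2.0/24", {web1: {80}, web2: {80}})
    results = {
        "syn_to_web1_80": fw.forward(Packet("tcp", remote, 40000, web1, 80, syn=True)),
        "syn_to_web2_80": fw.forward(Packet("tcp", remote, 40001, web2, 80, syn=True)),
        "syn_to_web1_22": fw.forward(Packet("tcp", remote, 40002, web1, 22, syn=True)),
        "syn_to_laptop_80": fw.forward(Packet("tcp", remote, 40003, laptop, 80, syn=True)),
    }
    fw.forward(Packet("tcp", laptop, 50000, remote, 443, syn=True))  # laptop browses out
    results["reply_to_laptop"] = fw.forward(Packet("tcp", remote, 443, laptop, 50000))
    results["unsolicited_to_laptop"] = fw.forward(Packet("tcp", remote, 443, laptop, 50001))

    nat = PortForwardNat("203.0.113.5")
    nat.expose("tcp", 80, web1, 80)
    try:
        nat.expose("tcp", 80, web2, 80)      # the second server has nowhere to go
        results["nat_second_server"] = "accepted"
    except ValueError:
        results["nat_second_server"] = "conflict"
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24} {decision}")
```

The firewall half expresses "these two hosts on port 80, nothing else inbound, replies always pass" directly; the NAT half can carry only one mapping per public port, which is the "one port 80 and several servers" problem, and it says nothing at all about what LAN hosts may initiate outbound.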
What's with the widespread fixation against attributing any positive security attributes to Network Address Translation? It's like the old warning about NAT not being enough to protect a private network got cargo culted into a universal anti-NAT maxim.

What would you call it when a router at the edge of a private network presents a single IP to the world no matter how many devices are behind it, for privacy reasons?

"What's with the widespread fixation against attributing any positive security attributes to Network Address Translation"

It probably has something to do with NAT being a huge obstacle later, when needs change. For example, while it might make sense at one point to have multiple hosts appear as one, it is at the expense of direct addressability, and the workaround - having a unique address+port combination - makes less sense than having a unique directly-routable address.

"What would you call it when a router at the edge of a private network presents a single IP to the world no matter how many devices are behind it, for privacy reasons?"

The wrong tool for the job. :)

The privacy is gained not by translation but by blocking direct connections (which is a feature of a firewall - not of NAT). There is some value in NAT's ability to falsify the origin of data - i.e., to take credit for non-local flows - but if those applications ever grow they will be fighting to escape the single address of NAT and are thus only suitable in the short term. Ideally, NAT would go unused because every element is uniquely addressable and fully independent... Most people would not consider someone who continually takes credit for their or someone else's work to be a feature, and so it is with NAT.

I'm thinking more in terms of consumer networks. I really don't want my ISP to know exactly which devices I'm using or how many, nor do I want to have every web site be able to track them by globally routable IPv6 address everywhere I go. Simply blocking incoming connections doesn't solve that.

Taking credit for someone else's work is not a useful analogy for NAT, nor are the corresponding moral implications relevant.

"nor do I want to have every web site be able to track them by globally routable IPv6 address everywhere I go."

So, you would rather use one address for everything, making it easy as pie to track you? You can pretty much pick IPv6 addresses at random (under your router prefix), and you have (many many many) more addresses than the whole IPv4 address space to choose from (it's a 128 bit address space and providers typically give a /48, /56, or /64 prefix at worst... that's 128-64=64 bits... that's 2^63.9999... more addresses than IPv4). In short, you don't really "map" the IPv6 space the same way you do the IPv4 space.

Taking credit for someone else's work very much is a useful analogy: if I can only speak through a third party, and I need that third party's permission to speak, let alone be spoken to, I quickly resent him or her. This is quite the case with current NAT solutions, with system administrators restricting "their" networks, making communication difficult for everyone else (by holding the only globally-routable address or "allocating" only a few; everyone else is second-class).
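Added example, not from any participant in the thread: the "pick addresses at random under your router prefix" idea from the comment a few replies up, written out with Python's standard library. The prefix 2001:db8:abcd:1::/64 is a documentation-range value assumed for illustration; nothing here configures an interface.

```python
# Added example (not from the thread): choosing addresses at random inside a
# delegated IPv6 prefix and sizing that space against IPv4. The prefix
# 2001:db8:abcd:1::/64 is a documentation-range value assumed for illustration.
import ipaddress
import secrets

IPV4_SPACE = 2 ** 32


def addresses_in(prefix: str) -> int:
    """Number of addresses a delegated prefix contains: 2**(128 - length)."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses


def times_ipv4(prefix: str) -> int:
    """How many whole IPv4 Internets fit inside the prefix."""
    return addresses_in(prefix) // IPV4_SPACE


def random_address(prefix: str) -> ipaddress.IPv6Address:
    """Pick an address uniformly from the prefix using a CSPRNG.

    The interface identifier comes from `secrets`, not `random`: a predictable
    sequence would let an observer link the addresses back together, which
    defeats the purpose. The all-zero identifier is skipped because it is the
    subnet-router anycast address (RFC 4291)."""
    net = ipaddress.ip_network(prefix, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    if net.version != 6 or host_bits == 0:
        raise ValueError("need an IPv6 prefix with free host bits")
    while True:
        iid = secrets.randbits(host_bits)
        if iid != 0:
            return net[iid]


def rotating_addresses(prefix: str, count: int) -> list[ipaddress.IPv6Address]:
    """`count` distinct addresses, e.g. one per session or one per day."""
    seen: dict = {}  # dict keeps insertion order; used as an ordered set
    while len(seen) < count:
        seen[random_address(prefix)] = None
    return list(seen)


def all_inside(prefix: str, addrs) -> bool:
    """True if every address falls within the prefix (what the router will route)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return all(a in net for a in addrs)


if __name__ == "__main__":
    p = "2001:db8:abcd:1::/64"
    print(f"{p} holds 2**{addresses_in(p).bit_length() - 1} addresses,"
          f" {times_ipv4(p)} times the IPv4 space")
    for a in rotating_addresses(p, 3):
        print(a)
```

Production stacks do this automatically as RFC 4941 temporary addresses, rotating the interface identifier on a timer. The caveat a practitioner should keep in mind: the prefix itself is still routed to one subscriber, so the ISP and every site can still recognise the household; what the random low bits hide is which device, and how many, sit behind it, which is the same granularity a single NATed IPv4 address gives.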