Subject: Re: IPv6 Comment
To: Sean Doran <firstname.lastname@example.org>
From: Jason R Thorpe <email@example.com>
Date: 09/01/2000 09:27:41
On Fri, Sep 01, 2000 at 05:30:42PM +0200, Sean Doran wrote:
> NAT itself does NOT reach beyond the network address fields in
> the IP header. There are places in which the address fields are
> used that are, in effect, layering violations, viz. pseudo-headers
> and encoding IP addresses in data streams.
That is simply not true. NAT, in order to map one to many or many to
few, must translate based on address,some-other-key, which is generally
"port number" for TCP and UDP.
> You can encrypt whatever you like - NAT doesn't break the encryption,
> it doesn't scramble the bits inside, it simply rewrites the IP header,
> and your receiving application fails because either it notices that
> the IP header has been modified in a way it doesn't like (too bad), or
> it doesn't notice the change at all, and uses bad data.
...and the rewriting of the IP header is also incompatible with
integrity-ensuring protocols such as AH (which accounts for changes
to e.g. the TTL field).
-- Jason R. Thorpe <firstname.lastname@example.org>