> Keeping your Kerberos zone entirely in the internal network is a
> kludge? (That might, obviously, be completely impossible. Keeping
> your Kerberos zone entirely in a vlan might be possible. But IPSec
> and IPF also don't necessarily play well together without some
> coaxing, so you could still be screwed.)

That's assuming that I will never need to get to my kerberized
zone from somewhere outside of NAT.  Yeah, I could set up IPSec and IPF
and some VLANs and some tunnels and maybe some external to
internal gateway machine....but, no.