Subject: Re: IPv6 Comment
To: Sean Doran <smd@ebone.net>
From: Jason R Thorpe <thorpej@zembu.com>
List: current-users
Date: 09/01/2000 09:27:41
On Fri, Sep 01, 2000 at 05:30:42PM +0200, Sean Doran wrote:

 > NAT itself does NOT reach beyond the network address fields in
 > the IP header.  There are places in which the address fields are
 > used that are, in effect, layering violations, viz. pseudo-headers
 > and encoding IP addresses in data streams.

That is simply not true.  NAT, in order to map one to many or many to
few, must translate based on (address, some-other-key), which is generally
"port number" for TCP and UDP.

 > You can encrypt whatever you like - NAT doesn't break the encryption,
 > it doesn't scramble the bits inside, it simply rewrites the IP header,
 > and your receiving application fails because either it notices that
 > the IP header has been modified in a way it doesn't like (too bad), or
 > it doesn't notice the change at all, and uses bad data.

...and the rewriting of the IP header is also incompatible with
integrity-ensuring protocols such as AH (which accounts for changes
to e.g. the TTL field).

-- 
        -- Jason R. Thorpe <thorpej@zembu.com>
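A worked illustration of the AH point above, added here as an example and not part of the original thread: an AH-style integrity check computed over a minimal IPv4 header with the mutable fields (TTL, header checksum) zeroed before MAC-ing, so a router's TTL decrement still verifies while a NAT's rewrite of the source address does not. The HMAC-SHA256 key, addresses and payload are constructed; a real AH ICV also covers the AH header itself, which is omitted here.

```python
import hmac, hashlib, struct

# Constructed shared key standing in for a negotiated AH integrity key.
KEY = b"constructed-demo-key"

def ipv4_header(src, dst, ttl, payload_len):
    """Build a minimal 20-byte IPv4 header (no options); checksum left as 0."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0x4000,
                       ttl, 51, 0, src, dst)   # protocol 51 = AH

def ah_icv_input(hdr):
    """Zero the fields AH treats as mutable-in-transit before computing the ICV."""
    h = bytearray(hdr)
    h[8] = 0            # TTL: decremented by every router on the path
    h[10:12] = b"\0\0"  # header checksum: recomputed by every router
    return bytes(h)

def ah_icv(hdr, payload):
    """Integrity check value over the immutable header fields plus payload."""
    return hmac.new(KEY, ah_icv_input(hdr) + payload, hashlib.sha256).digest()

def ah_verify(hdr, payload, icv):
    return hmac.compare_digest(ah_icv(hdr, payload), icv)

def router_decrement_ttl(hdr):
    """What every forwarding hop does: TTL is at byte offset 8."""
    return hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:]

def nat_rewrite_src(hdr, new_src):
    """What a NAT does: rewrite the source address (bytes 12..15) in place."""
    return hdr[:12] + new_src + hdr[16:]

def demo():
    """Returns (verifies after a TTL decrement, verifies after NAT rewrite)."""
    src = bytes([10, 0, 0, 5])      # constructed private address
    dst = bytes([192, 0, 2, 10])    # constructed address from TEST-NET-1
    payload = b"constructed payload"
    hdr = ipv4_header(src, dst, 64, len(payload))
    icv = ah_icv(hdr, payload)      # computed by the sender
    after_hop = router_decrement_ttl(hdr)
    after_nat = nat_rewrite_src(after_hop, bytes([198, 51, 100, 7]))  # TEST-NET-2
    return ah_verify(after_hop, payload, icv), ah_verify(after_nat, payload, icv)

if __name__ == "__main__":
    print(demo())   # (True, False)
```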