From Slashdot: Comcast goes after NAT users
ky0dr at kc.rr.com
Fri Jan 25 20:35:17 CST 2002
Jeremy:

>So when the packet is received on the other end, the MAC address IS the
>address of the originating device. Not the last router that encountered
>the packet.
>
>IP Masquerading changes the IP Header information ONLY, not the MAC address.

I agree with most of your analysis, but not your conclusion. Well,
actually, it depends on what you meant by "the originating device".
Did you mean the originating device of the IP packet, or the originating
device of the Ethernet frame(s)? A router is rarely the originating device
of an IP packet (a computer usually is), but for any IP packet the router
forwards over an Ethernet segment the router builds a new Ethernet frame
(with its own Ethernet MAC address) encapsulating the tired old IP packet.

Supporting thesis: An IP packet proper contains no MAC address at all. A
MAC address is part of an Ethernet frame that may encapsulate an IP packet,
if that IP packet is traversing an ISO network layer 2 or below protocol
that uses MAC addresses (such as Ethernet).

The MAC address is only used at the Ethernet layer of the protocol
stack. When machine A generates an IP packet to send out over an Ethernet
LAN, one of the last things it does is slap its own MAC address into the
Ethernet frame that's going to transport the IP packet. When machine B
receives the Ethernet packet, it looks at it, realizes it's an IP packet,
rips the IP packet out of the Ethernet frame before passing it up the
protocol stack to the IP layer. The IP layer (layer 3 of the ISO stack)
and above neither knows nor cares what a MAC address is.

If machine B is a router, the IP layer of it decides where the IP packet is
destined for. If its decision is that it has to go out on an interface
that happens to be Ethernet, then the Ethernet layer of machine B slaps
machine B's MAC address onto the packet before pushing it out over the
wire. If the outbound interface is, say, ATM, there will be NO MAC address
on the ATM cells that encapsulate the IP packet.

A proper IP router will not (cannot) reveal a MAC address from a host on
one interface to another host on a different interface.

Now an Ethernet bridge is another animal entirely, and some routers do a
nasty bit of deception called proxy ARP.
David
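
Added example, not part of the original post: a byte-level sketch of the forwarding step described in the message above, showing which fields change when a router re-encapsulates an IPv4 packet on Ethernet, with and without IP masquerading. All MAC and IP addresses are constructed sample values, the function names are illustrative, and the payload is opaque bytes rather than a real UDP datagram.

```python
import struct

# Constructed sample addresses (locally administered MACs, documentation IPs).
HOST_MAC, LAN_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:01"
WAN_MAC, ISP_MAC = "02:00:00:00:00:02", "02:00:00:00:00:fe"

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(p) for p in s.split("."))

def checksum(hdr):
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src, dst, payload, ttl=64):
    """20-byte IPv4 header (protocol field 17) followed by opaque payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, ttl, 17, 0, ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def ether(dst_mac, src_mac, packet):
    """Ethernet II frame: dst MAC, src MAC, EtherType 0x0800 (IPv4)."""
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + packet

def route(frame, out_mac, next_hop_mac, masq_ip=None):
    """Forward like a router: drop the inbound Ethernet header, decrement
    TTL, optionally masquerade the IP source, then build a new frame."""
    hdr, payload = bytearray(frame[14:34]), frame[34:]
    hdr[8] -= 1                       # TTL
    if masq_ip:
        hdr[12:16] = ip(masq_ip)      # masquerading touches the IP header only
    hdr[10:12] = b"\x00\x00"          # zero the checksum field, then recompute
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return ether(next_hop_mac, out_mac, bytes(hdr) + payload)

def describe(frame):
    """(source MAC, source IP, TTL) as seen by the receiver of this frame."""
    return frame[6:12].hex(":"), ".".join(map(str, frame[26:30])), frame[22]

if __name__ == "__main__":
    lan = ether(LAN_MAC, HOST_MAC, ipv4("192.168.1.10", "198.51.100.7", b"hello"))
    print("on the LAN    ", describe(lan))
    print("routed        ", describe(route(lan, WAN_MAC, ISP_MAC)))
    print("routed + masq ", describe(route(lan, WAN_MAC, ISP_MAC, "203.0.113.5")))
```

In both routed cases the source MAC on the far segment is the router's outbound interface, and the host's MAC does not appear anywhere in the forwarded frame.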