From Slashdot: Comcast goes after NAT users

David Rush ky0dr at arrl.net
Fri Jan 25 22:31:34 CST 2002


At 03:43 PM 1/25/02 -0600, Jeremy Fowler wrote:
> > I agree with most of your analysis, but not your conclusion.  Well,
> > actually, it depends on what you meant by "the originating device".
> >
> > Did you mean the originating device of the IP packet, or the originating
> > device of the Ethernet frame(s)?  A router is rarely the originating device
> > of an IP packet (a computer usually is), but for any IP packet the router
> > forwards over an Ethernet segment the router builds a new Ethernet frame
> > (with its own Ethernet MAC address) encapsulating the tired old IP packet.
>
>No no. Let me clarify. Actually there are two MAC addresses (As well as two IP
>addresses) in each packet going over Ethernet: A Source and a Destination MAC
>Address.

Yup, I agree.

>The Destination MAC address is set by the application Layer.

I disagree.  The destination MAC is set by layer 2 (but only if you're 
using a layer 2 technology that uses MAC addresses to get its job 
done).  When I write an application that's going to send something, the 
only layer my application (layer 4) has to deal with is IP (layer 3).

If applications had to set the MAC address, then applications would have to 
be aware of the layer 2 technology and implement code for every possible 
layer 2 implementation they wanted to work over.  We don't live in that 
world any more.

>The Source address is set by the Data Link layer (Ethernet card) of the
>sending host. When a packet is received by a router it checks the
>destination MAC address and if it matches with its own MAC, it passes it on
>to the OS. The router then checks the IP address to figure out where to
>route it and then changes the ***Destination*** MAC address to the next-hop
>router/PC in the routing table.

I agree.

>If the source MAC address were to be changed by each router, the routers
>would have to keep state of all the connections going in and out of it.
>This way, it can simply forward packets and forget about them.

I disagree.  A router is fundamentally an IP device.  Any use of MAC 
addressing is confined to passing individual Ethernet frames to and from 
another device.

> > Supporting thesis:  An IP packet proper contains no MAC address at all.  A
> > MAC address is part of an Ethernet frame that may encapsulate an IP packet,
> > if that IP packet is traversing an ISO network layer 2 or below protocol
> > that uses MAC addresses (such as Ethernet).
>
>Correct, IP packets don't contain a MAC address, since MAC address
>information resides in the data link layer (layer 2) part of the packet and
>IP is the network layer (layer 3).
>
> > The MAC address is only used at the Ethernet layer of the protocol
> > stack.  When machine A generates an IP packet to send out over an Ethernet
> > LAN, one of the last things it does is slap its own MAC address into the
> > Ethernet frame that's going to transport the IP packet.  When machine B
> > receives the Ethernet packet, it looks at it, realizes it's an IP packet,
> > rips the IP packet out of the Ethernet frame before passing it up the
> > protocol stack to the IP layer.  The IP layer (layer 3 of the ISO stack)
> > and above neither knows nor cares what a MAC address is.
>
>Yes, of the receiving host, not the router. Routers only change the
>Destination MAC address and then forward the packet based on its IP
>information. Source address remains intact.

I agree that the router uses a new destination MAC address based on its IP 
info.

> > If machine B is a router, the IP layer of it decides where the IP packet is
> > destined for.  If its decision is that it has to go out on an interface
> > that happens to be Ethernet, then the Ethernet layer of machine B slaps
> > machine B's MAC address onto the packet before pushing it out over the
> > wire.  If the outbound interface is, say, ATM, there will be NO MAC address
> > on the ATM cells that encapsulate the IP packet.
>
>Whoa there pilgrim! ATM does NOT encapsulate IP packets. The ATM Adaptation
>Layer (AAL) converges packets from upper layers into ATM cells. If you had
>a 1k packet AAL would segment it into 21 fragments and place each fragment
>into a cell for transport. It doesn't remove any information from the
>physical layer since it will need it on the other end when it puts the
>packet back together.

Well, okay, perhaps I didn't use the best terminology, but my point remains 
- ATM does not use MAC addresses, and will not (cannot) forward a MAC 
address (source or destination) in the process of forwarding an IP datagram.

> > A proper IP router will not (cannot) reveal a MAC address from a host on
> > one interface to another host on a different interface.
>
>I'm not catching what you're throwing here...

A proper IP router works at layer 3.  Sure, it may use layer 2 (and layer 
1) on individual interfaces, but layer 2 information (such as a MAC 
address) means nothing to layer 3, which is the layer at which a router 
decides where and how to forward IP datagrams.  I don't know if that was 
any more catchable, but I'm trying.

> > Now an Ethernet bridge is another animal entirely, and some routers do a
> > nasty bit of deception called proxy ARP.
>
>Yes, bridges are a completely different thing. They are used to segment a
>network to reduce traffic. However, they are not used very much today since
>most modern switches act as a bridge in many ways.

David
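
The per-hop behaviour debated in this thread, as an added example that is not part of the original message: a constructed IPv4 packet travels in an Ethernet frame to a router, which discards the incoming layer 2 header and builds a new one for its egress interface. All MAC and IP addresses are constructed sample values, and `forward` is a hypothetical helper, not code from any router.

```python
import struct

ETH_IPV4 = 0x0800

def mac(s):
    """'02:00:00:00:00:0a' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))

def checksum(hdr):
    """RFC 1071 ones'-complement sum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src, dst, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options, protocol 17) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, 17, 0, bytes(src), bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def frame(dst_mac, src_mac, packet):
    """Layer 2 encapsulation: dst MAC, src MAC, EtherType, then the packet."""
    return dst_mac + src_mac + struct.pack("!H", ETH_IPV4) + packet

def forward(in_frame, ingress_mac, egress_mac, next_hop_mac):
    """One router hop. Returns the new frame, or None if the frame is dropped."""
    if len(in_frame) < 34 or in_frame[0:6] != ingress_mac:
        return None                        # too short, or not addressed to us
    if struct.unpack("!H", in_frame[12:14])[0] != ETH_IPV4:
        return None
    packet = bytearray(in_frame[14:])      # old Ethernet header is discarded here
    if checksum(bytes(packet[:20])) != 0 or packet[8] <= 1:
        return None                        # corrupt header or TTL expired
    packet[8] -= 1                         # the only layer 3 change: TTL
    packet[10:12] = b"\x00\x00"
    packet[10:12] = struct.pack("!H", checksum(bytes(packet[:20])))
    return frame(next_hop_mac, egress_mac, bytes(packet))

# Constructed sample: host A (192.168.1.10) -> router -> next hop
HOST_A, R_LAN = mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:01")
R_WAN, NEXT_HOP = mac("02:00:00:00:00:02"), mac("02:00:00:00:00:fe")
sent = frame(R_LAN, HOST_A, ipv4([192, 168, 1, 10], [198, 51, 100, 7], b"hello"))
out = forward(sent, R_LAN, R_WAN, NEXT_HOP)
print("src MAC on LAN:", sent[6:12].hex(), "| src MAC after router:", out[6:12].hex())
```
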



