From Slashdot: Comcast goes after NAT users

ky0dr at kc.rr.com ky0dr at kc.rr.com
Fri Jan 25 20:35:17 CST 2002


Jeremy:

>So when the packet is received on the other end, the MAC address IS the address
>of the originating device. Not the last router that encountered the packet.
>
>IP Masquerading changes the IP Header information ONLY, not the MAC address.

I agree with most of your analysis, but not your conclusion.  Well, 
actually, it depends on what you meant by "the originating device".

Did you mean the originating device of the IP packet, or the originating 
device of the Ethernet frame(s)?  A router is rarely the originating device 
of an IP packet (a computer usually is), but for any IP packet the router 
forwards over an Ethernet segment the router builds a new Ethernet frame 
(with its own Ethernet MAC address) encapsulating the tired old IP packet.

Supporting thesis:  An IP packet proper contains no MAC address at all.  A 
MAC address is part of an Ethernet frame that may encapsulate an IP packet, 
if that IP packet is traversing an ISO network layer 2 or below protocol 
that uses MAC addresses (such as Ethernet).

The MAC address is only used at the Ethernet layer of the protocol 
stack.  When machine A generates an IP packet to send out over an Ethernet 
LAN, one of the last things it does is slap its own MAC address into the 
Ethernet frame that's going to transport the IP packet.  When machine B 
receives the Ethernet packet, it looks at it, realizes it's an IP packet, and 
rips the IP packet out of the Ethernet frame before passing it up the 
protocol stack to the IP layer.  The IP layer (layer 3 of the ISO stack) 
and above neither knows nor cares what a MAC address is.

If machine B is a router, the IP layer of it decides where the IP packet is 
destined for.  If its decision is that it has to go out on an interface 
that happens to be Ethernet, then the Ethernet layer of machine B slaps 
machine B's MAC address onto the packet before pushing it out over the 
wire.  If the outbound interface is, say, ATM, there will be NO MAC address 
on the ATM cells that encapsulate the IP packet.

A proper IP router will not (cannot) reveal a MAC address from a host on 
one interface to another host on a different interface.

Now an Ethernet bridge is another animal entirely, and some routers do a 
nasty bit of deception called proxy ARP.

David
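The layering David describes, traced in code. This is an added Python example and is not part of the original post or thread; all MAC and IP addresses in it are constructed for the illustration, and the router model (strip the LAN frame, masquerade the source IP, decrement TTL, recompute the header checksum, build a fresh frame with the router's own WAN MAC) is a deliberately minimal one written for this example, not any particular vendor's implementation.

```python
import socket
import struct

# Constructed sample addresses for the example (not from the original post).
HOST_A_MAC = bytes.fromhex("02000000000a")      # machine A on the LAN
ROUTER_LAN_MAC = bytes.fromhex("020000000001")  # router's LAN-side interface
ROUTER_WAN_MAC = bytes.fromhex("020000000002")  # router's upstream interface
UPSTREAM_MAC = bytes.fromhex("020000000003")    # next hop beyond the router
ETHERTYPE_IPV4 = 0x0800


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header; 0 when a header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src_ip: str, dst_ip: str, payload: bytes, proto: int = 17) -> bytes:
    """Layer 3: a minimal 20-byte IPv4 header (no options) in front of the payload.
    Note that there is no MAC address anywhere in here."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_frame(src_mac: bytes, dst_mac: bytes, packet: bytes) -> bytes:
    """Layer 2: the Ethernet header is the only place the MAC addresses live."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet


def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, ethertype, encapsulated packet)."""
    return frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0], frame[14:]


def parse_ipv4(packet: bytes):
    """Return (src_ip, dst_ip, header_length, payload)."""
    ihl = (packet[0] & 0x0F) * 4
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            ihl, packet[ihl:])


def router_forward(frame: bytes, public_ip: str) -> bytes:
    """What a masquerading router does between its LAN and WAN interfaces:
    discard A's Ethernet frame, rewrite the IP header (source address, TTL,
    checksum), and wrap the packet in a brand-new frame carrying the router's
    own WAN MAC. A's MAC never leaves the LAN segment."""
    _, _, ethertype, packet = parse_frame(frame)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("example handles IPv4 only")
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    if ip_checksum(bytes(hdr)) != 0:
        raise ValueError("corrupt IPv4 header; a router would drop this")
    hdr[8] -= 1                                   # TTL decrement, as any router does
    hdr[12:16] = socket.inet_aton(public_ip)      # IP masquerading: source IP only
    hdr[10:12] = b"\x00\x00"                      # zero, then recompute the checksum
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return build_frame(ROUTER_WAN_MAC, UPSTREAM_MAC, bytes(hdr) + packet[ihl:])


def demo():
    """Trace one packet from A through the router and return the source MAC
    and source IP seen on each side so the before/after can be compared."""
    lan_frame = build_frame(HOST_A_MAC, ROUTER_LAN_MAC,
                            build_ipv4("192.168.1.10", "203.0.113.5", b"hello"))
    wan_frame = router_forward(lan_frame, "198.51.100.7")
    lan = parse_frame(lan_frame)
    wan = parse_frame(wan_frame)
    return {
        "lan_src_mac": lan[1].hex(), "wan_src_mac": wan[1].hex(),
        "lan_src_ip": parse_ipv4(lan[3])[0], "wan_src_ip": parse_ipv4(wan[3])[0],
        "wan_payload": parse_ipv4(wan[3])[3],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the source MAC on the WAN side is the router's, while the source IP has been masqueraded; the payload passes through untouched. Swapping the WAN interface for one without MAC addresses (the ATM case in the post) would only change `build_frame`, which is the point: the MAC is an artefact of the link layer that happens to carry the packet, not of the packet itself.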
