On 4/1/13, Karl Auer <kauer@biplane.com.au> wrote:
> So it may well be that a particular device, capable of doing NAT and other things, of NATting some packets but not others, may permit

Yes. Many NAT devices of reasonable quality are fully capable of such things. And skipping NAT or NAT'ing the source IP address on the outgoing interface to the same as the source IP address the packet had on the incoming interface, is the likely default, when NAT has been configured based on source IP address range, on some devices.

> spoofed-because-not-NATted outbound packets, but I remain unconvinced that a spoofed packet can make it through a NAT process and head outbound without getting its source address clamped to a configured range of outside addresses.

Ah, but did you actually test your guess on a reasonably large variety of NAT platforms? It just takes 1 instance of the right platform to be in significant use for something to be different than expected. I remain unconvinced that all CPEs in all common configurations will clamp the source address to a legitimate one in all cases. It would just be way too much luck and convenience for that to happen by coincidence.

> Now I'm imagining a NAT process that translates only *destination* addresses - hm, is there such a beast?

Of course there is... in some implementations you may need two NAT rules to define a 1:1; a source NAT rule, and a destination NAT rule; if you define only the Source NAT rule, you just translate the source IP address ranges selected to the translation IP address range(s) selected for outgoing connections, and new incoming connections are not translated; if you define only the DNAT rule, you translate only the WAN interface destination IP for incoming connections, and outgoing connections are not translated. In various implementations you can have full-cone NAT, address-restricted cone NAT, port-restricted cone NAT, symmetric NAT, and various combinations and variations (even different kinds of NAT in different directions), for each of source and destination address, with or without storage of a mapping for return traffic. Different source or destination IP ranges or TCP/UDP ports might be NAT'ed differently or not at all. Not all implementations allow all possible useful NAT configurations.

> Continuing to seek enlightenment...
>
> Regards, K.

-- 
-JH
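The behaviour JH describes (a source-NAT rule keyed on a source address range that simply forwards out-of-range packets untouched) modelled as a small Python simulation, added here as an illustration and not taken from any vendor or from the thread itself; the inside prefix, WAN address and sample packets are constructed, and the second function shows the egress filter that closes the gap.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Callable, Iterable, List, Optional

# Constructed model of a CPE whose SNAT rule is selected by source range.
# Packets inside the range are rewritten to the WAN address; anything else
# is forwarded as-is, the "skip NAT" default described in the thread.
INSIDE_PREFIX = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN prefix
WAN_ADDRESS = ipaddress.ip_address("203.0.113.7")       # assumed WAN address

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: int
    dport: int

def snat_by_source_range(pkt: Packet) -> Optional[Packet]:
    """SNAT keyed on source range: out-of-range sources pass untranslated."""
    if pkt.src in INSIDE_PREFIX:
        return replace(pkt, src=WAN_ADDRESS)
    return pkt  # forwarded unchanged, so a forged source leaves with its bogus address

def snat_with_egress_filter(pkt: Packet) -> Optional[Packet]:
    """Same SNAT, but any source outside the inside prefix is dropped first
    (BCP38-style egress filtering), so nothing leaves untranslated."""
    if pkt.src not in INSIDE_PREFIX:
        return None  # dropped
    return replace(pkt, src=WAN_ADDRESS)

def leaks_untranslated(nat: Callable[[Packet], Optional[Packet]],
                       pkts: Iterable[Packet]) -> List[str]:
    """Source addresses that reach the WAN side neither dropped nor rewritten
    to WAN_ADDRESS, i.e. the spoofed egress the thread worries about."""
    out = (nat(p) for p in pkts)
    return [str(p.src) for p in out if p is not None and p.src != WAN_ADDRESS]

# Constructed traffic: one genuine inside host and one packet with a forged source.
SAMPLE = [
    Packet(ipaddress.ip_address("192.168.1.10"), ipaddress.ip_address("198.51.100.5"), 40000, 53),
    Packet(ipaddress.ip_address("10.9.8.7"), ipaddress.ip_address("198.51.100.5"), 40001, 53),
]

if __name__ == "__main__":
    print("range-keyed SNAT leaks:", leaks_untranslated(snat_by_source_range, SAMPLE))
    print("with egress filter leaks:", leaks_untranslated(snat_with_egress_filter, SAMPLE))
```

The first call reports the forged 10.9.8.7 source leaving the WAN side untouched, the second reports nothing, which is the check worth running against a real CPE's ruleset rather than assuming the clamp.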