> The difference between denial of service and policy enforcement > is primarily a question of authorization. Since the people who > install NAT generally own the networks in question, characterizing > NAT as a DoS attack doesn't really seem right. Well, yeah, but ... NAT is far too crude in its policy capabilities to be able to credibly claim that it's a policy enforcement device. That's why we have all these ghastly work-arounds - effectively they're for the purposes of refining the policy semantics. I think this may be one of those cases where it's neither a furniture polish nor a dessert topping. I'm not sure that labelling it a "DoS attack" is particularly helpful, though. Melinda