On 2/9/2016 10:21 PM, Masataka Ohta wrote:
>>> Tunneling, encapsulation, VPNs, IP-in-IP are all network activities.
>> >
>> > Tunneling is an end system activity.
>> >
>> > Nodes that encap or decap are acting as sources or sinks, not relays.
> A problem is that relays (firewalls) are involved in decap.

The only problem there is believing that a device is defined by its product literature, rather than its behavior.

I repeat: nodes that encap or decap are acting as sources or sinks, not relays.

Nodes such as NATs and firewalls act as end hosts on the public side and routers on the private side. Which is why they need to obey RFC1122 semantics on the public side. What happens on the private side that drives the public side behavior is irrelevant.

Joe