
Description of NAT (Network Address Translation) Implementation on Intel® Routers

Last edited: 28-02-00 09:42

1. General
1.1 NAT/NAPT
1.2 Functional Placement
1.3 Filtering
2. Packet Handling
2.1 Address Translation
2.1.1 Transmit
2.1.2 Receive
2.2 Port Translation
2.2.1 Transmit
2.2.2 Receive
2.2.3 Timeout for Dynamically Assigned NAT Entries
3. Specifically Supported Protocols
3.1 RIP
3.2 DNS
3.3 FTP
3.3.1 Setup
3.3.2 Active FTP
3.3.3 Passive FTP
3.4 ICMP
3.5 ARP
4. Checksum Adjustment

Copyright © 2000, Intel® Corporation, All rights reserved

The information in this paper is furnished for informational use only, is subject to
change without notice, and should not be construed as a commitment by Intel®
Corporation. Intel® Corporation assumes no responsibility or liability for any
errors or inaccuracies that may appear in this document or any software that may
be provided in association with this document.

1. General
NAT is described in RFC 1631 (“The IP Network Address Translator (NAT)”,
http://www.ietf.org/rfc/rfc1631.txt). NAT has been extended with NAPT, for which a new RFC is
on its way. A description currently exists as
http://www.ietf.org/internet-drafts/draft-ietf-nat-traditional-03.txt.

1.1 NAT/NAPT
NAT translates addresses and adjusts the checksums accordingly. NAPT translates addresses and
ports on TCP and UDP datagrams. NAPT allows the router to use a single IP address on the
Internet.

1.2 Functional Placement


Conceptually NAT works as a translation engine external to the router. A separate NAT box
could be on the WAN link and the functionality would be the same as the NAT box we have
inside the router. On a block diagram, NAT is at the border of the IP router:

[Block diagram with the labels: Internet, NAT, Filter, WAN, IP Router, LAN]

Notice that filtering is done after NAT when receiving data and before NAT when transmitting
data.

1.3 Filtering
Even if NAT can perform some filtering it should not be considered a significant security
feature. This NAT implementation can translate source and destination addresses for all
incoming and outgoing traffic. If neither the source nor the destination matches any of the NAT
entries in the setup, the packet is silently discarded.

2. Packet Handling
The following sections describe in detail what happens when a packet goes through the NAT
engine.

2.1 Address Translation


If the user sets up a dynamic NAT entry like 0.0.0.0/0, it is meaningless to translate both source
and destination. Therefore a special rule applies to dynamic translation:

Columns: Transmit (Source, Destination), Receive (Source, Destination)
Internal net greater than external net (fewer bits in mask): Translated, Translated
Internal net smaller than external net (more bits in mask): Translated, Translated

2.1.1 Transmit

In the following example, a packet is transmitted through a WAN link configured with NAT.
The packet looks like:

Source Address       10.1.0.1
Source Port          1030
Destination Address  192.102.198.160
Destination Port     80

The NAT table looks like:

Mapping    Internal      Mask             Port  External        Mask             Port
Static c   10.1.0.5      255.255.255.255  0     193.88.251.1    255.255.255.255  0
Static r   10.1.0.0      255.255.255.255  0     193.88.251.0    255.255.255.255  0
Static r   10.1.255.255  255.255.255.255  0     193.88.251.255  255.255.255.255  0
Dynamic c  10.1.0.0      255.255.0.0      0     193.88.251.0    255.255.255.0    0
Dynamic d  10.1.0.3      255.255.255.255  0     193.88.251.2    255.255.255.255  0
Dynamic d  10.1.0.4      255.255.255.255  0     193.88.251.3    255.255.255.255  0

c  This is a configured entry
r  The router automatically installed this entry
d  This entry was dynamically allocated, based on a transmitted packet

When a packet is transmitted through NAT, it is looked up in the internal NAT cache. If there is
a cache miss, the translator checks each configured NAT entry to see if there is a match.

For simplicity, we assume that the internal NAT cache is empty.

10.1.0.1 is looked up in the internal cache, but cannot be found. Now we check all the
configured entries:
• Check match for 10.1.0.5 mask 255.255.255.255: Fail
• Check match for 10.1.0.0 mask 255.255.255.255: Fail
• Check match for 10.1.255.255 mask 255.255.255.255: Fail
• Check match for 10.1.0.0 mask 255.255.0.0: Success

Now we know that we need to deal with a dynamic translation. 10.1.0.1 is looked up amongst
the dynamically allocated entries, to see if we have already allocated an entry:

• Check match for 10.1.0.3: Fail
• Check match for 10.1.0.4: Fail

Since the internal mask is smaller (fewer bits, larger net) than the external mask we decide to
allocate a new dynamic entry. Once more we check all the dynamically allocated entries:

• 193.88.251.0: Taken
• 193.88.251.1: Taken
• 193.88.251.2: Taken
• 193.88.251.3: Taken
• 193.88.251.4: Vacant

The dynamically allocated entry 10.1.0.1 => 193.88.251.4 is added and the internal NAT
cache is updated.

Notice that the port value 0 is used as a wildcard.

We use the same process for the destination address:

• Check match for 10.1.0.5 mask 255.255.255.255: Fail
• Check match for 10.1.0.0 mask 255.255.255.255: Fail
• Check match for 10.1.255.255 mask 255.255.255.255: Fail
• Check match for 10.1.0.0 mask 255.255.0.0: Fail

The destination address cannot be translated, but it is added to the internal NAT cache.

The internal NAT cache now has two entries:

Internal         Port  External         Port
10.1.0.1         0     193.88.251.4     0
192.102.198.160  0     192.102.198.160  0

2.1.2 Receive

If we get a reply to the packet in the transmit section, the packet looks like:

Source Address       192.102.198.160
Source Port          80
Destination Address  193.88.251.4
Destination Port     1030
The NAT table looks like:

Mapping    Internal      Mask             Port  External        Mask             Port
Static c   10.1.0.5      255.255.255.255  0     193.88.251.1    255.255.255.255  0
Static r   10.1.0.0      255.255.255.255  0     193.88.251.0    255.255.255.255  0
Static r   10.1.255.255  255.255.255.255  0     193.88.251.255  255.255.255.255  0
Dynamic c  10.1.0.0      255.255.0.0      0     193.88.251.0    255.255.255.0    0
Dynamic r  10.1.0.1      255.255.255.255  0     193.88.251.4    255.255.255.255  0
Dynamic r  10.1.0.3      255.255.255.255  0     193.88.251.2    255.255.255.255  0
Dynamic r  10.1.0.4      255.255.255.255  0     193.88.251.3    255.255.255.255  0

c  This is a configured entry
r  The router automatically installed this entry
d  This entry was dynamically allocated, based on a transmitted packet

When a packet is received through NAT, it is looked up in the external NAT cache. If there is a
cache miss, the translator will check each configured NAT entry to see if there is a match.

For simplicity, we assume that the external NAT cache is empty.

192.102.198.160 is looked up in the external cache, but cannot be found. Now we check all the
configured entries:

• Check match for 193.88.251.1 mask 255.255.255.255: Fail
• Check match for 193.88.251.0 mask 255.255.255.255: Fail
• Check match for 193.88.251.255 mask 255.255.255.255: Fail
• Check match for 193.88.251.0 mask 255.255.255.0: Fail

The source cannot be translated, but it is added to the external NAT cache.

We use the same process for the destination address:

• Check match for 193.88.251.1 mask 255.255.255.255: Fail
• Check match for 193.88.251.0 mask 255.255.255.255: Fail
• Check match for 193.88.251.255 mask 255.255.255.255: Fail
• Check match for 193.88.251.0 mask 255.255.255.0: Success

Now we know that we need to deal with a dynamic translation and we check for 193.88.251.4
among the dynamically allocated entries, to see if we have a matching entry:

• Check match for 193.88.251.0: Fail
• Check match for 193.88.251.4: Success

If there is no entry that matches, we never allocate a new entry when the external mask is larger
(more bits, smaller net) than the internal mask.

Next, the external NAT cache is updated.

Notice that the port value 0 is used as a wildcard.

The external NAT cache now has two entries:

External         Port  Internal         Port
193.88.251.4     0     10.1.0.1         0
192.102.198.160  0     192.102.198.160  0

2.2 Port Translation


If the user sets up a dynamic NAPT entry like 0.0.0.0/0, it is meaningless to translate both source
and destination. Therefore a special rule applies to dynamic translation:

Columns: Transmit (Source, Destination), Receive (Source, Destination)
Internal net greater than external net (fewer bits in mask): Translated, Translated
Internal net smaller than external net (more bits in mask): Translated, Translated

2.2.1 Transmit

In the following example a packet is transmitted through a WAN link configured with NAPT
(single IP). The packet looks like:

Source Address       10.1.0.1
Source Port          1030
Destination Address  192.102.198.160
Destination Port     80

The NAT table looks like:

Mapping        Internal    Mask             Port  External      Mask             Port
Static Port c  10.1.0.5    255.255.255.255  25    193.88.251.1  255.255.255.255  25
Single IP c    0.0.0.0     0.0.0.0          0     193.88.251.1  255.255.255.255  0
Static c       10.1.0.10   255.255.255.255  0     193.88.251.1  255.255.255.255  0
Single IP d    10.1.15.2   255.255.255.255  1030  193.88.251.1  255.255.255.255  1030
Single IP d    10.1.131.1  255.255.255.255  1042  193.88.251.1  255.255.255.255  1042

c  This is a configured entry
d  This entry was dynamically allocated, based on a transmitted packet

When a packet is transmitted through NAT, it is looked up in the internal NAT cache. If there is
a cache miss, the translator will check each configured NAT entry to see if there is a match.

The internal NAT cache is empty.

10.1.0.1;1030 is looked up in the internal cache, but cannot be found. Now we check all the
configured entries:

• Check match for 10.1.0.5 mask 255.255.255.255: Fail
• Check match for 0.0.0.0 mask 0.0.0.0: Success

Now we know that we need to deal with a single IP translation and we check for 10.1.0.1;1030
among the dynamically allocated entries, to see if we have already allocated an entry:

• Check match for 10.1.15.2;1030: Fail
• Check match for 10.1.131.1;1030: Fail

Since the internal mask is smaller (fewer bits, larger net) than the external mask we decide to
allocate a new dynamic entry. We attempt to use the port untranslated, and increase the port
number until we reach an unused port:

• 193.88.251.1;1030: Taken
• 193.88.251.1;1031: Vacant

The dynamically allocated entry 10.1.0.1;1030 => 193.88.251.1;1031 is added and the
internal NAT cache is updated.

We use the same process for the destination port address:

• Check match for 10.1.0.5;25 mask 255.255.255.255: Fail
• Check match for 0.0.0.0 mask 0.0.0.0: Success

Since the internal mask is smaller (fewer bits, larger net) than the external mask we decide not to
translate the address/port.

The destination cannot be translated, but it is inserted in the internal NAT cache.

The internal NAT cache now has two entries:

Internal         Port  External         Port
10.1.0.1         1030  193.88.251.1     1031
192.102.198.160  0     192.102.198.160  0

Notice that the port value 0 is used as a wildcard.

2.2.2 Receive

If we get a reply to the packet in the transmit section, the packet looks like:

Source Address       192.102.198.160
Source Port          80
Destination Address  193.88.251.1
Destination Port     1031

The NAT table looks like:

Mapping        Internal    Mask             Port  External      Mask             Port
Static Port c  10.1.0.5    255.255.255.255  25    193.88.251.1  255.255.255.255  25
Single IP c    0.0.0.0     0.0.0.0          0     193.88.251.1  255.255.255.255  0
Static c       10.1.0.10   255.255.255.255  0     193.88.251.1  255.255.255.255  0
Single IP d    10.1.0.1    255.255.255.255  1030  193.88.251.1  255.255.255.255  1031
Single IP d    10.1.15.2   255.255.255.255  1030  193.88.251.1  255.255.255.255  1030
Single IP d    10.1.131.1  255.255.255.255  1042  193.88.251.1  255.255.255.255  1042

c  This is a configured entry
d  This entry was dynamically allocated, based on a transmitted packet

When a packet is received through NAT, it is looked up in the external NAT cache. If there is a
cache miss, the translator will check each configured NAT entry to see if there is a match.

The external NAT cache is empty.

192.102.198.160 is looked up in the external cache, but cannot be found. Now we check all the
configured entries:

• Check match for static port 193.88.251.1;25 mask 255.255.255.255: Fail
• Check match for single IP 193.88.251.1 mask 255.255.255.255: Fail
• Check match for static 193.88.251.1 mask 255.255.255.255: Fail

The source cannot be translated, but it is added to the external NAT cache.

We use the same process for the destination port address:

• Check match for static port 193.88.251.1;25 mask 255.255.255.255: Fail
• Check match for single IP 193.88.251.1 mask 255.255.255.255: Success

Now we know that we need to deal with a single IP translation and we check for
193.88.251.1;1031 among the dynamically allocated entries, to see if we have a matching entry:

• Check match for 193.88.251.1;1031: Success

If there is no entry that matches, we never allocate a new entry when the external mask is larger
(more bits, smaller net) than the internal mask.

Next, the external NAT cache is updated.

Notice that the port value 0 is used as a wildcard.

The external NAT cache now has two entries:

External         Port  Internal         Port
193.88.251.1     1031  10.1.0.1         1030
192.102.198.160  0     192.102.198.160  0
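
The single-IP transmit and receive walk-throughs of 2.2.1 and 2.2.2, as an added Python sketch (not the router's code). The class and method names are hypothetical, and only the static-port and single-IP entries of the table are modelled.

```python
class SingleIpNapt:
    """Single-IP NAPT table following the walk-through in 2.2.1 and 2.2.2."""

    def __init__(self, external_ip, static_ports=None):
        self.external_ip = external_ip
        # Configured "Static Port" entries: external port -> (internal ip, port)
        self.static_ports = dict(static_ports or {})
        self.out = {}    # dynamic entries: (internal ip, port) -> external port
        self.back = {}   # the same entries indexed by external port

    def transmit(self, src_ip, src_port):
        """Translate the source of an outgoing packet, allocating if needed."""
        key = (src_ip, src_port)
        if key in self.out:                       # already allocated
            return self.external_ip, self.out[key]
        port = src_port                           # first try the port untranslated
        while port in self.back or port in self.static_ports:
            port += 1                             # increase until a port is vacant
            if port > 65535:
                raise RuntimeError("no vacant external port")
        self.out[key] = port
        self.back[port] = key
        return self.external_ip, port

    def receive(self, dst_ip, dst_port):
        """Translate the destination of an incoming packet. Never allocates."""
        if dst_ip != self.external_ip:
            return None
        if dst_port in self.static_ports:         # configured static port entry
            return self.static_ports[dst_port]
        return self.back.get(dst_port)            # None: no matching entry


def replay_page_example():
    """Rebuild the table of 2.2.1 and replay both packets from the text."""
    nat = SingleIpNapt("193.88.251.1", {25: ("10.1.0.5", 25)})
    nat.transmit("10.1.15.2", 1030)               # existing dynamic entries
    nat.transmit("10.1.131.1", 1042)
    outgoing = nat.transmit("10.1.0.1", 1030)     # port 1030 is already taken
    reply = nat.receive("193.88.251.1", 1031)     # reply to the packet above
    unsolicited = nat.receive("193.88.251.1", 4444)   # constructed: no entry
    return outgoing, reply, unsolicited


if __name__ == "__main__":
    print(replay_page_example())
```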

2.2.3 Timeout for Dynamically Assigned NAT Entries

The dynamically assigned entries all have a timer associated with them. The timer "TCP/UDP
Timeout" is set to 3600 seconds by default. To improve performance, the timers are not updated
on a per-packet basis. Instead, the timers are checked every 10 minutes and, if half the time has
passed, the cache entries are cleared. If the NAT entry is still "alive" (i.e. TCP/UDP packets
flow), the cache entry reappears and the timer is updated (age set to 0). In other words:

• The NAT entries are checked every 10 minutes.
• If an entry's age is greater than half the timeout value, it is removed from the cache.
• If an entry's age is greater than the timeout value, it is removed from the NAT table.
• When an entry is added to the cache its age is set to zero.
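
One consequence of these rules is that an idle flow is not removed a fixed time after its last packet. The following simulation is an added example (not the router's code); it assumes the 10-minute check is aligned with the creation of the entry at t=0, and the function names are hypothetical.

```python
TIMEOUT = 3600          # default "TCP/UDP Timeout" in seconds
CHECK_INTERVAL = 600    # the entries are checked every 10 minutes


def removal_time(packet_times, timeout=TIMEOUT, interval=CHECK_INTERVAL):
    """Time at which a dynamic entry created at t=0 leaves the NAT table.

    packet_times: times (in seconds) of later packets on the same flow.
    """
    born = 0            # moment the age was last set to zero
    cached = True       # the entry starts out in the NAT cache
    pending = sorted(packet_times)
    check = 0
    while True:
        check += interval
        # Packets that arrived since the previous check.
        while pending and pending[0] < check:
            t = pending.pop(0)
            if not cached:
                # Cache miss: the entry is found in the NAT table, reappears
                # in the cache and its age is set to zero.
                born, cached = t, True
            # A cache hit does not touch the timer at all.
        age = check - born
        if age > timeout:
            return check            # removed from the NAT table
        if age > timeout / 2:
            cached = False          # removed from the cache only


def idle_before_removal(packet_times):
    """Seconds between the last packet of the flow and removal of the entry."""
    last = max(packet_times, default=0)
    return removal_time(packet_times) - last


if __name__ == "__main__":
    for flow in ([], [2399], [2401]):
        print(flow, removal_time(flow), idle_before_removal(flow))
```

With the default values, a last packet just before the cache entry is cleared leaves the mapping open for about half the timeout, while a last packet just after leaves it open for the full timeout plus one check interval.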

3. Specifically Supported Protocols

3.1 RIP (Routing Information Protocol)


RIP replies from the router and RIP replies to the router are translated via NAT. It is not obvious
what to do with network entries that are not specifically listed in the NAT table and they will be
skipped. This means that a 0.0.0.0/0 entry must be added to allow all network entries in a RIP
packet, which do not match any NAT entries, to pass unprocessed.

NAT will process RIP-1 and RIP-2 packets, but it is mandatory that both the address and the
mask match a NAT entry to "get through".

Example:

The NAT table is configured with the following entries:

Mapping  Internal  Mask         Port  External      Mask           Port
Dynamic  10.1.0.0  255.255.0.0  0     193.88.251.0  255.255.255.0  0
Dynamic  10.2.0.0  255.255.0.0  0     193.88.252.0  255.255.255.0  0

Now, a RIP-2 update is transmitted:

Network Mask
10.1.0.0 255.255.0.0
10.2.5.0 255.255.255.0
10.3.0.0 255.255.0.0

The resulting update contains:

Network Mask
193.88.251.0 255.255.255.0

If the NAT table is changed to:

Mapping  Internal  Mask         Port  External      Mask           Port
Dynamic  10.1.0.0  255.255.0.0  0     193.88.251.0  255.255.255.0  0
Dynamic  10.2.0.0  255.255.0.0  0     193.88.252.0  255.255.255.0  0
Static   0.0.0.0   0.0.0.0      0     0.0.0.0       0.0.0.0        0

And a RIP-2 update is transmitted:

Network Mask
10.1.0.0 255.255.0.0
10.2.5.0 255.255.255.0
10.3.0.0 255.255.0.0

The resulting update contains:

Network Mask
193.88.251.0 255.255.255.0
10.2.5.0 255.255.255.0
10.3.0.0 255.255.0.0

3.2 DNS
DNS packets are processed by NAT. All A records are translated if possible. This means that a
DNS reply may contain external addresses, which are converted to internal addresses.

3.3 FTP
Although FTP support is a challenge, this NAT implementation supports active FTP (PORT
command) and passive FTP (PASV command).

FTP sets up a control connection from the client to port 21 on the server. The communication on
this control connection determines the address and port for the data connection. NAT needs to
translate the ASCII string in the PORT command for active FTP and the reply to the PASV
command for passive FTP. It complicates matters that FTP is based on ASCII strings, as the
string can get longer or shorter when the address is translated.

The control connection is a TCP connection. TCP uses sequence and acknowledge numbers.
Whenever <n> bytes are transmitted (pushed) the sequence number is incremented by <n> bytes.
When the receiver gets the <n> bytes the acknowledge number is incremented by <n> bytes.

Since the ASCII string is almost always converted to a longer or shorter string, NAT must adjust
both sequence and acknowledge numbers accordingly.

3.3.1 Setup

In the following sections we will consider the following setup:

[Setup diagram with the labels: FTP Server 89.20.0.1/16, NAT, LAN, IP Router, LAN, FTP Client 156.27.156.20/16]

3.3.2 Active FTP

A PORT command (from the client to the server) might look like:

"PORT 156,27,156,20,5,70<cr><nl>"

The client requests the server to set up a TCP connection from port 20 to the address
156.27.156.20 port 1350 (5*256+70).

If we have a NAT table like:

Mapping  Internal    Mask         Port  External     Mask         Port
Static   156.27.0.0  255.255.0.0  0     156.127.0.0  255.255.0.0  0

The new PORT command will be:

"PORT 156,127,156,20,5,70<cr><nl>"

As you can see, the string length was incremented and an entry is added to the NAT internal FTP
table where the sequence and acknowledge numbers are stored for this particular control
connection. The numbers must be adjusted with delta set to 1.

A subsequent PORT command:

"PORT 156,27,156,20,5,75<cr><nl>"

translates to:

"PORT 156,127,156,20,5,75<cr><nl>"

which means that the delta is incremented and takes the value 2.

3.3.3 Passive FTP

A PASV command is simply (from the client to the server):

"PASV<cr><nl>"

The reply might look like (from the server to the client):

"227 Entering Passive Mode (89,20,0,1,16,4)<cr><nl>"

The server requests the client to set up a TCP connection to the address 89.20.0.1 and the port
4096 (16*256+4). Notice that the number 227 at the beginning of the string is the reply code as
defined in RFC 959. The code uniquely identifies the string as a reply to a PASV command.

If we have a NAT table like:

Mapping  Internal    Mask         Port  External   Mask         Port
Static   189.20.0.0  255.255.0.0  0     89.20.0.0  255.255.0.0  0

The new reply will be:

"227 Entering Passive Mode (189,20,0,1,16,4)<cr><nl>"

As you can see, the string length was incremented and an entry is added to the NAT internal FTP
table where the sequence and acknowledge numbers are stored for this particular control
connection. The numbers must be adjusted with delta set to 1.

A subsequent passive reply:

"227 Entering Passive Mode (89,20,0,1,16,74)<cr><nl>"

translates to:

"227 Entering Passive Mode (189,20,0,1,16,74)<cr><nl>"

which means that the delta is incremented and takes the value 2.
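
The PORT and 227 rewriting of 3.3.2 and 3.3.3 together with the delta bookkeeping, as an added Python sketch (not the router's code). The class and function names are hypothetical, and the acknowledge adjustment assumes the lock-step command/reply exchange of an FTP control connection.

```python
import ipaddress
import re

# Anchored to one complete command or reply line, so the numbers are only
# rewritten where RFC 959 puts them and never inside other text.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),\d{1,3},\d{1,3}\r\n$")
PASV_RE = re.compile(
    rb"^227 [^()\r\n]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),\d{1,3},\d{1,3}\)\r\n$")


def translate(addr, from_net, to_net):
    """Static mapping between two nets with the same mask: keep the host bits."""
    if addr not in from_net:
        return addr
    host = int(addr) & int(from_net.hostmask)
    return ipaddress.IPv4Address(int(to_net.network_address) | host)


def rewrite_line(line, from_net, to_net):
    """Return the control-connection line with the embedded address translated."""
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if not m:
        return line
    try:
        addr = ipaddress.IPv4Address(b".".join(m.groups()).decode())
    except ValueError:              # e.g. an octet above 255: leave untouched
        return line
    new = str(translate(addr, from_net, to_net)).replace(".", ",").encode()
    return line[:m.start(1)] + new + line[m.end(4):]


class FtpControlEntry:
    """Entry in the NAT internal FTP table for one control connection."""

    def __init__(self, from_net, to_net):
        self.from_net = ipaddress.IPv4Network(from_net)
        self.to_net = ipaddress.IPv4Network(to_net)
        self.delta = 0              # bytes added so far by rewriting

    def rewritten_direction(self, seq, payload):
        """Segment in the direction that carries PORT commands or 227 replies."""
        new_payload = rewrite_line(payload, self.from_net, self.to_net)
        new_seq = (seq + self.delta) % 2**32    # shifted by earlier growth
        self.delta += len(new_payload) - len(payload)
        return new_seq, new_payload

    def opposite_direction(self, ack):
        """Acknowledge number travelling back towards the original sender."""
        # Simplification: the ACK is assumed to cover everything sent so far.
        return (ack - self.delta) % 2**32


if __name__ == "__main__":
    entry = FtpControlEntry("156.27.0.0/16", "156.127.0.0/16")
    print(entry.rewritten_direction(1000, b"PORT 156,27,156,20,5,70\r\n"))
    print(entry.opposite_direction(1026), entry.delta)
```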

3.4 ICMP (Internet Control Message Protocol)
ICMP is handled in NAT. ICMP is supported as follows:

• If the router runs single IP, the router will reply to ICMP echo requests destined to the
single IP address.
• The inner part of ICMP packets may contain the internet header and 64 bits of the original
datagram. The addresses in the original header and any TCP/UDP ports are translated as
necessary. This enables the usage of traceroute.

3.5 ARP (Address Resolution Protocol)


ARP packets are translated if NAT is enabled on a LAN.

4. Checksum Adjustment
NAT normally translates source addresses for transmit packets and destination addresses for
received packets.

Consider a complete TCP-packet:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The header checksum must be recalculated if the source address or destination address is
modified. The checksum can be modified incrementally. The checksum algorithm is
straightforward: A 16-bit ADC (add with carry) is performed throughout the header, and the
result must be 0xffff. Example:

45 00 00 2c 05 7e 00 00 30 06 13 bc 80 11 0a 64
c7 0b 20 12

Data   32-bit ADD  16-bit ADC
45 00  4500        4500
00 2c  452c        452c
05 7e  4aaa        4aaa
00 00  4aaa        4aaa
30 06  7ab0        7ab0
13 bc  8e6c        8e6c
80 11  10e7d       0e7e
0a 64  118e1       18e2
c7 0b  1dfec       dfed
20 12  1fffe       ffff

If we change the source address from 0x80110a64 to 0x0a010001 we must adjust the header
checksum 0x13bc. RFC 1624 describes a method for doing this. First we adjust with 0x8011 and
0x0a01 and then with 0x0a64 and 0x0001.

~(~0x13bc + ~0x8011 + 0x0a01) = ~(0xec43 + 0x7fee + 0x0a01) = ~0x17632
with ADC: = ~0x7633 = 0x89cc

~(~0x89cc + ~0x0a64 + 0x0001) = ~(0x7633 + 0xf59b + 0x0001) = ~0x16bcf
with ADC: = ~0x6bd0 = 0x942f

Data   32-bit ADD  16-bit ADC
45 00  4500        4500
00 2c  452c        452c
05 7e  4aaa        4aaa
00 00  4aaa        4aaa
30 06  7ab0        7ab0
94 2f  10edf       0ee0
0a 01  118e0       18e1
00 01  118e1       18e2
c7 0b  1dfec       dfed
20 12  1fffe       ffff

For TCP datagrams, the TCP checksum must also be adjusted. This is because TCP and UDP
include a pseudo header in the checksum calculation. The pseudo header looks like:

+--------+--------+--------+--------+
|           Source Address          |
+--------+--------+--------+--------+
|         Destination Address       |
+--------+--------+--------+--------+
|  zero  |  PTCL  |    TCP Length   |
+--------+--------+--------+--------+

The checksum must therefore be adjusted with respect to changed source/destination addresses.
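
The incremental adjustment worked through above, applied to both the IP header checksum and the TCP checksum, as an added Python example (not the router's code). The IP header bytes are the ones from the text; the TCP segment is constructed for the example and the function names are hypothetical.

```python
def ones_sum(words):
    """16-bit add-with-carry sum (the "16-bit ADC" column in the tables)."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)    # fold the carry back in
    return total


def words(data):
    """Split an even-length byte string into big-endian 16-bit words."""
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2)]


def patch(csum, old, new):
    """RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'), applied word by word."""
    for m, m2 in zip(words(old), words(new)):
        csum = ~ones_sum([~csum & 0xFFFF, ~m & 0xFFFF, m2]) & 0xFFFF
    return csum


def tcp_checksum(src, dst, segment):
    """TCP checksum from scratch over the pseudo header and the segment."""
    seg = bytearray(segment)
    seg[16:18] = b"\x00\x00"                        # checksum field counts as zero
    pseudo = src + dst + b"\x00\x06" + len(seg).to_bytes(2, "big")
    return ~ones_sum(words(pseudo + bytes(seg))) & 0xFFFF


def nat_source(ip_header, segment, new_src):
    """Rewrite the source address and patch both checksums incrementally."""
    ip, tcp = bytearray(ip_header), bytearray(segment)
    old_src = bytes(ip[12:16])
    ip[10:12] = patch(int.from_bytes(ip[10:12], "big"), old_src, new_src).to_bytes(2, "big")
    ip[12:16] = new_src
    # The TCP checksum covers the pseudo header, which holds the source address.
    tcp[16:18] = patch(int.from_bytes(tcp[16:18], "big"), old_src, new_src).to_bytes(2, "big")
    return bytes(ip), bytes(tcp)


# IP header from the text (checksum 0x13bc, source 0x80110a64).
PAGE_IP_HEADER = bytes.fromhex("4500002c057e0000300613bc80110a64c70b2012")


def build_sample():
    """Constructed 24-byte TCP SYN (ports 1030 -> 80, MSS option) for the header."""
    seg = bytearray.fromhex("0406005000000001000000006002200000000000020405b4")
    csum = tcp_checksum(PAGE_IP_HEADER[12:16], PAGE_IP_HEADER[16:20], seg)
    seg[16:18] = csum.to_bytes(2, "big")
    return PAGE_IP_HEADER, bytes(seg)


if __name__ == "__main__":
    ip, tcp = nat_source(*build_sample(), bytes.fromhex("0a010001"))
    print(ip[10:12].hex(), tcp[16:18].hex())
```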
