by mindslight 359 days ago
Ah, I got you. I hear session layer and think something a bit more ingrained in the core network, but I can see how that would work. Relying on a secret 32 bit nonce chafes me a bit, but there is a similar problem with guessing sequence numbers (modulo source IP spoofing, which has been greatly clamped down on). And there could always have been some extensions adding cryptographic security, time out the roaming functionality if lots of wrong packets trying to guess session identifiers were received, etc.

Developing on that last bit I threw out, especially since you're lamenting the non-adoption of SCTP. With the retrospective from NAT, it feels like it would have been good to factor out the "port" part of TCP/UDP and put it in the IP header instead ("flow ID" or something). Then define (saddr, daddr, protocol#, flowID) as a "flow tuple" for middle boxes to operate on. TCP/UDP/SCTP could then define and present those bits as port numbers.

This could even be size-negative if you threw out that whole fragmentation thing in favor of completely punting it to a higher layer instead.

(I realize this goes against the end-to-end principle and strict layer separation, but the fact is that despite the goal, middle boxes are mucking with packets, and when that mechanism cannot be prevented, facilitating it would be better for maintaining flexibility.)
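To make the "flow tuple" idea from the comment concrete, here is an added example (not the commenter's code, and not any real protocol): a hypothetical network-layer header carrying (saddr, daddr, protocol#, flowID), a transport layer that presents the 32-bit flow ID as a port pair, and a stateful NAT that rewrites only the flow tuple while treating everything above it as opaque payload. The 13-byte header layout, the address values and the flow-ID allocation scheme are all constructed assumptions for illustration.

```python
"""Hypothetical 'flow ID in the IP header' sketch: header, port mapping and a
middlebox (NAT) that operates on the flow tuple only.

Everything here is constructed for illustration; the header format is an
assumption, not an existing protocol.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed header: saddr(4) daddr(4) proto(1) flow_id(4), big-endian, no padding.
HDR_FMT = "!4s4sBI"
HDR_LEN = struct.calcsize(HDR_FMT)  # 13 bytes

FlowTuple = Tuple[bytes, bytes, int, int]


@dataclass
class FlowHeader:
    saddr: bytes
    daddr: bytes
    proto: int
    flow_id: int  # 32-bit "flow ID" that replaces transport-layer ports

    def pack(self) -> bytes:
        return struct.pack(HDR_FMT, self.saddr, self.daddr,
                           self.proto & 0xFF, self.flow_id & 0xFFFFFFFF)

    @classmethod
    def unpack(cls, data: bytes) -> "FlowHeader":
        if len(data) < HDR_LEN:
            raise ValueError("truncated header")
        return cls(*struct.unpack(HDR_FMT, data[:HDR_LEN]))

    def flow_tuple(self) -> FlowTuple:
        # The only thing a middlebox is allowed to key on.
        return (self.saddr, self.daddr, self.proto, self.flow_id)


def ip(dotted: str) -> bytes:
    """Dotted-quad string to 4 raw bytes (constructed helper)."""
    return bytes(int(o) for o in dotted.split("."))


def transport_ports(flow_id: int) -> Tuple[int, int]:
    """How TCP/UDP could present the 32 flow-ID bits as (sport, dport)."""
    return (flow_id >> 16) & 0xFFFF, flow_id & 0xFFFF


def make_flow_id(sport: int, dport: int) -> int:
    """Inverse of transport_ports: the transport layer chooses the flow ID."""
    return ((sport & 0xFFFF) << 16) | (dport & 0xFFFF)


class FlowNat:
    """Stateful NAT that reads and rewrites the flow tuple and nothing else."""

    def __init__(self, public_addr: bytes):
        self.public = public_addr
        self._out: Dict[FlowTuple, int] = {}              # inside tuple -> external flow ID
        self._in: Dict[Tuple[int, bytes, int], Tuple[bytes, int]] = {}
        self._next = 0x00010000  # constructed external flow-ID allocator

    def outbound(self, pkt: bytes) -> bytes:
        hdr = FlowHeader.unpack(pkt)
        key = hdr.flow_tuple()
        if key not in self._out:
            ext = self._next
            self._next = (self._next + 1) & 0xFFFFFFFF
            self._out[key] = ext
            # Return path is keyed on (external flow ID, remote addr, proto).
            self._in[(ext, hdr.daddr, hdr.proto)] = (hdr.saddr, hdr.flow_id)
        ext = self._out[key]
        rewritten = FlowHeader(self.public, hdr.daddr, hdr.proto, ext)
        return rewritten.pack() + pkt[HDR_LEN:]  # payload passed through untouched

    def inbound(self, pkt: bytes) -> Optional[bytes]:
        hdr = FlowHeader.unpack(pkt)
        entry = self._in.get((hdr.flow_id, hdr.saddr, hdr.proto))
        if entry is None:
            return None  # no mapping for this flow tuple: drop it
        inside_addr, inside_flow = entry
        rewritten = FlowHeader(hdr.saddr, inside_addr, hdr.proto, inside_flow)
        return rewritten.pack() + pkt[HDR_LEN:]


if __name__ == "__main__":
    nat = FlowNat(ip("203.0.113.1"))
    fid = make_flow_id(40000, 443)
    pkt = FlowHeader(ip("10.0.0.5"), ip("93.184.216.34"), 6, fid).pack() + b"hello"
    out = FlowHeader.unpack(nat.outbound(pkt))
    print("outbound tuple:", out.flow_tuple(), "ports seen by transport:", transport_ports(fid))
```

The point the example makes is that the middlebox never has to know whether the payload is TCP, UDP or SCTP: it allocates an external flow ID per inside tuple, and an inbound packet is only translated when its (flow ID, remote address, protocol) matches an existing mapping, so an unsolicited packet with a guessed flow ID is simply dropped.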