Query
    MUST be permitted unless explicitly overridden by local policy (REQ-1)
    Session MUST be remembered for at least 60s (REQ-2)

Error
    MUST be traversed unless IP/ICMP checksum validation fails (REQ-3)
    Packets SHOULD only be allowed to travel between realms when belonging to an
        existing session (REQ-4, REQ-5)
    NAT sessions MUST NOT not be refreshed.

Non-QueryError
    MAY be dropped or appropriately handled (REQ-11)

DoS
    The NAT device helps prevent DoS attacks with lots and lots of ICMP error
    messages by blocking them if they are not linked to an existing session. If
    the device would not do that, we could do something like DNS amplification.

Destroying sessions
    An attacker may attempt to send bogus error messages into the NAT network
    in order to destroy the current sessions. To prevent this, the NAT device
    won't delete or refresh a NAT session based on an error message.