Network topology concealment using address permutation

US8934487B2 · US · B2

Patent metadata
Publication number: US-8934487-B2
Application number: US-61308009-A
Country: US
Kind code: B2
Filing date: Nov 5, 2009
Priority date: Nov 5, 2009
Publication date: Jan 13, 2015
Grant date: Jan 13, 2015

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A first packet is received from a client over an internal network destined for a remote node of an external network. The first packet includes a source IP address having an internal network portion that identifies a location of the client in the internal network and an external network portion that identifies a location of the internal network accessible by the external network. An obfuscation operation is performed on the internal network portion of the source IP address of the first packet to conceal the location of the client in the internal network and the internal network portion of the source IP address of the first packet is rewritten with the obfuscated internal network portion while maintaining the current external network portion of the source IP address. Thereafter, the first packet is transmitted to the remote node over the external network.

First claim

Opening claim text (preview).

What is claimed is:

1. A method in a network element interfacing an internal network with an external network for translating an Internet Protocol (IP) address of a client of the internal network and using the translated IP address to route packets associated with the client to and from a remote node of the external network without exposing an internal network portion of the IP address of the client to the remote node, the method comprising the steps of: receiving a first packet from the client over the internal network that is destined for the remote node of the external network, wherein the first packet is associated with a first packet flow, and wherein the first packet includes a source IP address separated into an internal network portion that identifies a location of the client in the internal network and separated into an external network portion that identifies a location of the internal network accessible by the external network; obfuscating the internal network portion of the source IP address of the first packet to conceal the location of the client in the internal network according to a first invertible function; rewriting the source IP address of the first packet by rewriting the internal network portion of the source IP address of the first packet with the obfuscated internal network portion while maintaining the current external network portion of the source IP address; transmitting the first packet to the remote node over the external network with the rewritten internal network portion of the source IP address, whereby the location of the client in the internal network is concealed from the remote node while allowing the remote node to reach the internal network through the external network portion of the source IP address; collecting flow state information about existing communication sessions, wherein the flow state information is to be used to identify packets belonging to the existing communication sessions, wherein the existing communication sessions include the first packet flow; beginning a stateful grace period by, for packets received from clients of the internal network and destined to the external network, using a second invertible function for obfuscating those of the received packets not identified as belonging to the existing communication sessions in the collected flow state information, while contemporaneously obfuscating those of the received packets identified as belonging to the existing communication sessions in the collected flow state information using the first invertible function for at least a period of time until an end of the stateful grace period; and ending the stateful grace period by using only the second invertible function to obfuscate packets received from the clients of the internal network that are destined to the external network until another stateful grace period begins.

2. The method of claim 1, wherein the step of obfuscating comprises permuting a subnet identifier and an interface identifier of the source IP address.

3. The method of claim 1, wherein the step of obfuscating comprises performing at least one of a bit flip and bit swap operations on a plurality of bits of the internal network portion of the source IP address.

4. The method of claim 1, further comprising the steps of: during the stateful grace period, receiving a second packet from the remote node over the external network destined for the client, wherein the second packet is associated with the first packet flow and includes a destination IP address that matches the rewritten IP address; responsive to identifying the second packet as belonging to the existing communication sessions in the collected flow state information, deobfuscating the destination IP address of the second packet according to an inverse of the first invertible function to reveal the location of the client in the internal network; replacing the destination IP address of the second packet with the deobfuscated destination IP address, wherein the deobfuscated destination IP address is identical to the original source IP address of the first packet; transmitting the second packet to the client over the internal network, whereby the client is reachable by the remote node without revealing the location of the client in the internal network; during the stateful grace period, receiving a third packet from the client over the internal network that is destined for the remote node of the external network, wherein the third packet belongs to the first packet flow; responsive to identifying the third packet as belonging to the existing communication sessions in the collected flow state information, obfuscating the internal network portion of the source IP address of the third packet to conceal the location of the client in the internal network according to the first invertible function; rewriting the source IP address of the third packet by rewriting the internal network portion of the source IP address of the third packet with the obfuscated internal network portion while maintaining the current external network portion of the source IP address; and transmitting the third packet to the remote node over the external network with the rewritten internal network portion of the source IP address, whereby the location of the client in the internal network is concealed from the remote node while allowing the remote node to reach the internal network through the external network portion of the source IP address.

5. The method of claim 4, further comprising the steps of: during the stateful grace period, receiving a fourth packet from the client over the internal network that is destined for the remote node of the external network, wherein the fourth packet is associated with a second packet flow not belonging to the existing communication sessions in the collected flow state information; responsive to identifying that the fourth packet does not belong to the existing communication sessions in the collected flow state information, obfuscating the internal network portion of the source IP address of the fourth packet to conceal the location of the client in the internal network according to the second invertible function; rewriting the source IP address of the fourth packet by rewriting the internal network portion of the source IP address of the fourth packet with the obfuscated internal network portion while maintaining the current external network portion of the source IP address; transmitting the fourth packet to the remote node over the external network with the rewritten internal network portion of the source IP address, whereby the location of the client in the internal network is concealed from the remote node while allowing the remote node to reach the internal network through the external network portion of the source IP address; during the stateful grace period, receiving a fifth packet from the remote node over the external network destined for the client, wherein the fifth packet is associated with the second packet flow; responsive to identifying that the fifth packet does not belong to the existing communication sessions in the collected flow state information, deobfuscating the destination IP address of the fifth packet according to an inverse of the second invertible function to reveal the location of the client in the internal network; replacing the destination IP address of the fifth packet with the deobfuscated destination IP address; and transmitting the fifth packet to the client over the internal network, whereby the client is reachable by the remote node without revealing the location of the client in the internal network.

6. A network element interfacing an internal network with an external network for translating an Internet Protocol (IP) address of a client of the internal network and
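The mechanism in the abstract and in claims 1 through 5 (an invertible function over the internal portion of the source address, the external prefix left untouched, and a stateful grace period so that sessions started under the first function keep working while new sessions move to the second) is easier to reason about in code. The following example was written for this page and is not the patentee's implementation. It assumes an IPv6 site where the external portion is the /48 prefix and the internal portion is the remaining 80 bits (16-bit subnet identifier plus 64-bit interface identifier), identifies a flow by (client address, client port, remote address, remote port), and builds the invertible function as a seeded bit permutation followed by a bit-flip mask; the names Translator, InvertibleObfuscator, split, join and scenario, and the addresses used, are all constructed for the example.

```python
"""Illustrative code added for this page (not the patentee's implementation):
IPv6 source-address obfuscation with an invertible keyed bit permutation and
the stateful grace period used to change the function without breaking live
sessions. Assumed: external portion = site /48, internal portion = remaining
80 bits (subnet id + interface id), flows keyed by (client, cport, remote, rport)."""
import ipaddress
import random

PREFIX_LEN = 48                      # assumption: external portion is the site /48
INTERNAL_BITS = 128 - PREFIX_LEN     # subnet id (16) + interface id (64)
INTERNAL_MASK = (1 << INTERNAL_BITS) - 1


def split(addr: str):
    """(external portion, internal portion) of an IPv6 address as integers."""
    n = int(ipaddress.IPv6Address(addr))
    return n >> INTERNAL_BITS, n & INTERNAL_MASK


def join(external: int, internal: int) -> str:
    return str(ipaddress.IPv6Address((external << INTERNAL_BITS) | internal))


class InvertibleObfuscator:
    """Keyed bit permutation followed by bit flips (claims 2 and 3). Both
    steps are bijections on 80-bit values, so the function is invertible."""

    def __init__(self, seed: int):
        rng = random.Random(seed)
        self.perm = list(range(INTERNAL_BITS))   # output bit i <- input bit perm[i]
        rng.shuffle(self.perm)
        self.inv = [0] * INTERNAL_BITS
        for out_bit, in_bit in enumerate(self.perm):
            self.inv[in_bit] = out_bit
        self.mask = rng.getrandbits(INTERNAL_BITS)

    @staticmethod
    def _permute(value: int, table) -> int:
        out = 0
        for out_bit, in_bit in enumerate(table):
            if (value >> in_bit) & 1:
                out |= 1 << out_bit
        return out

    def forward(self, internal: int) -> int:
        return self._permute(internal, self.perm) ^ self.mask

    def inverse(self, obfuscated: int) -> int:
        return self._permute(obfuscated ^ self.mask, self.inv)


class Translator:
    """Network element on the internal/external boundary (claim 1)."""

    def __init__(self, seed: int):
        self.current = InvertibleObfuscator(seed)
        self.flows = {}      # (client, cport, remote, rport) -> obfuscator in use
        self.reverse = {}    # (rewritten, cport, remote, rport) -> obfuscator in use

    def rotate(self, new_seed: int):
        """Begin a stateful grace period: sessions already in the flow table keep
        the first function, anything else gets the second."""
        self.current = InvertibleObfuscator(new_seed)

    def end_grace_period(self):
        """Only the current function remains; state for old-function flows is
        dropped, so a session that outlived the grace period will break."""
        self.flows = {k: f for k, f in self.flows.items() if f is self.current}
        self.reverse = {k: f for k, f in self.reverse.items() if f is self.current}

    def outbound(self, client, cport, remote, rport) -> str:
        """Rewrite the source address of a client -> remote packet."""
        key = (client, cport, remote, rport)
        f = self.flows.setdefault(key, self.current)   # unknown flow: current function
        ext, internal = split(client)
        rewritten = join(ext, f.forward(internal))      # external portion kept as-is
        self.reverse[(rewritten, cport, remote, rport)] = f
        return rewritten

    def inbound(self, dst, dport, src, sport) -> str:
        """Restore the destination address of a remote -> client packet."""
        f = self.reverse.get((dst, dport, src, sport), self.current)
        ext, obfuscated = split(dst)
        return join(ext, f.inverse(obfuscated))


def scenario() -> dict:
    """Replay the packet sequence of claims 1, 4 and 5 across a function change."""
    t = Translator(seed=1)
    client = "2001:db8:1:2a::10"    # constructed client; site prefix 2001:db8:1::/48
    remote = "2001:db8:ffff::1"     # constructed remote node
    first = t.outbound(client, 40000, remote, 443)    # first packet, first flow
    t.rotate(new_seed=2)                              # grace period begins
    third = t.outbound(client, 40000, remote, 443)    # same flow: first function
    fourth = t.outbound(client, 40001, remote, 443)   # new flow: second function
    second = t.inbound(first, 40000, remote, 443)     # reply to the first flow
    fifth = t.inbound(fourth, 40001, remote, 443)     # reply to the new flow
    t.end_grace_period()
    stale = t.inbound(first, 40000, remote, 443)      # old mapping forgotten
    site = ipaddress.IPv6Network("2001:db8:1::/48")
    return {"client": client, "first": first, "third": third, "fourth": fourth,
            "second": second, "fifth": fifth, "stale": stale,
            "prefix_kept": all(ipaddress.IPv6Address(a) in site for a in (first, fourth))}
```

Two things the claims imply but do not spell out are visible when scenario() runs: the reply to the first flow after the grace period ends ("stale") is decoded with the wrong inverse and no longer reaches the client, so the grace period has to outlast the longest session worth preserving; and because the function is deterministic within a period, a remote node sees the same rewritten address for a client across all of that client's flows until the next rotation, so rotation frequency, not the permutation, bounds how long a client stays linkable.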

Assignees

Ericsson Telefon Ab L M (as listed in the page's own data below)

Inventors

Vogt Christian, Jokela Petri

Classifications

  • Translation policies or rules · CPC title

  • H04L63/0407 (primary) · wherein the identity of one or more communicating identities is hidden (cryptographic mechanisms or cryptographic arrangements for anonymous credentials or for identity based cryptographic systems H04L9/00) · CPC title

  • Electricity · mapped topic

Patent family

Related publications grouped by family.


Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US8934487B2 cover?
A first packet is received from a client over an internal network destined for a remote node of an external network. The first packet includes a source IP address having an internal network portion that identifies a location of the client in the internal network and an external network portion that identifies a location of the internal network accessible by the external network. An obfuscation …
Who is the assignee on this patent?
Ericsson Telefon Ab L M is the assignee; Vogt Christian and Jokela Petri are the named inventors.
What technology area does this patent fall under?
Primary CPC classification H04L63/0407. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 13, 2015 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).