Firewall Wizards mailing list archives

Re: How should NAT terminate ?


From: "TC Wolsey" <twolsey () realtech com>
Date: Mon, 10 Jan 2000 10:11:06 -0500

Darren Reed <darrenr () reed wattle id au> 01/10/00 03:13AM >>>

Here's something for folks out there to have a think about.

You have your dialup PC, sitting at home, gatewaying your
workstation from which you surf away on the web.  Your link
drops, you redial and get a new IP# for your NAT sessions.

For at least some period of time, your old IP# may be black
holed, or worse, allocated to another Internet user.  The
second case is worse because small amounts of your web session
*may* leak to someone else.

Whatever the case, there is a period of time in which the original
endpoints believe a connection exists, which no longer does.  Should
a pre-emptive strike be launched by the firewall to blow these away
by doing something like sending TCP RSTs?  What about for DNS/NTP
queries - are ICMP unreachables appropriate?

Darren


Attempting to terminate the connection seems like a good idea, but how is it done reliably in an environment where the 
firewall does not terminate the data-link connection to one side of the connection? In a dialup environment I would 
guess that you would look for host/destination unreachables from some point inside the firewall and close the 
connections based on that info. Of course that would require filtering on each line to prevent a DoS where one inside 
attacker host spoofs unreachables which would cause the firewall to close active connections to the victim host. What 
happens in a broadcast capable environment where the blackhole exists for a longer period (say an arp timeout)? Also in 
this environment the unreachables have to be filtered at two layers, the typically static data-link and the dynamic 
network. 

Regards,

--tcw
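As an added illustration of the two mechanisms discussed in this thread (not code from either poster or from any real firewall), here is a toy NAT state table in Python: `readdress()` purges every session bound to the old dialup address and records the TCP RST or ICMP unreachable that would be sent to the inside host, and `on_icmp_unreachable()` only tears a session down when the error arrives on the outside interface and its quoted header matches a live translated flow exactly, which is the filtering needed so an inside host cannot spoof unreachables to kill another host's connections. Interface names, the session fields and all addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

Addr = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Session:
    proto: str    # "tcp" or "udp"
    inside: Addr  # internal host:port behind the NAT
    ext: Addr     # translated (public_ip, port) on the dialup side
    remote: Addr  # Internet peer


class NatTable:
    """Toy NAT state table (constructed example, not any real firewall)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.sessions: Set[Session] = set()
        self.notices: List[dict] = []  # resets/unreachables we would send inside

    def add(self, proto: str, inside: Addr, ext_port: int, remote: Addr) -> None:
        self.sessions.add(Session(proto, inside, (self.public_ip, ext_port), remote))

    def _notify_inside(self, s: Session) -> None:
        # TCP gets a RST; UDP flows such as DNS/NTP get an ICMP unreachable.
        kind = "tcp_rst" if s.proto == "tcp" else "icmp_unreach"
        self.notices.append({"kind": kind, "to": s.inside, "peer": s.remote})

    def readdress(self, new_ip: str) -> int:
        """Link dropped and redialled with a new IP: every session bound to the
        old address is dead on the wire, so drop it and tell the inside host."""
        stale = {s for s in self.sessions if s.ext[0] != new_ip}
        for s in stale:
            self._notify_inside(s)
        self.sessions -= stale
        self.public_ip = new_ip
        return len(stale)

    def on_icmp_unreachable(self, iface: str, quoted: Tuple[str, Addr, Addr]) -> bool:
        """quoted = (proto, src, dst) from the IP header the ICMP error carries.
        Accept it only from the outside interface and only if it names a live
        translated flow exactly; anything else (e.g. a spoof from inside) is dropped."""
        if iface != "outside":
            return False
        proto, src, dst = quoted
        match = next((s for s in self.sessions
                      if (s.proto, s.ext, s.remote) == (proto, src, dst)), None)
        if match is None:
            return False
        self.sessions.discard(match)
        self._notify_inside(match)
        return True
```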
