Firewall Wizards mailing list archives
RE: How should NAT terminate ?
From: Ben Nagy <bnagy () cpms com au>
Date: Mon, 10 Jan 2000 16:44:51 +1030
I think I know what you're getting at... First, a note: IP isn't designed for security. Add this to your daily Mantra of Facts About the Internet. If any packets for your old session get thrown at the new owner of your IP address, the state machine in that IP stack will see them, notice that they aren't part of an existing connection, and dump them. For TCP, it is supposed to TCP-RST them, from memory. Not that the TCP-RST packet will be accepted by the remote end - on their machine, the session will just hang around in FIN-WAIT for ages. So, that part is all covered. Nobody can resume your old sessions unless they are: a) a sequence number guessing genius (assuming you run a sane OS)and b) lucky enough to get your IP address when they dial up, and c) fast enough so that the packets you're worried about don't get bounced in the meantime by the ISP who has just removed the routes to that IP address (since you disconnected). If you're worried about the new owner of your IP address being EVIL and running sniffers and stuff, then you need to make sure that anything that you're doing which is sensitive is encrypted. But you do that anyway, right? I thought so. Your NAT sessions will all die horribly and will need to be re-established. You cannot pick up an old TCP session with a new IP address. One final note: Once you get the new IP address there's nothing you can do to close down those old sessions - the stack at the remote end won't accept RSTs from you since you've now got a new IP address and aren't part of the old session. The only way your pre-emptive strike could work is if it were performed before the link dropped - this is likely to be impossible. Is this what you were talking about or have I just shot my mouth off? ;) Oh, and if none of that made sense, drop me a line. 8)
-----Original Message----- From: Darren Reed [mailto:darrenr () reed wattle id au] Sent: None To: firewall-wizards () nfr net Subject: How should NAT terminate ? Here's something for folks out there to have a think about. You have your dialup PC, sitting at home, gatewaying your workstation from which you surf away on the web. Your link drops, you redial and get a new IP# for your NAT sessions. For at least some period of time, your old IP# may be black holed, or worse, allocated to another Internet user. The second case is worse because small amounts of your web session *may* leak to someone else. Whatever the case, there is a period of time in which the original endpoints believe a connection exists, which no longer does. Should a pre-emptive strike be lunched by the firewall to blow these away by doing something like sending TCP RST's ? What about for DNS/NTP queries - are ICMP unreachables appropriate ? Darren
Cheers, -- Ben Nagy Network Consultant, CPM&S Group of Companies PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
Current thread:
- How should NAT terminate ? Darren Reed (Jan 09)
- Re: How should NAT terminate ? Mikael Olsson (Jan 10)
- Re: How should NAT terminate ? Darren Reed (Jan 12)
- Re: How should NAT terminate ? Mikael Olsson (Jan 15)
- Y2K fix for 'elm' (Was: Re: How should NAT terminate ?) Joseph S D Yao (Jan 20)
- Re: Y2K fix for 'elm' (Was: Re: How should NAT terminate ?) Darren Reed (Jan 20)
- Re: How should NAT terminate ? Darren Reed (Jan 12)
- <Possible follow-ups>
- RE: How should NAT terminate ? Ben Nagy (Jan 10)
- RE: How should NAT terminate ? Johnny Shelley (Jan 12)
- Re: How should NAT terminate ? Darren Reed (Jan 12)
- Re: How should NAT terminate ? TC Wolsey (Jan 10)
- RE: How should NAT terminate ? James R Grinter (Jan 12)
- RE: How should NAT terminate ? Ben Nagy (Jan 13)
- Re: How should NAT terminate ? Mikael Olsson (Jan 10)