RE: How should NAT terminate ?

[Ben Nagy <bnagy () cpms com au>]

I think I know what you're getting at...

First, a note: IP isn't designed for security. Add this to your daily Mantra
of Facts About the Internet.

If any packets for your old session get thrown at the new owner of your IP
address, the state machine in that IP stack will see them, notice that they
aren't part of an existing connection, and dump them. For TCP, it is
supposed to TCP-RST them, from memory.

Not that the TCP-RST packet will be accepted by the remote end - on their
machine, the session will just hang around in FIN-WAIT for ages.

So, that part is all covered. Nobody can resume your old sessions unless
they are:
a) a sequence number guessing genius (assuming you run a sane OS)and 
b) lucky enough to get your IP address when they dial up, and 
c) fast enough so that the packets you're worried about don't get bounced in
the meantime by the ISP who has just removed the routes to that IP address
(since you disconnected).

If you're worried about the new owner of your IP address being EVIL and
running sniffers and stuff, then you need to make sure that anything that
you're doing which is sensitive is encrypted. But you do that anyway, right?
I thought so.

Your NAT sessions will all die horribly and will need to be re-established.
You cannot pick up an old TCP session with a new IP address.

One final note: Once you get the new IP address there's nothing you can do
to close down those old sessions - the stack at the remote end won't accept
RSTs from you since you've now got a new IP address and aren't part of the
old session. The only way your pre-emptive strike could work is if it were
performed before the link dropped - this is likely to be impossible.

Is this what you were talking about or have I just shot my mouth off? ;)

Oh, and if none of that made sense, drop me a line. 8)

> -----Original Message-----
> From: Darren Reed [mailto:darrenr () reed wattle id au]
> Sent: None
> To: firewall-wizards () nfr net
> Subject: How should NAT terminate ?
>
>
>
> Here's something for folks out there to have a think about.
>
> You have your dialup PC, sitting at home, gatewaying your
> workstation from which you surf away on the web.  Your link
> drops, you redial and get a new IP# for your NAT sessions.
>
> For at least some period of time, your old IP# may be black
> holed, or worse, allocated to another Internet user.  The
> second case is worse because small amounts of your web session
> *may* leak to someone else.
>
> Whatever the case, there is a period of time in which the original
> endpoints believe a connection exists, which no longer does.  Should
> a pre-emptive strike be lunched by the firewall to blow these away
> by doing something like sending TCP RST's ?  What about for DNS/NTP
> queries - are ICMP unreachables appropriate ?
>
> Darren

Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520