Subject: Re: How should NAT terminate ?
From: TC Wolsey (twolsey@realtech.com)
Date: Mon Jan 10 2000 - 09:11:06 CST
> Darren Reed <darrenr@reed.wattle.id.au> 01/10/00 03:13AM >>>
>
>Here's something for folks out there to have a think about.
>
>You have your dialup PC, sitting at home, gatewaying your
>workstation from which you surf away on the web. Your link
>drops, you redial and get a new IP# for your NAT sessions.
>
>For at least some period of time, your old IP# may be black
>holed, or worse, allocated to another Internet user. The
>second case is worse because small amounts of your web session
>*may* leak to someone else.
>
>Whatever the case, there is a period of time in which the original
>endpoints believe a connection exists, which no longer does. Should
>a pre-emptive strike be launched by the firewall to blow these away
>by doing something like sending TCP RSTs? What about for DNS/NTP
>queries - are ICMP unreachables appropriate?
>
>Darren
>
Attempting to terminate the connection seems like a good idea, but how is it done reliably in an environment where the firewall does not terminate the data-link connection to one side of the connection? In a dialup environment I would guess that you would look for host/destination unreachables from some point inside the firewall and close the connections based on that info. Of course that would require filtering on each line to prevent a DoS where one inside attacker host spoofs unreachables which would cause the firewall to close active connections to the victim host. What happens in a broadcast capable environment where the blackhole exists for a longer period (say an arp timeout)? Also in this environment the unreachables have to be filtered at two layers, the typically static data-link and the dynamic network.
Regards,
--tcw
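The two mechanisms discussed in this thread, pre-emptive teardown of sessions orphaned by an address change and acceptance of ICMP unreachables only after they have been checked against both the ingress interface and the NAT's own session state, can be sketched as a small session-table model. The following is an added illustration written for this archive page, not code from the list, from Darren's or TC's posts, or from any firewall product; the class and method names, the per-interface prefix check, and every address (documentation ranges only) are constructed for the example.

```python
"""
Model of a NAT gateway that (a) closes sessions bound to an external address
that has just gone away, telling the inside host with a TCP RST or an ICMP
port unreachable, and (b) refuses to let an ICMP unreachable close a session
unless its source address is plausible for the interface it arrived on and
the header it quotes is exactly one of the gateway's own translated packets.
Constructed example; all names and addresses are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Session:
    inside: Flow    # as seen on the LAN side (private source address)
    outside: Flow   # as seen on the Internet (translated source address/port)
    state: str = "established"


class NatGateway:
    def __init__(self, external_ip, ifaces):
        # ifaces: interface name -> prefixes whose addresses may arrive on it
        self.external_ip = external_ip
        self.ifaces = {n: [ip_network(p) for p in ps] for n, ps in ifaces.items()}
        self.sessions = []
        self.next_port = 40000          # constructed translated-port allocator
        self.dropped = []               # (reason, quoted flow) for refused errors

    def open(self, proto, src, sport, dst, dport):
        inside = Flow(proto, src, sport, dst, dport)
        outside = Flow(proto, self.external_ip, self.next_port, dst, dport)
        self.next_port += 1
        s = Session(inside, outside)
        self.sessions.append(s)
        return s

    def rebind(self, new_ip):
        """Link dropped and redialled: the old address is gone, so no session
        bound to it can ever see a reply. Close each one now and tell the
        inside host (TCP RST, or ICMP port unreachable for UDP) rather than
        leaving the endpoints to believe the connection still exists."""
        actions = []
        for s in self.sessions:
            if s.state == "established" and s.outside.src == self.external_ip:
                s.state = "closed"
                kind = "tcp-rst" if s.inside.proto == "tcp" else "icmp-port-unreach"
                actions.append((kind, s.inside))
        self.external_ip = new_ip
        return actions

    def _rpf_ok(self, iface, addr):
        """Reverse-path style check: the most specific prefix that contains
        the source address must belong to the interface the packet came in on."""
        a = ip_address(addr)
        best = None                     # (prefixlen, iface) of best match
        for name, nets in self.ifaces.items():
            for n in nets:
                if a in n and (best is None or n.prefixlen > best[0]):
                    best = (n.prefixlen, name)
        return best is not None and best[1] == iface

    def icmp_unreachable(self, iface, icmp_src, quoted):
        """An ICMP unreachable arrived on `iface` from `icmp_src`, quoting the
        header `quoted` of the packet that failed. Close the matching session
        only if the source passes the interface check and the quoted header
        is one of our own translated outbound packets; otherwise record it."""
        if not self._rpf_ok(iface, icmp_src):
            self.dropped.append(("spoofed-source", quoted))
            return None
        for s in self.sessions:
            if s.state == "established" and s.outside == quoted:
                s.state = "closed"
                return s
        self.dropped.append(("no-matching-session", quoted))
        return None


if __name__ == "__main__":
    gw = NatGateway("198.51.100.20", {"eth0": ["192.168.1.0/24"], "ppp0": ["0.0.0.0/0"]})
    web = gw.open("tcp", "192.168.1.10", 5000, "203.0.113.5", 80)
    # An unreachable from an upstream router quoting our real translated packet
    print(gw.icmp_unreachable("ppp0", "198.51.100.1", web.outside).state)
    print(gw.rebind("198.51.100.99"))
```

The interface check is what TC's "filtering on each line" amounts to: an inside host cannot claim to be the remote peer or an upstream router, and even a correctly sourced error only closes a session if it quotes the translated five-tuple the gateway actually emitted. In a real implementation the quoted header comparison would also have to tolerate routers that truncate the quoted packet, which this model ignores.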
This archive was generated by hypermail 2b27 : Mon Jan 10 2000 - 17:59:09 CST