Here's something for folks out there to have a think about. You have your dialup PC, sitting at home, gatewaying your workstation from which you surf away on the web. Your link drops, you redial and get a new IP# for your NAT sessions. For at least some period of time, your old IP# may be black holed, or worse, allocated to another Internet user. The second case is worse because small amounts of your web session *may* leak to someone else. Whatever the case, there is a period of time in which the original endpoints believe a connection exists, which no longer does. Should a pre-emptive strike be launched by the firewall to blow these away by doing something like sending TCP RSTs? What about for DNS/NTP queries - are ICMP unreachables appropriate?

Darren
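To make the stale-translation problem concrete, here is an added toy model of a NAT gateway's translation table across a redial. It is not code from the post or from any firewall; the addresses, ports, policy names ("keep" / "reset") and the control-message tuples are constructed for the example. With "keep", an inside host retransmitting on an old TCP session is still translated to the old external address, which is the leak Darren describes; with "reset", the gateway flushes the entries and tells the inside host, TCP via RST and UDP (DNS/NTP) via ICMP port unreachable.

```python
"""Toy NAT translation table across a dialup re-address (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src_ip: str     # inside host
    src_port: int
    dst_ip: str     # remote server
    dst_port: int


@dataclass
class NatEntry:
    flow: Flow
    ext_ip: str     # gateway address in force when the entry was created
    ext_port: int


class NatGateway:
    def __init__(self, ext_ip, first_port=40000):
        self.ext_ip = ext_ip
        self.table = {}              # inside Flow -> NatEntry
        self.next_port = first_port

    def translate_outbound(self, flow):
        """Return the (src_ip, src_port) an outbound packet leaves with.
        An existing entry is reused even if it was created under an old address."""
        entry = self.table.get(flow)
        if entry is None:
            entry = NatEntry(flow, self.ext_ip, self.next_port)
            self.next_port += 1
            self.table[flow] = entry
        return entry.ext_ip, entry.ext_port

    def readdress(self, new_ip, policy):
        """Link dropped and redialled: the gateway now owns new_ip.
        policy "keep"  : leave old entries in place (the leak case)
        policy "reset" : drop them and notify the inside host:
                         TCP -> RST, UDP -> ICMP port unreachable.
        Returns the list of control messages the gateway would emit."""
        self.ext_ip = new_ip
        control = []
        if policy == "reset":
            for flow in list(self.table):
                kind = "RST" if flow.proto == "tcp" else "ICMP_PORT_UNREACH"
                # message is addressed to the inside endpoint of the dead session
                control.append((kind, flow.src_ip, flow.src_port,
                                flow.dst_ip, flow.dst_port))
                del self.table[flow]
        return control


def simulate(policy, old_ip="203.0.113.10", new_ip="203.0.113.77"):
    """Drive one web (TCP) and one DNS (UDP) session through a redial.
    Addresses are documentation ranges; values are constructed."""
    gw = NatGateway(old_ip)
    web = Flow("tcp", "192.168.1.2", 1025, "198.51.100.5", 80)
    dns = Flow("udp", "192.168.1.2", 1026, "198.51.100.53", 53)
    gw.translate_outbound(web)
    gw.translate_outbound(dns)
    control = gw.readdress(new_ip, policy)
    # inside host retransmits on the old web session after the redial
    src_ip, _ = gw.translate_outbound(web)
    return {
        "control": control,
        "leaks_old_ip": src_ip == old_ip,   # packet leaves with an address we no longer own
        "entries": len(gw.table),
    }


if __name__ == "__main__":
    for policy in ("keep", "reset"):
        print(policy, simulate(policy))
```

Note what the model cannot do: the resets only reach the inside host. A RST sent toward the remote server would leave from the new address and would not match the 4-tuple the server holds for the old connection, so the remote side's state can only age out on its own (or be cleared by whoever now holds the old address, which is exactly the leakage concern).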
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:49 PDT