I think I know what you're getting at... First, a note: IP isn't designed for security. Add this to your daily Mantra of Facts About the Internet. If any packets for your old session get thrown at the new owner of your IP address, the state machine in that IP stack will see them, notice that they aren't part of an existing connection, and dump them. For TCP, it is supposed to TCP-RST them, from memory. Not that the TCP-RST packet will be accepted by the remote end - on their machine, the session will just hang around in FIN-WAIT for ages. So, that part is all covered. Nobody can resume your old sessions unless they are: a) a sequence number guessing genius (assuming you run a sane OS)and b) lucky enough to get your IP address when they dial up, and c) fast enough so that the packets you're worried about don't get bounced in the meantime by the ISP who has just removed the routes to that IP address (since you disconnected). If you're worried about the new owner of your IP address being EVIL and running sniffers and stuff, then you need to make sure that anything that you're doing which is sensitive is encrypted. But you do that anyway, right? I thought so. Your NAT sessions will all die horribly and will need to be re-established. You cannot pick up an old TCP session with a new IP address. One final note: Once you get the new IP address there's nothing you can do to close down those old sessions - the stack at the remote end won't accept RSTs from you since you've now got a new IP address and aren't part of the old session. The only way your pre-emptive strike could work is if it were performed before the link dropped - this is likely to be impossible. Is this what you were talking about or have I just shot my mouth off? ;) Oh, and if none of that made sense, drop me a line. 8) > -----Original Message----- > From: Darren Reed [mailto:darrenrat_private] > Sent: None > To: firewall-wizardsat_private > Subject: How should NAT terminate ? > > > > Here's something for folks out there to have a think about. > > You have your dialup PC, sitting at home, gatewaying your > workstation from which you surf away on the web. Your link > drops, you redial and get a new IP# for your NAT sessions. > > For at least some period of time, your old IP# may be black > holed, or worse, allocated to another Internet user. The > second case is worse because small amounts of your web session > *may* leak to someone else. > > Whatever the case, there is a period of time in which the original > endpoints believe a connection exists, which no longer does. Should > a pre-emptive strike be lunched by the firewall to blow these away > by doing something like sending TCP RST's ? What about for DNS/NTP > queries - are ICMP unreachables appropriate ? > > Darren Cheers, -- Ben Nagy Network Consultant, CPM&S Group of Companies PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:51 PDT