Firewall Wizards mailing list archives

Re: How should NAT terminate ?


From: Mikael Olsson <mikael.olsson () enternet se>
Date: Mon, 10 Jan 2000 21:38:44 +0100


Darren,

For the sake of clarity, I gather that your network setup is like
this:

PC -> Firewall with OWN dialup -> POTS -> ISP -> Internet

Darren Reed wrote:

[Modem hanging up with active NAT sessions in your local firewall]

> For at least some period of time, your old IP# may be black
> holed, or worse, allocated to another Internet user.  The
> second case is worse because small amounts of your web session
> *may* leak to someone else.

Well, this is true for any unencrypted data, so I don't really see
the increased danger here. (Thinking sniffing and redirection, etc..)
I _do_ see your point however.

> Whatever the case, there is a period of time in which the original
> endpoints believe a connection exists, which no longer does.  Should
> a pre-emptive strike be launched by the firewall to blow these away
> by doing something like sending TCP RST's ?  What about for DNS/NTP
> queries - are ICMP unreachables appropriate ?

It all really depends on who does the hang up. 

If your ISP terminates the connection (or line noise kills
it), your firewall can't do much about it. 
It COULD conceptually wait until you reconnect and then send
out a bunch of RST's using the old IP, but chances are that your
ISP will hate you for that.

If your firewall decides to terminate the dial-up connection
however, one could send out RSTs for all active TCP connections. 
This is valid behaviour, and I know there are firewalls that do 
this (send out RSTs in both directions) when they time out idle 
TCP connections. 

I don't think sending ICMP unreachables for UDP connections will
buy you a whole lot. Most UDP based protocols don't listen a
whole lot to returned ICMP messages once the "connection" is
"established"; they use timeouts instead. Heck, most don't
even listen to ICMP messages while they "connect".

In the case of DNS, sending ICMP unreachables wouldn't buy you
anything even if the server DID listen to them. The response
should arrive within seconds of your query, and I'd be damned
surprised if someone manages to steal your old IP in the time.
The server will never attempt to "resend" old responses.

NFS and the like may be a different issue however, but if
you're running NFS over unprotected lines, you're toast 
anyway.


'nuff ranting from me now.

/Mike


BTW, your copy of ELM has Y2K problems:
"Date: Sat, 8 Jan 100 01:04:08 +1100 (EST)"  *ahem* :-)
                  ^^^

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se
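The teardown policy Mike describes (RSTs in both directions for TCP state when the firewall itself drops the line or times out an idle connection, nothing for UDP, nothing at all when the ISP drops the line) modelled as a small NAT state table. This is an added illustration, not code from the thread or from any firewall product; the addresses, ports, sequence numbers and the NatEntry layout are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class NatEntry:
    proto: str            # "tcp" or "udp"
    inside: tuple         # (private IP, port) of the PC behind the firewall
    outside: tuple        # (server IP, port) on the Internet
    public: tuple         # (firewall's dial-up IP, translated port)
    inside_seq: int = 0   # next sequence number the PC will send
    outside_seq: int = 0  # next sequence number the server will send
    last_seen: float = 0.0

def rst_pair(e):
    """RST in both directions. Towards the PC the firewall forges the server's
    address and uses the sequence number the PC expects next from the server,
    so the PC's stack accepts it; towards the server it uses the translated
    public address and the PC's next sequence number."""
    to_inside = {"src": e.outside, "dst": e.inside, "flags": "RST", "seq": e.outside_seq}
    to_outside = {"src": e.public, "dst": e.outside, "flags": "RST", "seq": e.inside_seq}
    return [to_inside, to_outside]

def purge(table, victims, notify):
    """Drop `victims` from the table; if `notify`, return RST segments for the
    TCP ones. UDP state is dropped silently: ICMP unreachables rarely reach
    anything that listens, and a DNS answer arrives within seconds anyway."""
    segments = []
    for e in victims:
        if notify and e.proto == "tcp":
            segments.extend(rst_pair(e))
        table.remove(e)
    return segments

def link_down(table, local_hangup):
    # Firewall hung up itself: it can still tell both ends before the line goes.
    # ISP or line noise hung up: nothing useful to send; RSTs from the old IP
    # after reconnecting would only annoy the ISP. State is discarded either way
    # (assumption: the old public IP is gone, so the mappings are worthless).
    return purge(table, list(table), notify=local_hangup)

def expire_idle(table, now, idle_timeout):
    # Idle-timeout sweep: same two-way RST behaviour for timed-out TCP sessions.
    idle = [e for e in table if now - e.last_seen > idle_timeout]
    return purge(table, idle, notify=True)

def sample_table():
    # Constructed example state: two TCP sessions and one DNS query.
    return [
        NatEntry("tcp", ("192.168.1.10", 1025), ("198.51.100.7", 80), ("203.0.113.5", 40001), 1000, 5000, 100.0),
        NatEntry("udp", ("192.168.1.10", 1026), ("198.51.100.53", 53), ("203.0.113.5", 40002), 0, 0, 350.0),
        NatEntry("tcp", ("192.168.1.11", 1027), ("198.51.100.8", 443), ("203.0.113.5", 40003), 2000, 6000, 390.0),
    ]
```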


