Finish assignment 4

8 files changed, 57 insertions, 0 deletions

diff --git a/netsec-assignment4-S4498062/exercise3/exercise3a b/netsec-assignment4-S4498062/exercise3/exercise3a
new file mode 100644
index 0000000..fcc4a08
--- /dev/null
+++ b/netsec-assignment4-S4498062/exercise3/exercise3a
@@ -0,0 +1,4 @@
+All traffic to the VPN server goes through the normal interface. Otherwise, we
+cannot reach the server anymore because we're VPNing the VPN server with itself.
+All other traffic not matched by any other route goes to 10.50.9.1, because
+that's where the VPN client is running.
diff --git a/netsec-assignment4-S4498062/exercise3/exercise3b b/netsec-assignment4-S4498062/exercise3/exercise3b
new file mode 100644
index 0000000..82f0f3c
--- /dev/null
+++ b/netsec-assignment4-S4498062/exercise3/exercise3b
@@ -0,0 +1,7 @@
+Internal (NAT) traffic is not meant to be VPNed. IP addresses like 10.*.*.*
+(route 4), 172.0x1*.*.* (route 5) and 192.168.*.* (route 6) can be find by your
+machine, but (usually) not by the VPN, that's why they need to be excluded and
+handled by wlp3s0. These are standard numbers, so the VPN knows about it.
+The same goes for route 9. In the DHCP dump we can see that 145.116.128.0/22 all
+belongs to a small network, and if we'd attempt to VPN this, we cannot reach the
+gateway or any other machine in our local network any more.
diff --git a/netsec-assignment4-S4498062/exercise3/exercise3c b/netsec-assignment4-S4498062/exercise3/exercise3c
new file mode 100644
index 0000000..ed215e1
--- /dev/null
+++ b/netsec-assignment4-S4498062/exercise3/exercise3c
@@ -0,0 +1,2 @@
+10.50.9.* belongs to the virtual network of tap0. If we'd let this go through
+wlp3s0, we cannot reach tap0 any more.
diff --git a/netsec-assignment4-S4498062/exercise3/exercise3d b/netsec-assignment4-S4498062/exercise3/exercise3d
new file mode 100644
index 0000000..b5ea318
--- /dev/null
+++ b/netsec-assignment4-S4498062/exercise3/exercise3d
@@ -0,0 +1,5 @@
+This is added to not VPN the DNS service on 131.174.117.20. From the DHCP lease
+of tap0 we can see that this VPN service does not provide a DNS server. So, if
+we don't allow the other name server (if this rule were not there), we cannot
+resolve any hostnames. However, there are VPNs that do have a DNS service (see 
+http://security.stackexchange.com/a/13907/21287)
diff --git a/netsec-assignment4-S4498062/exercise3/exercise3e b/netsec-assignment4-S4498062/exercise3/exercise3e
new file mode 100644
index 0000000..b5e22fa
--- /dev/null
+++ b/netsec-assignment4-S4498062/exercise3/exercise3e
@@ -0,0 +1,4 @@
+This is to let traffic to the VPN go through wlp3s0. Otherwise, we will VPN the
+VPN with itself, and we cannot use it at all. 
+This also means that SSHing to the machine of the VPN server will not go through
+the VPN server itself.
diff --git a/netsec-assignment4-S4498062/exercise4/exercise4a b/netsec-assignment4-S4498062/exercise4/exercise4a
new file mode 100644
index 0000000..5646f65
--- /dev/null
+++ b/netsec-assignment4-S4498062/exercise4/exercise4a
@@ -0,0 +1,7 @@
+This is in REQ-4. Error messages should only be in an existing session
+(otherwise we can send error messages `gratuitiously', like in gratuitious ARP,
+and thus influence a NAT from outside). So, we SHOULD drop these packets.
+
+If such an error message does belong to an existing session, NAT should simply
+translate the address and forward the message to the internal host, so that it
+receives the message correctly.
diff --git a/netsec-assignment4-S4498062/exercise4/exercise4b b/netsec-assignment4-S4498062/exercise4/exercise4b
new file mode 100644
index 0000000..d742ecb
--- /dev/null
+++ b/netsec-assignment4-S4498062/exercise4/exercise4b
@@ -0,0 +1,6 @@
+This is in REQ-5. Error messages should only be in an existing session, so these
+packets SHOULD be dropped. However, there does not seem to be any risk with for-
+warding those packets (which is why it is no MUST).
+
+For messages belonging to an existing session, the source address should be
+translated and the packet should be forwarded to the external realm.
diff --git a/netsec-assignment4-S4498062/exercise4/exercise4c b/netsec-assignment4-S4498062/exercise4/exercise4c
new file mode 100644
index 0000000..b620710
--- /dev/null
+++ b/netsec-assignment4-S4498062/exercise4/exercise4c
@@ -0,0 +1,22 @@
+Query
+    MUST be permitted unless explicitly overridden by local policy (REQ-1)
+    Session MUST be remembered for at least 60s (REQ-2)
+
+Error
+    MUST be traversed unless IP/ICMP checksum validation fails (REQ-3)
+    Packets SHOULD only be allowed to travel between realms when belonging to an
+        existing session (REQ-4, REQ-5)
+    NAT sessions MUST NOT not be refreshed.
+
+Non-QueryError
+    MAY be dropped or appropriately handled (REQ-11)
+
+DoS
+    The NAT device helps prevent DoS attacks with lots and lots of ICMP error
+    messages by blocking them if they are not linked to an existing session. If
+    the device would not do that, we could do something like DNS amplification.
+
+Destroying sessions
+    An attacker may attempt to send bogus error messages into the NAT network
+    in order to destroy the current sessions. To prevent this, the NAT device
+    won't delete or refresh a NAT session based on an error message.