diff options
Diffstat (limited to 'netsec-assignment4-S4498062/exercise4')
| -rw-r--r-- | netsec-assignment4-S4498062/exercise4/exercise4a | 7 | ||||
| -rw-r--r-- | netsec-assignment4-S4498062/exercise4/exercise4b | 6 | ||||
| -rw-r--r-- | netsec-assignment4-S4498062/exercise4/exercise4c | 22 |
3 files changed, 35 insertions, 0 deletions
diff --git a/netsec-assignment4-S4498062/exercise4/exercise4a b/netsec-assignment4-S4498062/exercise4/exercise4a new file mode 100644 index 0000000..5646f65 --- /dev/null +++ b/netsec-assignment4-S4498062/exercise4/exercise4a @@ -0,0 +1,7 @@ +This is in REQ-4. Error messages should only be in an existing session +(otherwise we can send error messages `gratuitiously', like in gratuitious ARP, +and thus influence a NAT from outside). So, we SHOULD drop these packets. + +If such an error message does belong to an existing session, NAT should simply +translate the address and forward the message to the internal host, so that it +receives the message correctly. diff --git a/netsec-assignment4-S4498062/exercise4/exercise4b b/netsec-assignment4-S4498062/exercise4/exercise4b new file mode 100644 index 0000000..d742ecb --- /dev/null +++ b/netsec-assignment4-S4498062/exercise4/exercise4b @@ -0,0 +1,6 @@ +This is in REQ-5. Error messages should only be in an existing session, so these +packets SHOULD be dropped. However, there does not seem to be any risk with for- +warding those packets (which is why it is no MUST). + +For messages belonging to an existing session, the source address should be +translated and the packet should be forwarded to the external realm. diff --git a/netsec-assignment4-S4498062/exercise4/exercise4c b/netsec-assignment4-S4498062/exercise4/exercise4c new file mode 100644 index 0000000..b620710 --- /dev/null +++ b/netsec-assignment4-S4498062/exercise4/exercise4c @@ -0,0 +1,22 @@ +Query + MUST be permitted unless explicitly overridden by local policy (REQ-1) + Session MUST be remembered for at least 60s (REQ-2) + +Error + MUST be traversed unless IP/ICMP checksum validation fails (REQ-3) + Packets SHOULD only be allowed to travel between realms when belonging to an + existing session (REQ-4, REQ-5) + NAT sessions MUST NOT not be refreshed. + +Non-QueryError + MAY be dropped or appropriately handled (REQ-11) + +DoS + The NAT device helps prevent DoS attacks with lots and lots of ICMP error + messages by blocking them if they are not linked to an existing session. If + the device would not do that, we could do something like DNS amplification. + +Destroying sessions + An attacker may attempt to send bogus error messages into the NAT network + in order to destroy the current sessions. To prevent this, the NAT device + won't delete or refresh a NAT session based on an error message. |