From eb0a29adaab70381867f91085ebe0ba2cc2928d7 Mon Sep 17 00:00:00 2001
From: Camil Staps
Date: Fri, 2 Oct 2015 15:02:11 +0200
Subject: Finish assignment 4

---
 netsec-assignment4-S4498062/exercise4/exercise4c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 netsec-assignment4-S4498062/exercise4/exercise4c

(limited to 'netsec-assignment4-S4498062/exercise4/exercise4c')

diff --git a/netsec-assignment4-S4498062/exercise4/exercise4c b/netsec-assignment4-S4498062/exercise4/exercise4c
new file mode 100644
index 0000000..b620710
--- /dev/null
+++ b/netsec-assignment4-S4498062/exercise4/exercise4c
@@ -0,0 +1,22 @@
+Query
+    MUST be permitted unless explicitly overridden by local policy (REQ-1)
+    Session MUST be remembered for at least 60s (REQ-2)
+
+Error
+    MUST be traversed unless IP/ICMP checksum validation fails (REQ-3)
+    Packets SHOULD only be allowed to travel between realms when belonging to an
+        existing session (REQ-4, REQ-5)
+    NAT sessions MUST NOT not be refreshed.
+
+Non-QueryError
+    MAY be dropped or appropriately handled (REQ-11)
+
+DoS
+    The NAT device helps prevent DoS attacks with lots and lots of ICMP error
+    messages by blocking them if they are not linked to an existing session. If
+    the device would not do that, we could do something like DNS amplification.
+
+Destroying sessions
+    An attacker may attempt to send bogus error messages into the NAT network
+    in order to destroy the current sessions. To prevent this, the NAT device
+    won't delete or refresh a NAT session based on an error message.
-- 
cgit v1.2.3