- Data on the network cannot be altered.
- Encrypted data on the network cannot be altered.
- Data cannot be accidentally corrupted, because TCP has checksums and Ethernet has CRCs.
- If it's inside my perimeter firewall, that means I have total control over it.
- If it doesn't return an error, then `send()` sent all the data that was asked of it.
- Packets arrive in the order in which they were sent.
- Segment boundaries on a TCP stream are meaningful to the application.
- Segment boundaries on a TCP stream are not meaningful to the application.
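Two of the items above (a non-error return from `send()` does not mean every byte went out, and TCP segment boundaries carry no meaning for the application) are usually fixed by the same pair of habits: loop until every byte is written, and frame messages yourself. The following is an added example, not code from the original list: a `send_all` loop plus a reader for a 2-byte length-prefixed framing, exercised over an `AF_UNIX` socketpair so it runs offline. The function names, the framing format and the sample messages are all constructed for this illustration.

```c
/* Added example (not from the original page): handle short writes and
 * ignore read boundaries by framing messages with a length prefix.
 * Demonstrated over an AF_UNIX socketpair so it runs offline. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Keep calling send() until every byte is written; a non-error return only
 * tells us how many bytes the kernel accepted this time. 0 = ok, -1 = error. */
static int send_all(int fd, const void *buf, size_t len)
{
    const uint8_t *p = buf;
    while (len > 0) {
        ssize_t n = send(fd, p, len, 0);
        if (n < 0) {
            if (errno == EINTR) continue;   /* interrupted, just retry */
            return -1;                       /* real error */
        }
        p += (size_t)n;
        len -= (size_t)n;
    }
    return 0;
}

/* Read exactly len bytes, however many recv() calls that takes.
 * 0 = success, 1 = clean EOF before any byte, -1 = error or EOF mid-frame. */
static int recv_exact(int fd, uint8_t *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = recv(fd, buf + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (n == 0) return got == 0 ? 1 : -1;   /* EOF inside a frame is an error */
        got += (size_t)n;
    }
    return 0;
}

/* Frame = 2-byte big-endian length + payload (a constructed format). The
 * length prefix, not the segment boundary, says where a message ends.
 * Returns bytes written into out, or 0 if it does not fit. */
static size_t encode_frame(uint8_t *out, size_t cap, const uint8_t *payload, uint16_t len)
{
    if (cap < (size_t)len + 2) return 0;
    out[0] = (uint8_t)(len >> 8);
    out[1] = (uint8_t)(len & 0xFF);
    memcpy(out + 2, payload, len);
    return (size_t)len + 2;
}

/* Returns payload length on success, -1 on error/truncation, -2 on clean EOF,
 * -3 if the announced frame does not fit in the caller's buffer. */
static int recv_frame(int fd, uint8_t *out, size_t cap)
{
    uint8_t hdr[2];
    int rc = recv_exact(fd, hdr, 2);
    if (rc == 1) return -2;
    if (rc < 0) return -1;
    size_t len = ((size_t)hdr[0] << 8) | hdr[1];
    if (len > cap) return -3;       /* refuse oversized frames instead of overflowing */
    if (recv_exact(fd, out, len) != 0) return -1;
    return (int)len;
}

/* Demo: three frames written one byte per send(), so the reader's recv()
 * boundaries never line up with message boundaries. Returns the number of
 * frames received intact (3 when everything works), or -1 on failure. */
static int demo_framing(void)
{
    static const char *msgs[3] = { "hello", "", "a longer second message" }; /* constructed */
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;

    uint8_t stream[64];
    size_t n = 0;
    for (int i = 0; i < 3; i++) {
        size_t w = encode_frame(stream + n, sizeof stream - n,
                                (const uint8_t *)msgs[i], (uint16_t)strlen(msgs[i]));
        if (w == 0) return -1;
        n += w;
    }
    for (size_t i = 0; i < n; i++)          /* a real sender would send_all(fd, stream, n) */
        if (send_all(sv[0], stream + i, 1) < 0) return -1;
    close(sv[0]);                            /* EOF for the reader after the last frame */

    int matched = 0;
    uint8_t buf[64];
    for (int i = 0; i < 3; i++) {
        int len = recv_frame(sv[1], buf, sizeof buf);
        if (len >= 0 && (size_t)len == strlen(msgs[i]) && memcmp(buf, msgs[i], (size_t)len) == 0)
            matched++;
    }
    int eof = recv_frame(sv[1], buf, sizeof buf);
    close(sv[1]);
    return eof == -2 ? matched : -1;
}

int main(void)
{
    printf("frames received intact: %d\n", demo_framing());
    return 0;
}
```

The reader never looks at how many bytes a single `recv()` returned; it only trusts the length prefix, and it rejects a frame larger than its buffer rather than trusting the peer's length field. The same loop works unchanged whether the kernel delivers the stream one byte at a time or all 34 bytes at once.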
- If you can't ping the target, then it doesn't exist.
- If you can ping the target, then it does exist.
- TCP RSTs come from end-nodes.
- Bytes must be "swapped" from the network byte-order to the host CPU byte-order.
- It's an internal web app -- outsiders won't be able to discover where it is.
- The DHCP address will be the same after a reboot.
- The DHCP address will remain the same until the next reboot.
- Well, it'll last a long time between changes.
- Packets/PDUs go up or down the network stack, never sideways.
- The IPv4 header is 20 bytes long starting with `0x45` (options are so rare we don't have to worry about them).
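The byte-order item and the `0x45` item above fail for the same reason: code hard-wires one layout instead of reading the header. As an added example (not from the original list), the parser below reads the IHL nibble to find where the transport header actually starts, accepts any IHL from 5 to 15 rather than only the optionless 20-byte case, and assembles multi-byte fields by shifting bytes instead of "swapping" them, which gives the right answer on big- and little-endian CPUs alike. The function names and the three sample packets are constructed for this illustration; nothing here is captured traffic.

```c
/* Added example (not from the original page): IPv4 header parsing that
 * honours IHL and reads big-endian fields without byte-order assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct ipv4_info {
    unsigned version;
    size_t header_len;    /* IHL * 4: the offset of the transport header */
    size_t total_len;
    size_t options_len;   /* header_len - 20 */
    uint8_t protocol;
    uint32_t src, dst;    /* integers built from the wire bytes */
};

/* Build a big-endian 16/32-bit field byte by byte: correct on any host,
 * no htons/ntohs and no "swap" step needed. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 on success, -1 if buf does not hold a plausible IPv4 header. */
static int parse_ipv4(const uint8_t *pkt, size_t len, struct ipv4_info *out)
{
    if (len < 20) return -1;                     /* not even a minimal header */
    unsigned version = pkt[0] >> 4;
    unsigned ihl = pkt[0] & 0x0F;
    if (version != 4) return -1;                 /* IPv6, or not IP at all */
    if (ihl < 5) return -1;                      /* IHL below 5 is invalid */
    size_t hlen = (size_t)ihl * 4;               /* 20..60 bytes; options when > 20 */
    if (hlen > len) return -1;                   /* header claims more than we have */
    size_t tlen = be16(pkt + 2);
    if (tlen < hlen || tlen > len) return -1;    /* bogus or truncated total length */

    out->version = version;
    out->header_len = hlen;
    out->total_len = tlen;
    out->options_len = hlen - 20;
    out->protocol = pkt[9];
    out->src = be32(pkt + 12);
    out->dst = be32(pkt + 16);
    return 0;
}

/* Convenience wrappers: transport-header offset (or -1), source address (or 0). */
static long transport_offset(const uint8_t *pkt, size_t len)
{
    struct ipv4_info info;
    return parse_ipv4(pkt, len, &info) == 0 ? (long)info.header_len : -1;
}
static uint32_t src_addr(const uint8_t *pkt, size_t len)
{
    struct ipv4_info info;
    return parse_ipv4(pkt, len, &info) == 0 ? info.src : 0;
}

/* Constructed sample packets (not captured from a real network). */
static const uint8_t PKT_PLAIN[28] = {
    0x45, 0x00, 0x00, 0x1c,   /* v4, IHL=5, DSCP/ECN, total length 28 */
    0x00, 0x01, 0x00, 0x00,   /* id 1, flags/fragment offset 0 */
    0x40, 0x11, 0x00, 0x00,   /* TTL 64, protocol 17 (UDP), checksum left 0 */
    0x0a, 0x00, 0x00, 0x01,   /* src 10.0.0.1 */
    0x0a, 0x00, 0x00, 0x02,   /* dst 10.0.0.2 */
    0x30, 0x39, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00,   /* UDP header at offset 20 */
};
static const uint8_t PKT_OPTS[32] = {
    0x46, 0x00, 0x00, 0x20,   /* v4, IHL=6 -> 24-byte header, total length 32 */
    0x00, 0x02, 0x00, 0x00,
    0x40, 0x11, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02,
    0x01, 0x01, 0x01, 0x01,   /* 4 bytes of options (NOPs); a "0x45 + 20" parser reads these as UDP */
    0x30, 0x39, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00,   /* UDP header at offset 24 */
};
static const uint8_t PKT_V6[40] = { 0x60 };   /* first nibble 6: not IPv4, rest zero */

int main(void)
{
    printf("plain: transport at %ld\n", transport_offset(PKT_PLAIN, sizeof PKT_PLAIN));
    printf("opts:  transport at %ld\n", transport_offset(PKT_OPTS, sizeof PKT_OPTS));
    printf("v6:    transport at %ld\n", transport_offset(PKT_V6, sizeof PKT_V6));
    return 0;
}
```

The packet with options is where the `0x45` assumption bites: a parser that skips a fixed 20 bytes would treat the four option bytes as the start of the UDP header and misread every port and length after that. Checking the version nibble also keeps IPv6 frames from being parsed as IPv4 when the capture is not what the code expected.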
- The DHCP server and local router are the same
- There is no IPv6 on my network
- NAT automatically blocks all inbound attacks
- We know all the devices attached to our network at any given time
- VLANs are just as good as physical segmentation.
- Ok, VLANs aren't as good, but they are good enough for now.
- We have good WIPS/monitors, so we don't have rogue access-points anywhere.
- No need to add it to the DNS; I'll remember it.
- Source address checking is sufficient security.
- The local network has zero latency and infinite bandwidth.
- Packets are never duplicated.
- Duplicated packets are never corrupted.
- My edge routers won't try to route out RFC1918 address packets.
- My edge routers won't accept packets with RFC1918 addresses.
- The RFC1918 addresses I pick for this network will never collide with any other network that it may connect to or VPN to.
- The MTU is always 1500 octets.
- The MTU is never more than 1500 octets.
- Putting raw IPv4 addresses into higher layer content (such as URLs in web pages) is okay.
- The DNS resolver in the end node will round robin DNS servers.
- The DNS resolver in the end node will always pick the first DNS server.
- The DNS resolver in the end node will never repeat a query until its cache times out.
- The DNS resolver in the end node will cache queries.
- TCP connections will have some traffic at least every minute/hour/day/week.
- Packets coming from the local router with a from address of the local net are never valid.
- Packets coming from "surprising" sources with "surprising" From addresses are never valid.
- Nothing important is using multicast.
- I can block ICMP for "security reasons" without breaking anything important.
- I can block all packet types except ICMP, UDP, and TCP, for "security reasons", without breaking anything important.
- I can block all Ethernet packet types except for IPv4 without breaking anything important.
- The only address ever used in 127/8 is 127.0.0.1.
- Nobody uses 169.254/16 for anything important.
- 169.254/16 isn't special.
- The same device will always get the same 169.254/16 address.
- I can hardcode a 169.254/16 address into my IP stack or configuration.
- What is this 169.254/16?
- Nobody uses dialup PPP anymore.
- Especially not over an expensive sat link.
- Ethernet MAC addresses are always unique.
- I can tell if I'm in a VM container by looking at the local interface's MAC address.
- No manufacturer of Ethernet hardware has ever just made up a prefix without registering with the IEEE.
- No manufacturer of Ethernet hardware has ever just stolen someone else's prefix.
- The same goes for manufacturers of cell phone towers. They would NEVER use a duplicated or unregistered tower ID.
- The network interfaces on an end node will always come up in the same order, with the same names and numbers, with the same MAC addresses, connected to the same networks, every time the node boots up.
- A network interface always has a unique MAC address.
- Or at least some sort of globally unique layer 2 address.
- Or at least some sort of locally unique layer 2 address.
- Or some sort of address at all?