Firewall Wizards mailing list archives
Re: Duplicate Public IP Addresses?
From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 7 Jan 2010 20:53:19 -0500 (EST)
On Fri, 1 Jan 2010, arvind doraiswamy wrote:
> What though if the internal network suddenly decided to make one of his systems a web server, put a site onto it and pushed it on to the Internet with the same 80.x.x.x address that was assigned to the server when it was part of the Internal Network? Effectively it means that now.. 2 servers; the original web server (A) and the new web server (B) both have an IP of 80.x.x.x (SAME).
The place doing this would have to be able to advertise their AS as a route to that network and have their upstream providers also re-advertise the route as a part of their peering announcements. This used to happen occasionally way back when, but it seems pretty rare in the modern era- all the upstreams and peering points have gotten through the hassles, and most places don't actually own their address space anymore, their ISPs do, and advertise it out of their AS's rather than the customer's AS.
> Am I missing something? It just seems too easy to do..so I thought I'd post here and get educated :)
It's difficult to do- first of all, you generally have to be peering with your provider(s), and most providers are picky about accepting routes from customers (for the obvious reasons)- I can't imagine a major provider who'd accept odd routes from any customer, they generally lock down what advertisements they'll accept. Secondly, you have to get that provider to accept a route to an address you don't own. Then that provider has to get the provider they use, or their peers to accept them as a route to that address space...

This seems reasonably complete though it's been a good number of years since I've had to peer with multiple tier-1 providers so it may be a little dated but it should give you a basic understanding of BGP peering:

http://www.cs.princeton.edu/~jrex/papers/policies.pdf

I think there's been a fair amount of work on detecting bogus BGP routing information since I had to deal with peering routers- and there don't seem to be enough incidents to make everyone want to solve anything, like getting the IRR to a near complete status.

Routing has no effect on DNS other than which server the traffic gets sent to. I'm not sure what you're confusing to get DNS into the picture- routes don't get advertised via DNS, simply resource and address mappings, which are an entirely different matter- with the caveat that some folks seem to be trying to use DNSSec to validate BGP validity.

Traffic goes to the "best" route, the document linked shows the order of evaluation in the routing tables, which should be tempered with the fact that they're going to be filtered for most providers that are accepting routes from a customer.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
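
The customer-route filtering described in the message above, sketched as an added example that is not part of the original post or any provider's actual configuration: a provider-side check that accepts a customer's BGP announcement only if the prefix is registered to that customer. The policy table, ASNs, prefixes and the function name `check_announcement` are constructed for illustration, and the filter assumes stub customers that originate only their own routes.

```python
import ipaddress

# Constructed policy, keyed by the customer AS on each BGP session. Each entry
# is (registered block, longest prefix length accepted). ASNs and prefixes are
# documentation values (RFC 5398 / RFC 5737), not real assignments.
POLICY = {
    64496: [(ipaddress.ip_network("192.0.2.0/24"), 24)],
    64497: [(ipaddress.ip_network("198.51.100.0/24"), 25)],
}

def check_announcement(session_as, prefix, as_path):
    """Return (accepted, reason) for one route heard on a customer session."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    # Assumption: stub customers only, so the path may contain nothing but the
    # customer's own AS (repeats from prepending are fine).
    if not as_path or set(as_path) != {session_as}:
        return False, "AS path is not the customer's own AS"
    for block, max_len in POLICY.get(session_as, []):
        if net.version == block.version and net.subnet_of(block):
            if net.prefixlen > max_len:
                return False, "more specific than the filter allows"
            return True, "matches a registered prefix"
    return False, "prefix not registered to this customer"

# Constructed announcements: (session AS, prefix, AS path).
SAMPLES = [
    (64496, "192.0.2.0/24", [64496]),               # customer's own block
    (64497, "192.0.2.0/24", [64497]),               # someone else's block
    (64497, "198.51.100.128/25", [64497, 64497]),   # allowed more-specific, prepended
    (64497, "198.51.100.192/26", [64497]),          # too specific
    (64496, "192.0.2.0/24", [64496, 64511]),        # re-advertising another AS
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_announcement(*sample))
```

The second sample is the duplicate-address case from the question: the second network announces a block registered to a different customer, and the filter drops it at the first provider.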