Firewall Wizards mailing list archives

Re: Duplicate Public IP Addresses?


From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 7 Jan 2010 20:53:19 -0500 (EST)

On Fri, 1 Jan 2010, arvind doraiswamy wrote:

> What though if the internal network suddenly decided to make one of
> his systems a web server, put a site onto it and pushed it on to the
> Internet with the same 80.x.x.x address that was assigned to the
> server when it was part of the Internal Network? Effectively it means
> that now 2 servers; the original web server (A) and the new web
> server (B) both have an IP of 80.x.x.x (SAME).

The place doing this would have to be able to advertise their AS as a 
route to that network and have their upstream providers also re-advertise 
the route as a part of their peering announcements.

This used to happen occasionally way back when, but it seems pretty rare 
in the modern era- all the upstreams and peering points have gotten 
through the hassles, and most places don't actually own their address 
space anymore; their ISPs do, and advertise it out of their ASes rather 
than the customer's AS.

> Am I missing something? It just seems too easy to do, so I thought I'd
> post here and get educated :)

It's difficult to do- first of all, you generally have to be peering with 
your provider(s), and most providers are picky about accepting routes from 
customers (for the obvious reasons)- I can't imagine a major provider 
who'd accept odd routes from any customer; they generally lock down what 
advertisements they'll accept.  Secondly, you have to get that provider to 
accept a route to an address you don't own.  Then that provider has to get 
the provider they use, or their peers, to accept them as a route to that 
address space...

This seems reasonably complete though it's been a good number of years 
since I've had to peer with multiple tier-1 providers so it may be a 
little dated but it should give you a basic understanding of BGP peering:

http://www.cs.princeton.edu/~jrex/papers/policies.pdf

I think there's been a fair amount of work on detecting bogus BGP routing 
information since I had to deal with peering routers- and there don't seem 
to be enough incidents to make everyone want to solve anything, like 
getting the IRR to a near complete status.

Routing has no effect on DNS other than which server the traffic gets sent 
to.  I'm not sure what you're confusing to get DNS into the picture- 
routes don't get advertised via DNS, simply resource and address mappings, 
which are an entirely different matter- with the caveat that some folks 
seem to be trying to use DNSSEC to validate BGP validity.

Traffic goes to the "best" route, the document linked shows the order of 
evaluation in the routing tables, which should be tempered with the fact 
that they're going to be filtered for most providers that are accepting 
routes from a customer.  

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
           Moderator: Firewall-Wizards mailing list
           Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
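The filtering Paul describes (a provider only accepting, from a customer session, routes to prefixes that customer is registered for) is what makes the duplicate-80.x.x.x scenario hard in practice. The following is an added illustration, not code from the list or from any provider: a minimal inbound prefix filter for one customer BGP session. The ASN, the registered prefixes and the /24 limit are constructed stand-ins for what an IRR lookup would supply.

```python
"""Provider-side inbound filter for routes received from a BGP customer (constructed example)."""
import ipaddress

# Constructed sample data standing in for an IRR route-object lookup for this customer.
# The ASN is from the private-use range and the prefixes are placeholders, not real registrations.
CUSTOMER_AS = 64512
REGISTERED_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.112.0/22"),
]
MAX_PREFIX_LEN = 24  # longest prefix the provider's policy will carry
# Space that must never be learned from a customer (RFC 1918, loopback, multicast, "this" net, CGNAT).
BOGONS = [ipaddress.ip_network(b) for b in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def accept_announcement(prefix, as_path, registered=REGISTERED_PREFIXES,
                        customer_as=CUSTOMER_AS):
    """Return (accepted, reason) for one prefix announced on the customer session.

    as_path is ordered as BGP carries it: as_path[0] is the neighbor that sent
    the route, as_path[-1] is the originating AS.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    # A default route or bogon space from a customer is never legitimate.
    if net.prefixlen == 0 or any(net.overlaps(b) for b in BOGONS):
        return False, "default route or bogon space"
    # Refuse routes more specific than policy allows: even when the covering /22 is
    # registered, a /25 could otherwise draw traffic away from someone else's /24.
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, f"prefix longer than /{MAX_PREFIX_LEN}"
    # Session hygiene: the first AS in the path must be the customer we peer with.
    if not as_path or as_path[0] != customer_as:
        return False, "first AS in path is not the customer"
    # The origin must be the customer, and the prefix must sit inside a registered object.
    if as_path[-1] != customer_as:
        return False, "origin AS does not match the registered object"
    if not any(net.subnet_of(r) for r in registered):
        return False, "prefix not registered to this customer"
    return True, "accepted"
```

Run against the thread's scenario, an announcement of an 80.x.x.x prefix on this session is dropped with "prefix not registered to this customer" before it ever reaches the provider's own upstreams.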

