Re: [fw-wiz] Duplicate Public IP Addresses?



On Fri, 1 Jan 2010, arvind doraiswamy wrote:

> What though if the internal network suddenly decided to make one of
> his systems a web server, put a site onto it and pushed it on to the
> Internet with the same 80.x.x.x address that was assigned to the
> server when it was part of the Internal Network? Effectively it means
> that now.. 2 servers; the original web server (A) and the new web
> server (B) both have an IP of 80.x.x.x (SAME).

The place doing this would have to be able to advertise their AS as a
route to that network and have their upstream providers also re-advertise
the route as a part of their peering announcements.

This used to happen occasionally way back when, but it seems pretty rare
in the modern era- all the upstreams and peering points have gotten
through the hassles, and most places don't actually own their address
space anymore, their ISPs do, and advertise it out of their AS's rather
than the customer's AS.

> Am I missing something? It just seems too easy to do.. so I thought I'd
> post here and get educated :)

It's difficult to do- first of all, you generally have to be peering with
your provider(s), and most providers are picky about accepting routes from
customers (for the obvious reasons)- I can't imagine a major provider
who'd accept odd routes from any customer, they generally lock down what
advertisements they'll accept. Secondly, you have to get that provider to
accept a route to an address you don't own. Then that provider has to get
the provider they use, or their peers to accept them as a route to that
address space...

This seems reasonably complete though it's been a good number of years
since I've had to peer with multiple tier-1 providers so it may be a
little dated but it should give you a basic understanding of BGP peering:

http://www.cs.princeton.edu/~jrex/papers/policies.pdf

I think there's been a fair amount of work on detecting bogus BGP routing
information since I had to deal with peering routers- and there don't seem
to be enough incidents to make everyone want to solve anything, like
getting the IRR to a near complete status.

Routing has no effect on DNS other than which server the traffic gets sent
to. I'm not sure what you're confusing to get DNS into the picture-
routes don't get advertised via DNS, simply resource and address mappings,
which are an entirely different matter- with the caveat that some folks
seem to be trying to use DNSSEC to validate BGP validity.

Traffic goes to the "best" route, the document linked shows the order of
evaluation in the routing tables, which should be tempered with the fact
that they're going to be filtered for most providers that are accepting
routes from a customer.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/
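
An added illustration, not part of Paul's message and not any provider's actual tooling: a sketch of the per-customer filtering described above, where a provider accepts only routes for prefixes registered to that customer. The AS numbers, prefixes (documentation ranges), the CUSTOMER_FILTERS table and the check_announcement helper are all constructed for the example, and it assumes stub customers that may only originate their own routes.

```python
import ipaddress

# Constructed policy table: customer AS -> list of (registered prefix,
# longest prefix length accepted). Documentation ASNs and prefixes only.
CUSTOMER_FILTERS = {
    64500: [("198.51.100.0/24", 24)],
    64501: [("203.0.113.0/24", 24), ("192.0.2.0/25", 25)],
}

def check_announcement(peer_asn, prefix, as_path, filters=CUSTOMER_FILTERS):
    """Return (accepted, reason) for a route heard on a customer BGP session."""
    allowed = filters.get(peer_asn)
    if allowed is None:
        return False, "no filter defined for peer: deny by default"
    if not as_path or as_path[0] != peer_asn:
        return False, "first AS in path is not the peer"
    if as_path[-1] != peer_asn:
        # Assumption: stub customer, so it must be the origin of the route.
        return False, "customer is not the origin AS"
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    for registered, max_len in allowed:
        parent = ipaddress.ip_network(registered)
        if net.version == parent.version and net.subnet_of(parent):
            if net.prefixlen <= max_len:
                return True, f"within {registered} (max /{max_len})"
            return False, f"more specific than /{max_len} in {registered}"
    return False, "prefix not registered to this customer"

if __name__ == "__main__":
    # Constructed announcements: (peer AS, prefix, AS path as received).
    samples = [
        (64500, "198.51.100.0/24", [64500]),     # customer's own space
        (64500, "203.0.113.0/24", [64500]),      # someone else's space
        (64501, "192.0.2.0/26", [64501]),        # too specific
        (64500, "198.51.100.0/24", [64500, 64501]),  # not the origin
        (64999, "198.51.100.0/24", [64999]),     # peer with no filter
    ]
    for peer, prefix, path in samples:
        ok, why = check_announcement(peer, prefix, path)
        print(f"AS{peer} {prefix:<18} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The second sample is the case asked about in the thread: the customer announces address space registered to someone else, and the route is dropped at the first provider before it can be re-advertised.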
