From: Kurt Buff
Date: Wed, 21 Mar 2018 14:53:35 -0700
Subject: Re: Same host or different? How can you tell "over the wire"?
To: FreeBSD Net
In-Reply-To: <4903.1521667183@segfault.tristatelogic.com>
List-Id: Networking and TCP/IP with FreeBSD

Do you mean that the application banners for all applications are the
same? A comprehensive scan with nmap shows no differences?

I know you specified SSH as outside of the application layer, but I
would think if it's even to the point that the same SSH key (or
credentials) work for both machines, and upon login provide the same
hostname in the prompt, you'd have to dig and see if the NIC configs
show a difference, or perhaps that there are multiple NICs, or a single
NIC aliased with the IP addresses you're reviewing.

Kurt

On Wed, Mar 21, 2018 at 2:19 PM, Ronald F. Guilmette wrote:
>
> This problem has been perplexing me for ages and ages. I looked at it
> again, just briefly, and re-read parts of some potentially relevant
> RFCs, just the other day, but frankly, I'm just too ignorant and/or
> too stupid to be able to think up a solution, so I'll just drop the
> problem description here and see if any of you more knowledgeable
> people can devise or suggest a solution.
>
> The Problem:
>
> Suppose that there exist two IPv4 addresses, A and A'. Both addresses
> have the exact same set of ports open, and both respond in identical
> ways, at least at the application level, when sent identical inputs.
> In short, at the application layer level, at least, there appears to
> be no way to reliably differentiate between the case where the two
> IP addresses are being routed to a single common physical machine
> (or to a single common virtual OS instance) or to two separate physical
> machines (or two separate virtual OS instances).
>
> Is there any method which can be applied to A and A' over the
> Internet and which could reliably differentiate these two possible
> cases from one another (i.e. a single common host versus two separate
> hosts)?
>
> If any such method or mechanism exists, I would very much like to know
> all of the details thereof. Such a method, if one exists, would
> certainly have value in various types of forensic investigations.
>
>
> Regards,
> rfg
>
>
> P.S. It is my assumption that the kind of thing I'm looking for, if
> it exists at all, will be found somewhere below the application layer.
> I do not rule out however that there may be some way of differentiating
> the two cases described above by looking at application layer responses
> for some certain common applications. As far as I know however, it is
> not possible to make the desired differentiation on the basis of
> application layer responses for most typical network applications,
> e.g. various makes and model numbers of servers for HTTP, HTTPS,
> SMTP, SSH, DNS, etc. Of course, if I have simply missed something,
> and if there is in fact a way to differentiate the two cases on the
> basis of responses sent for any of these application protocols, then
> I sure would like to know about that too.