From: Eduardo Morras
To: freebsd-net@freebsd.org
Date: Wed, 21 Mar 2018 23:51:39 +0100
Subject: Re: Same host or different? How can you tell "over the wire"?
In-Reply-To: <4903.1521667183@segfault.tristatelogic.com>

On Wed, 21 Mar 2018 14:19:43 -0700 "Ronald F. Guilmette" wrote:

> This problem has been perplexing me for ages and ages. I looked at it
> again, just briefly, and re-read parts of some potentially relevant
> RFCs, just the other day, but frankly, I'm just too ignorant and/or
> too stupid to be able to think up a solution, so I'll just drop the
> problem description here and see if any of you more knowledgeable
> people can devise or suggest a solution.
>
> The Problem:
>
> Suppose that there exist two IPv4 addresses, A and A'. Both addresses
> have the exact same set of ports open, and both respond in identical
> ways, at least at the application level, when sent identical inputs.
> In short, at the application layer level, at least, there appears to
> be no way to reliably differentiate between the case where the two
> IP addresses are being routed to a single common physical machine
> (or to a single common virtual OS instance) or to two separate
> physical machines (or two separate virtual OS instances).
>
> Is there any method which can be applied to A and A' over the
> Internet and which could reliably differentiate these two possible
> cases from one another (i.e. a single common host versus two separate
> hosts)?
>
> If any such method or mechanism exists, I would very much like to know
> all of the details thereof.
> Such a method, if one exists, would
> certainly have value in various types of forensic investigations.

Perhaps I don't understand the question, but:

A ping should measure the "distance" to A and A'; traceroute works too.

If you disable protections (firewalls, IDS, etc.) you could inject TCP packets with fake IPs. Or make a DDoS to one; the other should stay alive.

If you go to layer 2 there are MAC differences.

Take the whois info from both; it will be the same, but you can ask the owner to switch off one of them.

If SNMP is enabled and accessible, it must show some differences (Ethernet MAC).

> Regards,
> rfg
>
> P.S. It is my assumption that the kind of thing I'm looking for, if
> it exists at all, will be found somewhere below the application layer.
> I do not rule out however that there may be some way of
> differentiating the two cases described above by looking at
> application layer responses for some certain common applications. As
> far as I know however, it is not possible to make the desired
> differentiation on the basis of application layer responses for most
> typical network applications, e.g. various makes and model numbers of
> servers for HTTP, HTTPS, SMTP, SSH, DNS, etc. Of course, if I have
> simply missed something, and if there is in fact a way to
> differentiate the two cases on the basis of responses sent for any of
> these application protocols, then I sure would like to know about
> that too.

---
Eduardo Morras
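An added illustration of the ping/traceroute comparison suggested in the reply above (example code, not from the thread): it parses constructed ping(8) and traceroute(8) output for A and A' and reports whether the remaining TTL, hop count, shared path prefix and RTT agree. The sample addresses and measurements are made up; agreement is only weak evidence of one shared host, while a clearly diverging path or TTL is stronger evidence of separate hosts.

```python
import re
import statistics
# Constructed ping(8)/traceroute(8) output for A and A' (203.0.113.0/24 is
# a documentation range); these are not real measurements.
PING_A = """64 bytes from 203.0.113.10: icmp_seq=0 ttl=54 time=12.3 ms
64 bytes from 203.0.113.10: icmp_seq=1 ttl=54 time=12.8 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=54 time=13.1 ms"""
PING_B = """64 bytes from 203.0.113.11: icmp_seq=0 ttl=54 time=12.5 ms
64 bytes from 203.0.113.11: icmp_seq=1 ttl=54 time=12.9 ms
64 bytes from 203.0.113.11: icmp_seq=2 ttl=54 time=12.7 ms"""
TRACE_A = """ 1  gw.example (192.0.2.1)  0.5 ms  0.4 ms  0.4 ms
 2  198.51.100.1 (198.51.100.1)  9.1 ms  9.3 ms  9.0 ms
 3  203.0.113.10 (203.0.113.10)  12.4 ms  12.6 ms  12.5 ms"""
TRACE_B = """ 1  gw.example (192.0.2.1)  0.5 ms  0.4 ms  0.5 ms
 2  198.51.100.1 (198.51.100.1)  9.2 ms  9.1 ms  9.2 ms
 3  203.0.113.11 (203.0.113.11)  12.6 ms  12.8 ms  12.7 ms"""

PING_RE = re.compile(r"ttl=(\d+) time=([\d.]+) ms")
TRACE_RE = re.compile(r"^\s*\d+\s+(?:\S+\s+\(([\d.]+)\)|\*)")

def parse_ping(text):
    """Return (ttls, rtts_ms) from ping reply lines."""
    found = PING_RE.findall(text)
    return [int(t) for t, _ in found], [float(r) for _, r in found]

def parse_traceroute(text):
    """Return the responding IP per hop; None where the hop printed '*'."""
    hops = []
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if m:
            hops.append(m.group(1))
    return hops

def compare_paths(ping_a, ping_b, trace_a, trace_b):
    ttl_a, rtt_a = parse_ping(ping_a)
    ttl_b, rtt_b = parse_ping(ping_b)
    hops_a, hops_b = parse_traceroute(trace_a), parse_traceroute(trace_b)
    shared = 0  # leading hops that answered with the same router
    for x, y in zip(hops_a, hops_b):
        if x is None or x != y:
            break
        shared += 1
    return {
        "ttl_same": set(ttl_a) == set(ttl_b),  # same remaining TTL seen
        "hop_count_same": len(hops_a) == len(hops_b),
        "shared_prefix_hops": shared,
        # same last router before the target hints at one network segment
        "penultimate_hop_same": len(hops_a) > 1 and hops_a[-2:-1] == hops_b[-2:-1],
        "median_rtt_delta_ms": abs(statistics.median(rtt_a) - statistics.median(rtt_b)),
    }
```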