Date:      Wed, 21 Mar 2018 14:19:43 -0700
From:      "Ronald F. Guilmette" <rfg@tristatelogic.com>
To:        FreeBSD Net <freebsd-net@freebsd.org>
Subject:   Same host or different?  How can you tell "over the wire"?
Message-ID:  <4903.1521667183@segfault.tristatelogic.com>

This problem has been perplexing me for ages and ages.  I looked at it
again, just briefly, and re-read parts of some potentially relevant
RFCs, just the other day, but frankly, I'm just too ignorant and/or
too stupid to be able to think up a solution, so I'll just drop the
problem description here and see if any of you more knowledgeable
people can devise or suggest a solution.

The Problem:

Suppose that there exist two IPv4 addresses, A and A'.  Both addresses
have the exact same set of ports open, and both respond in identical
ways, at least at the application level, when sent identical inputs.
In short, at the application layer level, at least, there appears to
be no way to reliably differentiate between the case where the two
IP addresses are being routed to a single common physical machine
(or to a single common virtual OS instance) or to two separate physical
machines (or two separate virtual OS instances).

Is there any method which can be applied to A and A' over the
Internet and which could reliably differentiate these two possible
cases from one another (i.e. a single common host versus two separate
hosts)?

If any such method or mechanism exists, I would very much like to know
all of the details thereof.  Such a method, if one exists, would
certainly have value in various types of forensic investigations.


Regards,
rfg


P.S.  It is my assumption that the kind of thing I'm looking for, if
it exists at all, will be found somewhere below the application layer.
I do not rule out however that there may be some way of differentiating
the two cases described above by looking at application layer responses
for some certain common applications.  As far as I know however, it is
not possible to make the desired differentiation on the basis of
application layer responses for most typical network applications,
e.g. various makes and model numbers of servers for HTTP, HTTPS,
SMTP, SSH, DNS, etc.  Of course, if I have simply missed something,
and if there is in fact a way to differentiate the two cases on the
basis of responses sent for any of these application protocols, then
I sure would like to know about that too.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4903.1521667183>