Re: NSHost and the IP addresses ...
- Subject: Re: NSHost and the IP addresses ...
- From: Michael Gersten <email@hidden>
- Date: Thu, 11 Jul 2002 16:19:07 -0700
> You said you needed the local address to create a port command for
> an ftp client. Why not ask the control socket (I suppose you have
> one?) for its local name?
>
> Check out getsockname().
>
> This is the correct solution. In a multihomed environment,
> only the connected socket knows the correct local protocol address
> for the corresponding connection. Anything that doesn't ultimately
> get the local address from the connected socket is broken.
Ok, how does this work?
I want to get a connection to another machine. I open a connection to that machine. I then ask my connection for the IP address that it thinks it is using.
192.168.0.1, when I want my NAT address.
I open a connection to myself, trying to get my local (LAN) address.
127.0.0.1, when I want 192.168.0.1
The only way to get the local address is to ask the person that you are talking to who they are talking to. And that can vary based on who you talk to.
I'm multi-homed.
I talk to site1.com.
It reports that it talks to 198.242.78.36 (out ISP 1)
I talk to site2.com.
It reports that it talks to 37.33.15.5 (out ISP 2).
And I still only have a 192.168.0.1 local LAN address, I may not even know that my NAT gateway is multi-homed.
Yes, if I have a connection to someone, and that someone is co-operating, I can find out what IP address is used. How can I get that address before I open a connection to someone? If that person doesn't have such a command in their protocol? (FTP doesn't).
Bottom line: Absent any changes to the IP protocol (just a simple ICMP would suffice, but in today's firewalled, secure environment, it would never work), I can't tell what my IP address is based on any information accessible to me. All I can tell is the IP of who I think I'm talking to. Given proxies/forwarding gateways/etc., that may have no relationship to the IP of the destination. At best I know that I connected to this IP, this port; there's no guarantee that the same IP/port will get to the same app, or even the same machine, the next time (server farms.)
And any such protocol change that would guarantee me the ability to get to the same machine would HAVE to include source routing -- first go to the NAT gateway, then to server farm X. But every "How to secure your system from attack" document starts by saying "Disable any source routed packet!".
IP was designed in an environment of fixed IPs, static routing tables, and "We'll never run out of these addresses". Routing has changed at least four times (RIP, class-independent routing/GGP, NATs, server farms). Fixed IPs have all but disappeared for most connected computers. We're running out of IPs. Virtually all of the assumptions of IPv4 are now broken.
Michael
--
I am a Mac OS X-Cocoa/WOF/EOF developer, and I'm available for hire. Please contact me at michael-job @ stb.nccom.com if interested. Resume at
http://resumes.dice.com/keybounce
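The two positions in this exchange, worked through in code. This is an added example, not code from the thread or from Apple's NSHost; it uses only the Python 3 standard library (socket, ipaddress), and the function names (local_address_for, reachable_by_peer, ftp_port_argument, build_port_command) are mine. The getsockname() half implements what the quoted reply recommends: the kernel's route selection, not NSHost, decides which local address a connection to a given peer uses, so a connected socket is the only honest source. The routability check implements Michael's objection: behind NAT that address is 192.168.0.1 or, for a connection to yourself, 127.0.0.1, and an FTP PORT command built from it advertises an address the server cannot reach, so the client must refuse (and use PASV) rather than guess.

```python
import ipaddress
import socket


def local_address_for(remote_host, remote_port=21):
    """Return the local IPv4 address the kernel would use to reach remote_host.

    connect() on a UDP socket sends no packet, but it still runs route
    selection, so getsockname() afterwards reports the same source address a
    TCP connection to that peer would carry.  This is the getsockname()
    approach the quoted reply recommends.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((remote_host, remote_port))
        return s.getsockname()[0]


def reachable_by_peer(local_ip):
    """True if local_ip is globally routable, i.e. usable in a PORT command.

    Private (RFC 1918), loopback and link-local addresses fail this check;
    they are exactly the addresses Michael describes getting back behind NAT.
    """
    return ipaddress.ip_address(local_ip).is_global


def ftp_port_argument(addr, port):
    """Format the RFC 959 PORT argument h1,h2,h3,h4,p1,p2 for an IPv4 address."""
    octets = addr.split(".")
    if len(octets) != 4 or not 0 <= port <= 65535:
        raise ValueError("PORT needs an IPv4 address and a 16-bit port")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def build_port_command(remote_host, remote_port=21):
    """Open an active-mode data listener and return (PORT line, listener).

    Raises RuntimeError when the socket-derived address is not globally
    routable: advertising it would send the server to an address it cannot
    reach (the NAT problem in the thread), so the caller should fall back to
    PASV instead of guessing a public address.
    """
    local_ip = local_address_for(remote_host, remote_port)
    if not reachable_by_peer(local_ip):
        raise RuntimeError(
            f"local address {local_ip} is not globally routable; "
            "a PORT command would advertise an unreachable address, use PASV")
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((local_ip, 0))           # port 0: kernel picks an ephemeral port
    listener.listen(1)
    _, data_port = listener.getsockname()  # ask the socket, never guess
    return "PORT " + ftp_port_argument(local_ip, data_port), listener


if __name__ == "__main__":
    # Connecting to yourself yields the loopback address, as in the post.
    print("to 127.0.0.1 ->", local_address_for("127.0.0.1"))
    # Addresses from the thread (constructed sample values, not live hosts).
    for ip in ("192.168.0.1", "127.0.0.1", "198.242.78.36", "37.33.15.5"):
        print(ip, "usable in PORT:", reachable_by_peer(ip))
    try:
        print(build_port_command("127.0.0.1")[0])
    except RuntimeError as e:
        print("refused:", e)
```

Two details worth noting. The UDP connect trick answers "which of my addresses will this connection use" for a multihomed host without sending anything, which is the piece NSHost cannot answer; it does not, and cannot, discover the NAT gateway's public address, which is Michael's point. Binding the data listener to port 0 and reading the port back with getsockname() applies the same rule to the port as to the address: every value that goes into the PORT line comes from a socket the kernel has already committed to.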
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.