Application-specific IP routing between two countries

Posted 2024-11-08 13:48:42

I was asked a question in my oral exams:

You are accessing a website whose webserver is located in country A.
You are in Country B.
You know that the TCP/UDP Packets pass through Country C while travelling from Country B to Country A.
How will you avoid your packets to travel via Country C, and rather select a different route?

Any answers for this?


Comments (3)

临走之时 2024-11-15 13:48:42

The topology looks like this (I have annotated the webserver as Z, below):

  new fiber (in ASN 777)
     +-------+
     |       |
Z----A---C---B
     |   |   |
     <INTERNET>

Executive Summary

Since there are no rules otherwise, the smartest thing countries A and B could do is purchase a direct fiber run between A and B [1]. Country B must administer the routers on both sides and announce a small route (something like a /24 block) in BGP from B's router in country A to B's router in B. B should obtain a new ASN for this purpose (we'll call it ASN 777).

Important Details

Now ensure that all users needing connectivity to Z in country B have a direct connection to an ISP peering with B's intercontinental routers via eBGP [2]. Country A must ensure that Z is directly connected to an ISP that prefers routes to country B through their router in country A [2].

The reason this works is because eBGP picks one shortest path based on the number of ISP hops [3]; and all the variables are directly in country B and country A's control.

END NOTES


  1. Even if this is a trans-oceanic fiber run; the biggest requirement is that it does not pass through C's territory (or even close to their allies, if security is very critical). You really have no control if you pass traffic between the countries via any third party (to include the proxy-suggestion in another answer). Also understand that dark-fiber probably will not cut it... due to the distances that are usually involved between countries, managed fiber repeaters will be required in-line.

  2. All ISPs in question must refuse routes for Z and B via any other ASN, except through ASN 777. If you are ultra-paranoid (and it's administratively possible), put Z and all users of the data from Z into ASN 777.

  3. Technically, ISP hops are measured as Autonomous System Numbers, which is how eBGP evaluates route preference (lower numbers of ASNs crossed are better routes).

极致的悲 2024-11-15 13:48:42

Just a thought: use a proxy?

Proxy in country D, which you know that packets from B to D do not go through C, and packets from D to A don't go through C either. So the route would be:

B -> [E] -> D -> [F] -> A,

where E and F are some countries that you can send your packets through.

Is it only me, or does C look like China? :-)

孤千羽 2024-11-15 13:48:42

You could use simple AS path filters so that you only know of a path that does not traverse the undesired AS.
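
The AS-path filter suggested in this answer, combined with the shortest-AS-path choice described in the first answer, as an added example that is not part of the original posts. Only ASN 777 comes from the page; the other ASNs and the prefix are constructed documentation values, and only AS-path length is modeled, not the full BGP decision process.

```python
from dataclasses import dataclass

# Assumptions: 64496 is A's ISP, 64500 is the AS in country C, 64501/64502 are
# other transit ASes, 192.0.2.0/24 is Z's prefix. Only ASN 777 is from the page.
UNDESIRED_AS = 64500
Z_PREFIX = "192.0.2.0/24"

@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple   # ASNs crossed, nearest neighbor first, origin last
    neighbor: str

def as_path_filter(routes, denied_as):
    """Inbound filter: discard announcements whose AS_PATH contains denied_as."""
    return [r for r in routes if denied_as not in r.as_path]

def best_path(routes):
    """Simplified eBGP choice: fewest ASNs crossed (ties broken by neighbor name)."""
    if not routes:
        return None   # no usable route: traffic is dropped, not sent via C
    return min(routes, key=lambda r: (len(r.as_path), r.neighbor))

def select(routes, prefix, denied_as=UNDESIRED_AS):
    """Route used for prefix after filtering; denied_as=None disables the filter."""
    candidates = [r for r in routes if r.prefix == prefix]
    return best_path(as_path_filter(candidates, denied_as))

# Constructed announcements for Z as received by an ISP in country B.
VIA_C = Route(Z_PREFIX, (64500, 64496), "transit-via-C")
DETOUR = Route(Z_PREFIX, (64501, 64502, 64496), "transit-detour")
FIBER = Route(Z_PREFIX, (777,), "fiber-777")   # Z placed inside ASN 777 (end note 2)

if __name__ == "__main__":
    cases = {
        "fiber up, filter on": select([VIA_C, DETOUR, FIBER], Z_PREFIX),
        "fiber down, no filter": select([VIA_C, DETOUR], Z_PREFIX, denied_as=None),
        "fiber down, filter on": select([VIA_C, DETOUR], Z_PREFIX),
        "only C left, filter on": select([VIA_C], Z_PREFIX),
    }
    for name, route in cases.items():
        print(f"{name:24} -> {route.neighbor if route else 'no route'}")
```

The filter only governs which announcements this ISP accepts, so it steers traffic leaving B; the return path from A needs the matching policy on A's side, which is what end note 2 of the first answer asks of all ISPs involved.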
