Private Application IP routing between two countries
I was asked a question in my oral exams:
You are accessing a website whose webserver is located in country A. You are in Country B. You know that the TCP/UDP packets pass through Country C while travelling from Country B to Country A. How will you keep your packets from travelling via Country C, and rather select a different route?
Any answers for this ?
The topology looks like this (I have annotated the webserver as Z, below):

             new fiber (in ASN 777)
             +-------+
             |       |
        Z----A---C---B
             |   |   |
             <INTERNET>
Executive Summary
Since there are no rules otherwise, the smartest thing countries A and B could do is purchase a direct fiber run between A and B [1]. Country B must administer the routers on both sides and announce a small route (something like a /24 block) in BGP from B's router in country A to B's router in B. B should obtain a new ASN for this purpose (we'll call it ASN 777).
Important Details
Now ensure that all users needing connectivity to Z in country B have a direct connection to an ISP peering with B's intercontinental routers via eBGP [2]. Country A must ensure that Z is directly connected to an ISP that prefers routes to country B through their router in country A [2].

The reason this works is that eBGP picks one shortest path based on the number of ISP hops [3]; and all the variables are directly in country B and country A's control.
END NOTES
1. Even if this is a trans-oceanic fiber run, the biggest requirement is that it does not pass through C's territory (or even close to their allies, if security is very critical). You really have no control if you pass traffic between the countries via any third party (to include the proxy suggestion in another answer). Also understand that dark fiber probably will not cut it: due to the distances that are usually involved between countries, managed fiber repeaters will be required in-line.

2. All ISPs in question must refuse routes for Z and B via any other ASN, except through ASN 777. If you are ultra-paranoid (and it's administratively possible), put Z and all users of the data from Z into ASN 777.

3. Technically, ISP hops are measured as Autonomous System Numbers, which is how eBGP evaluates route preference (lower numbers of ASNs crossed are better routes).
Just a thought: use a proxy?

Proxy in country D, which you know that packets from B to D do not go through C, and packets from D to A don't go through C either. So the route would be:

B -> [E] -> D -> [F] -> A,

where E and F are some countries that you can send your packets through.

Is it only me, or does C look like China? :-)
You could use simple AS path filters so that you only know of a path that does not traverse the undesired AS.
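As an added example (not code from the question or from any of the answers above), here is a small Python model of the two mechanisms the first and third answers rely on: eBGP best-path selection by shortest AS_PATH, and an inbound AS-path filter that refuses any route traversing the undesired AS (the "except through ASN 777" rule). Only ASN 777 comes from the page; every other ASN, the prefix and the neighbour addresses are constructed placeholders from the documentation ranges, and only the AS_PATH-length step plus the final lowest-neighbour-address tie-break of the BGP decision process are modelled.

```python
"""Toy model of BGP best-path selection with an AS-path filter.

Added example, not the original answers' code. Topology from the first answer:
webserver Z in country A, users in country B, transit through country C, and a
new direct fiber announced from ASN 777. All ASNs except 777, the prefix and
the neighbour addresses are constructed placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass

ASN_FIBER = 777            # from the answer: the new direct A<->B fiber
ASN_A_ISP = 64500          # placeholder: ISP in country A that hosts Z
ASN_C_TRANSIT = 64510      # placeholder: transit network in country C (to avoid)
ASN_C_PEER = 64511         # placeholder: a second AS on the longer path via C
Z_PREFIX = "203.0.113.0/24"  # placeholder (TEST-NET-3) for Z's /24 block


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple          # leftmost = neighbour we learned it from, rightmost = origin
    learned_from: str       # IPv4 address of the eBGP neighbour that sent it

    def as_path_str(self) -> str:
        return " ".join(str(asn) for asn in self.as_path)


def deny_asn_filter(denied_asn):
    """Inbound AS-path filter: drop any route whose AS_PATH contains denied_asn.

    Routers express this as a regex over the space-separated AS_PATH (an
    as-path access-list); the anchored pattern below is the same idea and does
    not match a longer ASN that merely starts with the same digits."""
    pattern = re.compile(rf"(^| ){denied_asn}( |$)")
    return lambda route: pattern.search(route.as_path_str()) is None


def only_via_filter(required_first_hop):
    """Accept a route only if it was learned directly from required_first_hop
    (the 'refuse routes ... except through ASN 777' rule in the first answer)."""
    return lambda route: bool(route.as_path) and route.as_path[0] == required_first_hop


def select_best(received, inbound_filters=()):
    """Apply inbound filters, then pick the shortest AS_PATH.

    Ties are broken by the lowest neighbour address, as the last step of the
    real decision process does; the intermediate steps (local-pref, origin,
    MED, IGP cost, router-id) are left out of this toy."""
    accepted = [r for r in received if all(f(r) for f in inbound_filters)]
    if not accepted:
        return None
    return min(accepted,
               key=lambda r: (len(r.as_path), ipaddress.ip_address(r.learned_from)))


# Constructed view from the users' ISP in country B: ways to reach Z's /24.
VIA_C = Route(Z_PREFIX, (ASN_C_TRANSIT, ASN_A_ISP), "192.0.2.1")              # 2 AS hops via C
VIA_FIBER = Route(Z_PREFIX, (ASN_FIBER, ASN_A_ISP), "198.51.100.1")           # 2 AS hops, new fiber
VIA_C_LONG = Route(Z_PREFIX, (ASN_C_TRANSIT, ASN_C_PEER, ASN_A_ISP), "192.0.2.1")  # 3 AS hops via C


def demo():
    """Return the chosen route under four policies (None = no route installed)."""
    # 1. No policy, unequal lengths: shortest AS_PATH wins, so the fiber is chosen.
    shortest_wins = select_best([VIA_C_LONG, VIA_FIBER])
    # 2. No policy, equal lengths: AS_PATH length cannot decide and the tie-break
    #    happens to pick the path through C. Length alone is not a guarantee.
    tie = select_best([VIA_C, VIA_FIBER])
    # 3. AS-path filter denying C's ASN plus "only via 777": C's path is removed
    #    before best-path selection even runs.
    policy = [deny_asn_filter(ASN_C_TRANSIT), only_via_filter(ASN_FIBER)]
    filtered = select_best([VIA_C, VIA_FIBER], policy)
    # 4. Same policy when the fiber is down: no route at all, rather than a
    #    silent fallback through C.
    fiber_down = select_best([VIA_C], policy)
    return shortest_wins, tie, filtered, fiber_down


if __name__ == "__main__":
    for label, route in zip(("shortest wins", "tie", "filtered", "fiber down"), demo()):
        print(f"{label:14s} -> {route.as_path_str() if route else 'no route'}")
```

Scenario 2 is the reason the filter matters: with the fiber in place, the path via C and the path via ASN 777 can both be two AS hops long, so the "shortest path" argument alone leaves the choice to a tie-break that neither country controls. Scenario 4 shows the trade-off of the strict filter: when the fiber fails, Z becomes unreachable instead of traffic quietly falling back through C.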