Private IP addresses in an internet facing service?
By KitchenSink on Jun 16, 2008
Many of Sun's sites, particularly those that facilitate downloads or share knowledge, e.g. Sunsolve, do an RDNS (reverse DNS) check. This check makes sure that the user's IP address isn't coming from one of the embargoed countries (e.g. North Korea).
We provide the RDNS service (also called GLS, the geo location service) to the rest of Sun's external facing web sites. It's a pretty basic and simple service: given a particular IP address, it returns either "pass" or "fail". It's also internet facing, albeit firewalled, so all requests come over the open internet. So we were a little confused about why we were getting "private" IP addresses as data. In talking with our ops team, we were told that a "private" IP address meant that the request had never been NATed, i.e. it had not traveled over the open internet. Of course we were failing them, because we could not determine the geo location of a private address.
We were sure that these requests were actually generated by Sun employees accessing our external web sites. That was where the complaints about getting denied access were coming from. But even that didn't make sense: for a Sun employee to browse the external sites, they would have either gone through a proxy or been on a DIA (direct internet access) machine, which meant that their traffic had to have traveled over the open internet.
But not exactly. It turns out there is some legacy routing that actually allows traffic on the Sun internal network to reach some external sites without ever traveling the open internet. So, mystery solved. Now to figure out how to fix it.
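An added example (not Sun's GLS code) of how a service like the one described above can keep its pass/fail verdict while making the private-address case visible to ops: it classifies the client address before any geolocation lookup, and a helper counts non-public client addresses in access logs, which is exactly the signal that exposed the legacy internal route. The geo table, the `/gls` path and the log lines are constructed for the example.

```python
# Added example, not Sun's GLS code: classify a request's source address before
# geolocation, so a non-public one is logged as "unroutable" (it crossed no NAT).
import ipaddress
from collections import Counter

# Ranges that cannot be the source of a request that crossed the open internet.
NON_PUBLIC = {
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"],  # RFC 1918 / ULA
    "loopback": ["127.0.0.0/8", "::1/128"],
    "link-local": ["169.254.0.0/16", "fe80::/10"],
    "shared": ["100.64.0.0/10"],  # RFC 6598 carrier-grade NAT space
}

# Constructed stand-in for the geo database (documentation prefixes, not real data).
GEO_TABLE = {ipaddress.ip_network("192.0.2.0/24"): "US",
             ipaddress.ip_network("198.51.100.0/24"): "KP"}
EMBARGOED = {"KP"}  # the page names North Korea as an embargoed country

def classify_source(addr):
    """Return 'public' or the kind of non-routable address this is."""
    ip = ipaddress.ip_address(addr)
    for label, prefixes in NON_PUBLIC.items():
        if any(ip in ipaddress.ip_network(p) for p in prefixes):
            return label
    return "public"

def gls_decide(addr):
    """Pass/fail verdict as the page's service gives, plus a reason for the logs."""
    kind = classify_source(addr)
    if kind != "public":
        # Same "fail" as before, but the reason tells ops this is a routing anomaly.
        return "fail", f"unroutable:{kind}"
    ip = ipaddress.ip_address(addr)
    country = next((cc for net, cc in GEO_TABLE.items() if ip in net), None)
    if country is None:
        return "fail", "geo:unknown"
    if country in EMBARGOED:
        return "fail", f"geo:embargoed:{country}"
    return "pass", f"geo:{country}"

def unroutable_sources(log_lines):
    """Count non-public client addresses by kind; any hit means an internal path."""
    kinds = (classify_source(line.split()[0]) for line in log_lines)  # client addr first
    return Counter(k for k in kinds if k != "public")

SAMPLE_LOG = [  # constructed access-log lines, client address in the first field
    '10.4.20.7 - - [16/Jun/2008:10:01:02 +0000] "GET /gls HTTP/1.1" 200',
    '192.0.2.44 - - [16/Jun/2008:10:01:05 +0000] "GET /gls HTTP/1.1" 200',
    '100.64.3.3 - - [16/Jun/2008:10:01:11 +0000] "GET /gls HTTP/1.1" 200',
]
```

Running `unroutable_sources(SAMPLE_LOG)` over real logs gives a per-kind count that should be zero for a genuinely internet-facing service; anything else points at a path that bypasses NAT.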