Multiple-IP-Address clients - ISP problem? Crypto?

Looking for ISP employees…:wink:

We’ve got a situation where it appears that some ISPs actually spoof a different IP address for dialup users when they connect to http ports (80) or https ports (443)…is this really possible?

It sounds crazy, but it’s playing merry hell with our token-based encryption schemes when a single HTTP client is connected to a server with two different IP addresses simultaneously!

I’m trying to find a different explanation, although it’s difficult since the code’s been locked down for two weeks and in that time the problem has repeatedly appeared and disappeared for certain individual users. I know that lots of ISPs have invisible WebCaches that drive me up the wall - it’s really annoying when an updated webpage doesn’t update because a webcache you can’t avoid has incorrectly decided to serve the cached response (this has happened to me before - careful examination of all HTTP headers using a debugging HTTP client showed that the cache was ignoring the new timestamp on the webserver’s response :frowning: ). Perhaps there’s some good reason for using different IP addresses for encrypted / plaintext transmissions?

Yes, no reason why they can’t do that.

As for why they would do it, that’s a different matter. Maybe they log all port 80 traffic, and push it all out through a certain IP to get their logger to pick it up? Don’t bother with 443 as they can’t do anything with the data anyway? Maybe it’s their simple and easy way of distinguishing non-cacheable data?

Have you ruled out the possibility that someone’s trying a man-in-the-middle attack on your users’ 443 traffic?

[quote]Yes, no reason why they can’t do that.

As for why they would do it, that’s a different matter. Maybe they log all port 80 traffic, and push it all out through a certain IP to get their logger to pick it up? Don’t bother with 443 as they can’t do anything with the data anyway? Maybe it’s their simple and easy way of distinguishing non-cacheable data?
[/quote]
Yeah, I was imagining similar things - but really I’m just shooting in the dark here; I don’t even know if it is the ISP, or if it’s something else. We’re working with dotted-quad IPs so there’s no chance of DNS malarkey going on, but I’m not sure if source-address-verification is currently enabled on the server (thinks: must check that now!)

The IP addresses concerned are from the allocated IP ranges of the ISP. Reverse-DNS suggests they are all modem-pool servers. Interestingly, the http and https connection IPs are from completely different IP blocks, and the https IPs are not en route between client and server via ICMP - but are only one hop away, suggesting possibly that the modem dialup server is multi-homed in two unrelated IP blocks, and uses a different NIC dependent on traffic.

As yet we’ve not confirmed there’s no attack going on (cf. above re: SAV), but we do have access to one affected client, so have been able to gather the above details. I’m now wondering if perhaps there’s a hardware web accelerator device (a hardware cache?) on the modem server (hence the extra IP); or perhaps its modem pool doesn’t bother with data compression when it knows you’re using encrypted streams (and the modem hardware is configured to notice this based on IP address).

[quote]Looking for ISP employees…:wink:

We’ve got a situation where it appears that some ISPs actually spoof a different IP address for dialup users when they connect to http ports (80) or https ports (443)…is this really possible?
[/quote]
As it turns out, what happened is that a major ISP changed their webcache configuration. The previous setup had either routed all http* traffic via their caches, or none - but now they route http through the cache, everything else not.

I’m not sure what they’re doing with their LAN setup in the modem pool, but the modem dialup server is one hop across PPP - and so is the webcache (i.e. web packets do NOT go through the dialup server on their way to the webcache). I’m confused by this because I thought PPP was point-to-point only (hence PP Protocol?), not point-to-multipoint?

Anyway, what happened was that we were getting IP addresses for the PPP dialup server (on SSL HTTP) and for the webcache (on HTTP) simultaneously - hence the difference. Obvious really; it’s just that PPP bit that’s still confusing me.
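The pattern the thread ends on (one session token arriving from two source addresses, split cleanly by scheme, because the ISP routes plain HTTP through a transparent cache and HTTPS directly) is something a server operator can triage from access logs, and it also shows why binding a token to a single client IP fails. The script below is an added example, not code from the original posters: it assumes a simple constructed log format (timestamp, source IP, scheme, method, path, token), uses constructed log lines with documentation-range addresses, and compares a naive IP-bound token policy with a per-scheme binding that tolerates the cache split but still catches a token reappearing from a different address on the same scheme. The "split-by-scheme" label is a triage hint, not proof of benign caching; the same shape would appear if only one scheme were being intercepted, so it still warrants checking the addresses against the ISP's allocations as the poster did.

```python
import re
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed sample log lines for the example (not from the thread).
# Assumed format: <timestamp> <client_ip> <scheme> <method> <path> token=<token>
# abc123: https from the dialup server address, http from a cache address (thread's case)
# def456: both schemes from one address (no transparent cache in the path)
# ghi789: https from two different addresses (same scheme; worth investigating)
SAMPLE_LOG = """\
2003-05-01T10:00:01Z 192.0.2.10 https GET /login token=abc123
2003-05-01T10:00:05Z 198.51.100.7 http GET /images/logo.gif token=abc123
2003-05-01T10:00:09Z 192.0.2.10 https POST /account token=abc123
2003-05-01T10:01:00Z 203.0.113.4 https GET /login token=def456
2003-05-01T10:01:02Z 203.0.113.4 http GET /style.css token=def456
2003-05-01T10:02:00Z 192.0.2.55 https GET /account token=ghi789
2003-05-01T10:02:30Z 192.0.2.99 https POST /transfer token=ghi789
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (https?) (\S+) (\S+) token=(\S+)$")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the assumed log format into one record per request; skips malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, scheme, method, path, token = m.groups()
        records.append({"ts": ts, "ip": ip, "scheme": scheme,
                        "method": method, "path": path, "token": token})
    return records


def ips_by_token_and_scheme(records: List[Dict[str, str]]) -> Dict[str, Dict[str, set]]:
    """token -> scheme -> set of source IPs seen for that token on that scheme."""
    seen: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for r in records:
        seen[r["token"]][r["scheme"]].add(r["ip"])
    return seen


def classify_tokens(records: List[Dict[str, str]]) -> Dict[str, str]:
    """Label each token by how its source addresses are distributed across schemes."""
    labels = {}
    for token, per_scheme in ips_by_token_and_scheme(records).items():
        all_ips = set().union(*per_scheme.values())
        if len(all_ips) == 1:
            labels[token] = "single-ip"
        elif all(len(ips) == 1 for ips in per_scheme.values()):
            # Exactly one address per scheme and they differ: the transparent-cache
            # shape from the thread (http via cache, https direct). Triage hint only.
            labels[token] = "split-by-scheme"
        else:
            # Same scheme, more than one address: not explained by a per-scheme cache.
            labels[token] = "multi-ip-within-scheme"
    return labels


# A binding policy maps a request to (slot, value): the token is bound to `value`
# the first time it is seen in `slot`, and later requests in that slot must match.
Policy = Callable[[Dict[str, str]], Tuple[str, str]]


def ip_policy(rec: Dict[str, str]) -> Tuple[str, str]:
    """Naive policy: one address per token regardless of scheme."""
    return ("any", rec["ip"])


def ip_per_scheme_policy(rec: Dict[str, str]) -> Tuple[str, str]:
    """One address per (token, scheme): tolerates the http/https split, not same-scheme changes."""
    return (rec["scheme"], rec["ip"])


def simulate_binding(records: List[Dict[str, str]], policy: Policy) -> Dict[str, int]:
    """Replay the log against a first-seen binding policy; return rejections per token."""
    bound: Dict[Tuple[str, str], str] = {}
    rejections: Dict[str, int] = {r["token"]: 0 for r in records}
    for r in records:
        slot, value = policy(r)
        key = (r["token"], slot)
        if key not in bound:
            bound[key] = value
        elif bound[key] != value:
            rejections[r["token"]] += 1
    return rejections


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for token, label in classify_tokens(recs).items():
        print(f"{token}: {label}")
    print("rejections, IP-bound:       ", simulate_binding(recs, ip_policy))
    print("rejections, IP-per-scheme:  ", simulate_binding(recs, ip_per_scheme_policy))
```

Run against the constructed log, the IP-bound policy rejects abc123's plain-HTTP request (the cache-split case the thread hit) as well as ghi789's second HTTPS request; the per-scheme policy only rejects ghi789. If a token must be tied to a network address at all, binding it separately per scheme, or only on the HTTPS side where the cache is not in the path, keeps legitimate users working while still flagging the case that actually looks like token reuse.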