Floating IP Addresses (Float IP) and ARP Spoofing

Floating IP address:

A single network interface can carry more than one IP address.

The setup is several hosts working in the same cluster, i.e. two or more hosts. Besides its own real IP, each machine is given a floating IP, and the floating IP is bound to a service on the host (an HTTP service, a mail service). Whichever machine the service starts on, the floating IP is activated on that machine as well, so that machine appears to have two IP addresses. A client only needs to reach the floating IP.

Even if the host side fails over to another machine because of a fault, the client can still find the service as long as it connects to the floating IP.

The benefit is that once one machine stops working, the service can be switched to another host quickly, which increases the redundancy of the system.

When the service is busy, the floating IP can also be used to balance load between the hosts.

In practice the implementation may rely on ARP spoofing techniques to handle the MAC address problem, i.e. to update the MAC address that other hosts on the segment associate with the floating IP.

In an active/standby pair, one IP is configured; which backend machine a request to that IP actually lands on is decided by the system. The floating IP moves together with the resource.

In other words, software places this IP on one particular machine according to the current situation and serves clients from there. To avoid a single machine crashing and taking the service down, two machines are used to provide the service. But how does a user know which IP to connect to? If they use one of the two and that one goes down, the service is still interrupted. So HA software is used: based on the state of the hosts, it places one IP on either of the two hosts, and if one host goes down it automatically moves that IP to the other machine. The user keeps using the same IP, and the failure of either host does not interrupt the service. Put simply, this IP can be set up automatically on any of N different machines as circumstances require.

A floating IP, as the name suggests, is an IP that is not pinned down: the address can float onto any host, but the address itself never changes. Cluster software generally uses a floating IP to serve the outside world, and it is transparent to users.

What is a floating IP

The internet – plainly put – consists of many computers connected by cables, fiber optic cables, and wireless receivers. They exchange data based on a common ‘language’. This common standard is known as the Internet Protocol (IP). Data is arranged in such a way that computers, which understand the common protocol, can interpret it.

An IP address, also referred to as an ‘IP’, makes digital devices detectable in a network. It is a crucial prerequisite so that electronic data packets can be delivered reliably. The devices communicate with one another, for example, over the internet. The IP address ensures that data from the sender reaches the correct recipient – for example, from a web browser to a web server or vice versa. An IP address can be assigned to both single and multiple devices at the same time. Likewise, a single device can have multiple IP addresses at the same time.

However, in order to be able to understand exactly what a floating IP is, you first need to know the difference between dynamic and static IP addresses.

Contents

  1. Dynamic IP

  2. Static IP

  3. Floating IP – definition

  4. How is a floating IP generated?

  5. When are floating IPs used?

  6. Failover and switchover

  7. What advantages does a floating IP offer?

Dynamic IP

When a computer connects to the internet, in most cases the Internet Service Provider (ISP) assigns a dynamic IP address to it. Dynamic IP addresses are the most cost-effective standard for users and providers. They are characterized by the fact that they are only assigned temporarily and change after a certain time, which is either fixed (e.g. 24 hours) or irregular. The user then receives a new dynamic IP address for their computer from the respective internet service provider, and the previous address is assigned to a different user.

Static IP

A static IP, on the other hand, is a fixed address and is permanently assigned to a device. Static IP addresses are found mainly in the web server or e-mail server area, or wherever offers or website content must be accessible via a fixed URL, so that users or processes can (re)find them without any problems. Computers in a network or peripheral devices (such as printers) have fixed IPs, so that the individual devices within the network can easily communicate with one another.

So that users don’t have to remember complex numbers, it’s possible to assign a domain name to a static IP address e.g. www.example.org. The numerical IP, the ‘connection number’ of a device in the network, is therefore translated into a name that can easily be remembered. This is generally only reserved for static IPs. It doesn’t make much sense for dynamic IPs since the user changes so frequently.

Floating IP – definition

A floating IP is usually a public, routable IP address that is not automatically assigned to an entity. Instead, a project owner assigns it to one or more entities temporarily. The respective entity has an automatically assigned static IP for communication between instances in a private, non-routable network area, as well as a manually assigned floating IP, which makes the entity's services recognizable, and therefore reachable, from outside the cloud or network.

In appropriately configured failover scenarios, an IP ‘floats’ to another active unit in the network so that it can take on the function of a dormant entity without a time delay, and can then answer incoming requests.

How is a floating IP generated?

Users obtain floating IPs for their projects from different pools that the system administrator configures and provides as server resources. As soon as a user receives a floating IP, they become the ‘owner’. They can assign it to an entity, remove it, and then assign it to another at any time. Even if an entity is terminated, the user does not ‘lose’ the associated floating IP. It remains as a resource and can still be assigned to another entity when needed.

A major reason for using several parallel floating IP pools is that each pool can be operated by another internet service provider or can also be assigned by other external networks. This ensures that the connectivity or availability is maintainable even if an internet service provider should fail due to a malfunction.

When are floating IPs used?

Maximum availability is one of the key factors in every production environment. In the communication network, however, a single error can cause applications to fail. Developers do sleep better knowing that their applications are designed to withstand any conceivable error scenarios. The goal is to provide a highly available piece of infrastructure with minimal downtime.

A floating IP can serve as a flexible load balancing address, helping to balance peak loads by distributing incoming network traffic to different network nodes. Network nodes are devices which connect two (or more) transmission paths of a telecommunication network. As with a computer that distributes workflows across multiple processors, load balancing also handles large amounts of simultaneous requests or more complex calculations by splitting the load across multiple parallel systems.

Failover and switchover

If a primary load balancer or a central application server in a cluster fails, a floating IP can be immediately assigned to a redundant application server or a secondary load balancer in a correspondingly configured system. The IP 'floats' to the active unit, which immediately carries out the desired processes. An unplanned change between network services is referred to as 'failover'. This kind of protection is especially recommended for critical applications.

A planned change from a primary to a secondary system is referred to as a 'switchover'. This deliberate transfer of services is not triggered by errors, but is usually controlled by a system administrator. A classic reason for a switchover is, for example, routine maintenance of the primary or secondary system, where a parallel instance temporarily takes over its function.

What advantages does a floating IP offer?

One of the main advantages of floating IPs is their flexibility – the free and needs-oriented assignability. Floating IPs are therefore suitable for use in both failover and switchover environments – for example, for performing upgrades of applications or entire sites with minimal downtime. While an upgrade is applied to one entity, another one takes on the traffic. Once the upgrade has been successfully completed, the traffic is redirected to the updated unit.

Another advantage: even if several or even many different entities are concealed behind a service being offered, the floating IP appears on the surface to users (who make use of the service) rather than the server’s IP that offers the respective service.

=============================
ARP spoofing

Also called ARP poisoning (often rendered online as the "ARP virus") or ARP attack, it is an attack technique against the Ethernet Address Resolution Protocol (ARP). The attack lets an attacker capture packets on the local network and even tamper with them, and can prevent a specific computer, or every computer on the network, from connecting normally. The earliest article discussing ARP spoofing is "ARP and ICMP redirection games" by Yuri Volobuev.

How it works:

ARP spoofing works by the attacker sending forged ARP packets onto the network, in particular ones concerning the gateway. The goal is for traffic destined for a specific IP address to be misdelivered to the place the attacker has substituted for it. The attacker can then forward that traffic on to the real gateway (passive sniffing) or tamper with it before forwarding it (man-in-the-middle attack). The attacker can also point ARP entries at a non-existent MAC address to achieve a denial-of-service effect, as the netcut software does.
For example, suppose a gateway has the IP address 192.168.0.254 and the MAC address 00-11-22-33-44-55; the ARP tables of the computers on the network will hold that entry. When the attacker launches the attack, it sends out a large number of ARP packets that rebind 192.168.0.254 to the MAC address 00-55-44-33-22-11. Once the computers on the network write this forged entry into their own ARP tables, any packet they send to other computers via the gateway is directed to 00-55-44-33-22-11 instead. The attacker therefore receives those packets at that MAC address and can either tamper with them and forward them to the real gateway, or do nothing, in which case the network cannot connect.
A simple case study: the simplest possible case illustrates the core steps of ARP spoofing. Suppose a LAN contains only three hosts, A, B and C, and C is the attacker.

  1. The attacker listens for MAC addresses on the LAN. As soon as it has received the ARP Requests broadcast by the two hosts, it can begin spoofing.
  2. Hosts A and B both broadcast ARP Requests. The attacker now has the IP and MAC addresses of both hosts and starts the attack.
  3. The attacker sends an ARP Reply to host B, with the sender IP in the packet's protocol header set to A's IP address and the sender MAC set to the attacker's own MAC address.
  4. When host B receives the ARP Reply, it updates its ARP table, changing the entry for host A from (IP_A, MAC_A) to (IP_A, MAC_C).
  5. When host B sends a packet to host A, it builds the link-layer header from its ARP table and sets the destination MAC address to MAC_C instead of MAC_A.
  6. When the switch receives the packet B sent to A, it forwards it to attacker C according to the packet's destination MAC address (MAC_C).
  7. After receiving the packet, the attacker can store it and then send it on to A, achieving eavesdropping. The attacker can also tamper with the data before sending the packet on to A, causing harm.

Countermeasures

The ideal countermeasure is to switch every computer on the network to static ARP entries, but that is impractical on a large network because every computer's ARP table would have to be updated constantly.
Another method, for example DHCP snooping, lets network devices record the MAC address of every computer on the network from its DHCP lease, so a forged ARP packet can be detected when it is sent. This method is supported in the network equipment of some vendors.
Some software monitors the ARP replies on the network and can e-mail the administrator when an abnormal change is detected, for example Arpwatch on UNIX platforms, XArp v2 on Windows, or the Dynamic ARP Inspection feature of some network devices.
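As an added defender-side illustration (not code from the original article, nor Arpwatch's own), the following Python tracks sender IP-to-MAC bindings seen in ARP replies and raises a "flip flop" alert when a known IP is rebound, which is the behaviour described for Arpwatch above; it also shows the caveat from the floating IP sections that a legitimate failover or switchover of a floating IP looks like the same event, so the monitor keeps an allowlist of the MACs permitted to announce each floating IP. The gateway values are the article's; the floating IP 192.168.0.100 and every other MAC are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def norm_mac(mac: str) -> str:
    """Canonicalise '00-11-22-33-44-55' or '00:11:22:33:44:55' to lower-case colon form."""
    return mac.replace("-", ":").lower()


@dataclass
class ArpMonitor:
    """Passive IP->MAC tracker in the spirit of Arpwatch / DAI (hypothetical code)."""
    # IP address -> MAC most recently claimed for it in an ARP reply
    table: Dict[str, str] = field(default_factory=dict)
    # Floating IPs -> MACs of the cluster members allowed to announce them
    floating: Dict[str, Set[str]] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def observe(self, sender_ip: str, sender_mac: str) -> Optional[str]:
        """Feed one ARP reply (its sender fields). Returns an alert string, or None if benign."""
        mac = norm_mac(sender_mac)
        prev = self.table.get(sender_ip)
        self.table[sender_ip] = mac
        if prev is None or prev == mac:
            return None  # first sighting, or binding unchanged
        allowed = self.floating.get(sender_ip)
        if allowed is not None and mac in allowed:
            return None  # expected failover/switchover of a floating IP
        alert = f"flip flop: {sender_ip} moved from {prev} to {mac}"
        self.alerts.append(alert)
        return alert


# Constructed sample replies (sender_ip, sender_mac), in the order they were seen.
SAMPLE_REPLIES: List[Tuple[str, str]] = [
    ("192.168.0.254", "00-11-22-33-44-55"),  # real gateway announces itself
    ("192.168.0.100", "aa:aa:aa:aa:aa:01"),  # floating IP active on cluster node 1
    ("192.168.0.254", "00-11-22-33-44-55"),  # gateway again, unchanged: benign
    ("192.168.0.100", "aa:aa:aa:aa:aa:02"),  # planned switchover to node 2: benign
    ("192.168.0.254", "00-55-44-33-22-11"),  # forged reply rebinding the gateway: alert
    ("192.168.0.100", "cc:cc:cc:cc:cc:cc"),  # unknown MAC claiming the floating IP: alert
]


def run_demo() -> List[str]:
    """Replay the sample replies through a monitor and return the alerts it raised."""
    mon = ArpMonitor(floating={"192.168.0.100": {"aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"}})
    for ip, mac in SAMPLE_REPLIES:
        mon.observe(ip, mac)
    return mon.alerts
```

On a real segment the same logic would be fed from a packet capture of ARP replies and gratuitous ARPs, and a DHCP snooping table can serve as the initial `table` so the first sighting of a forged binding is also caught.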

Legitimate uses

ARP spoofing also has legitimate uses. One is on a network that requires login: computers that have not logged in have their web browsing forcibly redirected to the login page, so the network can only be used after logging in. Also, some network devices or servers with a failover mechanism need ARP spoofing to redirect traffic to the standby device when the primary device fails.

Article compiled by 半码博客; original link: https://www.bmabk.com/index.php/post/77663.html