I have heard of IP cloaking, but never investigated it. Try a google search to see if anything comes up.

Intranet IP addresses can be duplicated across many locations, since they are not officially on the web.

[searchengineworld.com...]

It is a network unique identifier, if there would be 2 that were identical, the computer would not know to which one to send to. As a general rule, when assigning an IP, the system checks to see a duplicate does not exists on that network.

Hope that helps.

In a fundamental way, the ip address is part of the ip transmission protocol and is assigned to the physical address for the transmission of messages and cannot be spoofed.

At the next level, HTTP is the protocol that defines how packets of information are requested and responded to. The HTTP message protocol sits "on top of" the IP transmission protocol. The web is built on HTTP.

When you "go to a web page", you are actually sending an HTTP request from the IP address assigned to the machine your are on (essentially, it may be more complex if you are on a LAN or are otherwise using a firewall or proxy) to the IP address that hosts the web page. The web server hosting the web page receives an HTTP request which includes (in the header portion of the request) some information identifying you (the requestor). The most important information is your:

1. IP address
2. User Agent (usually assigned by your browser)
3. Referrer (the page you linked from)

I am guessing that spoofing the IP address in the HTTP request is what you are asking about. Is this a more exact restatement of your question?:

Can someone visit a web page and have that web page think the visitor has a different ip address than he really has?

The User Agent and Referrer are easy to spoof. Especially, the User Agent is spoofed all the time. For example, Email scrappers try to hide what they are after by making their User Agent look like a browser. Spoofing the User Agent is an underhanded, but common, practice akin, I believe, to calling somebody on the phone and lying about your identity.

Spoofing the IP address in the HTTP header, as far as I know, is impossible. It is akin to calling somebody on the phone and having your caller id show a different phone number than you are actually calling from.

txbakers: I concur with your statements. Except that, I think this is a different issue from "ip cloaking".

Cloaking is when a web server looks at what it knows about a visitor and issues a response specific to the visitor.

UA delivery is when the server makes the decision based on the user agent in the http header. (for example, if the useragent contains "googlebot" serve spider food, otherwise, serve human food). UA delivery is easy to de-cloak because the ua is easy to spoof. To continue the phone analogy, ua cloaking is like asking who is calling and if it is your girlfriend saying some things and if it is your mom saying other stuff. The vulnerability of ua cloaking comes because, if your mom identifys herself as your girlfriend, you will still talk to her about last night.

IP delivery is when the server makes the decision based on the ip address. Since the ip address cannot be spoofed, ip delivery is much more difficult to decloak. If you look at the caller id, you can tell that it is your mom calling.

Professional cloakers use all information available from the request header (ip address, user agent, and referrer) to determine what the response should be. We depend on the IP address as the only reliable piece of information about the visitor. However, IP delivery requires a lot of work to manage the lists of ip addresses known to be associated with the search engines, spiders and agents.

Spoofing the IP address in the HTTP header, as far as I know, is impossible.

I believe ip spoofing is done at the underlying internet protocol level.

Can someone visit a web page and have that web page think the visitor has a different ip address than he really has?

I believe the answer to that would have to be yes, it is possible. An attacker can take over the identity of some other host by forging ip packets. The targeted box will believe it is communicating with the original host. It will send its data back to that original hostīs ip address where they will be discarded at the tcp level. The attacker will never see the answer to his forged datagrams. Itīs a blind communication, so it might not be practical for surfing the web. But you can definitely get somebodyīs ip address to appear in the log files of a server that that person never visited.