Justin Clark-Casey wrote:
> Just so I'm clear, your new scheme proposes the following steps?
> 1) When a client enters a new region (whether by initial login, teleport or region crossing), the region server will ask the user server if the IP given by the client matches that which it has previously stored on the user login?

Almost yes. Technically, for region crossings the child agent is already there. The authentication is done upon creation of the child agent circuit data and creation of the client. NewUserConnection and AddNewClient are called for child agents too. So the authentication does not happen upon region crossing, it happens before, when the child agent is established.

> 2) If these addresses match, then a further validation against spoofing is performed by pinging the client using the StartPingCheck. A client spoofing the address will not be able to reply.

Yes. To be precise, the spoofer may "reply", that is, it may send a CompletePingCheck packet to the server. But it will have to guess what the seq number is. Flooding the server with all 128 possible values won't help, because the server will be waiting for exactly the number it sent out. If it sees that the client is sending other numbers, it will be unhappy and will refuse to interact with that client.

_______________________________________________
Opensim-dev mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/opensim-dev
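
The check described in the reply above, sketched as an added example (not OpenSim code and not part of the original message): the server accepts exactly the ping number it sent and treats the first wrong number as final. The class and function names, the optional ping_id parameter, and the sample addresses are hypothetical; the 128-value range is taken from the message.

```python
import secrets

PING_ID_SPACE = 128  # number of possible values, as stated in the message above


class PingChallenge:
    """Server-side state for one pending address check (hypothetical helper)."""

    def __init__(self, claimed_addr, ping_id=None):
        self.claimed_addr = claimed_addr
        # Unpredictable number, sent only to the claimed address in
        # StartPingCheck. ping_id may be fixed for deterministic tests.
        self.expected_id = (secrets.randbelow(PING_ID_SPACE)
                            if ping_id is None else ping_id)
        self.state = "pending"  # pending -> verified | rejected

    def on_complete_ping_check(self, src_addr, ping_id):
        """Handle one CompletePingCheck and return the resulting state."""
        if self.state != "pending":
            return self.state  # decision is final; later packets change nothing
        if src_addr != self.claimed_addr:
            return self.state  # not from the address being checked: ignore
        # Exactly one answer is acceptable. Any other value ends the check,
        # so a sender cycling through every number is cut off at the first
        # wrong one instead of eventually hitting the right one.
        self.state = "verified" if ping_id == self.expected_id else "rejected"
        return self.state


def flood(challenge):
    """Replay a constructed flood: every number in order, one packet each."""
    for guess in range(PING_ID_SPACE):
        challenge.on_complete_ping_check(challenge.claimed_addr, guess)
    return challenge.state


if __name__ == "__main__":
    addr = "203.0.113.7"  # constructed documentation address
    print(flood(PingChallenge(addr, ping_id=5)))  # rejected
    honest = PingChallenge(addr, ping_id=5)
    print(honest.on_complete_ping_check(addr, 5))  # verified
```

A sender that never saw the StartPingCheck gets one attempt, so its chance of passing is 1 in 128 whether it sends one packet or all of them.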
