Diva Canto wrote:
> I already said this, but let me make it more clear: I don't think this
> Authentication scheme is "the right one." I expect we'll throw it away
> once we start having more control over the client side. This is a hack
> to start covering up the security hole we have right now in OSGrid, the
> Hypergrid, and other OpenSim-based open grids out there. Obviously, this
> will be an optional module; walled-gardens don't need this [so much].

Actually, without (1) [a user server IP check by the region], isn't the
current situation still a problem for closed grids? It's possible to make
a region connection without any interaction/login with the user server if
one knows what to do and has the right information.

>
> Hurliman, John wrote:
>>> -----Original Message-----
>>> From: opensim-dev-boun...@lists.berlios.de [mailto:opensim-dev-
>>> boun...@lists.berlios.de] On Behalf Of Justin Clark-Casey
>>> Sent: Wednesday, February 25, 2009 9:18 AM
>>> To: opensim-dev@lists.berlios.de
>>> Subject: Re: [Opensim-dev] User Authentication
>>>
>>> Diva Canto wrote:
>>>> Mike Mazur wrote:
>>>>> Hi,
>>>>>
>>>>> On Tue, 24 Feb 2009 19:54:16 -0800
>>>>> Diva Canto <d...@metaverseink.com> wrote:
>>>>>
>>>>>> * Within a few days: write a simple [optional]
>>>>>> UserAuthenticationModule along the lines of option a) that does the
>>>>>> following: upon a NewUserConnection, regions will check with the
>>>>>> incoming user's User server that the declared user exists and is
>>>>>> logged into the system.
>>>>>
>>>>> In a grid a region can be told (via a configuration option) which user
>>>>> server to check. What about HG regions? How does an HG region know
>>>>> which user server to ping? Is this information supplied by the
>>>>> connecting client? If so, what's to prevent a malicious client from
>>>>> supplying a user server that will always reply favorably?
>>>>
>>>> The HG region sends that information along when the user moves away from
>>>> the home UGAIM. The user carries along the collection of URLs of all of
>>>> the servers it uses. It's ok if the given User Server @ foobar.com
>>>> always says yes -- that's not the problem. The problem we need to detect
>>>> is the user claiming to be from Intel.com or OSGrid.org, when, in fact,
>>>> isn't.
>>>>
>>>>>> Furthermore, upon AddNewClient (which happens
>>>>>> shortly after), regions will challenge the incoming client with 3 UDP
>>>>>> Ping messages having random seq numbers, to which the incoming client
>>>>>> must respond correctly
>>>>>
>>>>> How does the client know the correct response?
>>>>
>>>> In fiddling with the client after talking to Teravus, I discovered a
>>>> pair of response-reply packets that can be initiated from the server.
>>>> They are StartPingCheck / CompletePingCheck. They take a byte as
>>>> argument. The server sends StartPingCheck(33), the client responds with
>>>> CompletePingCheck(33). Handy.
>>>
>>> Just so I'm clear, your new scheme proposes the following steps?
>>>
>>> 1) When a client enters a new region (whether by initial login,
>>> teleport or region crossing), the region server will
>>> ask the user server if the IP given by the client matches that which it
>>> has previously stored on the user login?
>>>
>>> 2) If these addresses match, then a further validation against spoofing
>>> is performed by pinging the client using the
>>> StartPingCheck. A client spoofing the address will not be able to
>>> reply.
>>>
>>> --
>>> justincc
>>> Justin Clark-Casey
>>> http://justincc.wordpress.com
>>
>> As long as we accept the tradeoff that some HyperGrid teleport situations
>> will no longer work. At work here we have an internal grid, where I can
>> access it using my IP address of 10.xxx.xxx.xxx. I also have a connection to
>> the outside world, where my IP address is currently 134.xxx.xxx.xxx. At my
>> previous job, we had a load balancing router that was hooked up to a T1 and
>> two DSL lines. It was smart enough that it would maintain each of your IP
>> (and usually) UDP sessions on a single line, but if you went to talk to a
>> new server it would most likely put that connection on a new line. If IPv6
>> ever rolls out, this would prevent any HyperGridding between IPv4 and IPv6
>> worlds.
>>
>> I'm not saying +1 or -1 here, just that all of the implications of mixing IP
>> layer internals into application layer decisions need to be taken into
>> account.
>>
>> John
>> _______________________________________________
>> Opensim-dev mailing list
>> Opensim-dev@lists.berlios.de
>> https://lists.berlios.de/mailman/listinfo/opensim-dev

--
justincc
Justin Clark-Casey
http://justincc.wordpress.com
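
Added example (not from any message in this thread and not OpenSim code): a small Python simulation of the two checks discussed above, the user-server IP match followed by three StartPingCheck/CompletePingCheck rounds. The class and function names and the addresses are constructed for illustration; the run also reproduces the multi-homed case John describes, where a legitimate user is turned away at step 1.

```python
import secrets


class UserServer:
    """Stand-in for the user's home User server: remembers the IP seen at login."""
    def __init__(self):
        self.login_ip = {}

    def login(self, user, ip):
        self.login_ip[user] = ip

    def logged_in_from(self, user, ip):
        return self.login_ip.get(user) == ip


class Peer:
    """Whoever is really sending packets; real_ip is where replies to it arrive."""
    def __init__(self, real_ip):
        self.real_ip = real_ip

    def complete_ping_check(self, delivered_id):
        # A peer can only echo a StartPingCheck byte that actually reached it.
        return delivered_id


def admit(user, claimed_ip, peer, user_server, rounds=3):
    """Region-side decision for a new connection claiming (user, claimed_ip)."""
    # Step 1: ask the user server whether this user logged in from claimed_ip.
    if not user_server.logged_in_from(user, claimed_ip):
        return "reject: address differs from login"
    # Step 2: StartPingCheck goes to claimed_ip, so only its real owner sees it.
    for _ in range(rounds):
        ping_id = secrets.randbelow(256)      # the packet carries a single byte
        delivered = ping_id if peer.real_ip == claimed_ip else None
        if peer.complete_ping_check(delivered) != ping_id:
            return "reject: ping challenge unanswered"
    return "admit"


def demo():
    us = UserServer()
    us.login("alice", "192.0.2.10")           # constructed addresses
    return {
        "honest": admit("alice", "192.0.2.10", Peer("192.0.2.10"), us),
        "spoofed": admit("alice", "192.0.2.10", Peer("198.51.100.7"), us),
        "second_route": admit("alice", "198.51.100.7", Peer("198.51.100.7"), us),
        "never_logged_in": admit("mallory", "198.51.100.7", Peer("198.51.100.7"), us),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} {verdict}")
```

The "second_route" case is the same legitimate user arriving over a different address than the one recorded at login, which the IP match cannot tell apart from an impostor.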