[Opensim-dev] User Authentication

Hurliman, John john.hurliman at intel.com
Wed Feb 25 17:51:26 UTC 2009


>-----Original Message-----
>From: opensim-dev-bounces at lists.berlios.de [mailto:opensim-dev-bounces at lists.berlios.de] On Behalf Of Justin Clark-Casey
>Sent: Wednesday, February 25, 2009 9:18 AM
>To: opensim-dev at lists.berlios.de
>Subject: Re: [Opensim-dev] User Authentication
>
>Diva Canto wrote:
>>   Mike Mazur wrote:
>>> Hi,
>>>
>>> On Tue, 24 Feb 2009 19:54:16 -0800
>>> Diva Canto <diva at metaverseink.com> wrote:
>>>
>>>
>>>> * Within a few days: write a simple [optional]
>>>> UserAuthenticationModule along the lines of option a) that does the
>>>> following: upon a NewUserConnection, regions will check with the
>>>> incoming user's User server that the declared user exists and is
>>>> logged into the system.
>>>>
>>>
>>> In a grid a region can be told (via a configuration option) which user
>>> server to check. What about HG regions? How does an HG region know
>>> which user server to ping? Is this information supplied by the
>>> connecting client? If so, what's to prevent a malicious client from
>>> supplying a user server that will always reply favorably?
>>>
>> The HG region sends that information along when the user moves away from
>> the home UGAIM. The user carries along the collection of URLs of all of
>> the servers it uses. It's ok if the given User Server @ foobar.com
>> always says yes -- that's not the problem. The problem we need to detect
>> is the user claiming to be from Intel.com or OSGrid.org, when, in fact,
>> isn't.
>>
>>>> Furthermore, upon AddNewClient (which happens
>>>> shortly after), regions will challenge the incoming client with 3 UDP
>>>> Ping messages having random seq numbers, to which the incoming client
>>>> must respond correctly
>>>>
>>>
>>> How does the client know the correct response?
>>>
>> In fiddling with the client after talking to Teravus, I discovered a
>> pair of response-reply packets that can be initiated from the server.
>> They are StartPingCheck / CompletePingCheck. They take a byte as
>> argument. The server sends StartPingCheck(33), the client responds with
>> CompletePingCheck(33). Handy.
>
>Just so I'm clear, your new scheme proposes the following steps?
>
>1)  When a client enters a new region (whether by initial login,
>teleport or region crossing), the region server will
>ask the user server if the IP given by the client matches that which it
>has previously stored on the user login?
>
>2)  If these addresses match, then a further validation against spoofing
>is performed by pinging the client using the
>StartPingCheck.  A client spoofing the address will not be able to
>reply.
>
>--
>justincc
>Justin Clark-Casey
>http://justincc.wordpress.com

As long as we accept the tradeoff that some HyperGrid teleport situations will no longer work. At work here we have an internal grid, where I can access it using my IP address of 10.xxx.xxx.xxx. I also have a connection to the outside world, where my IP address is currently 134.xxx.xxx.xxx. At my previous job, we had a load balancing router that was hooked up to a T1 and two DSL lines. It was smart enough that it would maintain each of your IP (and usually) UDP sessions on a single line, but if you went to talk to a new server it would most likely put that connection on a new line. If IPv6 ever rolls out, this would prevent any HyperGridding between IPv4 and IPv6 worlds.

I'm not saying +1 or -1 here, just that all of the implications of mixing IP layer internals into application layer decisions need to be taken into account.

John
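
The following is an added sketch, not part of the thread and not OpenSim code, of the two-step check summarized in the quoted message (login-IP match, then StartPingCheck/CompletePingCheck echo) and of the multi-homed case raised in the reply. The class and function names and the documentation-range addresses are constructed for illustration.

```python
import secrets

PING_ROUNDS = 3  # the thread proposes three ping challenges


class Client:
    """Constructed stand-in for a viewer (hypothetical, not an OpenSim type)."""

    def __init__(self, source_ip, sees_replies=True):
        self.source_ip = source_ip        # address the region sees on the packet
        self.sees_replies = sees_replies  # False models a spoofed source address

    def complete_ping_check(self, ping_id):
        # A real client echoes the byte it was sent. A sender that spoofed
        # its source address never receives the challenge, so it has no answer.
        return ping_id if self.sees_replies else None


def admit(login_ip, client, rounds=PING_ROUNDS):
    """Return (admitted, reason) for a client entering a region."""
    # Step 1: the address stored by the user server at login must match.
    if client.source_ip != login_ip:
        return False, "ip-mismatch"
    # Step 2: random one-byte challenges, as with StartPingCheck(33).
    for _ in range(rounds):
        ping_id = secrets.randbelow(256)
        if client.complete_ping_check(ping_id) != ping_id:
            return False, "ping-failed"
    return True, "ok"


def blind_guess_probability(rounds=PING_ROUNDS):
    """Chance that a sender guessing each one-byte id blindly passes all rounds."""
    return (1 / 256) ** rounds


# Constructed sample cases (RFC 5737 documentation addresses).
LOGIN_IP = "203.0.113.7"
honest = Client("203.0.113.7")
spoofed = Client("203.0.113.7", sees_replies=False)
# Same legitimate user, but the new connection left via a different uplink.
multihomed = Client("198.51.100.9")

if __name__ == "__main__":
    for name, c in [("honest", honest), ("spoofed", spoofed), ("multihomed", multihomed)]:
        print(name, admit(LOGIN_IP, c))
    print("blind guess:", blind_guess_probability())
```

The multi-homed case is rejected at step 1 before any ping is sent, which is the tradeoff the reply describes.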


