[Opensim-dev] User Authentication

Justin Clark-Casey jjustincc at googlemail.com
Wed Feb 25 18:16:38 UTC 2009


Diva Canto wrote:
> Justin Clark-Casey wrote:
>> Just so I'm clear, your new scheme proposes the following steps?
>> 1)  When a client enters a new region (whether by initial login, teleport or region crossing), the region server will 
>> ask the user server if the IP given by the client matches that which it has previously stored on the user login?
>>   
> Almost yes. Technically, for region crossings the child agent is already 
> there. The authentication is done upon creation of the child agent 
> circuit data and creation of the client. NewUserConnection and 
> AddNewClient are called for child agents too. So the authentication does 
> not happen upon region crossing, it happens before, when the child agent 
> is established.
>> 2)  If these addresses match, then a further validation against spoofing is performed by pinging the client using the 
>> StartPingCheck.  A client spoofing the address will not be able to reply.
>>
>>   
> 
> Yes. To be precise, the spoofer may "reply", that is, it may send a 
> CompletePingCheck packet to the server. But it will have to guess what 
> the seq number is. Flooding the server with all 128 possible values 
> won't help, because the server will be waiting for exactly the number it 
> sent out. If it sees that the client is sending other numbers, it will 
> be unhappy and will refuse to interact with that client.

I must admit, I'm surprised that the spoofer can receive the packet at all if it's being sent to the IP given (the 
spoofed one).  But I shall bow to those with superior raw sockets knowledge than myself.

--
justincc
Justin Clark-Casey
http://justincc.wordpress.com
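
An added example, not part of the original message or of OpenSim's code: a minimal Python model of the server-side check Diva Canto describes, in which only the exact sequence number sent out is accepted and any other number gets the client refused. The class and function names are hypothetical, and the ID space of 128 is the figure given in the thread.

```python
import secrets

ID_SPACE = 128  # number of possible ping IDs, as stated in the thread


class PingChallenge:
    """Server-side state for one pending address check (hypothetical model)."""

    def __init__(self, id_space=ID_SPACE):
        self.id_space = id_space
        self.expected = None    # ID carried by the outstanding ping
        self.verified = False   # set once the exact ID comes back
        self.rejected = False   # set on the first wrong reply

    def issue(self):
        """Pick an unpredictable ID, remember it, and return it for sending."""
        self.expected = secrets.randbelow(self.id_space)
        return self.expected

    def on_reply(self, ping_id):
        """Handle one reply; True only for the exact ID that was sent."""
        if self.rejected or self.expected is None:
            return False
        if ping_id == self.expected:
            self.verified = True
            self.expected = None   # one-shot: the challenge cannot be reused
            return True
        # Any other number means the sender never saw the ping: refuse it.
        self.rejected = True
        self.expected = None
        return False


def blind_flood_wins(id_space=ID_SPACE):
    """Count, over every possible expected ID, how often replying with all
    IDs in ascending order passes the check (constructed scenario)."""
    wins = 0
    for expected in range(id_space):
        challenge = PingChallenge(id_space)
        challenge.issue()
        challenge.expected = expected  # force each possible value in turn
        if any(challenge.on_reply(guess) for guess in range(id_space)):
            wins += 1
    return wins
```

Because the first wrong number ends the exchange, a sender that never saw the ping gets exactly one guess, so `blind_flood_wins()` returns 1 out of 128 cases instead of 128.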


