[Opensim-dev] User Authentication
Justin Clark-Casey
jjustincc at googlemail.com
Wed Feb 25 18:16:38 UTC 2009
Diva Canto wrote:
> Justin Clark-Casey wrote:
>> Just so I'm clear, your new scheme proposes the following steps?
>> 1) When a client enters a new region (whether by initial login, teleport or region crossing), the region server will
>> ask the user server if the IP given by the client matches that which it has previously stored on the user login?
>>
> Almost yes. Technically, for region crossings the child agent is already
> there. The authentication is done upon creation of the child agent
> circuit data and creation of the client. NewUserConnection and
> AddNewClient are called for child agents too. So the authentication does
> not happen upon region crossing, it happens before, when the child agent
> is established.
>> 2) If these addresses match, then a further validation against spoofing is performed by pinging the client using the
>> StartPingCheck. A client spoofing the address will not be able to reply.
>>
>>
>
> Yes. To be precise, the spoofer may "reply", that is, it may send a
> CompletePingCheck packet to the server. But it will have to guess what
> the seq number is. Flooding the server with all 128 possible values
> won't help, because the server will be waiting for exactly the number it
> sent out. If it sees that the client is sending other numbers, it will
> be unhappy and will refuse to interact with that client.
I must admit, I'm surprised that the spoofer can receive the packet at all if it's being sent to the IP given (the
spoofed one). But I shall bow to those with superior raw sockets knowledge than myself.
--
justincc
Justin Clark-Casey
http://justincc.wordpress.com
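
The ping check described in the quoted reply above, modelled as an added example (not code from this thread or from OpenSim). The class and function names are hypothetical, and the 128-value space is the figure quoted in the thread. It contrasts a server that refuses the client on the first wrong value with one that keeps waiting for a match.

```python
import secrets

PING_ID_SPACE = 128  # size of the value space quoted in the thread


class PingCheck:
    """Hypothetical server-side record of one outstanding ping challenge."""

    def __init__(self, pick=secrets.randbelow, lock_on_mismatch=True):
        # The challenge goes only to the address stored at login, so a host
        # that merely forges that source address never sees this value.
        self.expected = pick(PING_ID_SPACE)
        self.lock_on_mismatch = lock_on_mismatch
        self.state = "pending"  # pending -> verified | rejected

    def on_reply(self, ping_id):
        """Process one reply; once decided, the state never changes."""
        if self.state != "pending":
            return self.state
        if ping_id == self.expected:
            self.state = "verified"
        elif self.lock_on_mismatch:
            self.state = "rejected"  # strict: any other number ends it
        return self.state


def blind_flood(check):
    """A sender that never saw the challenge replies with every value."""
    for guess in range(PING_ID_SPACE):
        check.on_reply(guess)
    return check.state


def flood_successes(lock_on_mismatch):
    """Count challenge values for which a full blind flood gets verified."""
    wins = 0
    for value in range(PING_ID_SPACE):
        check = PingCheck(pick=lambda n, v=value: v,
                          lock_on_mismatch=lock_on_mismatch)
        wins += blind_flood(check) == "verified"
    return wins


if __name__ == "__main__":
    print("strict server, floods verified: ", flood_successes(True))
    print("lenient server, floods verified:", flood_successes(False))
```

In this model the strict server verifies a blind flood only when the first value sent happens to match (1 challenge in 128), while the lenient server verifies it for all 128.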