[Opensim-dev] Interop

diva at metaverseink.com
Thu Sep 2 01:48:29 UTC 2010


[Changing the subject; long email full of technical and historical 
details; should perhaps cross-list to vwrap, but the chair there doesn't 
like cross-postings, understandably; I don't know how to solve that, so 
goes here only for now...]

OGP was a nice demo, and certainly had a lot of impact because it 
pointed towards what people wanted. It was incomplete, and the agent 
domain part was never made available for people to use on their own 
grids. But those weren't the only problems, they weren't even the major 
problems... The only reason why that demo worked at all was because 
OpenSim, at the time, was a _complete_security_hole_! :D

Basically, if you had a modified client that would make a certain remote 
call into any OpenSim out there, it would create an agent on the sim, 
without asking any questions. In other words, you could enter any grid 
bypassing credential checks altogether. That's how logins and TPs worked 
when I started playing with OpenSim. A couple of people noticed this at 
some point or another, and sent us private bug reports. I'm saying this 
now, because this affects very old versions of OpenSim that probably no 
one is running anymore -- I hope!

The very first version of HG1.0 exploited the same vulnerability. Later, 
I added a session check across the board, which would at least verify 
that there was some sort of authority on the sending side, and that such 
authority would confirm the existence of that session. I'm not sure 
people were still using OGP at this point, but OGP would have stopped 
working with this session check, because I didn't have access to the 
agent domain code in order to add this check to it.

The Hypergrid progressed empirically by me identifying all these 
security holes and, basically, fixing them. The holes were the path to the 
solutions -- I didn't have to make anything up!

I think the people who did OGP were conscious of how broken that 
SL/OpenSim demo was, and knew it needed a whole lot more. Documents out 
there explain what they were thinking about (e.g. 
http://wiki.secondlife.com/wiki/Structural_Design).

There are many similarities between what they were thinking and HG1.5. 
What that extended protocol is missing is the authentication between the 
multiple parties involved: what they call the Region domain (similar to 
the Gatekeeper), what they call the Agent domain (similar to the user 
agent service), the region itself, and the viewer. *And authentication 
is the critical piece for making this secure.*

Since they didn't seem to have any solution for the multi-party 
authentication problem, that led to the initial idea that interop could 
never be true S4S, but would have to have some sort of real-world 
authority that would establish and enforce the rules of engagement in a 
federation of VWs -- that would make the nasty problem of authentication 
go away with the addition of lawyers!

Melanie and I figured out how to make the multi-party authentication 
work. It's basically a series of data flows and verifications that rely 
100% on the basic Internet architecture -- DNS and TCP/IP addresses -- 
and on the social organization that we can expect on top of this 
architecture. Nothing fancy, really, just back to the basics. And it 
works. This is not the only way to solve the multi-party authentication 
problem, but it's probably the simplest.

HG1.5 is fairly secure; there are only a couple of obscure corner cases. 
It's more complicated and unsafe than it needs to be; if we had a client 
that would cooperate and do the right things it could be simpler. The LL client is a major 
fixed point in this; it greatly restricts what we can do.

But I've started to like the LL client like it is. Call it Stockholm 
syndrome! :D

There's an interesting thing about the LL architecture: the client talks 
only to the server(s) that it connects to, and not to the resource 
servers directly. We hate this, of course. But this is how web browsers 
work too -- or at least how they are forced to work by web servers. When 
you get a page from a site, the resources you are allowed to get via the 
dynamic connections are only from that site, and not others (the origin 
restriction). So if someone were ever to do a Web-browser-based rendering 
engine (something I would love to see!) we would be dealing with 
essentially the same situation that we are dealing with now. Think about it!


Justin Clark-Casey wrote:
> On 01/09/10 14:56, Mike Dickson wrote:
>>
>> More on OGP below.
>>> Like Diva, I also think that good standards very often only come out
>>> of working implementations. Hence, though I've
>>> been following the VWRAP lists (and OGP before that) I haven't been
>>> participating since there's been a lot of
>>> hard-to-follow discussion without much real-world consequence. And as
>>> a working developer I don't have the luxury of
>>> sitting on my tush and contemplating the Platonic world of future
>>> standards all day ;) (joking).
>> This is really the issue that has always bothered me. There's been an
>> assertion that working code was more important than "standards". Truth
>> is, standards are hard work, it's more fun to hack code. And there *was*
>> an existing implementation. LL and IBM demonstrated some limited cross
>> grid functionality (hence the OGP work). And asserting politics was an
>> issue is just lame. Linden Labs put forward a *working* system as a
>> starting point along with some jointly developed code demonstrating
>> limited interoperability. The code was even available to the OpenSim
>> team. So if there was a "political agenda" it was on both sides. LL
>> wanting to preserve some compatibility with their existing system (but
>> willing to consider changes) and on the HyperGrid side a desire to
>> explore and research ideas.
>>
>> What still remains is the hard work of creating a standard that defines
>> interoperability. It would be great to see that progress, along with the
>> code.
> 
> I certainly agree that standards are hard work, which is why creating 
> them without reference to any working examples seems an almost 
> impossible task to me.  But that's just my own opinion which is not 
> burdened by decades of experience :)
> 
> I also have to echo what Dahlia said earlier.  OGP was extremely 
> limited, afaik being nothing beyond transporting an avatar name to a 
> 'default' avatar on another grid.  There was no other identity or 
> appearance preservation, let alone access to inventory - all extremely 
> tough problems to address in any scalable or secure manner.
> 
> Dahlia's phrase "OpenSim community" rather than "OpenSim team" 
> illuminates very well the structures in play here.  In terms of the core 
> group, I wouldn't say that we were a team as such but more a community 
> of people with a reasonably common set of interests who agree to abide 
> by certain norms and a few rules.  There was never really an "OpenSim 
> team" to respond to OGP proposals.  Rather, some people were interested 
> in it and implemented the required bits and pieces and other people were 
> ambivalent or more interested in alternative architectures.
> 
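The "session check" described in the message above (a region asking the authority on the sending side to confirm that a session exists before creating an agent), as an added illustration that is not part of the original post and not OpenSim or Hypergrid code. The unchecked path stands in for the early behaviour the email recounts; the checked path does the verification. The `UserAgentService` class, the `registry` dict standing in for DNS and the network, the hostnames and the session ids are all constructed for this example.

```python
# Added illustration, not OpenSim/Hypergrid code: a toy model of the session
# check the email describes. All names, hosts, session ids and the registry
# that stands in for DNS are constructed for this example.
from dataclasses import dataclass, field
from typing import Dict
import secrets


@dataclass
class UserAgentService:
    """Constructed stand-in for the home grid's user agent service: the
    authority that issued the session the traveller presents."""
    host: str
    sessions: Dict[str, str] = field(default_factory=dict)  # session id -> user

    def login(self, user: str) -> str:
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = user
        return session_id

    def verify_session(self, session_id: str, user: str) -> bool:
        # Confirms only sessions it issued itself, and only for the named user.
        return self.sessions.get(session_id) == user


@dataclass
class CreateAgentRequest:
    """What a viewer (or anything else speaking the protocol) sends to the region."""
    user: str
    session_id: str
    home_host: str  # hostname of the authority the sender claims issued the session


# Constructed stand-in for DNS plus the network: hostname -> reachable service.
Registry = Dict[str, UserAgentService]


def create_agent_unchecked(req: CreateAgentRequest, region_agents: Dict[str, str]) -> bool:
    """The early behaviour the email recounts: take the caller's word for it
    and create the agent without asking anyone."""
    region_agents[req.user] = req.session_id
    return True


def create_agent_checked(req: CreateAgentRequest, registry: Registry,
                         region_agents: Dict[str, str]) -> bool:
    """The session check: resolve the claimed authority and ask it to confirm
    the session before creating the agent."""
    authority = registry.get(req.home_host)
    if authority is None:
        return False  # no reachable authority on the sending side: refuse
    if not authority.verify_session(req.session_id, req.user):
        return False  # the authority does not know this session: refuse
    region_agents[req.user] = req.session_id
    return True


def demo() -> Dict[str, bool]:
    """Runs three constructed requests through both paths; True means an agent was created."""
    home = UserAgentService("home.example")
    registry: Registry = {home.host: home}
    sid = home.login("alice")

    legit = CreateAgentRequest("alice", sid, "home.example")
    forged = CreateAgentRequest("alice", "0" * 32, "home.example")      # made-up session id
    unknown = CreateAgentRequest("bob", "0" * 32, "nowhere.invalid")    # authority not resolvable

    results: Dict[str, bool] = {}
    for name, req in (("legit", legit), ("forged", forged), ("unknown_authority", unknown)):
        results[name + "_unchecked"] = create_agent_unchecked(req, {})
        results[name + "_checked"] = create_agent_checked(req, registry, {})
    return results


if __name__ == "__main__":
    for key, created in demo().items():
        print(f"{key}: {'agent created' if created else 'refused'}")
```

The checked path only establishes what the email says the early fix established: that some reachable authority on the sending side vouches for the session. It does not bind that authority to the user's identity or to the region's own policy, which is the multi-party authentication problem the message goes on to describe for HG1.5; that binding is outside this example.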