[Opensim-dev] Validating IP and Region

David Saunders abitar.com at gmail.com
Mon Jul 24 07:33:03 UTC 2017


Hey,

  I have a few grid-based apps that are designed to work across grids.
I ran into several issues involving differences within the grid.
   1> IPs can be dynamic. I ran into a few grids where the region IPs
would change from time to time.  Setting a callback on each grid was out of
the question. Not all grids expose their grid service to the wilds of the
internet.  And getting a grid operator to run a web script for you is a very
hard task.
  2> Not all grids run the same script engines or landscape. Meaning, not
all features are available to use, like groups.

  So what I did was set up a register script. This script has a
hash/password and creates an access key, registers the object with your
external service. This is also where I register the URI for the http
server if available. And we pass back a token to use for the next 48 hours
or reset to use on any further transactions.  Why ~48 hours? Well, this is
when the URL seems to expire and needs to be refreshed.

 In practice, I have a grid hash and a user hash I use. The grid hash is for
identifying the grid where it is being sourced, and the user hash is the
one that gets assigned to the creator/owner of the scripts running.  This is
still not perfect; you could spoof some items.

  The problem with OpenSim is that the scripts are readable to whoever has
the permissions too.  And they come easy; unless the grid imposes this level
of security and limits it to only the fewest to use, all can be open to
everyone.

  So what I suggest is not a solution to linking IP to region UUID but
to set up a username/password for your apps :)

   What you can do is set up an external web script that accesses the region
database file and polls to see if the IP/region name is valid.

david


On Sun, Jul 23, 2017 at 3:56 PM, Cinder Roxley <cinder at alchemyviewer.org>
wrote:

> On July 23, 2017 at 2:27:34 PM, Haravikk (opensim at haravikk.me) wrote:
>
> After digging around it's starting to look like the answer is a "no" to
> this capability at present (do feel free to correct me if that's wrong,
> pretty please!) so I'm thinking about what it would take to add it.
>
> There are only really two key features needed to support it however:
>
> *Add an X-OpenSim-Grid header to llHTTPRequest()*
>
> The idea here is to add a new X-OpenSim-Grid header to all llHTTPRequest()
> calls, automatically containing the current grid's login URI, nickname and
> full name, in a format resembling the following:
>
> X-OpenSim-Grid: http://mygrid.com/login; nick_name=my_grid; name="My Grid"
>
>
> x-grid-info:// makes a better resource identifier for grids:
> https://alchemy.atlassian.net/wiki/pages/viewpage.action?pageId=28737538 The
> nick and the name can be easily pulled from get_grid_info/
>
> *Enable Querying of IP and Region Name*
>
> My thinking is that a new request would be supported on a grid's login URI
> (if possible); whereby, instead of logging in, the sender queries the grid
> about whether a given region name exists with a given IP address or not,
> with the server responding either true or false. There should be no viable
> risk of exploitation here as the call will only return true if the sender
> already knows both a valid IP address and region name; all it can therefore
> do is confirm that <region name> is currently provided by a server at <IP
> address>.
>
>
> You can already POST to the grid service to get this information, although
> the grid service isn’t always exposed publicly:
> http://opensimulator.org/wiki/GridService
>
> Adding this to the login URI seems like the simplest option, but it may
> not be the cleanest (is it polluting the login URI to have it handle other
> things like this?), however, with the login URI being the primary point of
> contact for a grid it seems like the most logical way to do it to me. If
> anyone has any other ideas where the query should be performed (and how the
> necessary info can be passed to a web-service) please comment!
>
> Please don’t pollute the endpoint. While it may be convenient, the login
> service may not even have access to the grid service and it doesn’t belong
> there. The services are tangled up enough as it is. I would think the
> Gatekeeper service would be more appropriate, but don’t quote me on that.
>
> Okay, so I just found that there's no way to retrieve a region's UUID in a
> script so you can ignore that part; though I had thought it would be a
> better way to identify a region (in case a region is renamed).
>
>
> Also, bear in mind having one, two, five, or one hundred regions with the
> same name on the same ip address is perfectly valid in OpenSim.
>
> Though that does raise the separate question; would there be any harm in
> making a region's UUID available to scripts and/or sending it as a HTTP
> header? It just seems like it would be a good way to handle any region that
> is renamed, because as long as the GUID is kept the same then web-services
> (and grids) could recognise that it's the same region and treat it
> accordingly.
>
>
> Changing a region’s UUID is as easy as changing its name, and just as easy
> to spoof in most cases.
>
>
>
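
The registration scheme David describes at the top of this message (a per-grid/per-user secret, an access key, a registered callback URI and a token good for about 48 hours), sketched as the external service side; this is an added example, not code from the e-mail or from OpenSim. HMAC-SHA256, the field layout and all names and values below are assumptions, since the message only says "hash/password".

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 48 * 3600  # seconds; the ~48 hour lifetime mentioned in the message
# Constructed sample secret keyed by (grid hash, user hash); hypothetical values.
SECRETS = {("grid-abc", "user-123"): b"constructed-shared-secret"}


def access_key(secret, grid_hash, user_hash, object_key, callback_url):
    """Key the in-world register script would send: an HMAC over every claimed field."""
    msg = "\n".join([grid_hash, user_hash, object_key, callback_url]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Registry:
    def __init__(self):
        self._tokens = {}  # sha256(token) -> (object_key, callback_url, expires_at)

    def register(self, grid_hash, user_hash, object_key, callback_url, key, now):
        secret = SECRETS.get((grid_hash, user_hash))
        if secret is None:
            return None  # unknown grid/user pair
        expected = access_key(secret, grid_hash, user_hash, object_key, callback_url)
        if not hmac.compare_digest(expected.encode(), key.encode()):
            return None  # wrong secret, or a field was altered after signing
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (object_key, callback_url, now + TOKEN_TTL)
        return token

    def validate(self, token, object_key, now):
        """Return the registered callback URL, or None if unknown, expired or mismatched."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.get(digest)
        if entry is None:
            return None
        owner, callback_url, expires_at = entry
        if now >= expires_at:
            del self._tokens[digest]  # expired: the object has to register again
            return None
        if owner != object_key:
            return None  # token presented by a different object
        return callback_url
```

Because the secret lives in a script that anyone with the right permissions can read, as the message notes, this binds requests to whoever holds that secret rather than to an IP address or region.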