[Opensim-dev] Validating IP and Region

Melanie Thielker melanie at t-data.com
Mon Jul 24 12:57:24 UTC 2017 

Hi,

there is no point in trying to do that because the grid services are
so varied in scope and can be behind reverse proxies, etc. IP has
not been a security factor for a long time, since today many
different services, not all from the same provider, share an IP.
Your best approach is therefore to create HTTPS connections and do
authentication within this secure wrapper using anything from a
simple password to a full PKI setup, depending on the security level
required.

- Melanie

On 22/07/2017 08:54, Haravikk wrote:
> (apologies if this ends up posting multiple times, I mistook the
> user-activation e-mail as confirmation I could post, instead of
> following the link first, then on my second attempt used the wrong
> damn e-mail address *facepalms*)
>
>
> I'm currently looking at porting a set of web-services from Second
> Life for use with Open Simulator based grids, and my current
> challenge is validating that an llHTTPRequest() comes from the
> grid and region that it claims to. For Second Life requests all I
> had to do was a reverse DNS lookup on the sender's IP address, to
> see if it ends with agni.lindenlab.com
> <http://agni.lindenlab.com> or aditi.lindenlab.com
> <http://aditi.lindenlab.com> depending upon the value for
> X-SecondLife-Shard, as this confirmed the server was valid, which
> means I can then reasonably trust the other headers.
>
> For Open Simulator grids this obviously isn't possible. So what
> I'd like to be able to do is instead require that requests include
> a header with grid information, such as the grid's login URI (as
> obtained by the osGetGridLoginUri() function), and then somehow
> perform a call-back to the grid asking it to confirm if the
> sender's IP address is currently hosting the region that it claims
> the request is from.
>
>
> To break it down a bit more:
>
> 1. A script in Haravikk's Region, hosted at 123.123.123.123 sends
> an llHTTPRequest() to my web-service with the following key headers:
>
>     X-SecondLife-Region: Haravikk's Region (1000,1000)
>     X-OpenSim-Region-UUID: 12345678-1234-1234-1234-123456789012
>     X-OpenSim-Grid: http://mygrid.com/login; nick_name=my_grid;
>     name="My Grid"
>
> 2. My web-service doesn't recognise the IP as a host for
> Haravikk's Region on my_grid, and so sends a call-back to my_grid
> asking whether the IP 123.123.123.123 is currently hosting a
> region named "Haravikk's Region".
> 3. If the grid confirms that it is, my web-service can store a
> note of this for some reasonable time to avoid repeated requests,
> and serves up content as normal, knowing that the request comes
> from the grid and region that it claims to (or at least, that the
> grid was willing to vouch for it).
>
>
> What I would like to know is:
> 1. Is something like this currently possible? The only other way I
> could think to do this would be to write some kind of bot to try
> to connect to the region through the given grid but that would be
> incredibly heavy-weight, and I think would only work if the region
> was accessible via the hyper-grid (since I can't have specific
> login details for every potential grid).
> 2. If it isn't currently possible, what would it take to make it
> so? I'm a programmer myself so wouldn't mind working on adding
> this if I have to, but I have no familiarity with the code and am
> only really starting to get a grasp for the structure of Open
> Simulator, so I'm not sure what the best place to add such an
> externally facing service might be?
> 3. Is it worth looking into adding the X-OpenSim-Grid header as a
> standard feature either way? It's obviously pretty easy to
> generate yourself via script, but seems like it'd be a useful
> addition for Open Simulator llHTTPRequest() calls.
>
>
> In case it helps, the idea with my web-service is that data will
> be stored with an awareness of which grid it belongs to; my
> purpose in validating the region with the grid is to make it
> harder for a request to be spoofed as coming from a given
> region/grid combo. While grids like osgrid obviously allow ad-hoc
> regions to connect and disconnect, I would at least be able to
> confirm that a region *did* exist, and osgrid was willing to vouch
> for that region's IP; if a grid doesn't provide confirmation, then
> I know that the request is being spoofed (or sending old details,
> or the grid doesn't want to play ball, but either way gives me
> reason to reject it).
>
> I think this could help a lot for writing web services for use
> across grids.
>
> Any help is greatly appreciated!
> - Haravikk
>
>
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at opensimulator.org
> http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev

More information about the Opensim-dev mailing list