[Opensim-dev] Validating IP and Region
Haravikk
opensim at haravikk.me
Mon Jul 31 13:28:28 UTC 2017
So now that I have access to the wiki (thanks Melanie!) I've had a go at putting this idea into a more formal proposal, which I'm interested in getting feedback on:
http://opensimulator.org/wiki/User:Haravikk_Mistral/RegionVerification
Please note, it's reliant on there being easier ways to pass the grid address to an external service; I've put this as a separate proposal which I'll have a separate discussion for.
With regards to this specific proposal, I'm looking for feedback on the proposed protocol for verifying a region once you know a grid, region and IP you'd like to verify.
In particular, as I noted in alternatives considered, I'm curious about people's thoughts on whether it's worth having verification as its own specific request, or if it'd be better to do something more general purpose, such as some kind of external region data request (not to be confused with the existing, internal one that shouldn't really be made remotely accessible), e.g. a kind of get_region_info request that would include, among other things, the IP, which a web-service could then compare.
Having a specific get_region_info style request would be useful for a whole variety of reasons, but would allow scraping of region info from outside of a grid, which may or may not be desirable; I don't think there's any real security concern, but I'm not sure yet. This is compared to the verify request as proposed, which can only report whether a region and IP combination is valid for a given grid, at a particular moment in time; i.e. you'd need to know a valid region/IP combo before you can get anything useful, and at most all you can really do is keep that combo and periodically test it to see if the region is still available, which shouldn't really be an issue (as bots can already do this).
> On 24 Jul 2017, at 17:51, Haravikk <opensim at haravikk.me> wrote:
>
>> On 24 Jul 2017, at 13:57, Melanie Thielker <melanie at t-data.com> wrote:
>>
>> Hi,
>>
>> there is no point in trying to do that because the grid services are
>> so varied in scope and can be behind reverse proxies, etc.
>
> Reverse proxies shouldn't be a problem; if a grid is behind one it should still receive the request for IP/region confirmation as normal (just as you can login etc. as normal). If the web-service is behind one then usually they will still be passed Forward-For and related headers from which it can get the source IP (apache and nginx can do this automatically so you don't have to do it in your app-code).
>
> If a simulator is proxied in such a way that the source IP that the web-service sees doesn't match what the grid is willing to verify, then that's precisely the kind of suspicious case I'd like to be able to detect. For my own web-services this alone won't be enough to block access, but will cause the requests to be handled as "untrusted", either requiring some authentication, or limiting what can be done.
>
>> IP has not been a security factor for a long time, since today many
>> different services, not all from the same provider, share an IP.
>
> My intent isn't to use it as absolute security; just to get some assurance that a request is actually coming from where it says it does.
>
>> Your best approach is therefore to create HTTPS connections and do
>> authentication within this secure wrapper using anything from a
>> simple password to a full PKI setup, depending on the security level
>> required.
>
> For anything sensitive I absolutely still intend to use session keys to keep track of authenticated devices, but I'd still like to be able to validate that information being sent in the request is true. It's not an either/or, the capability for both can absolutely exist.
>
> The question IMO isn't whether a callback would work, as it absolutely should, the question is how best to implement it.
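
An added example, not part of the original message or of OpenSimulator code: how a web-service behind a reverse proxy could choose the source IP to check and label a request "trusted" or "untrusted" as discussed above. The proxy ranges, the sample grid data and the `grid_verify` callable (a hypothetical stand-in for the proposed verify request) are assumptions; the forwarding header used is `X-Forwarded-For`.

```python
import ipaddress

# Constructed values: the reverse proxies this web-service sits behind.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("127.0.0.1/32")]

def is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer_ip, forwarded_for=None):
    """Return the source address to check against the grid.

    X-Forwarded-For is honoured only when the TCP peer is one of our own
    proxies. It is walked right to left, skipping trusted hops, so entries
    a client put in the header itself are never selected.
    """
    addr = ipaddress.ip_address(peer_ip)
    if not forwarded_for or not is_trusted_proxy(addr):
        return addr
    for hop in reversed(forwarded_for.split(",")):
        try:
            candidate = ipaddress.ip_address(hop.strip())
        except ValueError:
            return addr  # malformed entry: keep the last address we could parse
        addr = candidate
        if not is_trusted_proxy(addr):
            break
    return addr

def classify(grid, region, peer_ip, forwarded_for, grid_verify):
    """Label a request "trusted" or "untrusted".

    grid_verify(grid, region, ip) -> bool is a hypothetical stand-in for the
    proposed verification request; its wire format is not shown on this page.
    """
    ip = client_ip(peer_ip, forwarded_for)
    try:
        confirmed = grid_verify(grid, region, str(ip))
    except Exception:
        confirmed = False  # grid unreachable or error: fail closed
    return "trusted" if confirmed else "untrusted"

# Constructed sample data: the (grid, region) -> IP pairs a grid would confirm.
SAMPLE_GRID = {("grid.example", "Sandbox"): "203.0.113.7"}

def sample_grid_verify(grid, region, ip):
    return SAMPLE_GRID.get((grid, region)) == ip
```

An "untrusted" result here is a label only; what it gates (extra authentication, reduced functionality) is up to the web-service.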