Validating IP and Region


Haravikk
(apologies if this ends up posting multiple times, I mistook the user-activation e-mail as confirmation I could post, instead of following the link first, then on my second attempt used the wrong damn e-mail address *facepalms*)


I'm currently looking at porting a set of web-services from Second Life for use with Open Simulator based grids, and my current challenge is validating that an llHTTPRequest() comes from the grid and region that it claims to. For Second Life requests all I had to do was a reverse DNS lookup on the sender's IP address, to see if it ends with agni.lindenlab.com or aditi.lindenlab.com depending upon the value for X-SecondLife-Shard, as this confirmed the server was valid, which means I can then reasonably trust the other headers.

For Open Simulator grids this obviously isn't possible. So what I'd like to be able to do is instead require that requests include a header with grid information, such as the grid's login URI (as obtained by the osGetGridLoginUri() function), and then somehow perform a call-back to the grid asking it to confirm if the sender's IP address is currently hosting the region that it claims the request is from.


To break it down a bit more:

1. A script in Haravikk's Region, hosted at 123.123.123.123 sends an llHTTPRequest() to my web-service with the following key headers:
   X-SecondLife-Region: Haravikk's Region (1000,1000)
   X-OpenSim-Region-UUID: 12345678-1234-1234-1234-123456789012
   X-OpenSim-Grid: http://mygrid.com/login; nick_name=my_grid; name="My Grid"
2. My web-service doesn't recognise the IP as a host for Haravikk's Region on my_grid, and so sends a call-back to my_grid asking whether the IP 123.123.123.123 is currently hosting a region named "Haravikk's Region".
3. If the grid confirms that it is, my web-service can store a note of this for some reasonable time to avoid repeated requests, and serves up content as normal, knowing that the request comes from the grid and region that it claims to (or at least, that the grid was willing to vouch for it).


What I would like to know is:
1. Is something like this currently possible? The only other way I could think to do this would be to write some kind of bot to try to connect to the region through the given grid but that would be incredibly heavy-weight, and I think would only work if the region was accessible via the hyper-grid (since I can't have specific login details for every potential grid).
2. If it isn't currently possible, what would it take to make it so? I'm a programmer myself so wouldn't mind working on adding this if I have to, but I have no familiarity with the code and am only really starting to get a grasp for the structure of Open Simulator, so I'm not sure what the best place to add such an externally facing service might be?
3. Is it worth looking into adding the X-OpenSim-Grid header as a standard feature either way? It's obviously pretty easy to generate yourself via script, but seems like it'd be a useful addition for Open Simulator llHTTPRequest() calls.


In case it helps, the idea with my web-service is that data will be stored with an awareness of which grid it belongs to; my purpose in validating the region with the grid is to make it harder for a request to be spoofed as coming from a given region/grid combo. While grids like osgrid obviously allow ad-hoc regions to connect and disconnect, I would at least be able to confirm that a region did exist, and osgrid was willing to vouch for that region's IP; if a grid doesn't provide confirmation, then I know that the request is being spoofed (or sending old details, or the grid doesn't want to play ball, but either way gives me reason to reject it).

I think this could help a lot for writing web services for use across grids.

Any help is greatly appreciated!
- Haravikk

_______________________________________________
Opensim-dev mailing list
[hidden email]
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
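
The Second Life check described in the post above, as an added example (not Haravikk's code). It goes one step beyond the reverse lookup the post describes by also resolving the returned name forward. The shard values "Production" and "Testing" are the ones Second Life sends in X-SecondLife-Shard; the injectable resolver parameters and the DNS sample data are constructed for illustration.

```python
import socket

# X-SecondLife-Shard values mapped to the host suffixes named in the post.
# The leading dot keeps a name like "notagni.lindenlab.com" from matching.
SHARD_SUFFIX = {
    "Production": ".agni.lindenlab.com",
    "Testing": ".aditi.lindenlab.com",
}


def second_life_origin_ok(peer_ip, shard,
                          reverse=socket.gethostbyaddr,
                          forward=socket.gethostbyname_ex):
    """True if peer_ip reverse-resolves into the shard's domain and that
    name resolves back to peer_ip. peer_ip must be the socket peer address,
    never a value taken from a request header."""
    suffix = SHARD_SUFFIX.get(shard)
    if suffix is None:
        return False
    try:
        host = reverse(peer_ip)[0].rstrip(".").lower()
        if not host.endswith(suffix):
            return False
        # A PTR record is set by whoever controls the IP block, so confirm it
        # against the forward zone, which only the domain owner controls.
        return peer_ip in forward(host)[2]
    except OSError:  # herror/gaierror: lookup failed, so fail closed
        return False


# Constructed DNS data (documentation address ranges) so the check runs offline.
_PTR = {
    "192.0.2.10": "sim10.agni.lindenlab.com",
    "198.51.100.7": "sim10.agni.lindenlab.com",   # PTR that the forward zone does not confirm
    "203.0.113.5": "agni.lindenlab.com.example.net",
}
_A = {"sim10.agni.lindenlab.com": ["192.0.2.10"]}


def fake_reverse(ip):
    if ip not in _PTR:
        raise socket.herror(1, "Unknown host")
    return (_PTR[ip], [], [ip])


def fake_forward(host):
    if host not in _A:
        raise socket.gaierror(socket.EAI_NONAME, "Name not known")
    return (host, [], _A[host])


def check(ip, shard):
    """Run the check against the constructed DNS data above."""
    return second_life_origin_ok(ip, shard, fake_reverse, fake_forward)
```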

Re: Validating IP and Region

Haravikk

Okay, so I just found that there's no way to retrieve a region's UUID in a script so you can ignore that part; though I had thought it would be a better way to identify a region (in case a region is renamed).

Though that does raise the separate question; would there be any harm in making a region's UUID available to scripts and/or sending it as a HTTP header? It just seems like it would be a good way to handle any region that is renamed, because as long as the GUID is kept the same then web-services (and grids) could recognise that it's the same region and treat it accordingly.
While I realise both name and UUID can be changed by anyone at any time, the potential for abuse is limited so long as a region remains connected, i.e- you could only spoof it when the region is down, and only if the grid performs no additional sanity checks.

Anyway, just wanted to note that at the most basic this proposal would be to query a grid for IP and region-name, UUID can be kept as a separate issue if necessary, though I think it would be the better way to do it.


Re: Validating IP and Region

Haravikk
After digging around it's starting to look like the answer is a "no" to this capability at present (do feel free to correct me if that's wrong, pretty please!) so I'm thinking about what it would take to add it.

There are only really two key features needed to support it however:

Add an X-OpenSim-Grid header to llHTTPRequest()

The idea here is to add a new X-OpenSim-Grid header to all llHTTPRequest() calls, automatically containing the current grid's login URI, nickname and full name, in a format resembling the following:

X-OpenSim-Grid: http://mygrid.com/login; nick_name=my_grid; name="My Grid"

Strictly speaking this isn't necessary, as it is already possible to fetch this information via OSSL calls, however including this useful header automatically would eliminate the need to enable and use OSSL functions just to send a properly grid-agnostic llHTTPRequest().

The question mark here is that the OSSL functions are currently set to a threat level of moderate, but I'm not sure why; none of this information should be sensitive, as either a login URI is valid or it isn't, i.e- it exists and is remotely accessible etc., otherwise it shouldn't matter if the destination server knows what the grid is called any more than it knowing what a region is called is a security threat.

So to me this seems harmless, can anyone comment why it might not be?

The only "threat" I can think of is that a standalone grid's login URI would be its external IP address, however by sending an HTTP request it is already exposing that information anyway so it's not really a security risk.

Enable Querying of IP and Region Name

My thinking is that a new request would be supported on a grid's login URI (if possible); whereby, instead of logging in, the sender queries the grid about whether a given region name exists with a given IP address or not, with the server responding either true or false. There should be no viable risk of exploitation here as the call will only return true if the sender already knows both a valid IP address and region name; all it can therefore do is confirm that <region name> is currently provided by a server at <IP address>.

Adding this to the login URI seems like the simplest option, but it may not be the cleanest (is it polluting the login URI to have it handle other things like this?), however, with the login URI being the primary point of contact for a grid it seems like the most logical way to do it to me. If anyone has any other ideas where the query should be performed (and how the necessary info can be passed to a web-service) please let comment!
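
The web-service side of the call-back described in this thread (the numbered steps in the first post and the true/false query proposed above), as an added example that is not part of any post or of OpenSimulator. `RegionValidator`, `ask_grid` and `make_fake_grid` are hypothetical names, the grid query is a stand-in callable because no such endpoint exists yet, and the short negative cache and the cache size bound are additions.

```python
import re
import time
from urllib.parse import urlsplit

_FIELD_RE = re.compile(r'(?:[^;"]|"[^"]*")+')  # runs between ';' outside quotes
_REGION_RE = re.compile(r"^(.+) \((\d+), ?(\d+)\)$")


def parse_grid_header(value):
    """Parse 'URI; nick_name=x; name="X"', the format proposed in the thread."""
    fields = [f.strip() for f in _FIELD_RE.findall(value) if f.strip()]
    if not fields:
        raise ValueError("empty grid header")
    url = urlsplit(fields[0])
    if url.scheme not in ("http", "https") or not url.hostname:
        raise ValueError("grid login URI must be an http(s) URL")
    info = {"login_uri": fields[0]}
    for field in fields[1:]:
        key, sep, val = field.partition("=")
        key = key.strip()
        if not sep or not key or key in info:
            raise ValueError("malformed or repeated field: %r" % field)
        info[key] = val.strip().strip('"')
    return info


def parse_region_header(value):
    """Split 'Name (x,y)' into the region name and its grid coordinates."""
    m = _REGION_RE.match(value)
    if not m:
        raise ValueError("malformed region header")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


class RegionValidator:
    """Web-service side of the call-back: ask the grid once, then cache."""

    def __init__(self, ask_grid, ttl=24 * 3600, negative_ttl=60,
                 max_entries=10000, clock=time.time):
        # ask_grid(login_uri, ip, region) -> bool is a hypothetical stand-in
        # for the grid query; the thread only proposes such an endpoint.
        self._ask_grid = ask_grid
        self._ttl = ttl                    # how long a confirmation is reused
        self._negative_ttl = negative_ttl  # short, so a new region recovers fast
        self._max_entries = max_entries
        self._clock = clock
        self._cache = {}                   # (login_uri, region, ip) -> (ok, expiry)

    def validate(self, peer_ip, headers):
        """Return the parsed grid info if the grid vouches for peer_ip hosting
        the claimed region, else None. peer_ip is the socket peer address."""
        try:
            grid = parse_grid_header(headers["X-OpenSim-Grid"])
            region, _coords = parse_region_header(headers["X-SecondLife-Region"])
        except (KeyError, ValueError, TypeError):
            return None
        key = (grid["login_uri"], region, peer_ip)
        now = self._clock()
        hit = self._cache.get(key)
        if hit is not None and hit[1] > now:
            ok = hit[0]
        else:
            try:
                ok = self._ask_grid(grid["login_uri"], peer_ip, region) is True
            except Exception:
                ok = False                 # grid unreachable or unwilling: reject
            self._store(key, ok, now)
        # Only (login_uri, region, ip) was vouched for; nick_name and name
        # from the header remain self-asserted labels.
        return grid if ok else None

    def _store(self, key, ok, now):
        if len(self._cache) >= self._max_entries:
            # Keys hold requester-supplied strings, so the cache is bounded.
            self._cache = {k: v for k, v in self._cache.items() if v[1] > now}
            if len(self._cache) >= self._max_entries:
                self._cache.clear()
        self._cache[key] = (ok, now + (self._ttl if ok else self._negative_ttl))


# Constructed request and grid state mirroring the numbered steps in the thread.
SAMPLE_HEADERS = {
    "X-SecondLife-Region": "Haravikk's Region (1000,1000)",
    "X-OpenSim-Grid": 'http://mygrid.com/login; nick_name=my_grid; name="My Grid"',
}
HOSTED = {("http://mygrid.com/login", "123.123.123.123", "Haravikk's Region")}


def make_fake_grid(hosted):
    """Stand-in for the grid: answers from a set and records each call-back."""
    calls = []

    def ask_grid(login_uri, ip, region):
        calls.append((login_uri, ip, region))
        return (login_uri, ip, region) in hosted

    return ask_grid, calls
```

The call-back URL is taken from the request itself, so a real `ask_grid` should restrict which hosts and ports it is willing to contact.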

Re: Validating IP and Region

Cinder Roxley
On July 23, 2017 at 2:27:34 PM, Haravikk ([hidden email]) wrote:
> After digging around it's starting to look like the answer is a "no" to this capability at present (do feel free to correct me if that's wrong, pretty please!) so I'm thinking about what it would take to add it.
>
> There are only really two key features needed to support it however:
>
> Add an X-OpenSim-Grid header to llHTTPRequest()
>
> The idea here is to add a new X-OpenSim-Grid header to all llHTTPRequest() calls, automatically containing the current grid's login URI, nickname and full name, in a format resembling the following:
>
> X-OpenSim-Grid: http://mygrid.com/login; nick_name=my_grid; name="My Grid"

x-grid-info:// makes a better resource identifier for grids: https://alchemy.atlassian.net/wiki/pages/viewpage.action?pageId=28737538 The nick and the name can be easily pulled from get_grid_info/

> Enable Querying of IP and Region Name
>
> My thinking is that a new request would be supported on a grid's login URI (if possible); whereby, instead of logging in, the sender queries the grid about whether a given region name exists with a given IP address or not, with the server responding either true or false. There should be no viable risk of exploitation here as the call will only return true if the sender already knows both a valid IP address and region name; all it can therefore do is confirm that <region name> is currently provided by a server at <IP address>.

You can already POST to the grid service to get this information, although the grid service isn’t always exposed publicly: http://opensimulator.org/wiki/GridService

> Adding this to the login URI seems like the simplest option, but it may not be the cleanest (is it polluting the login URI to have it handle other things like this?), however, with the login URI being the primary point of contact for a grid it seems like the most logical way to do it to me. If anyone has any other ideas where the query should be performed (and how the necessary info can be passed to a web-service) please let comment!

Please don’t pollute the endpoint. While it may be convenient, the login service may not even have access to the grid service and it doesn’t belong there. The services are tangled up enough as it is. I would think the Gatekeeper service would be more appropriate, but don’t quote me on that.

> Okay, so I just found that there's no way to retrieve a region's UUID in a script so you can ignore that part; though I had thought it would be a better way to identify a region (in case a region is renamed).

Also, bear in mind having one, two, five, or one hundred regions with the same name on the same ip address is perfectly valid in OpenSim.

> Though that does raise the separate question; would there be any harm in making a region's UUID available to scripts and/or sending it as a HTTP header? It just seems like it would be a good way to handle any region that is renamed, because as long as the GUID is kept the same then web-services (and grids) could recognise that it's the same region and treat it accordingly.

Changing a region’s UUID is as easy as changing its name, and just as easy to spoof in most cases.



Re: Validating IP and Region

David Saunders-2
Hey, 

  I have a few grid-based apps that are designed to work across grids. Since I ran into several issues involving differences within the grid.
   1> IPs can be dynamic. I ran into a few grids where the region IPs would change from time to time. Setting a callback on each grid was out of the question. Not all grids expose their grid service to the wilds of the internet. And getting a grid operator to run a web script for you is a very hard task.
  2> Not all grids run the same script engines or landscape. Meaning, not all features are available to use, like groups.

  So what I did was set up a register script. This script has a hash/password and creates an access key, and registers the object with your external service. This is also where I register the URI for the HTTP server if available. And we pass back a token to use for the next 48 hours or reset to use on any further transactions. Why ~48 hours? Well, this is when the URL seems to expire and needs to be refreshed.

 In practice, I have a grid hash and a user hash I use. The grid hash is for identifying the grid where it is being sourced at, and the user hash is the one that gets assigned to the creator/owner of the scripts running. This is still not perfect, you could spoof some items.

  The problem with OpenSim is that the scripts are readable to whoever has the permissions to. And they come easy; unless the grid imposes this level of security and limits it to only the fewest to use, all can be open to everyone.

  So what I suggest is not a solution to linking IP to region UUID but to set up a username/password for your apps :)

   What you can do is, set up an external web script that accesses the region database file pole to see if the IP/region name is valid.

david
 


Re: Validating IP and Region

Haravikk
In reply to this post by Cinder Roxley

On 23 Jul 2017, at 20:56, Cinder Roxley <[hidden email]> wrote:

> On July 23, 2017 at 2:27:34 PM, Haravikk ([hidden email]) wrote:
>> After digging around it's starting to look like the answer is a "no" to this capability at present (do feel free to correct me if that's wrong, pretty please!) so I'm thinking about what it would take to add it.
>>
>> There are only really two key features needed to support it however:
>>
>> Add an X-OpenSim-Grid header to llHTTPRequest()
>>
>> The idea here is to add a new X-OpenSim-Grid header to all llHTTPRequest() calls, automatically containing the current grid's login URI, nickname and full name, in a format resembling the following:
>>
>> X-OpenSim-Grid: http://mygrid.com/login; nick_name=my_grid; name="My Grid"
>
> x-grid-info:// makes a better resource identifier for grids: https://alchemy.atlassian.net/wiki/pages/viewpage.action?pageId=28737538 The nick and the name can be easily pulled from get_grid_info/

Hmm, that does look like a good URI scheme; are you suggesting then that an X-OpenSim-GridInfo header would be more appropriate, providing a URI in that form? That does seem like a good alternative!

>> Enable Querying of IP and Region Name
>>
>> My thinking is that a new request would be supported on a grid's login URI (if possible); whereby, instead of logging in, the sender queries the grid about whether a given region name exists with a given IP address or not, with the server responding either true or false. There should be no viable risk of exploitation here as the call will only return true if the sender already knows both a valid IP address and region name; all it can therefore do is confirm that <region name> is currently provided by a server at <IP address>.
>
> You can already POST to the grid service to get this information, although the grid service isn’t always exposed publicly: http://opensimulator.org/wiki/GridService

That same page says that the GridService should only be LAN accessible, so it seems like some external service for validation would still be more appropriate?

>> Adding this to the login URI seems like the simplest option, but it may not be the cleanest (is it polluting the login URI to have it handle other things like this?), however, with the login URI being the primary point of contact for a grid it seems like the most logical way to do it to me. If anyone has any other ideas where the query should be performed (and how the necessary info can be passed to a web-service) please let comment!
>
> Please don’t pollute the endpoint. While it may be convenient, the login service may not even have access to the grid service and it doesn’t belong there. The services are tangled up enough as it is. I would think the Gatekeeper service would be more appropriate, but don’t quote me on that.

Actually on the issue of grid-info, perhaps something of that nature makes sense? If I've understood correctly, grid-info is retrieved simply by sending a GET /get_grid_info request to the grid's domain and port. Is GridInfo its own service? Perhaps something in a similar vein to that makes sense, except for validating IP and region?

>> Okay, so I just found that there's no way to retrieve a region's UUID in a script so you can ignore that part; though I had thought it would be a better way to identify a region (in case a region is renamed).
>
> Also, bear in mind having one, two, five, or one hundred regions with the same name on the same ip address is perfectly valid in OpenSim.

This shouldn't be an issue; I just need to know if I'm receiving a request from an IP hosting a region name that it claims to, basically the intent is a basic sanity check that a request has come from the grid and region it claims to. As long as the grid is happy to verify that the IP is hosting the region I got a request from, then that should be perfectly fine.

>> Though that does raise the separate question; would there be any harm in making a region's UUID available to scripts and/or sending it as a HTTP header? It just seems like it would be a good way to handle any region that is renamed, because as long as the GUID is kept the same then web-services (and grids) could recognise that it's the same region and treat it accordingly.
>
> Changing a region’s UUID is as easy as changing its name, and just as easy to spoof in most cases.

True. I'm also now leaning away from using the UUID as it seems like keeping it private between simulators and grids is the best thing to do, as it provides a way for grids to limit theft of region names; I don't know if any do this, but if a region is down a grid could put a hold on its name using its GUID, to prevent a malicious simulator from stealing that region name (since it'd have to know the region's UUID as well).

So using that information for any other purpose would reduce security, so that's a nope on that one!


Re: Validating IP and Region

Haravikk
In reply to this post by David Saunders-2

> On 24 Jul 2017, at 08:33, David Saunders <[hidden email]> wrote:
>
>    1> IPs can be dynamic. I ran into a few grids where the region IPs would change from time to time. Setting a callback on each grid was out of the question. Not all grids expose their grid service to the wilds of the internet. And getting a grid operator to run a web script for you is a very hard task.

This is actually my purpose in creating this thread; to discuss making this a standard capability in future so that it's easier to validate whether a request came from where it claims to. IPs being dynamic isn't an issue; it just means that each time the IP changes you need to perform the check again for the new IP, results can still be cached so long as they're only retained for some reasonable period (e.g- 24 hours).

>   So what I did was set up a register script. This script has a hash/password and creates an access key, registers the object with your external service. This is also where I register the URI for the http server if available. And we pass back a token to use for the next 48 hours or reset to use on any further transactions. Why ~48 hours? Well, this is when the URL seems to expire and needs to be refreshed.
>
> In practice, I have a grid hash and a user hash I use. The grid hash is for identifying the grid where it is being sourced, and the user hash is the one that gets assigned to the creator/owner of the scripts running. This is still not perfect; you could spoof some items.

That's a good practice, and what I intend to do for more sensitive web-services, but it means you're implicitly trusting how the user uses their login information. For example, say they use those details with an object, then move that object to another grid, would your service be able to tell the difference between the two?

With a validation callback my service could provide basic confirmation that two objects using the same credentials, in identically named regions, in fact exist on two different grids, and thus treat them differently, block one of them etc. This is what I currently do with Second Life so that I can treat objects differently if they've been copied to the aditi test grid, to avoid data they generate from polluting results for the main grid; for example, if I'm using a web-service to provide visitor tracking, I can avoid seeing results for both agni and aditi being mixed together.

>    What you can do is set up an external web script that accesses the region database file pole to see if the ip/region name is valid.

If I understand correctly this is essentially what I'm proposing; the ability to ask a grid if a region exists with the IP address you received a request from. I just need to figure out the best place to put the API call, and what any security implications are, what restrictions might be needed etc., and I can go ahead and start looking into a patch to provide this capability.

Re: Validating IP and Region

Melanie-2
In reply to this post by Haravikk
Hi,

there is no point in trying to do that because the grid services are
so varied in scope and can be behind reverse proxies, etc. IP has
not been a security factor for a long time, since today many
different services, not all from the same provider, share an IP.
Your best approach is therefore to create HTTPS connections and do
authentication within this secure wrapper using anything from a
simple password to a full PKI setup, depending on the security level
required.

- Melanie

On 22/07/2017 08:54, Haravikk wrote:

> (apologies if this ends up posting multiple times, I mistook the
> user-activation e-mail as confirmation I could post, instead of
> following the link first, then on my second attempt used the wrong
> damn e-mail address *facepalms*)
>
>
> I'm currently looking at porting a set of web-services from Second
> Life for use with Open Simulator based grids, and my current
> challenge is validating that an llHTTPRequest() comes from the
> grid and region that it claims to. For Second Life requests all I
> had to do was a reverse DNS lookup on the sender's IP address, to
> see if it ends with agni.lindenlab.com or aditi.lindenlab.com
> depending upon the value for
> X-SecondLife-Shard, as this confirmed the server was valid, which
> means I can then reasonably trust the other headers.
>
> For Open Simulator grids this obviously isn't possible. So what
> I'd like to be able to do is instead require that requests include
> a header with grid information, such as the grid's login URI (as
> obtained by the osGetGridLoginUri() function), and then somehow
> perform a call-back to the grid asking it to confirm if the
> sender's IP address is currently hosting the region that it claims
> the request is from.
>
>
> To break it down a bit more:
>
> 1. A script in Haravikk's Region, hosted at 123.123.123.123 sends
> an llHTTPRequest() to my web-service with the following key headers:
>
>     X-SecondLife-Region: Haravikk's Region (1000,1000)
>     X-OpenSim-Region-UUID: 12345678-1234-1234-1234-123456789012
>     X-OpenSim-Grid: http://mygrid.com/login; nick_name=my_grid;
>     name="My Grid"
>
> 2. My web-service doesn't recognise the IP as a host for
> Haravikk's Region on my_grid, and so sends a call-back to my_grid
> asking whether the IP 123.123.123.123 is currently hosting a
> region named "Haravikk's Region".
> 3. If the grid confirms that it is, my web-service can store a
> note of this for some reasonable time to avoid repeated requests,
> and serves up content as normal, knowing that the request comes
> from the grid and region that it claims to (or at least, that the
> grid was willing to vouch for it).
>
>
> What I would like to know is:
> 1. Is something like this currently possible? The only other way I
> could think to do this would be to write some kind of bot to try
> to connect to the region through the given grid but that would be
> incredibly heavy-weight, and I think would only work if the region
> was accessible via the hyper-grid (since I can't have specific
> login details for every potential grid).
> 2. If it isn't currently possible, what would it take to make it
> so? I'm a programmer myself so wouldn't mind working on adding
> this if I have to, but I have no familiarity with the code and am
> only really starting to get a grasp for the structure of Open
> Simulator, so I'm not sure what the best place to add such an
> externally facing service might be?
> 3. Is it worth looking into adding the X-OpenSim-Grid header as a
> standard feature either way? It's obviously pretty easy to
> generate yourself via script, but seems like it'd be a useful
> addition for Open Simulator llHTTPRequest() calls.
>
>
> In case it helps, the idea with my web-service is that data will
> be stored with an awareness of which grid it belongs to; my
> purpose in validating the region with the grid is to make it
> harder for a request to be spoofed as coming from a given
> region/grid combo. While grids like osgrid obviously allow ad-hoc
> regions to connect and disconnect, I would at least be able to
> confirm that a region *did* exist, and osgrid was willing to vouch
> for that region's IP; if a grid doesn't provide confirmation, then
> I know that the request is being spoofed (or sending old details,
> or the grid doesn't want to play ball, but either way gives me
> reason to reject it).
>
> I think this could help a lot for writing web services for use
> across grids.
>
> Any help is greatly appreciated!
> - Haravikk
>
>

Re: Validating IP and Region

Haravikk

On 24 Jul 2017, at 13:57, Melanie Thielker <[hidden email]> wrote:

> Hi,
>
> there is no point in trying to do that because the grid services are
> so varied in scope and can be behind reverse proxies, etc.

Reverse proxies shouldn't be a problem; if a grid is behind one it should still receive the request for IP/region confirmation as normal (just as you can login etc. as normal). If the web-service is behind one then usually they will still be passed Forward-For and related headers from which it can get the source IP (apache and nginx can do this automatically so you don't have to do it in your app-code).

If a simulator is proxied in such a way that the source IP that the web-service sees doesn't match what the grid is willing to verify, then that's precisely the kind of suspicious case I'd like to be able to detect. For my own web-services this alone won't be enough to block access, but will cause the requests to be handled as "untrusted", either requiring some authentication, or limiting what can be done.

> IP has not been a security factor for a long time, since today many
> different services, not all from the same provider, share an IP.

My intent isn't to use it as absolute security; just to get some assurance that a request is actually coming from where it says it does.

> Your best approach is therefore to create HTTPS connections and do
> authentication within this secure wrapper using anything from a
> simple password to a full PKI setup, depending on the security level
> required.

For anything sensitive I absolutely still intend to use session keys to keep track of authenticated devices, but I'd still like to be able to validate that information being sent in the request is true. It's not an either/or, the capability for both can absolutely exist.

The question IMO isn't whether a callback would work, as it absolutely should, the question is how best to implement it.
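
The call-back-and-cache flow discussed in this thread, as an added example (not code from the thread or from OpenSimulator). `ask_grid` is a hypothetical stand-in for the proposed grid verification request, which does not exist yet; the header formats are the ones given in the original post.

```python
import re
import time

TTL_SECONDS = 24 * 60 * 60  # the thread's "reasonable period (e.g. 24 hours)"

def parse_grid_header(value):
    """Split 'uri; nick_name=x; name="X"' into (login_uri, params)."""
    uri, *rest = [part.strip() for part in value.split(";")]
    params = {}
    for part in rest:
        key, _, val = part.partition("=")
        params[key.strip()] = val.strip().strip('"')
    return uri, params

def parse_region_header(value):
    """'Name (x,y)' -> region name; falls back to the raw value."""
    match = re.fullmatch(r"(.+) \((\d+),\s*(\d+)\)", value.strip())
    return match.group(1) if match else value.strip()

class RegionVerifier:
    def __init__(self, ask_grid, ttl=TTL_SECONDS, clock=time.time):
        self.ask_grid = ask_grid  # hypothetical: (login_uri, region, ip) -> bool
        self.ttl = ttl
        self.clock = clock
        self._verified = {}       # (login_uri, region, ip) -> expiry timestamp

    def classify(self, headers, source_ip):
        """Return 'trusted' if the grid vouches for region+IP, else 'untrusted'."""
        grid = headers.get("X-OpenSim-Grid")
        region = headers.get("X-SecondLife-Region")
        if not grid or not region:
            return "untrusted"
        login_uri, _ = parse_grid_header(grid)
        key = (login_uri, parse_region_header(region), source_ip)
        if self._verified.get(key, 0) > self.clock():
            return "trusted"      # cached result, no call-back needed
        try:
            vouched = bool(self.ask_grid(*key))
        except Exception:
            vouched = False       # grid unreachable or erroring: fail closed
        if vouched:
            self._verified[key] = self.clock() + self.ttl
        return "trusted" if vouched else "untrusted"
```

Because the login URI arrives in the request itself, a positive answer only means something for grids the service already knows; the example assumes `ask_grid` refuses login URIs that are not on the service's own list of known grids.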


Re: Validating IP and Region

Haravikk
So now that I have access to the wiki (thanks Melanie!) I've had a go at putting this idea into a more formal proposal, which I'm interested in getting feedback on:
http://opensimulator.org/wiki/User:Haravikk_Mistral/RegionVerification

Please note, it's reliant on there being easier ways to pass the grid address to an external service; I've put this as a separate proposal which I'll have a separate discussion for.

With regards to this specific proposal, I'm looking for feedback on the proposed protocol for verifying a region once you know a grid, region and IP you'd like to verify.
In particular, as I noted in alternatives considered, I'm curious about people's thoughts on whether it's worth having verification as its own specific request, or if it'd be better to do something more general purpose, such as some kind of external region data request (not to be confused with the existing, internal one that shouldn't really be made remotely accessible), e.g. a kind of get_region_info request that would include, among other things, the IP, which a web-service could then compare.

Having a specific get_region_info style request would be useful for a whole variety of reasons, but would allow scraping of region info from outside of a grid, which may or may not be desirable; I don't think there's any real security concern, but I'm not sure yet. This is compared to the verify request as proposed, which can only report whether a region and IP combination is valid for a given grid, at a particular moment in time; i.e. you'd need to know a valid region/IP combo before you can get anything useful, and at most all you can really do is keep that combo and periodically test it to see if the region is still available, which shouldn't really be an issue (as bots can already do this).

> On 24 Jul 2017, at 17:51, Haravikk <[hidden email]> wrote:
>
>> On 24 Jul 2017, at 13:57, Melanie Thielker <[hidden email]> wrote:
>>
>> Hi,
>>
>> there is no point in trying to do that because the grid services are
>> so varied in scope and can be behind reverse proxies, etc.
>
> Reverse proxies shouldn't be a problem; if a grid is behind one it should still receive the request for IP/region confirmation as normal (just as you can login etc. as normal). If the web-service is behind one then usually they will still be passed Forward-For and related headers from which it can get the source IP (apache and nginx can do this automatically so you don't have to do it in your app-code).
>
> If a simulator is proxied in such a way that the source IP that the web-service sees doesn't match what the grid is willing to verify, then that's precisely the kind of suspicious case I'd like to be able to detect. For my own web-services this alone won't be enough to block access, but will cause the requests to be handled as "untrusted", either requiring some authentication, or limiting what can be done.
>
>> IP has not been a security factor for a long time, since today many
>> different services, not all from the same provider, share an IP.
>
> My intent isn't to use it as absolute security; just to get some assurance that a request is actually coming from where it says it does.
>
>> Your best approach is therefore to create HTTPS connections and do
>> authentication within this secure wrapper using anything from a
>> simple password to a full PKI setup, depending on the security level
>> required.
>
> For anything sensitive I absolutely still intend to use session keys to keep track of authenticated devices, but I'd still like to be able to validate that information being sent in the request is true. It's not an either/or, the capability for both can absolutely exist.
>
> The question IMO isn't whether a callback would work, as it absolutely should, the question is how best to implement it.