Diva Canto wrote: > Justin Clark-Casey wrote: >> Just so I'm clear, your new scheme proposes the following steps? >> 1) When a client enters a new region (whether by initial login, teleport or >> region crossing), the region server will >> ask the user server if the IP given by the client matches that which it has >> previously stored on the user login? >> > Almost yes. Technically, for region crossings the child agent is already > there. The authentication is done upon creation of the child agent > circuit data and creation of the client. NewUserConnection and > AddNewClient are called for child agents too. So the authentication does > not happen upon region crossing, it happens before, when the child agent > is established. >> 2) If these addresses match, then a further validation against spoofing is >> performed by pinging the client using the >> StartPingCheck. A client spoofing the address will not be able to reply. >> >> > > Yes. To be precise, the spoofer may "reply", that is, it may send a > CompletePingCheck packet to the server. But it will have to guess what > the seq number is. Flooding the server with all 128 possible values > won't help, because the server will be waiting for exactly the number it > sent out. If it sees that the client is sending other numbers, it will > be unhappy and will refuse to interact with that client.
I must admit, I'm surprised that the spoofer can receive the packet at all if it's being sent to the IP given (the spoofed one). But I shall bow to those with superior raw sockets knowledge than myself. -- justincc Justin Clark-Casey http://justincc.wordpress.com _______________________________________________ Opensim-dev mailing list Opensim-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/opensim-dev
