[hybi] Web Socket IP Authentication

Hector Santos <hsantos@isdg.net> Thu, 02 September 2010 21:29 UTC

Message-ID: <4C80175C.4090109@isdg.net>
Date: Thu, 02 Sep 2010 17:30:04 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: Dave Cridland <dave@cridland.net>
References: <20100901224502.0519B3A687C@core3.amsl.com> <AANLkTikP1CF22fL0rBniXmrxEoBAbTNfzP9kyiNA4nbb@mail.gmail.com> <AANLkTi=_1m36ThFZTH_aGE_Unz0KTeexJq_74UGr2j+u@mail.gmail.com> <B68E5323-E259-4D27-BB32-ED86961209FC@gbiv.com> <20100902051929.GD10275@1wt.eu> <4C7F3F21.3000200@isdg.net> <20100902061613.GK10275@1wt.eu> <4C7F4C59.4010502@isdg.net> <2348.1283459737.696752@puncture>
In-Reply-To: <2348.1283459737.696752@puncture>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Server-Initiated HTTP <hybi@ietf.org>
Subject: [hybi] Web Socket IP Authentication

Dave Cridland wrote:
> On Thu Sep  2 08:03:53 2010, Hector Santos wrote:
>> For example, one way to authenticate the WS client is to use IP such 
>> as it done with POP3-B4-SMTP methods where a POP3 host records an IP 
>> for another SMTP host to open a time window for SMTP IP-based allow 
>> relay.
> 
> That's been long discredited in email circles, and is generally not 
> supported, in favour of SMTP AUTH (and preferably a dedicated submission 
> service on 587 with SASL and TLS).
> 
> The reason it's been discredited is actually because it's in a general 
> class of error referred to as "Time of check to time of use".
> 
> Dave.

Sure, but I've long been within the email circles and I do not ever 
recall any outright conclusion.

But I do agree with your last statement.  Nonetheless, it is still an 
option in many integrated mail software packages, and whether people have 
turned it off - don't be surprised if many have not, because one of the 
primary reasons for it was that it reduced technical support cost - less 
need to help/set up the layman users.

ESMTP AUTH is not a required standard and RFC 4409 (only 4 years old) 
was not widely supported. But when the shift did begin with ISPs 
requiring ESMTP AUTH for their users, some immediately fell back to 
allowing IP authorization because of the huge tech support burden it 
created.  I specifically recall this exact situation with my home 
Bellsouth account when they issued a deadline notification to all 
users to begin switching to software using ESMTP AUTH.  After the 
deadline, I would say it was maybe less than a week when a 2nd 
notification indicating it was no longer a requirement and still isn't 
today - although I always had it personally setup for ESMTP AUTH.

Now of course, the ISP doesn't need to use POP3-B4-SMTP because the 
ISP user is already "IP authenticated" on their network and SMTP relay 
is allowed.

Another subtle point regarding the SUBMISSION protocol is that it 
began to show a problem for the growing home or SOHO market with NATs 
and 2nd or 3rd MUAs on LAN or wireless machines.

Some SMTP clients residing on a LAN or wireless machine sending mail 
will use an EHLO [IP-LITERAL] where the IP is private.  This will fail 
the RFC 4409 tight EHLO validation requirement for implementations that 
check the IP literal against the connecting IP, which would be the 
NAT public IP.

I reported this issue to the Thunderbird people, and Thunderbird now 
has a config option to set the HELLO string used.  Klensin and Gellens 
were also informed of this growing issue.  My recommendation was to add 
semantics to suggest skipping any EHLO IP-literal verification, since 
AUTH was already a session requirement, not an option, under port 587 
connections.

In any case, the point was that IP authentication *can* be a valid 
server side consideration for secondary web sockets connections.

When the HTTP session authenticates the user with HTTP/COOKIE auth, 
the binding to the IP is set and this can be used for any pending 
web-socket clients on the same IP.  Whether a TTL is required, I don't 
know if it's necessary or not, since IMV there is a greater 
predictability and timeline of events with the HTTP session and WS 
session than there was with POP3 and SMTP.

Thanks

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
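The IP-binding scheme proposed in the message above, modelled as an added example that is not code from the thread or from any of the posters. It places the IP-bound binding (with the TTL the post mentions) beside a cookie-bound alternative and runs both through the NAT case the post itself raises: two hosts behind one public address, only one of which logged in. The class names, the constructed address 203.0.113.5 and the timestamps are assumptions of this example.

```python
import secrets

class IpBindingAuth:
    """IP-bound scheme from the post: HTTP login records the client IP and a later
    WebSocket handshake from that IP is accepted until the TTL expires."""
    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self.bindings = {}          # ip -> (user, expiry)
    def http_login(self, ip, user, now):
        self.bindings[ip] = (user, now + self.ttl)
    def ws_handshake(self, ip, now):
        entry = self.bindings.get(ip)
        if entry is None or now > entry[1]:
            self.bindings.pop(ip, None)   # drop expired bindings
            return None
        return entry[0]                   # any host at this IP is accepted as this user

class CookieBindingAuth:
    """Alternative binding: HTTP login issues a random session token that the
    WebSocket handshake must present (e.g. as a cookie); the IP is not consulted."""
    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self.sessions = {}          # token -> (user, expiry)
    def http_login(self, user, now):
        token = secrets.token_urlsafe(16)
        self.sessions[token] = (user, now + self.ttl)
        return token
    def ws_handshake(self, token, now):
        entry = self.sessions.get(token)
        if entry is None or now > entry[1]:
            self.sessions.pop(token, None)
            return None
        return entry[0]

def nat_scenario():
    """Constructed case: alice and bob share NAT address 203.0.113.5; only alice
    logs in over HTTP, then bob opens a WebSocket without ever logging in."""
    nat_ip = "203.0.113.5"
    ip_auth = IpBindingAuth(ttl_seconds=60)
    ip_auth.http_login(nat_ip, "alice", now=0)
    bob_via_ip = ip_auth.ws_handshake(nat_ip, now=10)      # bob inherits alice's binding
    bob_after_ttl = ip_auth.ws_handshake(nat_ip, now=100)  # TTL only narrows the window
    cookie_auth = CookieBindingAuth(ttl_seconds=60)
    alice_token = cookie_auth.http_login("alice", now=0)
    alice_via_cookie = cookie_auth.ws_handshake(alice_token, now=10)
    bob_via_cookie = cookie_auth.ws_handshake("no-token", now=10)  # no token, no session
    return {"ip_bob": bob_via_ip, "ip_bob_after_ttl": bob_after_ttl,
            "cookie_alice": alice_via_cookie, "cookie_bob": bob_via_cookie}
```

The IP-bound variant accepts bob as "alice" inside the TTL window, which is the time-of-check/time-of-use gap Dave describes; the token-bound variant admits only the handshake that carries alice's session.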