[hybi] Web Socket IP Authentication
Hector Santos <hsantos@isdg.net> Thu, 02 September 2010 21:29 UTC
Dave Cridland wrote:
> On Thu Sep 2 08:03:53 2010, Hector Santos wrote:
>> For example, one way to authenticate the WS client is to use IP such
>> as is done with POP3-B4-SMTP methods where a POP3 host records an IP
>> for another SMTP host to open a time window for SMTP IP-based allow
>> relay.
>
> That's been long discredited in email circles, and is generally not
> supported, in favour of SMTP AUTH (and preferably a dedicated submission
> service on 587 with SASL and TLS).
>
> The reason it's been discredited is actually because it's in a general
> class of error referred to as "Time of check to time of use".
>
> Dave.

Sure, but I've long been within the email circles and I do not ever recall any outright conclusion. But I do agree with your last statement.

Nonetheless, it is still an option in many integrated mail software and whether people have turned it off - don't be surprised if many have not because one of the primary reasons for it was that it reduced technical support cost - lesser need to help/setup the layman users.

ESMTP AUTH is not a required standard and RFC 4409 (only 4 years old) was not widely supported. But when the shift did begin with ISPs requiring ESMTP AUTH for their users, some immediately fell back to allowing IP authorization because of the huge tech support burden it created.

I specifically recall this exact situation with my home Bellsouth account when they issued a deadline notification to all users to begin switching to software using ESMTP AUTH. After the deadline, I would say it was maybe less than a week when a 2nd notification indicating it was no longer a requirement and still isn't today - although I always had it personally setup for ESMTP AUTH. Now of course, the ISP doesn't need to use POP3-B4-SMTP because the ISP user is already "IP authenticated" on their network and SMTP Relay is allowed.

Another subtle point regarding the SUBMISSION protocol is that it began to show a problem for the growing home or SOHO market with NATs and 2nd, 3rd MUAs on LAN or wireless machines. Some SMTP clients residing on a LAN or wireless machine sending mail will use an EHLO [IP-LITERAL] where the IP is private. This will fail RFC 4409 tight EHLO validation requirement for implementations that will check the IP literal against the connecting IP which would be the NAT public IP. I reported this issue to the Thunderbird people which now has a config option to set the HELLO string used. Klensin and Gellens were also informed of this growing issue. My recommendation was to add semantics to suggest skipping any EHLO IP-literal verification since AUTH was already a session requirement, not an option under PORT 587 connections.

In any case, the point was that IP authentication *can* be a valid server side consideration for secondary web sockets connections. When the HTTP session authenticates the user with HTTP/COOKIE auth, the binding to the IP is set and this can be used for any pending web-socket clients on the same IP. Whether a TTL is required, I don't know if it's necessary or not since IMV, there is a greater predictability and timeline of events with the HTTP session and WS session than it was with POP3 and SMTP.

Thanks

--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
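Added example, not part of the original message or of any WebSocket draft: a small model of the IP-window binding discussed above, next to a one-time ticket that the WebSocket handshake must present, showing how each behaves when two hosts share one NAT address. The class names, the 30-second window, the ticket scheme and the sample address are assumptions made for illustration.

```python
import secrets

WINDOW = 30.0  # seconds; assumed lifetime for both schemes


class IpWindowAuth:
    """HTTP login opens a time window for the source IP (the POP3-before-SMTP pattern)."""

    def __init__(self):
        self._allowed = {}  # ip -> (user, expiry)

    def http_login(self, user, ip, now):
        self._allowed[ip] = (user, now + WINDOW)

    def ws_connect(self, ip, now):
        # Checked at WS connect time, but established earlier by a different connection.
        user, expiry = self._allowed.get(ip, (None, 0.0))
        return user if now < expiry else None


class TicketAuth:
    """Assumed alternative: login returns a one-time ticket bound to the session, not the IP."""

    def __init__(self):
        self._tickets = {}  # ticket -> (user, expiry)

    def http_login(self, user, ip, now):
        ticket = secrets.token_urlsafe(32)
        self._tickets[ticket] = (user, now + WINDOW)
        return ticket

    def ws_connect(self, ticket, now):
        # pop() makes the ticket single use, so a replay finds nothing.
        user, expiry = self._tickets.pop(ticket, (None, 0.0))
        return user if now < expiry else None


def demo():
    nat_ip = "203.0.113.7"  # constructed: public address shared by hosts behind one NAT
    t0 = 1000.0
    ip_auth, ticket_auth = IpWindowAuth(), TicketAuth()
    ip_auth.http_login("alice", nat_ip, t0)
    ticket = ticket_auth.http_login("alice", nat_ip, t0)
    return {
        # A second host behind the same NAT never logged in, yet is accepted as alice.
        "ip_other_host_same_nat": ip_auth.ws_connect(nat_ip, t0 + 5),
        "ip_after_window": ip_auth.ws_connect(nat_ip, t0 + WINDOW + 1),
        "ticket_missing": ticket_auth.ws_connect("", t0 + 5),
        "ticket_valid": ticket_auth.ws_connect(ticket, t0 + 5),
        "ticket_replayed": ticket_auth.ws_connect(ticket, t0 + 6),
    }
```

The IP scheme cannot tell the logged-in browser from any other client arriving from the same address inside the window, which is the time-of-check to time-of-use gap raised in the quoted reply; a TTL narrows that gap without closing it.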