[MUD-Dev] Re: strong encryption for authentication

J C Lawrence claw at 2wire.com
Fri Jul 13 19:36:08 CEST 2001


On Thu, 12 Jul 2001 14:13:44 +1000 
Kevin Littlejohn <darius at bofh.net.au> wrote:

>   1) the IP number making the request is the IP number of the
>   browser.  Obviously false in the case of proxied comms, and some
>   people don't get the option to switch proxies off -
>   transparent proxying is common down here where bandwidth is
>   expensive.

AOL is notable in this regard as all their web browsing users come
out thru one of several banks of proxies which are dynamically load
balanced.  The result, from the perspective of a web server's or web
site's load balancer attempting to maintain web farm node affinity
mappings for each browsing user, is that two requests from the same
user are quite likely to (and fairly commonly will) come from
different proxies and thus have different IP addresses.

It's this fact alone, AOL being the 800lb gorilla, that forced most
of the load balancers to move to setting a cookie on the client
browser to attempt to maintain the web farm node affinity mappings.

>   2) the IP number making the request will remain the same through
>   the life of the "session" - this gets nifty.  My request is
>   handled by a proxy that has multiple upstream proxies it can
>   pass a request off to. Often, mid-stream, it'll change parent
>   proxy, because one or the other is loaded down.  So if you've
>   issued a cookie to 192.168.54.1, you'll find a request with that
>   cookie coming from 192.168.54.9, but it's still the same session
>   and is a legitimate request from the same browser - just passed
>   through different proxies.

Bingo.

> Sorry to rant about something that's likely not even a problem for
> your specific setup, but I've had to complain to various off-shore
> sites about this stuff far too often - you risk making life really
> difficult for entire countries, like .au or half of europe, simply
> because they do their best to reduce bandwidth use.

Or AOL for that matter -- not that they have much of a user base.

> Um.  It's _possible_ that even port 443 traffic is being
> transparently proxied...

Yup.  Done that.  Transparent content caching at ISP edges is
becoming quite popular (usually various forms of squid-like hacks
running HTCP, CARP, et al).  It can make for interesting assumption
breakages about IP source addresses.

--
J C Lawrence                               ("`-''-/").___..--''"`-._         
---------(*)                                 `6_ 6  )   `-.  (     ).`-.__.`)
claw at kanga.nu                               (_Y_.)'  ._   )  `._ `. ``-..-'  
http://www.kanga.nu/~claw/                _..`--'_..-_/  /--'_.' ,'         
I never claimed I was human             (il),-''  (li),'  ((!.-'           
_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
https://www.kanga.nu/lists/listinfo/mud-dev
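The affinity problem discussed in this message, as an added worked example that is not part of the thread or of any load balancer product: a small simulation in which the same browser's requests arrive from two different proxy IPs (the 192.168.54.1 / 192.168.54.9 case above). IP-hash affinity sends them to different farm nodes, while a server-signed affinity cookie set on the first response keeps them together regardless of source address. The node list, the hashing rule (octet sum, a simplified stand-in for a real IP hash), the cookie format and the secret are all constructed for this example.

```python
"""Constructed simulation of web-farm node affinity under proxy IP churn.

Two strategies are compared:
  * "ip"     - pick the node from a hash of the client IP; breaks as soon as
               a proxy farm hands the same session to a different upstream.
  * "cookie" - on the first hit pick any node, set an HMAC-signed affinity
               cookie naming it, and honour that cookie on later requests.
Example code for this thread, not from any real load balancer.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

NODES = ["node-a", "node-b", "node-c"]          # constructed web farm
SECRET = b"example-affinity-secret-not-for-use"  # hypothetical signing key

def node_by_ip(client_ip: str) -> str:
    """IP-based affinity. Real balancers hash the address; summing the octets
    is a deliberately simple stand-in that is easy to follow by hand."""
    octet_sum = sum(int(o) for o in client_ip.split("."))
    return NODES[octet_sum % len(NODES)]

def _tag(node: str) -> str:
    return hmac.new(SECRET, node.encode(), hashlib.sha256).hexdigest()[:16]

def make_affinity_cookie(node: str) -> str:
    """Cookie value 'node.tag'; the tag stops a client from steering itself
    to an arbitrary node by editing the cookie."""
    return f"{node}.{_tag(node)}"

def node_by_cookie(cookie: Optional[str]) -> Optional[str]:
    """Return the node a valid affinity cookie names, else None."""
    if not cookie or "." not in cookie:
        return None
    node, tag = cookie.rsplit(".", 1)
    if node not in NODES or not hmac.compare_digest(tag, _tag(node)):
        return None
    return node

def route(requests: List[Tuple[str, str]], strategy: str) -> List[str]:
    """Route (browser_id, client_ip) requests and return the node chosen for
    each. The browser_id only stands in for the browser's own cookie store;
    the balancer never sees it under the "ip" strategy."""
    jar = {}      # browser_id -> affinity cookie the browser would send back
    chosen = []
    for browser_id, client_ip in requests:
        if strategy == "ip":
            node = node_by_ip(client_ip)
        else:
            node = node_by_cookie(jar.get(browser_id))
            if node is None:                        # first request: any node
                node = NODES[len(jar) % len(NODES)]
                jar[browser_id] = make_affinity_cookie(node)
        chosen.append(node)
    return chosen

def affinity_holds(requests: List[Tuple[str, str]], strategy: str) -> bool:
    """True if every request from a given browser landed on one node."""
    first = {}
    for (browser_id, _), node in zip(requests, route(requests, strategy)):
        if first.setdefault(browser_id, node) != node:
            return False
    return True

# Constructed traffic: one browser whose proxy farm switches upstream
# mid-session, exactly the case quoted in the message.
PROXY_CHURN = [
    ("browser-1", "192.168.54.1"),
    ("browser-1", "192.168.54.9"),
    ("browser-1", "192.168.54.1"),
]

if __name__ == "__main__":
    for strategy in ("ip", "cookie"):
        print(strategy, route(PROXY_CHURN, strategy),
              "affinity holds" if affinity_holds(PROXY_CHURN, strategy)
              else "affinity broken")
```

The same reasoning applies to authentication: a session that is validated by "cookie plus source IP" will log these users out on every upstream proxy change, whereas a cookie whose integrity comes from the server-side MAC does not need the IP at all. Rejecting a tampered cookie (wrong tag) rather than falling back to IP is what keeps the cookie strategy from becoming an open redirect to any node.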