Problem with client ip address changing

Cantor, Scott cantor.2 at osu.edu
Wed Nov 14 10:16:38 EST 2012


On 11/14/12 10:04 AM, "Viitanen Viljo" <viljo.v.viitanen at jyu.fi> wrote:
>
>Unfortunately I'm unable to reproduce the problem on my own - I can't get
>the error to show in the log when I change my ip address manually. (So I
>really DO wonder what's going on here. Obviously the ip address check
>isn't very effective even though it is there!)

Obviously it is, since when it happens, the SP is not receiving data.
That's a good thing if there's a security violation of some kind, even if
it's not happening the way it should be.

But I'm wondering now how you know that this has anything to do with the
address changing. That's why I want to see the log in a bug report.

> Also I can't just turn on the debug log in production and just wish
>someone with the problem shows up.

Attaching whatever you have will be a start. I want to see if it lines up
with something I've been looking into. If not, then I doubt I can do much
about it, but I want to at least track the issue.

>I think in the modern world requiring client ip address not to change is
>broken behavior.

I completely disagree, but if you want to disable the check, I believe you
can. I think you lose any real security doing so, but that's your call to
make.

>Some statistics: during September this year we got 1241 of these errors
>in the process log. October 1403. This month until yesterday (13th), 1520.
>So it's not just some isolated cases here. We're a mid-sized university
>in Finland with ~15000 students, I wonder how bad the problem is with
>bigger installations.

I do 300,000+ logins a day, and I certainly have no such issue of that
magnitude. If your networks really exhibit that much address churn, then
you probably would need to disable the check. But I think relying on
cookies at that point is pretty questionable.

>If we accept that requiring the ip address not to change is ok (I don't),
>then the SPs have no idea why the idp did not issue any attributes,
>and obviously they can't be helpful to the user. The idp however does
>know the user's ip address changed and it could warn the user about why
>it's not letting the user log in.

That isn't the point I'm making. I agree that in some cases errors can be
handled at a different spot, but being helpful to the user is irrelevant
since nothing you tell the user will help no matter what the error is. The
point is that an application cannot just fall over when it doesn't get
attributes. There are a dozen reasons why that might happen.

-- Scott