IP address mismatch issues

Russell Beall beall at usc.edu
Thu May 23 15:18:35 EDT 2013


Thanks for the pointers.  I looked into this and I was surprised to find that the SP is using:
checkAddress="false" consistentAddress="true"

It looks also like they upgraded the SP to 2.5.1 but left in the old security configuration:
        <!-- Each policy defines a set of rules to use to secure messages. -->
        <SecurityPolicies>
                <!-- The predefined policy enforces replay/freshness and permits signing and client TLS. -->
                <Policy id="default" validate="false">
                        <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
                        <PolicyRule type="ClientCertAuth" errorFatal="true"/>
                        <PolicyRule type="XMLSigning" errorFatal="true"/>
                        <PolicyRule type="SimpleSigning" errorFatal="true"/>
                </Policy>
        </SecurityPolicies>

Perhaps just pulling in the security-policy.xml file will help with this?  (Don't really see anything in security-policy.xml that might help…)

Why would the IP address mismatch even be showing in the native log in this case?  Now this doesn't make sense…

Regards,
Russ.

On May 23, 2013, at 12:02 PM, "Wessel, Keith William" <kwessel at illinois.edu> wrote:

> Russ,
> 
> We ran into this with one of our campuses that's completely behind a firewall and using NAT. Their firewall was assigning an IP from the pool based on what server it was going to, so the IDP and SP, being separate servers, would see different addresses.
> 
> The SP V2.5 session docs:
> 
> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions
> 
> suggest that consistentAddress is just about as good as checkAddress in shibboleth2.xml but with the added benefit that it's less likely than checkAddress to block legitimate access.
> 
> I know that turning off checkAddress to solve this problem may seem like a less than ideal solution at first, but when you consider that checkAddress is doing exactly what it was designed to do, it makes sense, and consistentAddress does just as good of a job.
> 
> Keith
> 
> 
> -----Original Message-----
> From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Russell Beall
> Sent: Thursday, May 23, 2013 1:49 PM
> To: Shib Users
> Subject: IP address mismatch issues
> 
> With the upgrade to 2.5 we are seeing an increasing occurrence of IP address mismatch issues from users coming from certain networks.  It is starting to look like these networks are assigning one IP address when the user is accessing the Shibboleth IdP and then another when the user is accessing the SP server.  This is not the simpler case where a load balancer was put in the way and it is blocking Client IP, but rather, two different IP addresses belonging to the networking provider are shown in the logs.
> 
> This causes session creation looping because the existing session continually gets rejected for Client IP mismatch.
> 
> Has anyone else started seeing this issue and possibly come across a solution?
> 
> Is this some kind of networking practice that is supposed to happen for certain networks?
> 
> I know I can disable the requirement at the SP, but I'd rather find a better solution than just breaking one of the locks.
> 
> Thanks,
> Russ.
> 
> 
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
> 
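The difference between checkAddress and consistentAddress that Keith describes, as a small model added here for illustration (it is not Shibboleth SP code and not part of the thread). The two policy knobs are named after the shibboleth2.xml attributes and given the semantics the thread attributes to them, which is an assumption: checkAddress compares the address the SP sees with the address the IdP asserted, while consistentAddress only requires later requests on a session to come from the address the SP saw when it created that session. The NAT addresses are constructed, and the "session creation looping" from the original message falls out of the simulation when the two views of the client disagree.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SPAddressPolicy:
    """Two knobs named after the shibboleth2.xml attributes (assumed semantics)."""
    check_address: bool        # compare SP-observed address with the address the IdP asserted
    consistent_address: bool   # require later requests to match the address seen at creation


@dataclass
class Session:
    sid: str
    asserted_address: str      # address carried in the IdP assertion
    creation_address: str      # address the SP observed when it built the session


def create_session(policy: SPAddressPolicy, sid: str, asserted: str, seen: str) -> Optional[Session]:
    """Build a session after SSO, or return None when checkAddress rejects the assertion."""
    if policy.check_address and asserted != seen:
        return None
    return Session(sid, asserted, seen)


def accept_request(policy: SPAddressPolicy, session: Session, seen: str) -> bool:
    """Decide whether a request on an existing session passes the address checks."""
    if policy.check_address and session.asserted_address != seen:
        return False
    if policy.consistent_address and session.creation_address != seen:
        return False
    return True


def simulate(policy: SPAddressPolicy, asserted: str, seen_addresses: List[str]) -> Tuple[int, int]:
    """Replay a sequence of SP requests. Returns (sessions created, requests accepted).

    `asserted` is the client address the IdP recorded; `seen_addresses` is what the
    SP observes on each request. A rejected or missing session triggers a new SSO
    round trip (a new session), which is the looping described in the thread.
    """
    session: Optional[Session] = None
    created = accepted = 0
    for seen in seen_addresses:
        if session is None or not accept_request(policy, session, seen):
            created += 1
            session = create_session(policy, f"sess{created}", asserted, seen)
            if session is None:
                continue  # SSO completed, but the SP refused to keep the session
        accepted += 1
    return created, accepted


# Constructed NAT scenario from the thread: one egress address toward the IdP,
# a different one toward the SP, stable for the whole exchange.
IDP_SIDE = "203.0.113.10"
SP_SIDE = "203.0.113.20"

if __name__ == "__main__":
    strict = SPAddressPolicy(check_address=True, consistent_address=True)
    relaxed = SPAddressPolicy(check_address=False, consistent_address=True)
    # Asserted and observed addresses differ: every SSO round trip is thrown away.
    print("checkAddress=true :", simulate(strict, IDP_SIDE, [SP_SIDE] * 3))   # (3, 0)
    # consistentAddress alone: one session, every request accepted.
    print("consistentAddress :", simulate(relaxed, IDP_SIDE, [SP_SIDE] * 3))  # (1, 3)
    # consistentAddress still rejects a mid-session address change as the SP sees it.
    print("address changes   :", simulate(relaxed, IDP_SIDE, [SP_SIDE, SP_SIDE, "198.51.100.7"]))  # (2, 3)
```

The third run is the property worth keeping in mind when relaxing checkAddress: with consistentAddress still on, a session that suddenly arrives from a different address (from the SP's point of view) is rejected and re-established, so the SP-side binding of session to client address survives even though the IdP's view of the address is no longer consulted.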