SP and mixed IPv6/IPv4 addresses

Ian Young ian at iay.org.uk
Tue Aug 12 05:07:01 EDT 2014


On 11 Aug 2014, at 21:24, Tom Poage <tfpoage at ucdavis.edu> wrote:

> Institution uses both IPv6 and IPv4. Internal client (multiple
> interfaces) authenticates against IdP via IPv6, but external
> communication (to remote SP) is via IPv4. Triggers checkAddress error.
> Not quite the proxy scenario in the error message.

Not quite, but it's essentially the same scenario as the client-and-IdP-behind-NAT one that we started running into a few years back. The assumption that an entity's IP address is singular and the same for all observers has never been a good one.

I recall this as being the reason that check address and check *consistent* address were broken out as separate checks in the SP. Of course with mobile devices the assumption that an entity's IP address is always the same for a given observer is also unsafe, although I don't think we've seen many problems stemming from that.

> Certainly, checkAddress can be set false, but I also wonder whether
> we'll start to see this kind of error more often as the world continues
> to adopt IPv6.

I'm not sure if I accept Scott's view that IPv6 is doomed, but note that IPv6 and NAT both introduce the same result, so whichever way it goes it looks to me as if checkAddress is going to be less and less something you want to enable at an SP.

	-- Ian
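As an added illustration (not code from this thread or from the Shibboleth SP itself), the following Python models the two checks Ian distinguishes and replays Tom's mixed-stack scenario: the IdP records the client's IPv6 address in the assertion, while the SP sees the same client over IPv4. All addresses are constructed documentation-range values; the IPv4-mapped unwrapping is an assumption of this model, not a claim about how the SP compares addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def normalize(addr: str) -> IPAddress:
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d), which a
    dual-stack web server may report for an IPv4 client (model assumption)."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


@dataclass
class Session:
    principal: str
    created_from: IPAddress  # client address the SP saw when it created the session


def check_address(confirmation_address: str, client_address: str) -> bool:
    """Model of checkAddress: the address the IdP recorded in the assertion
    must equal the address the SP sees on the request presenting it."""
    return normalize(confirmation_address) == normalize(client_address)


def consistent_address(session: Session, client_address: str) -> bool:
    """Model of consistentAddress: later requests must come from the address
    the SP saw at session creation. The IdP's view is never consulted."""
    return session.created_from == normalize(client_address)


def simulate_mixed_stack() -> dict:
    """Tom's scenario with constructed addresses: the client reaches the IdP
    over IPv6 but reaches the SP over IPv4."""
    idp_saw = "2001:db8:1::10"  # what the IdP wrote into the assertion
    sp_saw = "192.0.2.10"       # what the SP sees from the same client
    session = Session("alice", normalize(sp_saw))
    return {
        "check_address": check_address(idp_saw, sp_saw),            # False
        "consistent_address": consistent_address(session, sp_saw),  # True
        "consistent_after_move": consistent_address(session, "198.51.100.7"),  # False
    }


if __name__ == "__main__":
    print(simulate_mixed_stack())
```

The two observers disagree, so checkAddress fails even though nothing is being proxied, while consistentAddress, which compares the SP's own observations only, still holds until the client genuinely changes address.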


