On Tue, Oct 13, 2009 at 9:46 PM, Vin King <vin.king@gmail.com> wrote:

> If the user is masked, how do you ban their ISP?
If I can make some suggestions: an implementation can address the
matter of banning by isp,  using piecewise hashing;  don't just hash
the entire address in one go, include multiple discrete hashes of
different pices in the mask,  so that  banning  certain segments of
the hostname still works  (when possible).

Some additional tools may be useful to deal with masking.
Even the best efforts cannot make masking have zero effect on
management of large channels.      Large channels with persistent
evaders may have troubles; one of the tradeoffs of masking,  is
channel ban management is harder.

Additional channel management tools may be warranted, alongside
masking, to help put operators back in control over their channel
memberships.

I suggest a channel mode should be provided to block all masked users
joining, as a last resort, to offer an option for channels that really
need it  (the user has to weigh how much they trust the chanops),   a
channel mode such as "+H"   Users that attempt to join receive some
message like "masked users aren't allowed,   and need either to be
invited or use some special command, eg      cf.  /raw  join #channel
show-my-info
To reveal true mask only to chanops of such channel as a one-time
event while joining only  (shown in the  ":nick!user@host"  prefix of
their JOIN message).

Alternatively...   just    block-all masked users,  they have to
unmask prior to join, and  reset it back  (if they want to stay masked
in general), but that's risky..

Another possibility would be to give channels detailed ban control,
such as opting to ban a masked pattern,  eg an entire ISP but only
_while they are masked_.
(so the chanops can pick whether their ban applies  always, or _only_ when
the subject is currently masked)

Eg.
   /mode #channel +b  $m:<user mask here>
where the leading $m,  or something  similar is  a special case to
inform banlist processing that  this  entry only matches a user
currently masked.

I refer to such constructs as "ban rules",  or  "ban types".
they simply allow special-purpose bans to share the same list as normal bans.

in any case..
have a ban for say  $m:*!*@*.HASH(ISP).COM.hostmask
mean ban the entire ISP,  but _only_  when  users apply masking.
It forces them to unmask and join if they wish to participate, then the
chanops can set a more exacting ban based on real address, if the
person turns out to be the bad seed at that particular isp.

More risky:  provide a command that allows any chanop to see the
'masked version'  of any  real hostname,   so they can detect if an
unmasked user is the same  (as a previously seen masked user),    by
simply asking what the real hostname would mask to.

Masking IP addresses  that do not resolve,  and actually providing
security  is a much harder problem than masking hostnames.   Consider
that there are only 2^32  IPv4 IP addresses.. for masking to be
secure, it should be impossible for an attacker to simply run through
all  4  billion addresses  and determine the mask values.
Given that the attacker is armed with IRCD source code.


For hostnames you can mask piecewise,  eg   split the tokens and
heuristically hash certain ones:
    Host =  X.Y.Z.W.aol.com
and mask this to
    Mask =  HASH("X.Y").HASH("Z.W").HASH("AOL" ).COM.HMSK

It's not in all cases necessary to hash all tokens,  but there's a
danger an unexpected hostname token may contain the user's full IP, if
the heuristics are not carefully written to handle such cases.  an
example would be

 blahblah.blah4.city.state.172-16-0-1.blah6-3.someisp.com

For IP addresses (non-resolved IRC users)...   it's  best  if  they
take a format so that mIRC users banning will do the right thing, eg
/ban nick 3.,  so banning   *!*@*.something.ipmask        bans a  /16,
 or approximates banning an IP when using  /ban,   just as if  banning
the leftmost part of a hostname.

          Host = 1.2.3.4
          Mask =  Hash("4").Hash("3").Hash("2.1").IMSK

So doing a /ban  nick 3       bans  *!*@*.Hash("2.1").IPMASK,

Well... this is a problem...     just compute  256 values, and the
attacker can decipher every IP.

           Mask =  Hash("4.3.2.1") . Hash ("4.3") .  Hash("3.2") .
Hash ("2.1") . Hash("2")

 Well,  that's a little better...    but still too easy to break, an
attacker can just
make a table of all 256 * 256   hash values.
 To   mask an IPv4   address  (unfortunately),  necessary to either
 truncate  [destroy information] or use encryption,  to stop such
brute force methods.

 Encryption means choosing a shared secret key  known only to the
operational servers participating in the production IRC network.
There is a need for permanency of the key (so masks never change),
need to be stored in a config file,  and  agreement of the key,  in
that  two servers with different masking keys  can't be linking.

And accidental compromise of the key would be a serious matter,
making encrypted mask data insecure.



Hostname  piecewise masking doesn't do a good job at hiding common
domains, however.  I think it's generally good enough --  "Your ISP is
AOL"  doesn't reveal much.

If really worried about it,  you could salt the mask, and again use
encryption, use a symmetric cipher to encrypt it in a way that only
the servers have the static key to decrypt it  (for ban enforcement).

Compute  a  "salt"  for the mask,  based  on the entire mask,
and encrypt the SLD of the domain name using a secret key known to the
network.   Servers reading a banmask will need to know how to decrypt
it  (hence a major reason not to use this)

   Salt =  Hash2("X.Y.Z.AOL.COM")
take
Mask =  Hash("X.Y.Z.AOL").ENCRYPT(SALT+HASH(SALT+"AOL",SomeSecretKey)).COM.HMSK



--
-J
_______________________________________________
DALnet-src mailing list
DALnet-src@lists.dal.net
https://lists.dal.net/mailman/listinfo/dalnet-src