Personally, I don&#39;t think DALnet needs masking. I see plenty of room for abuse, and inability to properly ban things, especially if each server is independently hashing a hostmask. <br><br>BUT, if we WERE to mask, I&#39;d go with a static hash of the address shared among servers. Connecting server hashes it, passes it as the hostmask to all other servers. Helps prevent abuse. Nick based masks hold plenty of room for abuse.<br>
<br><DEFANGED_div class="gmail_quote">On Tue, Oct 13, 2009 at 7:50 PM, Kobi Shmueli <DEFANGED_span dir="ltr">&lt;<a href="mailto:kobi@dal.net">kobi@dal.net</a>&gt;</DEFANGED_span> wrote:<br><blockquote class="gmail_quote" DEFANGED_style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi all,<br>
<br>
I think it&#39;s about time to discuss host-masking for users again.<br>
<br>
There are (at least) two types of host-masking we could add:<br>
1) hash based masks (statically mask part of the IP/host, i.e. <a href="http://dalnet-19309.example.com" target="_blank">dalnet-19309.example.com</a>)<br>
2) nick based masks (i.e. registered-nick.dalnet.user or whatever)<br>
<br>
The second method will let users evade bans more easily so I&#39;m going to focus on the first method.<br>
<br>
My implementation suggestion:<br>
Each server will store both the user&#39;s real host and a hashed version of it. The hash for each IP/host will always be static and even if a user disconnects and re-connects, they will get the same hashed IP/host.<br>
By default, users will get a umode (i.e. +H) that will show the hashed version wherever their real host have been used until now (/whois, /who, joins, parts, etc).<br>
At any time, a user will be able to umode -H themselves and use their real host instead of the masked one.<br>
Bans will work both against the real host and the hashed host so if a user will get banned by his masked host, they won&#39;t be able to join a channel even if they umode -H themsleves.<br>
IRC Operators will be able to see any users&#39; real IP/host, ofcourse.<br>
<br>
IMO, we shouldn&#39;t pass the masked host with the NICK command between servers and just let each server hash it on their own.<br>
As for the actual encryption, I would let a module do the actual hashing of the masked host (we&#39;ll provide a sample module). The module will be able to support (at least) two encryption types so we will be able to be change the type we&#39;re using on the fly by services after all servers have upgraded their module (in the case we&#39;ll ever want to change it).<br>

<br>
Let the discussion begin!<br>
<br>
-Kobi. <br>
_______________________________________________<br>
DALnet-src mailing list<br>
<a href="mailto:DALnet-src@lists.dal.net" target="_blank">DALnet-src@lists.dal.net</a><br>
<a href="https://lists.dal.net/mailman/listinfo/dalnet-src" target="_blank">https://lists.dal.net/mailman/listinfo/dalnet-src</a><br>
</blockquote></DEFANGED_div><br>