Hello, helpers community!
Over the past couple years, the ircd and SRA coding teams have been
working on adding support for user hostmasking. It's a big change for
DALnet, affecting many different pieces of code (bahamut, services,
stats), how we handle bans, how we handle logging, etc.
It's at the point now where we feel our systems are ready for a
production deployment. We're going to do this as a staged roll out,
meaning only a couple small servers will have user hostmasking enabled
to start. All users on all servers will be able to see the hostmasks
that are in use, but only users on the enabled servers will be able to
set/remove hostmasking to start.
If all goes well, we'll continue enabling hostmasking on more and more
servers until all servers are enabled. We expect the full roll out to
take about 2 weeks, give or take.
We've done an extensive amount of testing on the test net, but there is
still a possibility that a bug may crop up somewhere. Please email
coders(a)dal.net for any ircd/bahamut bugs you encounter and sra(a)dal.net
for any services/stats bugs you encounter.
== How does it work? ==
When a user connects to a hostmask-enabled server, they will
automatically be set usermode +H, which shows their masked hostname.
For example, a user that connects with host
10-23-23-116.server.myisp.net would be visible to other users as
bdc7-7c7a-9179-7486-6846.server.myisp.net. A user who connects with IP
address 10.20.17.4 would be visible to other users as
f0c6-d3de-b094-6eeb-5c7.20.10.ip.
We are using a hashing algorithm, so the same host or IP will always be
masked to the same result even if the user reconnects. The masked
hostname is not changeable by users and users cannot request a specific
hostmask.
When +H is on, the masked hostname will show in /whois, in channel
joins/parts, and any other place a hostname is shown in ircd or
services.
/who will show whichever host is currently in use; if the user is +H,
it'll show the masked host, otherwise it'll show the real host.
The user has the option to set usermode -H to show their real hostname
or IP. In order to set or remove the H usermode, the user must not be
in any channels. This is to keep client-side channel lists in sync. There
is a limit of 2 usermode H changes in 5 minutes as a flood mitigation
measure.
== What about ban evasion? ==
Any ircd or services feature that supports an address mask (access
lists, bans, exempt lists, invite lists, HOP/VOP/AOP/SOP masks, AKILLs,
etc.) will accept either the real hostname, the masked hostname, or the
real IP and will apply no matter if the user is +H or -H.
For example, I could ban the above user with *!*@10*.server.myisp.net or
*!*@10.23.* and the ban would still be effective even if the user is
masked. Our systems will check the address mask against the real
hostname, the masked hostname, and the real IP.
We've included the above information in a FAQ that is available to all
users at: https://www.dal.net/kb/view.php?kb=450
If users have any questions that aren't answered in the FAQ, please
refer them to #operhelp.
Happy testing and masking!
--
Ryan Smith <xpsycho(a)dal.net>
Server Administrator (foxtrot/sakura) and SRA Lead
The DALnet IRC Network
PGP Fingerprint: 8A27 3349 2B43 D378 6349 8674 F13A D7BA C90E D44E
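
The ban-matching rule described under "What about ban evasion?", as an added example that is not part of the original announcement and is not bahamut or services code. The `User` fields, the helper names, the nick/ident and the real IP 10.23.23.116 are constructed for illustration, and ASCII case-insensitive matching is an assumption.

```python
import re
from dataclasses import dataclass

@dataclass
class User:
    nick: str
    ident: str
    real_host: str    # resolved hostname (or the IP when nothing resolved)
    masked_host: str  # what other users see while the user is +H
    real_ip: str

def mask_to_regex(mask: str) -> re.Pattern:
    """Translate an IRC address mask ('*' = any run, '?' = one char) to a regex.

    Built by hand rather than with fnmatch, which would treat '[' and ']'
    (legal in nicknames) as character classes.
    """
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def candidate_addresses(user: User) -> list[str]:
    """Every nick!ident@host form a mask is tested against, duplicates removed."""
    hosts = dict.fromkeys([user.real_host, user.masked_host, user.real_ip])
    return [f"{user.nick}!{user.ident}@{h}" for h in hosts if h]

def mask_applies(mask: str, user: User) -> bool:
    """True if the mask matches the real host, the masked host or the real IP.

    The user's +H/-H state is deliberately not consulted: toggling the mode
    changes what is displayed, not what a ban or access entry matches.
    """
    rx = mask_to_regex(mask)
    return any(rx.fullmatch(addr) for addr in candidate_addresses(user))

# Constructed sample user, using the hostnames from the announcement.
SAMPLE = User(
    nick="guest", ident="user",
    real_host="10-23-23-116.server.myisp.net",
    masked_host="bdc7-7c7a-9179-7486-6846.server.myisp.net",
    real_ip="10.23.23.116",  # assumed; the announcement does not state it
)
```
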