
Hello, helpers community!

Over the past couple years, the ircd and SRA coding teams have been working on adding support for user hostmasking. It's a big change for DALnet, affecting many different pieces of code (bahamut, services, stats), how we handle bans, how we handle logging, etc. It's at the point now where we feel our systems are ready for a production deployment.

We're going to do this as a staged roll out, meaning only a couple small servers will have user hostmasking enabled to start. All users on all servers will be able to see the hostmasks that are in use, but only users on the enabled servers will be able to set/remove hostmasking to start. If all goes well, we'll continue enabling hostmasking on more and more servers until all servers are enabled. We expect the full roll out to take about 2 weeks, give or take.

We've done an extensive amount of testing on the test net, but there is still a possibility that a bug may crop up somewhere. Please email coders@dal.net for any ircd/bahamut bugs you encounter and sra@dal.net for any services/stats bugs you encounter.

== How does it work? ==

When a user connects to a hostmask enabled server, they will automatically be set usermode +H, which shows their masked hostname. For example, a user that connects with host 10-23-23-116.server.myisp.net would be visible to other users as bdc7-7c7a-9179-7486-6846.server.myisp.net. A user who connects with IP address 10.20.17.4 would be visible to other users as f0c6-d3de-b094-6eeb-5c7.20.10.ip.

We are using a hashing algorithm, so the same host or IP will always be masked to the same result even if the user reconnects. The masked hostname is not changeable by users and users cannot request a specific hostmask.

When +H is on, the masked hostname will show in /whois, in channel joins/parts, and any other place a hostname is shown in ircd or services. /who will show whichever host is currently in use; if the user is +H, it'll show the masked host, otherwise it'll show the real host.

The user has the option to set usermode -H to show their real hostname or IP. In order to set or remove the H usermode, the user must not be in any channels. This is to keep client-side channel lists in sync. There is a limit of 2 usermode H changes in 5 minutes as a flood mitigation measure.

== What about ban evasion? ==

Any ircd or services feature that supports an address mask (access lists, bans, exempt lists, invite lists, HOP/VOP/AOP/SOP masks, AKILLs, etc.) will accept either the real hostname, the masked hostname, or the real IP and will apply no matter if the user is +H or -H. For example, I could ban the above user with *!*@10*.server.myisp.net or *!*@10.23.* and the ban would still be effective even if the user is masked. Our systems will check the address mask against the real hostname, the masked hostname, and the real IP.

We've included the above information in a FAQ that is available to all users at: https://www.dal.net/kb/view.php?kb=450

If users have any questions that aren't answered in the FAQ, please refer them to #operhelp.

Happy testing and masking!

--
Ryan Smith <xpsycho@dal.net>
Server Administrator (foxtrot/sakura) and SRA Lead
The DALnet IRC Network
PGP Fingerprint: 8A27 3349 2B43 D378 6349 8674 F13A D7BA C90E D44E
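The three-way ban check described under "What about ban evasion?", as an added example that is not part of the announcement and is not bahamut's code. It contrasts matching a ban against only the displayed host with matching it against the real hostname, the masked hostname and the real IP. The struct, the function names, the nick and ident, and the IP 10.23.23.116 are assumptions made for illustration; the two hostnames and the ban mask are the ones quoted in the message.

```c
#include <ctype.h>
#include <stdio.h>
/* Case-insensitive IRC wildcard match: '*' = any run, '?' = one character. */
static int wild_match(const char *m, const char *s) {
    const char *star = NULL, *retry = NULL;
    while (*s) {
        if (*m == '*') { star = ++m; retry = s; }
        else if (*m == '?' || tolower((unsigned char)*m) == tolower((unsigned char)*s)) { m++; s++; }
        else if (star) { m = star; s = ++retry; }   /* let the last '*' absorb one more char */
        else return 0;
    }
    while (*m == '*') m++;
    return *m == '\0';
}

struct client {            /* hypothetical record, not bahamut's own structure */
    const char *nick, *user, *real_host, *masked_host, *real_ip;
    int umode_H;           /* 1 = +H, the masked host is what others see */
};

/* Hosts are the announcement's example; nick, ident and IP are constructed. */
static const struct client sample = {
    "guest", "ident", "10-23-23-116.server.myisp.net",
    "bdc7-7c7a-9179-7486-6846.server.myisp.net", "10.23.23.116", 1
};

/* Match a ban mask against nick!user@addr for one of the client's addresses. */
static int match_addr(const char *ban, const struct client *c, const char *addr) {
    char full[512];
    snprintf(full, sizeof full, "%s!%s@%s", c->nick, c->user, addr);
    return wild_match(ban, full);
}
/* Naive check: only the host other users currently see. */
int ban_hits_visible_only(const char *ban, const struct client *c) {
    return match_addr(ban, c, c->umode_H ? c->masked_host : c->real_host);
}
/* Check described in the announcement: real host, masked host and real IP. */
int ban_applies(const char *ban, const struct client *c) {
    return match_addr(ban, c, c->real_host)
        || match_addr(ban, c, c->masked_host)
        || match_addr(ban, c, c->real_ip);
}

int main(void) {
    const char *ban = "*!*@10*.server.myisp.net";   /* ban mask from the announcement */
    printf("visible-only=%d all-three=%d\n",
           ban_hits_visible_only(ban, &sample), ban_applies(ban, &sample));
    return 0;
}
```

A ban written against the real host misses a +H user when only the displayed host is checked, and hits when all three addresses are checked.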