Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Sakkath]

All my servers on my UnrealIRCd3.2.5 network are linked with ziplinks and SSL.

Just to follow suit, I think it would be nice to have either or both of these features .

[SpaceDoG]

This has already been suggested and pretty much turned down. Please read http://forum.anope.org/viewthread.php?tid=543&page=1#pid2675

[Charles Kingsley]

Turned down being a way of putting it,  would rather say, explained why we wouldn't /need/ do it.

[Bsd]

Indeed SSL would be nice, and Ziplinks.  Maybe a module could be made instead of an intergrated feature.  SSL would be a big addition, module would be more probable I believe.

[Jobe]

There is absolutly no need for ssl or ziplinks between services and the IRCd because in most setups Anope connects locally.

If not install an IRCd on the same comp as Anope just to act as a gateway to the rest of the network.

[Bsd]

Well besides that services connection not being SSL will release any info in a non-encrypted manor.  But I would assume if you use a Services hub as I do, it will encrypt the info from services to the other user-based servers.  But again on the reverse, the services hub I would think would decrpt for services, which is where the vulnerability would lie.

[Charles Kingsley]

Assuming you connect locally to the hub (using loopback) then there is no network traffic, it is purely a software interface. The data is then encrypted from the hub to the other servers.

If you want to link on an interface other than loopback, you could try an ssh tunnel.

[djGrrr]

Although there is no need for it in most setups, some setups do go over a network (even if in the same building/datacenter).
Personally, i think SSL and Ziplink support are features that are really needed to make Anope complete; although they shouldn't exactly be a priority, it would be really great to see them in the future (2.0?)

[Sakkath]

Well I suppose it's not *needed,* but I have to create an extra listening port just for Anope.  Possibly have a compile time feature, or a module?

Don't assume everyone is going to run services locally, I do, but I still have to bind to an IP, I can't bind to 127.0.0.1 since it's a shell hosting box.

Don't assume everyone has permission to run an IRCd on their box where they run Anope.

This could still possibly leave someone on the same box to sniff my info?

Ziplinks would just speed stuff up since I have experienced lag with Anope, albeit it might make the load slightly higher.

How would I possibly run an ssh tunnel?

Also, how can I subscribe to topics automatically?  An email notification of replies would be lovely?

[Edited on 8-12-2006 by Sakkath]

[Dave Robson]

Originally posted by Sakkath
Don't assume everyone is going to run services locally, I do, but I still have to bind to an IP, I can't bind to 127.0.0.1 since it's a shell hosting box.

We dont, you can run services remotly if you want to.

Originally posted by Sakkath
Don't assume everyone has permission to run an IRCd on their box where they run Anope.

We dont, you can run services remotly if you want to.

Originally posted by Sakkath
This could still possibly leave someone on the same box to sniff my info?

If a local user has root permission (required by nix* for packet sniffing) SSL wont help you.

Originally posted by Sakkath
Ziplinks would just speed stuff up since I have experienced lag with Anope, albeit it might make the load slightly higher.

If its a local connection you will actaully increase lag and CPU time - i doubt this is something you want.  

Originally posted by Sakkath
How would I possibly run an ssh tunnel?

Read the ssh manual regarding tunneling/port forwarding.

[katsklaw]

I can't bind to 127.0.0.1 since it's a shell hosting box.

Yes, it *IS* possible. Your shell host has to set-up a 127.0.0.x IP for you as virtual interface. Please read: http://ircd.shellnode.org/~katsklaw/anope/tutorials/localhost.html for more information on it.

[Sakkath]

Originally posted by katsklaw

I can't bind to 127.0.0.1 since it's a shell hosting box.

Yes, it *IS* possible. Your shell host has to set-up a 127.0.0.x IP for you as virtual interface. Please read: http://ircd.shellnode.org/~katsklaw/anope/tutorials/localhost.html for more information on it.

I suppose that's true since it's a /24 subnet, right?

Well it's not up to me it's up to the sysadmin :-).

Yes Ziplinks would increase the load as I mentioned .

It still would be a handy compile time feat. or module if you are linking remotely :-).

[djGrrr]

Originally posted by Sakkath
I suppose that's true since it's a /24 subnet, right?

its a /8 subnet
127.*.*.* < any ip can be used there

[Edited on 10-12-2006 by djGrrr]

[katsklaw]

Well it's not up to me it's up to the sysadmin :-).

It's ALOT easier for you to *ask* your sysadmin to set up a virtual interface for a 127.x IP than it is for us to code in ssl/ziplinks. I know for a fact that it is because I just happen to own a hosting company and I give my users a virtual localhost so I know how easy it is and best of all it's free!!

The Anope Team feels ssl/zip is not worth the resources, thus it will not be added. If you want ssl/zip

1> use localhost and "piggy back" the ircd's ssl/zip
2> use stunnel

To be honest, ziplinks for 99.99% of the networks in existence is a waste to time and resources. IRC uses very little bandwidth to start with. Even some of the largest nets in the world only use about 300kbps sustained This is on a 40,000 user network, not the 10, 100, 1000 users that most nets have. 300kbps isn't even enough to saturate my cable modem upstream let alone a properly hosted machine in a data center. Most nets run at less than 5kbps .. absolutely NO reason to zip that!

You have a better chance of your shell account hacked than you have of having an irc server data stream sniffed by the wrong sort of person since sniffers require root access it can't be done locally accept by your system admin. IN the event that it IS you admin, you have bigger problems, not to mention that ssl won't help you at any rate. Unless you force ALL users AND alll servers to connect via ssl, then ssl is a moot point. Yes, services is a server and we have already told you how you can use ssl with services. I have NEVER seen an irc network in the thousands of nets I've visited that ONLY does ssl.

User passwords is the ONLY *real* reason to encrypt data and you have a better chance of all your users accidently exposing their passwords than you being subject to a sniffer. If you are paranoid about password theft:

1> use 100% s2s and 100% s2c connections, no plain text connections on any physical interface.
2> encrypt your users passwords in the db's
3> disable ns/cs sendpass/getpass (automaticly done if you enable #2 above)

[Sakkath]

Right then, I thought it was /24 didn't know it was /8, sorry.

Well I guess I could ask him I'm sure his other customers might find it useful as well, and I'm sure they can each have a lot more than one IP :-).

I guess maybe I shouldn't even enable ziplinks on any of the servers if it's that pointless, thanks :-).

[wshs]

It takes around 70 lines of code to add SSL to anything that uses only 1 connection, and most of those are just for aesthetic error handling. A few more are needed for things that use many connections, such as a hub. Hell, if I had a development system handy where I could test things, I'd make the patch. I find it funny that the line "If a local user has root permission, SSL wont help you" has been used. The same thing can be used to argue against encryption of passwords. Though, I do find it ironic that it takes so few lines to add SSL, which appears to be a ton of work, yet each of the password encryption modules exceeds 300 lines. Anyone want to offer me a development shell with SVN and OpenSSL installed?

[katsklaw]

The local root approach was used because it's true, other things that the same root user can do was omitted as they are off topic.

As far as a shell, svn and openssl goes, you can' use VMware server on your local machine and install everything you need to create your patch. You conveniently forgot to mention the undue overhead for using ssl that we mentioned. As stated before the Anope Team do not intend to add SSL/zip support to the Anope core. Stunnel works perfectly as well as "piggybacking" the uplinks ssl/zip connection since 99.99% of the time Anope's uplink is local to start with!

as always we *DO* invite, encourage and welcome feedback/patches from our users. However this horse is dead, please stop beating it.

Locked.