You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "David Allsopp (Created) (JIRA)" <ji...@apache.org> on 2011/11/07 11:55:51 UTC
[jira] [Created] (CASSANDRA-3462) Determine IP address of Message
sender from the socket, rather than trusting the sender
Determine IP address of Message sender from the socket, rather than trusting the sender
---------------------------------------------------------------------------------------
Key: CASSANDRA-3462
URL: https://issues.apache.org/jira/browse/CASSANDRA-3462
Project: Cassandra
Issue Type: Sub-task
Components: Core
Affects Versions: 1.0.1
Environment: All.
Reporter: David Allsopp
A prerequisite for preventing malicious nodes from joining a cluster (parent issue https://issues.apache.org/jira/browse/CASSANDRA-2274) is that we can determine the IP of the sender (setting aside the fact that this may be spoofed by a determined attacker).
Currently we deserialize the "from" IP address from the incoming message header, using Header.deserialize() and CompactEndpointSerializationHelper.deserialize() i.e. we trust the sender to supply a true IP address.
We could stop storing the IP address in the message Header at all (saving a small amount of space) and set the 'true' sender IP upon receipt of the message, in org.apache.cassandra.net.IncomingTcpConnection, using socket.getInetAddress().
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (CASSANDRA-3462) Determine IP address of Message
sender from the socket, rather than trusting the sender
Posted by "David Allsopp (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3462?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Allsopp updated CASSANDRA-3462:
-------------------------------------
Attachment: Cassandra-3462-v2.patch
Patch v2 adds a static flag to enable unit tests to disable the IP validation.
> Determine IP address of Message sender from the socket, rather than trusting the sender
> ---------------------------------------------------------------------------------------
>
> Key: CASSANDRA-3462
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3462
> Project: Cassandra
> Issue Type: Sub-task
> Components: Core
> Affects Versions: 1.0.1
> Environment: All.
> Reporter: David Allsopp
> Labels: authentication, security
> Attachments: Cassandra-3462-v2.patch, Cassandra-3462.patch
>
>
> A prerequisite for preventing malicious nodes from joining a cluster (parent issue https://issues.apache.org/jira/browse/CASSANDRA-2274) is that we can determine the IP of the sender (setting aside the fact that this may be spoofed by a determined attacker).
> Currently we deserialize the "from" IP address from the incoming message header, using Header.deserialize() and CompactEndpointSerializationHelper.deserialize() i.e. we trust the sender to supply a true IP address.
> We could stop storing the IP address in the message Header at all (saving a small amount of space) and set the 'true' sender IP upon receipt of the message, in org.apache.cassandra.net.IncomingTcpConnection, using socket.getInetAddress().
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (CASSANDRA-3462) Determine IP address of Message
sender from the socket, rather than trusting the sender
Posted by "David Allsopp (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3462?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Allsopp updated CASSANDRA-3462:
-------------------------------------
Attachment: Cassandra-3462.patch
This small patch corrects the Header if the IP addresses don't match. Unfortunately it breaks org.apache.cassandra.service.RemoveTest, which creates a ring of nodes with fake IP addresses (127.0.0.2 etc), so not really sure how to proceed...
> Determine IP address of Message sender from the socket, rather than trusting the sender
> ---------------------------------------------------------------------------------------
>
> Key: CASSANDRA-3462
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3462
> Project: Cassandra
> Issue Type: Sub-task
> Components: Core
> Affects Versions: 1.0.1
> Environment: All.
> Reporter: David Allsopp
> Labels: authentication, security
> Attachments: Cassandra-3462.patch
>
>
> A prerequisite for preventing malicious nodes from joining a cluster (parent issue https://issues.apache.org/jira/browse/CASSANDRA-2274) is that we can determine the IP of the sender (setting aside the fact that this may be spoofed by a determined attacker).
> Currently we deserialize the "from" IP address from the incoming message header, using Header.deserialize() and CompactEndpointSerializationHelper.deserialize() i.e. we trust the sender to supply a true IP address.
> We could stop storing the IP address in the message Header at all (saving a small amount of space) and set the 'true' sender IP upon receipt of the message, in org.apache.cassandra.net.IncomingTcpConnection, using socket.getInetAddress().
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CASSANDRA-3462) Determine IP address of Message
sender from the socket, rather than trusting the sender
Posted by "David Allsopp (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3462?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13145600#comment-13145600 ]
David Allsopp commented on CASSANDRA-3462:
------------------------------------------
The patch above logs a warning and 'repairs' the incorrect IP - but should we actually just drop any messages with incorrect IPs on the assumption that they come from a hostile (or badly broken) node?
> Determine IP address of Message sender from the socket, rather than trusting the sender
> ---------------------------------------------------------------------------------------
>
> Key: CASSANDRA-3462
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3462
> Project: Cassandra
> Issue Type: Sub-task
> Components: Core
> Affects Versions: 1.0.1
> Environment: All.
> Reporter: David Allsopp
> Labels: authentication, security
> Attachments: Cassandra-3462-v2.patch, Cassandra-3462.patch
>
>
> A prerequisite for preventing malicious nodes from joining a cluster (parent issue https://issues.apache.org/jira/browse/CASSANDRA-2274) is that we can determine the IP of the sender (setting aside the fact that this may be spoofed by a determined attacker).
> Currently we deserialize the "from" IP address from the incoming message header, using Header.deserialize() and CompactEndpointSerializationHelper.deserialize() i.e. we trust the sender to supply a true IP address.
> We could stop storing the IP address in the message Header at all (saving a small amount of space) and set the 'true' sender IP upon receipt of the message, in org.apache.cassandra.net.IncomingTcpConnection, using socket.getInetAddress().
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (CASSANDRA-3462) Determine IP address of Message
sender from the socket, rather than trusting the sender
Posted by "David Allsopp (Resolved) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3462?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Allsopp resolved CASSANDRA-3462.
--------------------------------------
Resolution: Not A Problem
Assignee: (was: David Allsopp)
Closed to reflect the status of the parent issue (CASSANDRA-2274).
> Determine IP address of Message sender from the socket, rather than trusting the sender
> ---------------------------------------------------------------------------------------
>
> Key: CASSANDRA-3462
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3462
> Project: Cassandra
> Issue Type: Sub-task
> Components: Core
> Environment: All.
> Reporter: David Allsopp
> Labels: authentication, security
> Fix For: 1.0.3
>
> Attachments: Cassandra-3462-v2.patch, Cassandra-3462.patch
>
>
> A prerequisite for preventing malicious nodes from joining a cluster (parent issue https://issues.apache.org/jira/browse/CASSANDRA-2274) is that we can determine the IP of the sender (setting aside the fact that this may be spoofed by a determined attacker).
> Currently we deserialize the "from" IP address from the incoming message header, using Header.deserialize() and CompactEndpointSerializationHelper.deserialize() i.e. we trust the sender to supply a true IP address.
> We could stop storing the IP address in the message Header at all (saving a small amount of space) and set the 'true' sender IP upon receipt of the message, in org.apache.cassandra.net.IncomingTcpConnection, using socket.getInetAddress().
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CASSANDRA-3462) Determine IP address of Message
sender from the socket, rather than trusting the sender
Posted by "David Allsopp (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3462?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13146243#comment-13146243 ]
David Allsopp commented on CASSANDRA-3462:
------------------------------------------
Ah, yes :-). Given that the parent issue has been closed there's probably no point pursuing this.
Validating forwarded messages end-to-end is possible using a 'chain of trust' where each forwarding node vouches for the originator, but it seems the inter-node encryption achieves the same goal and more!
> Determine IP address of Message sender from the socket, rather than trusting the sender
> ---------------------------------------------------------------------------------------
>
> Key: CASSANDRA-3462
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3462
> Project: Cassandra
> Issue Type: Sub-task
> Components: Core
> Environment: All.
> Reporter: David Allsopp
> Assignee: David Allsopp
> Labels: authentication, security
> Fix For: 1.0.3
>
> Attachments: Cassandra-3462-v2.patch, Cassandra-3462.patch
>
>
> A prerequisite for preventing malicious nodes from joining a cluster (parent issue https://issues.apache.org/jira/browse/CASSANDRA-2274) is that we can determine the IP of the sender (setting aside the fact that this may be spoofed by a determined attacker).
> Currently we deserialize the "from" IP address from the incoming message header, using Header.deserialize() and CompactEndpointSerializationHelper.deserialize() i.e. we trust the sender to supply a true IP address.
> We could stop storing the IP address in the message Header at all (saving a small amount of space) and set the 'true' sender IP upon receipt of the message, in org.apache.cassandra.net.IncomingTcpConnection, using socket.getInetAddress().
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Issue Comment Edited] (CASSANDRA-3462) Determine IP address
of Message sender from the socket, rather than trusting the sender
Posted by "David Allsopp (Issue Comment Edited) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3462?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13145513#comment-13145513 ]
David Allsopp edited comment on CASSANDRA-3462 at 11/7/11 3:54 PM:
-------------------------------------------------------------------
This small patch corrects the Header if the IP addresses don't match. Unfortunately it breaks org.apache.cassandra.service.RemoveTest, which creates a ring of nodes with fake IP addresses (127.0.0.2 etc), so not really sure how to proceed... Probably need a static flag that the tests can unset to bypass the IP check, which seems a little ugly.
was (Author: dallsopp):
This small patch corrects the Header if the IP addresses don't match. Unfortunately it breaks org.apache.cassandra.service.RemoveTest, which creates a ring of nodes with fake IP addresses (127.0.0.2 etc), so not really sure how to proceed...
> Determine IP address of Message sender from the socket, rather than trusting the sender
> ---------------------------------------------------------------------------------------
>
> Key: CASSANDRA-3462
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3462
> Project: Cassandra
> Issue Type: Sub-task
> Components: Core
> Affects Versions: 1.0.1
> Environment: All.
> Reporter: David Allsopp
> Labels: authentication, security
> Attachments: Cassandra-3462.patch
>
>
> A prerequisite for preventing malicious nodes from joining a cluster (parent issue https://issues.apache.org/jira/browse/CASSANDRA-2274) is that we can determine the IP of the sender (setting aside the fact that this may be spoofed by a determined attacker).
> Currently we deserialize the "from" IP address from the incoming message header, using Header.deserialize() and CompactEndpointSerializationHelper.deserialize() i.e. we trust the sender to supply a true IP address.
> We could stop storing the IP address in the message Header at all (saving a small amount of space) and set the 'true' sender IP upon receipt of the message, in org.apache.cassandra.net.IncomingTcpConnection, using socket.getInetAddress().
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (CASSANDRA-3462) Determine IP address of Message
sender from the socket, rather than trusting the sender
Posted by "Jonathan Ellis (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3462?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan Ellis updated CASSANDRA-3462:
--------------------------------------
Reviewer: brandon.williams
Affects Version/s: (was: 1.0.1)
Fix Version/s: 1.0.3
Assignee: David Allsopp
> Determine IP address of Message sender from the socket, rather than trusting the sender
> ---------------------------------------------------------------------------------------
>
> Key: CASSANDRA-3462
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3462
> Project: Cassandra
> Issue Type: Sub-task
> Components: Core
> Environment: All.
> Reporter: David Allsopp
> Assignee: David Allsopp
> Labels: authentication, security
> Fix For: 1.0.3
>
> Attachments: Cassandra-3462-v2.patch, Cassandra-3462.patch
>
>
> A prerequisite for preventing malicious nodes from joining a cluster (parent issue https://issues.apache.org/jira/browse/CASSANDRA-2274) is that we can determine the IP of the sender (setting aside the fact that this may be spoofed by a determined attacker).
> Currently we deserialize the "from" IP address from the incoming message header, using Header.deserialize() and CompactEndpointSerializationHelper.deserialize() i.e. we trust the sender to supply a true IP address.
> We could stop storing the IP address in the message Header at all (saving a small amount of space) and set the 'true' sender IP upon receipt of the message, in org.apache.cassandra.net.IncomingTcpConnection, using socket.getInetAddress().
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CASSANDRA-3462) Determine IP address of Message
sender from the socket, rather than trusting the sender
Posted by "Jonathan Ellis (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3462?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13145740#comment-13145740 ]
Jonathan Ellis commented on CASSANDRA-3462:
-------------------------------------------
A worthy attempt, but it would break multi-DC replication. See the additional comments I've added to Header.java
> Determine IP address of Message sender from the socket, rather than trusting the sender
> ---------------------------------------------------------------------------------------
>
> Key: CASSANDRA-3462
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3462
> Project: Cassandra
> Issue Type: Sub-task
> Components: Core
> Environment: All.
> Reporter: David Allsopp
> Assignee: David Allsopp
> Labels: authentication, security
> Fix For: 1.0.3
>
> Attachments: Cassandra-3462-v2.patch, Cassandra-3462.patch
>
>
> A prerequisite for preventing malicious nodes from joining a cluster (parent issue https://issues.apache.org/jira/browse/CASSANDRA-2274) is that we can determine the IP of the sender (setting aside the fact that this may be spoofed by a determined attacker).
> Currently we deserialize the "from" IP address from the incoming message header, using Header.deserialize() and CompactEndpointSerializationHelper.deserialize() i.e. we trust the sender to supply a true IP address.
> We could stop storing the IP address in the message Header at all (saving a small amount of space) and set the 'true' sender IP upon receipt of the message, in org.apache.cassandra.net.IncomingTcpConnection, using socket.getInetAddress().
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira