
shibboleth-dev - Re: Shibboleth and ipv6

Subject: Shibboleth Developers


Re: Shibboleth and ipv6


  • From: Lukas Haemmerle <>
  • To:
  • Subject: Re: Shibboleth and ipv6
  • Date: Tue, 18 Oct 2005 09:22:57 +0200
  • Organization: SWITCH - The Swiss Education and Research Network

> I think you mean true, not false. I assume so anyway.

Yes, sorry for the confusion :)


> I don't really know
> anything about v6 other than rudimentary stuff, so I don't know what the bug
> is or how to fix it. I gather it's something like having to convert the
> address formats back and forth and allowing that kind of comparison to
> succeed.

> In practice, it's not clear who can afford to leave it on anyway. It's less
> common, I'd say.

I don't know exactly how many SPs have enabled address checking in
SWITCHaai but we've already had some cases where people ran into
problems because of proxies/VPN stuff in combination with address
checking. Use of IPv6 also falls into this category.

>>Provided that ipv6 is spreading more and more, are there any plans to
>>make the Shibboleth SP completely ipv6 aware and is that
>>possible at all?
>
> I have no idea since I don't know what the exact problem is. It's not
> something I can test either.

Let me try to explain the situation :) As I said, IPv6 problems only
occur if:
- The user has an ipv4 AND an ipv6 address
- The user's web browser uses the ipv6 address to connect (if the other host
supports ipv6)
- SP has only an ipv4 address, the IdP has ipv4 AND ipv6 addresses or the
other way around
- the checkAddress setting is set to true

What then happens is (User = User's web browser):
1. User connects to SP using ipv4 ip
2. SP redirects to IdP (or WAYF and then to IdP, but WAYF can be ignored
in this situation)
3. User connects to IdP using ipv6 ip
4. User authenticates at IdP and gets handle. Handle contains ipv6 IP in
element "SubjectLocality"
5. User gets redirected to SP
6. User connects to SP using ipv4 ip
7. SP checks handle and throws an error because the ipv6 IP in the
handle is not the same as the ipv4 IP that was used to connect to the SP

There wouldn't be a problem if SP or IdP somehow could figure out what
ipv4 and ipv6 IP the user has. Unfortunately this is probably not
easy or not possible at all. The only way I know may work is to do a
reverse dns lookup to get the hostname of the user and then do a dns
lookup for ipv4 or ipv6...

So, I would say the only option is to disable the address checking in
that situation.

Cheers
Lukas

--
------- SWITCH - The Swiss Education & Research Network ------
Lukas Haemmerle NetServices http://www.switch.ch/
SWITCH, Neumuehlequai 6, P.O. Box, CH-8021 Zurich, Switzerland

Tel: +41 44 268 15 64 Fax: +41 44 253 98 98
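As an added illustration of the seven-step failure sequence in the post above (example code, not Shibboleth's own implementation): a small Python model of the SP-side SubjectLocality comparison. It assumes the browser prefers IPv6 whenever the peer is reachable over IPv6, uses constructed documentation-range addresses, and also unwraps IPv4-mapped IPv6 addresses (the "convert the address formats back and forth" idea from the quoted reply), which helps for a single dual-stack socket but does not rescue the true dual-stack case described here.

```python
import ipaddress
from typing import Tuple


def normalize(addr: str):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4
    so the same client seen via a v4 socket and a v6-mapped socket compares equal."""
    ip = ipaddress.ip_address(addr.strip())
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def check_address(handle_locality: str, client_addr: str,
                  check_address_enabled: bool = True) -> Tuple[bool, str]:
    """Model of step 7: compare the SubjectLocality address carried in the handle
    with the address the browser used to reach the SP. Returns (accepted, reason)."""
    if not check_address_enabled:
        return True, "checkAddress=false: address not compared"
    a, b = normalize(handle_locality), normalize(client_addr)
    if a == b:
        return True, "addresses match"
    if a.version != b.version:
        return False, (f"dual-stack mismatch: handle carries IPv{a.version} {a}, "
                       f"client reached the SP over IPv{b.version} {b}")
    return False, f"address mismatch: handle {a} vs client {b}"


def simulate(user_v4: str, user_v6: str, idp_has_v6: bool, sp_has_v6: bool,
             check_address_enabled: bool) -> Tuple[bool, str]:
    """Walk steps 1-7 for a dual-stack user. The browser uses IPv6 to any host
    that offers it (assumption), so IdP and SP may see different client addresses."""
    addr_seen_by_idp = user_v6 if idp_has_v6 else user_v4   # steps 3-4
    addr_seen_by_sp = user_v6 if sp_has_v6 else user_v4     # steps 1 and 6
    handle_locality = addr_seen_by_idp                      # SubjectLocality in handle
    return check_address(handle_locality, addr_seen_by_sp, check_address_enabled)


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges (TEST-NET-1, 2001:db8::/32).
    user_v4, user_v6 = "192.0.2.10", "2001:db8::10"
    # The post's scenario: dual-stack IdP, IPv4-only SP, checkAddress=true -> rejected.
    print(simulate(user_v4, user_v6, idp_has_v6=True, sp_has_v6=False, check_address_enabled=True))
    # Same topology with checkAddress=false, the workaround the post settles on.
    print(simulate(user_v4, user_v6, idp_has_v6=True, sp_has_v6=False, check_address_enabled=False))
    # Format conversion alone only covers the mapped-address case, not dual-stack.
    print(check_address("::ffff:192.0.2.10", "192.0.2.10"))
```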



