shibboleth-dev - Re: IPv6 support
Subject: Shibboleth Developers
- From: Lukas Haemmerle <>
- To:
- Subject: Re: IPv6 support
- Date: Fri, 02 Feb 2007 13:00:17 +0100
- Organization: SWITCH - The Swiss Education and Research Network
Josh Howlett wrote:
> I'm interested in determining the level of support for IPv6 in
> Shibboleth. I understand that there is IPv4-specific code for validating
> assertions and cookies. Is there much else?
We had a look at that sometime last year. The only issue we encountered
had to do with the checkAddress="true" setting. If this setting was
enabled, you could run into problems when the user used an IPv6 IP to
authenticate at the IdP and an IPv4 IP to access the SP host or vice
versa. In these cases, the IP address in the assertion of course doesn't
match the IP address seen at the SP, which results in an error.
What you have to do to prevent that is to configure the SP with
checkAddress="false" but leave consistentAddress="true" (the default).
This will slightly decrease the security but you won't have problems
with IPv6, Proxies, NAT and so on anymore.
Cheers
Lukas
--
------- SWITCH - The Swiss Education & Research Network ------
Lukas Haemmerle Security http://www.switch.ch/
SWITCH, Neumuehlequai 6, P.O. Box, CH-8021 Zurich, Switzerland
Tel: +41 44 268 15 64 Fax: +41 44 253 98 98
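
The dual-stack mismatch described in the message above, as an added example that is not part of the original post and not Shibboleth's own code. It is a simplified Python model of the two settings, assuming checkAddress compares the address in the assertion with the client address seen by the SP, and consistentAddress binds a session to the address it was created from; all class and function names and the sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class SPSettings:
    check_address: bool       # models checkAddress (hypothetical name)
    consistent_address: bool  # models consistentAddress (hypothetical name)


@dataclass
class Session:
    bound_address: str  # client address the SP saw when the session was created


def same_address(a: str, b: str) -> bool:
    """Compare parsed addresses so textual variants of one address are equal."""
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)


def create_session(cfg: SPSettings, assertion_address: str, client_address: str) -> Session:
    """The assertion reaches the SP; assertion_address is what the IdP saw."""
    if cfg.check_address and not same_address(assertion_address, client_address):
        raise PermissionError("address in assertion does not match client address")
    return Session(bound_address=client_address)


def accept_request(cfg: SPSettings, session: Session, client_address: str) -> bool:
    """A later request presents the session cookie from client_address."""
    if cfg.consistent_address:
        return same_address(session.bound_address, client_address)
    return True


if __name__ == "__main__":
    # Constructed sample: the IdP was reached over IPv6, the SP over IPv4.
    idp_saw, sp_saw, other_host = "2001:db8::10", "192.0.2.10", "198.51.100.7"
    strict = SPSettings(check_address=True, consistent_address=True)
    relaxed = SPSettings(check_address=False, consistent_address=True)
    try:
        create_session(strict, idp_saw, sp_saw)
    except PermissionError as exc:
        print("checkAddress=true:", exc)
    session = create_session(relaxed, idp_saw, sp_saw)
    print("same client accepted:", accept_request(relaxed, session, sp_saw))
    print("cookie from another address accepted:",
          accept_request(relaxed, session, other_host))
```

With checkAddress off the session is still tied to the address it was created from, so a cookie presented from a different address is refused in this model.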