socket security

Steve Holden sholden at holdenweb.com
Mon Apr 8 15:19:29 EDT 2002 

"Alastair Nicol" <calaban.madness at blueyonder.co.uk> wrote in message
news:40sr8.3765$rg3.345703 at news-binary.blueyonder.co.uk...
> Hi,
>   I've been enjoying the wonders of socket programming with Python. I have
> read a lot of information on the subject, but still have a few unanswered
> questions which is why, out of desperation, i'm asking here.
>
> 1) Can only hosts which can see the interface your program is bound to
> communicate with your program. In the "normal" case if you bind to
> 127.0.0.1 for example ONLY your machine can see that interface. Other
> machines cannot connect to it. Is this a safe / secure assumtion? (not
just
> for localhost)
>
Any address in the 127.0.0.0 to 127.255.255.255 space is by convention
reserved for the so-called "loopback" network. The transmit buffer filled by
the sending network layer is copied into a receive buffer and processed as
an incoming datagram by the receive portion of the stack. This means that
you can (for example) perform client/server tests on a single machine in the
absence of any network hardware at all.

By definition, therefore, any other machine trying to communicate with an
address on network 127 will see its own interfaces, not those of some remote
machine.

> 2) Also when a client connects to a socket the server gets the IP address
> of the client. Is this the "real" ip number? Ive heard you can spoof IP
> numbers so what hoops are needed to validate that the client is really
that
> client.
>
It's the IP address that your IP network layer found in the source address
field of the incoming datagram. This is normally the sender's IP address,
but of course on a DOS machine there's nothing to stop any user from putting
bigus packets out on the network, since there's no hardware protection. If
the sender has maliciously generated a datagram with some other host's IP
address as the source address there's nothing you can do to detect that.

If you need authentication then IPSec (or IPv6) contains features which
allow you to be fairly certain that IP address spoofing isn't taking place.

> openSSL is an option i would like to use, but for reasons to numerious to
> list here, i cant.
>
Never mind. Ideally, every network's external boundary router would filter
out IP datagrams that came from bogus addresses (i.e. those not inside
thenetwork), but alas we are a long way away from that desirable situation
as yet.

regards
 Steve

More information about the Python-list mailing list