[wp-hackers] Re: IP address verification for trackbacks

Kimmo Suominen kimmo at global-wire.fi
Tue Aug 19 05:33:06 GMT 2008


On Mon, Aug 18, 2008 at 11:17:10AM -0500, Otto wrote:
> On Mon, Aug 18, 2008 at 11:08 AM, Kimmo Suominen <kimmo at global-wire.fi> wrote:
> > But sure, if you want to code your plugins so that they don't account
> > for sites using secondary IP addresses, you can certainly choose to
> > do so.
> 
> My point is that there is no legitimate reason to make sites that use
> multiple addresses for the specific case of trackbacks. In other
> words, if your website is going to contact me, and the IP I'm getting
> that from doesn't match your site's actual IP, then there's no reason
> for me to assume that you are legitimate.

It is a common and normal practice to have more than one IP address on
a host.

Even if I had SNI deployed, I'd still not use the primary IP address on
a host for HTTP and HTTPS traffic.  Using secondary IP addresses makes
it easier to move services from one host to another, while still being
able to access the host itself as before the move.  If you move the only
IP address on a host with the services, you need to assign a new IP
address for the host, update DNS, SSH keys, etc.

Assigning secondary IP addresses for services also avoids the need to
update DNS for the service and wait for the change to propagate, making
the move much easier to schedule and implement.

Should a host fail, it is easier to restore services to another host
using secondary IP addresses, while maintaining the ability to repair
the failed host over the network through its primary IP address.

Secondary IP addresses are mandatory for high availability setups,
where a secondary IP address is shared between multiple hosts but
only activated on one of them (e.g. VRRP and CARP).

If a host implements IPv6 privacy, it will have several IP addresses
at the same time.  The default policy for outbound connections is to
use the most recently acquired privacy address, not the primary IP
address of the host.

> The specific problem you're speaking of (SSL not working with name
> based virtual hosting) is a solved one. You *can* use SSL with name
> based hosting. The SNI extension to TLS was invented specifically to
> solve the problem. Why not use it?

I gave reasons, but you chose not to quote them.

The point is not that you cannot use a single IP address for even SSL
hosts, but that it is a common practice to use multiple IP addresses on
a host, and HTTPS is a very common (but not the only) reason to do so.

> Also, the main nginx package does support TLS SNI. No "private
> packages" required. See here: http://nginx.net/

Not the Debian package for their latest release (etch, 4.0).

However, I see that backports has added nginx 0.5.35 for etch, so that
could be an option now.

Best regards,
+ Kimmo
-- 
Kimmo Suominen <http://kimmo.suominen.com/>
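
The cases raised in the message above, as an added example that is not part of the original post or of any WordPress plugin: a strict "sender IP must equal the site's published IP" check next to a graded comparison. The host name, the addresses (documentation ranges), and the function names are constructed for illustration; the /64 comparison assumes IPv6 privacy addresses share the prefix of the host's published address.

```python
import ipaddress

# Constructed sample data: documentation address ranges, not real hosts.
# These stand in for the A/AAAA records of the site named in a trackback URL.
PUBLISHED = {"blog.example": ["192.0.2.10", "2001:db8:1:2::10"]}


def _normalize(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def strict_check(host, remote_addr, records=PUBLISHED):
    """The check debated in the thread: sender must equal a published address."""
    published = {_normalize(a) for a in records.get(host, [])}
    return _normalize(remote_addr) in published


def classify_source(host, remote_addr, records=PUBLISHED):
    """Graded signal instead of a hard reject.

    'match'       sender address is one of the published records
    'same-prefix' IPv6 sender shares a /64 with a published record, as a
                  privacy address of the same host would
    'mismatch'    no relation visible in DNS; a secondary IPv4 address of the
                  same host lands here too, so treat it as a weak signal
    """
    remote = _normalize(remote_addr)
    published = [_normalize(a) for a in records.get(host, [])]
    if remote in published:
        return "match"
    for addr in published:
        if addr.version == 6 and remote.version == 6:
            net = ipaddress.ip_network(f"{addr}/64", strict=False)
            if remote in net:
                return "same-prefix"
    return "mismatch"
```

In production the records would come from a live A/AAAA lookup of the trackback URL's host rather than a static table.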


