Welcome to the Second Life Forums Archive

IP Addresses

Grim Lupis
Dark Wolf
Join date: 11 Jul 2003
Posts: 762
09-14-2004 09:07
Since some of the servers are moving to another facility, I need to know what the new IP address range is going to be. Especially if the mail server(s) will be moving to new IP addresses.

I have an RL server that receives mail for Email-RPC processing, but it's locked down so that it only accepts incoming mail from LL's IP addresses.

So, what's the new range?
_____________________
Grim

"God only made a few perfect heads, the rest of them he put hair on." -- Unknown
Ace Cassidy
Resident Bohemian
Join date: 5 Apr 2004
Posts: 1,228
09-14-2004 09:28
Hmmmm... bad design, Grim.

You shouldn't design in any hard-coded IP addresses if you can reference by DNS name, and since SMTP is a relay protocol, you can't even be sure that the source IP is going to be SL's mailserver.

I understand the desire to filter incoming mail, but your approach is prone to problems, such as you are experiencing now.

- Ace
_____________________
"Free your mind, and your ass will follow" - George Clinton
Siobhan Taylor
Nemesis
Join date: 13 Aug 2003
Posts: 5,476
09-14-2004 09:50
Ace,

DNSs can be hijacked. Rejecting a packet from a seemingly incorrect server is better than accepting one from a server that seems correct, but isn't... Well, maybe not one, but a few at least...
_____________________
http://siobhantaylor.wordpress.com/
Grim Lupis
Dark Wolf
Join date: 11 Jul 2003
Posts: 762
09-14-2004 11:22
Like Sio said...

I have all access to that SMTP server blocked by default (packet filtering) and only allow connections from specific IP addresses/ranges. To anyone except LL, it looks as though it's a dead IP.

This is largely to cut down my overhead by preventing me from having to do relay/client validation. I just prevent the initial connection.
_____________________
Grim

"God only made a few perfect heads, the rest of them he put hair on." -- Unknown
Jack Digeridoo
machinimaniac
Join date: 29 Jul 2003
Posts: 1,170
09-14-2004 11:32
Originally posted by Siobhan Taylor

DNSs can be hijacked.


And IPs can be spoofed.
_____________________
If you'll excuse me, it's, it's time to make the world safe for democracy.
Ace Cassidy
Resident Bohemian
Join date: 5 Apr 2004
Posts: 1,228
09-14-2004 11:53
Originally posted by Grim Lupis
This is largely to cut down my overhead by preventing me from having to do relay/client validation. I just prevent the initial connection.


I understand your motivations. All I'm trying to point out is that relying on hard-wired IP addresses is prone to problems like you're dealing with now, and is something I always try to avoid.

"Quick and simple" sometimes results in "difficult to manage".

- Ace
_____________________
"Free your mind, and your ass will follow" - George Clinton
Siobhan Taylor
Nemesis
Join date: 13 Aug 2003
Posts: 5,476
09-14-2004 13:04
Originally posted by Jack Digeridoo
And IPs can be spoofed.


Indeed they can, Jack, but it's impossible to defend against *everything*, you just do the best you can.
_____________________
http://siobhantaylor.wordpress.com/
Strife Onizuka
Moonchild
Join date: 3 Mar 2004
Posts: 5,887
09-14-2004 15:13
Just a thought: couldn't you make it so all email that is coming from a non-known Linden IP gets processed to see if it's from a Linden server and added to the known Linden IP range? It would be a big hassle but it would mean you would never need to update again.
_____________________
Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river.
- Cyril Connolly

Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence.
- James Nachtwey
Mark Linden
Funky Linden Monkey
Join date: 20 Nov 2002
Posts: 179
09-14-2004 21:56
Our IP address ranges are not changing. However, the IP address of the Second Life outbound email can change to be any IP within our range, and indeed has changed at least once in the last two weeks (due to hardware failures).

If you want to be paranoid, that's fine with me, but I'd allow anything from our ranges (66.150.244.0/23 and 69.25.104.0/23) if you want to make sure that your stuff won't break in the future.
Grim Lupis
Dark Wolf
Join date: 11 Jul 2003
Posts: 762
09-28-2004 13:18
Thanks, Mark. I do allow the entire range of LL addresses, just nothing else.

Ace, you can't set packet filtering up on any system I've ever seen by domain name. It's always by IP address or range. Sure, you can type in a domain name when you set up, but it doesn't do a PTR lookup on every connection. It just uses the name during setup to find the IP address.

Strife, I don't think there's a documented mechanism for manipulating security policies on Win2k3 programmatically. And, since the packet filtering system rides higher in the ISO model than any software I would write, if the IP address wasn't already authorized, my software would never know about the connection, anyway.
_____________________
Grim

"God only made a few perfect heads, the rest of them he put hair on." -- Unknown
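
Added example (not posted by anyone in this thread): a default-deny check of connecting peers against the two /23 ranges Mark Linden gives, written in Python as an application-layer counterpart to the packet filter Grim describes. The function names and the connection-log format are assumptions made for illustration, and the log lines are constructed.

```python
import ipaddress
import re

# Ranges quoted in Mark Linden's post; everything else here is illustrative.
ALLOWED_NETS = [ipaddress.ip_network(c)
                for c in ("66.150.244.0/23", "69.25.104.0/23")]

def covered_span():
    """First and last address of each range: a /23 spans two adjacent /24s."""
    return [(str(net[0]), str(net[-1])) for net in ALLOWED_NETS]

def normalize(peer):
    """Parse a peer string; return an address object, or None if unparsable."""
    try:
        addr = ipaddress.ip_address(peer.strip().strip("[]"))
    except ValueError:
        return None
    # Dual-stack listeners may report IPv4 peers as ::ffff:a.b.c.d; unwrap
    # them so the IPv4 allowlist still applies.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def is_allowed(peer):
    """Default deny: accept only peers inside one of the allowed ranges."""
    addr = normalize(peer)
    if addr is None:
        return False
    return any(addr.version == net.version and addr in net for net in ALLOWED_NETS)

# Constructed sample connection log (hypothetical format, not from the thread).
SAMPLE_LOG = """\
2004-09-15T02:11:40 smtp connect peer=66.150.244.9
2004-09-15T02:13:02 smtp connect peer=66.150.245.200
2004-09-15T02:13:55 smtp connect peer=66.150.246.1
2004-09-15T02:14:20 smtp connect peer=[::ffff:69.25.105.77]
2004-09-15T02:15:01 smtp connect peer=203.0.113.25
2004-09-15T02:15:30 smtp connect peer=not-an-ip
"""

def triage(log_text):
    """Return (peer, decision) for each 'peer=' entry in the log text."""
    peers = re.findall(r"peer=(\S+)", log_text)
    return [(p, "accept" if is_allowed(p) else "drop") for p in peers]

if __name__ == "__main__":
    print(covered_span())
    for peer, decision in triage(SAMPLE_LOG):
        print(f"{decision:6} {peer}")
```

The second log line shows why the whole /23 must be allowed rather than only the .244 block: 66.150.245.200 is inside the range, while 66.150.246.1 is not.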