socket security

Grant Edwards grante at visi.com
Fri Apr 5 20:31:40 EST 2002


In article <40sr8.3765$rg3.345703 at news-binary.blueyonder.co.uk>, Alastair Nicol wrote:

> I've been enjoying the wonders of socket programming with Python. 

Way more fun than C, eh?

> 1) Can only hosts which can see the interface your program is
>    bound to communicate with your program? In the "normal"
>    case if you bind to 127.0.0.1 for example ONLY your machine
>    can see that interface. Other machines cannot connect to
>    it. Is this a safe / secure assumption? (not just for
>    localhost)

Well, yes.  It's sort of a tautology.  There is no way to "see"
an IP interface other than to communicate with it.

> 2) Also when a client connects to a socket the server gets the
>    IP address of the client. Is this the "real" ip number?

Sometimes.  For some values of "real".

>    I've heard you can spoof IP numbers so what hoops are needed
>    to validate that the client is really that client.

If the other "end" of the connection is behind a
router/firewall that does NAT (network address translation),
then the IP address you see is that of the firewall, not of the
machine to which you are ultimately talking.  Often there is
more than one NAT translation going on (e.g. when I log into
my home machine from my office there's one NAT translation in
the firewall at the office, and one in my DSL modem/router).

In general the IP address is "real" in that it's the IP address
to which you send packets.  It may or may not be useful in
identifying the machine at the other end.

If somebody really does "spoof" an IP address (uses an IP
address which doesn't really route frames back to them), then
the connection can never be completed.  Spoofed IP addresses
are often used for low-level attacks.

> OpenSSL is an option I would like to use, but for reasons too
> numerous to list here, I can't.

OK.

-- 
Grant Edwards                   grante             Yow!  over in west
                                  at               Philadelphia a puppy is
                               visi.com            vomiting...
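As an added illustration of the first point (this script is not part of the original thread), the Python 3 code below binds a TCP listener to a chosen address, connects to it from the same machine, and reports the client address that accept() hands the server. It assumes a Linux-style loopback where all of 127/8 is local, so 127.0.0.2 is a second local address that a listener bound only to 127.0.0.1 does not answer on.

```python
import socket


def probe(bind_addr, connect_addr, timeout=1.0):
    """Listen on bind_addr, connect to the same port at connect_addr, and
    return the (ip, port) that the *server* sees for the client via
    accept(), or None if the connection could not be completed.

    The OS picks the listening port (port 0); the client is then pointed
    at that port on connect_addr.  Note that what accept() returns is only
    the address the server will send packets back to; it is the client's
    source address as the kernel saw it, not proof of who the client is.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind((bind_addr, 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        try:
            cli = socket.create_connection((connect_addr, port), timeout=timeout)
        except OSError:
            # ECONNREFUSED, EADDRNOTAVAIL or a timeout: nothing listening there
            return None
        try:
            # The TCP handshake already completed in the kernel, so accept()
            # returns at once with the peer address for this connection.
            srv.settimeout(timeout)
            conn, peer = srv.accept()
        except OSError:
            cli.close()
            return None
        conn.close()
        cli.close()
        return peer
    finally:
        srv.close()


if __name__ == "__main__":
    # Bound to loopback only: reachable at 127.0.0.1 ...
    print("bind 127.0.0.1, connect 127.0.0.1:", probe("127.0.0.1", "127.0.0.1"))
    # ... but not via another local address (127.0.0.2 is loopback on Linux).
    print("bind 127.0.0.1, connect 127.0.0.2:", probe("127.0.0.1", "127.0.0.2"))
    # Bound to every interface: the same listener now answers at 127.0.0.2 too.
    print("bind 0.0.0.0,   connect 127.0.0.2:", probe("0.0.0.0", "127.0.0.2"))
```

Run it on a host with more than one interface and the second case is the one that matters: the loopback-bound port stays unreachable from any non-loopback address, while the peer address reported in the other cases is simply whatever source address the connecting kernel (or an intervening NAT box) put on the packets.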
