CGI:IRC - Web Irc Command

cgiirc - Web Irc Command Not logged in	[Browse] [Contents] [Home] [Login] [Reports] [Search] [Ticket] [Timeline] [Wiki]
	[Attach] [Diff] [Edit] [History] [Text]

CGI:IRC's host spoofing now has a standard technique for sending the host and IP address of the user to the IRCD. Ideally all new IRCD implementations should use this method.

This method hopefully will apply to other methods of connecting to IRC that make use of any sort of proxy (not just web based clients, PROXYCLIENT would have been a better name in hindsight). For example web based IRC clients, SSL proxies or anything where a trusted host is effectively proxying an IRC connection.

Specification

Method

Before the client sends the PASS, USER or NICK commands it should send:

   WEBIRC password user hostname ip

Where each of the tokens in the above is replaced with the following:

password: Password that authenticates the WEBIRC command from this client.
user: User or client requesting spoof (cgiirc defaults to cgiirc).
hostname: Hostname of user.
ip: IP address either in IPv4 dotted quad notation (e.g. 192.0.0.2) or IPv6 notation (e.g. 1234:5678:9abc::def). IPv4-in-IPv6 addresses (e.g. ::ffff:192.0.0.2) should not be sent.

The password should be agreed previously with the IRC server that the client is connecting to. Normally this will be defined in the configuration file.

Expectations

Client expectations:

Perform any proxy resolution (TrustedProxies in CGI:IRC)
Check the reverse DNS and forward DNS match
Check the IP against suitable access controls (ipaccess, dnsbl in CGI:IRC)

Server expectations:

Check the connecting host and password
Set the host and IP address to the given address
Enforce bans (server-wide and channel) against the addresses given in the WEBIRC command

Security considerations

The server should limit the hosts from which a WEBIRC command is accepted from. Anyone with a valid password and host to connect from can spoof any hostname they desire, this is mostly by design. (It would be possible for the IRCD to check that the IP matches the hostname to stop spoofing of any host.) It is therefore possible to use this to bypass most kinds of ban. It is recommended the IRCD provides a method to find the original host and shows that WEBIRC is in use (to IRC operators at least) in order to provide a way to deal with abuse.

Programs that implement this protocol

Clients

CGI:IRC (by setting webirc_password)

Servers

¤Hybrid (m_webirc module)
¤Ratbox (¤m_webirc module)
¤Charybdis (m_webirc module)
¤Unreal (¤cgiirc block)
¤InspIRCd (¤m_cgiirc)

CVSTrac 1.2.1 - CGI:IRC