[184157] in North American Network Operators' Group


Re: Question re session hijacking in dual stack environments w/MacOS

daemon@ATHENA.MIT.EDU (John Schimmel)
Mon Sep 28 16:14:01 2015

X-Original-To: nanog@nanog.org
From: John Schimmel <johns@a10networks.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Sun, 27 Sep 2015 12:24:17 +0000
Errors-To: nanog-bounces@nanog.org


I can't speak to every case, but I ran into a similar issue with our WAF
product, so I can explain what was happening there.

Most Web application firewalls have cross-site request forgery protection.
When a form is downloaded, the firewall inserts a hidden field or cookie
that contains the IP address of the request.  When the form is submitted,
the firewall then verifies that the post is sent from the same address.  If
the client does a get via IPv6, and the form contains a form action for a
URL that is better reached via IPv4 then the firewall sees the post coming
from a different IP address and refuses the request.

This is nothing specifically to do with MacOS; it is true of any multi-homed
system.  The options are either to rewrite the client to guarantee that the
address in a post always matches the corresponding get; to maintain
different URLs on the server such that requests from IPv6 clients always
return action URLs that will go to an IPv6 hostname, and vice-versa for
IPv4; or to disable CSRF protection.

Later,
John

> From: David Hubbard <dhubbard@dino.hostasaurus.com>
>
> Hey all, as we've slowly deployed IPv6 to our end users, it has begun to
> cause some issues for those on Macs specifically.  Apple apparently has
> an algorithm at some point in the network stack to decide whether IPv4
> or IPv6 is, perhaps, 'better' or 'faster' at any given point in time
> during an ongoing session.  This allows a computer talking to a dual
> stack remote website to flip flop between v4 and v6 as activity is
> conducted.
>
> Websites that require some type of authentication that is handled via
> session cookies have been booting our users out randomly with "your ip
> address has changed" type message.  This occurs when their Mac decides
> to switch between protocols because the site views it as a session
> hijacking attempt when Joe User with session ID xyz switches from
> 192.0.2.10 to 2001:db8::1:1:a or vice versa.
>
> Has anyone run into this?  Our users on other platforms don't seem to
> have this issue; Linux and MS desktops seem to just use v6 if it's
> available and v4 if not.
>
> Thanks,
>
> David
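A small Python model of the WAF behaviour John describes (CSRF token bound to the source address of the GET) and of his second workaround (per-address-family action URLs). This is an added example, not code from the post or from any vendor's product; the hostnames, secret and the two addresses are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed values for the demo; the secret is a placeholder, not a real key.
WAF_SECRET = b"constructed-demo-secret"
DUAL_STACK_HOST = "www.example.com"                           # assumed dual-stack site name
FAMILY_HOST = {4: "ipv4.example.com", 6: "ipv6.example.com"}  # assumed single-family aliases


def csrf_token(form_id: str, client_ip: str) -> str:
    """Model of the WAF behaviour in the post: the hidden field inserted
    into the form is bound to the address the GET arrived from."""
    msg = f"{form_id}|{ipaddress.ip_address(client_ip)}".encode()
    return hmac.new(WAF_SECRET, msg, hashlib.sha256).hexdigest()


def verify_post(form_id: str, token: str, client_ip: str) -> bool:
    """The check on submit: the POST must carry a token minted for the
    address it is now coming from, so a v6 GET followed by a v4 POST fails."""
    return hmac.compare_digest(token, csrf_token(form_id, client_ip))


def family_pinned_action(action_url: str, client_ip: str) -> str:
    """Second workaround from the post: a client that fetched the form over
    IPv6 gets an action URL on an IPv6-only hostname (and likewise for IPv4),
    so the browser cannot flip address family between GET and POST."""
    family = ipaddress.ip_address(client_ip).version
    parts = urlsplit(action_url)
    if parts.hostname == DUAL_STACK_HOST:
        netloc = FAMILY_HOST[family]
        if parts.port:
            netloc += f":{parts.port}"
        parts = parts._replace(netloc=netloc)
    return urlunsplit(parts)


def dual_stack_flip(form_id: str, get_ip: str, post_ip: str) -> bool:
    """Replay the scenario from the thread: form fetched from get_ip,
    submitted from post_ip. Returns whether the WAF would accept it."""
    token = csrf_token(form_id, get_ip)
    return verify_post(form_id, token, post_ip)


if __name__ == "__main__":
    v6, v4 = "2001:db8::1:1:a", "192.0.2.10"
    print("same address accepted:", dual_stack_flip("login", v6, v6))
    print("v6 GET, v4 POST accepted:", dual_stack_flip("login", v6, v4))
    print("pinned action:", family_pinned_action(f"https://{DUAL_STACK_HOST}/login", v6))
```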




