SASL: Unique IP addresses

[patrick-irc]

After SASL authentication a user should get a unique IP address.

The IP address should at least work for

• ban, exemption, invitation, reop
• TKLINE
• Y-Line limit

and be shown in:

• stats L <nick>
• extended-join
• WHOX

The L-message will change from

L <userId> :<cloaked-hostname>

to

L <userId> <IP address> :<cloaked-hostname>

Rules for SASL providers:

• SASL Services must assign one unique and static IP address to a user.
• If there are different SASL providers, they must use different IP ranges.

Questions:
Should the ircd accept allow only IP addresses in a defined range from SASL services? E.g. fd00::/8

[kofany]

@patrick-irc: Just a suggestion regarding IRCnet and internal IPs per user. As you know, SASL on IRCnet can be decentralized, so you might consider assigning a different local sub-prefix for each IRCnet server (or SASL provider). This way, IPs would look something like fd80:SERVER_OR_SASL_PROVIDER_PREFIX:USER_ACCOUNT_ID. Structuring it like this prepares you for various scenarios, whether you’re using a single or multiple SASL providers, and everything will appear neat and organized. It will also improve readability for both users and operators.

Additionally, assigning local IPs to users with SASL can bring extra benefits. For example, such an address could potentially encode other useful information for operators in hexadecimal format. This demonstrates that the address can serve multiple purposes beyond simple identification.

[patrick-irc]

Yes, there is a lot of space in fd00::/8. One provider could use fd00::, the next fd01:: or like you suggested.

No, I don't want to encode any information in the IP address. But with the IPv6 address (and the SID/UID) the SASLservice knows who it is dealing with - if we should ever need such features after connect.

[patrick-irc]

We have decided to generate a subnet with the help of https://www.unique-local-ipv6.com/

fdf0:584f:e66b::/48 will be used for cloaks and the ircd will also check if SASLService sends an IP address within this range. Providers should use a /64.

sasl.ircnet.com will use fdf0:584f:e66b:1::/64