Prevent reply attacks by tracking token IP address
We would like to add a simple token reply protection mechanism to the Keystone service.
Keystone tokens are bearer tokens and are vulnerable to reply attacks.
To mitigate these type attacks usually a simple association of Keystone token and its owner IP address is helpful. Consecutive Keystone token validation events with different than originator IP address would be blocked, unless allowed by the token owner from its primary IP address.
To prevent token validation failures OpenStack cluster operator would define cluster networks (white list networks) for whose token validation won't take into account token originator IP address.
Additional benefit of extended token validation is improved visibility and traceability of Keystone validation events for OpenStack user as in the scope of work would be also dashboard page providing list of the most recent successful AuthN events and unsuccessful token validation events, together with token issuance details and unsuccessful token validation details.
Blueprint information
- Status:
- Complete
- Approver:
- None
- Priority:
- Undefined
- Drafter:
- Adam Heczko
- Direction:
- Needs approval
- Assignee:
- Adam Heczko
- Definition:
- Obsolete
- Series goal:
- None
- Implementation:
-
Not started
- Milestone target:
- None
- Started by
- Completed by
- Lance Bragstad
Related branches
Related bugs
Sprints
Whiteboard
(lbragstad): This is an interesting idea and an alternative solution was discussed recently in IRC, but it used request signing with client x509 certificates to make sure both parties (client and server) validated requests and responses from each other.
I think it would be useful to propose this problem as a specification in the openstack/
[0] http://
