handleConnectionRequest should not blindly believe theirAddress

Description

From casually reading the code, I'm worried about believing the received EndPointAddress in handleConnectionRequest.

In an environment where not all processes have the same credentials, this opens up the ability to spoof other processes.

If node A connects to node B and presents itself as node C, then this is a spoofing attempt.

(Not fixing this severely restricts the use-cases for CH).

Rather, I think what should be done is by default to screen the incoming EndPointAddress against Network.Socket.getPeerName and reject anything that does not match.

Bonus points for having a callback that can act as a "firewall" in case the transport is going through a NAT (in which case accepting the EndPointAddress is essential in getting bi-directional connectivity).

Environment

None

Assignee

Tim Watson

Reporter

Alexander Kjeldaas

Labels

None

External issue ID

None

OS

Linux

Priority

Minor
Configure