All Freenode connections originating from the #cloud-vps/#Toolforge network should be required to use [[https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer|SASL]] authentication. This would provide Freenode moderators with the ability to target individual bots which are misbehaving rather than having to fall back to IP range based blocking as is the worst case today.
Requiring authentication as part of connecting to Freenode is a protection similar to the authentication currently enforced for MediaWiki API writes from the Cloud VPS/Toolforge network.
The visibility into specific bots this would give to Freenode staff would also make it easier for IRC bot operators to comply with the directive from the [[https://wikitech.wikimedia.org/wiki/Wikitech:Cloud_Services_Terms_of_use|Cloud Services Terms of Use]] to "Do not interfere with other users’ projects, by being respectful of system and network resources".
== Proposed implementation ==
[x] Write up a Phabricator task describing the problem and proposed solution
[ ] Set a reasonably long, but firm, deadline for enforcing [[https://freenode.net/kb/answer/sasl#sasl-access-only-ip-ranges|SASL auth-only access restrictions for our network addresses]]
[ ] Begin education campaign to convert bots to SASL authentication
** cloud-announce post
** wikitech documentation
** phabricator tasks for known bots
[ ] Work as a community to help get as many bots as possible updated before the deadline
[ ] Ask Freenode to implement the range restriction
== Rationale ==
{T151704} has been an ongoing concern for years. Various attempts have been made to give Freenode more visibility into the Cloud VPS/Toolforge environment, but none of these efforts has produced a complete solution.
Passing [[https://en.wikipedia.org/wiki/Ident_protocol|ident]] requests from Freenode servers through the Wikimedia Cloud [[https://en.wikipedia.org/wiki/Network_address_translation|NAT]] gateway and back to Cloud VPS instances has proved technically challenging. These challenges are even more pronounced for IRC bots running on the #toolforge Kubernetes cluster, which introduces yet another layer of [[https://en.wikipedia.org/wiki/Software-defined_networking|software-defined networking]] as well as single-process containers, which would need some sort of proxy or "sidecar" container to actually answer the ident request.
Following a recent [[https://en.wikipedia.org/wiki/IRCd#K-line|k-line]] event involving the shared `nat.openstack.eqiad1.wikimediacloud.org` NAT gateway, discussion turned to alternatives to ident answers that would allow Freenode staff to more tightly target blocks against misbehaving and deliberately malicious IRC bots. Freenode staff confirmed that ident results would not have been sufficient to prevent the k-line, but that having all connections behind our NAT gateway authenticated to NickServ would have allowed fine-grained blocking.
== How to use SASL ==
* [[https://ircv3.net/specs/extensions/sasl-3.2|IRCv3.2 SASL Authentication]]
* Freenode provides [[https://freenode.net/kb/answer/sasl|help documentation on configuring SASL auth]] for many popular IRC clients.
* The [[https://github.com/bd808/python-ib3|IRC Bot Behavior Bundle (IB3)]] library adds SASL support to the popular [[https://pypi.org/project/irc/|irc python library]].
* TODO: add more SASL links (and move this bit to a wiki)
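The client side of the IRCv3 SASL PLAIN exchange that the links above describe, as an added example (not code from this task, from Freenode or from IB3): a bot negotiates the `sasl` capability, sends the RFC 4616 PLAIN payload, and fails closed on NAK or a 90x failure numeric instead of continuing unauthenticated. The server name, account and password are constructed placeholders.

```python
import base64


def sasl_plain_payload(authzid: str, authcid: str, password: str) -> str:
    """RFC 4616 PLAIN message: authzid NUL authcid NUL passwd, base64-encoded."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


class SaslPlainClient:
    """Bot-side IRCv3 CAP + SASL PLAIN handshake (assumed names, not an IB3 API)."""

    def __init__(self, nick: str, account: str, password: str):
        self.nick, self.account, self.password = nick, account, password
        self.authenticated = False
        self.aborted = False

    def start(self) -> list:
        # CAP LS must precede NICK/USER so the server holds registration until CAP END.
        return ["CAP LS 302", f"NICK {self.nick}", f"USER {self.nick} 0 * :{self.nick}"]

    def handle(self, line: str) -> list:
        """Take one raw server line and return the lines the bot should send back."""
        if line.startswith(":"):
            line = line.split(" ", 1)[1]  # drop the ":server" prefix
        head, _, trailing = line.partition(" :")
        parts = head.split()
        cmd = parts[0]
        if cmd == "CAP":
            sub = parts[2]
            caps = {c.split("=")[0] for c in trailing.split()}  # "sasl=PLAIN" -> "sasl"
            if sub == "LS" and len(parts) > 3 and parts[3] == "*":
                return []  # multi-line LS; wait for the final line
            if sub == "LS":
                return ["CAP REQ :sasl"] if "sasl" in caps else self._abort("no SASL offered")
            if sub == "ACK" and "sasl" in caps:
                return ["AUTHENTICATE PLAIN"]
            if sub == "NAK":
                return self._abort("SASL capability refused")
        elif cmd == "AUTHENTICATE" and parts[1] == "+":
            payload = sasl_plain_payload(self.account, self.account, self.password)
            # IRCv3 sends the payload in 400-byte chunks; an exact multiple ends with "+".
            chunks = [payload[i:i + 400] for i in range(0, len(payload), 400)]
            if len(payload) % 400 == 0:
                chunks.append("+")
            return [f"AUTHENTICATE {c}" for c in chunks]
        elif cmd == "903":  # RPL_SASLSUCCESS: finish registration
            self.authenticated = True
            return ["CAP END"]
        elif cmd in ("904", "905", "906", "907"):  # SASL failure numerics
            return self._abort("SASL authentication failed")
        return []  # e.g. 900 RPL_LOGGEDIN, PING, MOTD: nothing to do here

    def _abort(self, reason: str) -> list:
        self.aborted = True
        return [f"QUIT :{reason}"]
```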