nanog mailing list archives
Re: Suggestion for improved identD
From: Phil Howard <phil () charon ipal net>
Date: Tue, 19 May 1998 18:21:08 -0500 (CDT)
> Suggestion: PPP access devices intercept identD requests and return the authenticated access string.
>
> Reasoning: Modern ``stacks'' used by end-users -- especially those on throwaway accounts, fake any identD response. This makes tracking those people tougher.
>
> Methods:
>   1: identD v2, new port, intercepted by access devices which support it.
>   2: modification to hosts requirement RFCs, making access devices responsible for intercepting identD requests to their PPP clients.
>   3: a security RFC ``suggesting'' 1 or 2
>
> Thoughts appreciated, as are comments, flames, blames, and anything of some content.
There isn't necessarily just a single user on the other end of a PPP connection. Many things will break if the actual user and the user that PPP intercepted identd asserts do not match.

Providing such information may be a violation of confidentiality if it gives information about a person or that person's account, especially if the person does not want to give it out.

Because the PPP access device cannot know, unless it also tracks all the traffic involved, what ports are in fact in use, it would have to give the response for any port, even if not in use. This means anyone can get the ID only by knowing the IP. This will be very VERY easy to abuse by spammers trolling for addresses, under the notion that the ident data generally would match the e-mail address for that domain.

I believe you misunderstand the purpose of identd. It was intended to supplement the IP address on a multi-user system to narrow the focus of trust in cases where the system itself was trusted (no longer a valid assumption these days).

Why do you want this data? And would you really want the correct userid from a multi-user system or a masqueraded network of multiple machines which the PPP device cannot know?

--
Phil Howard | suck4it5 () no1where net stop1763 () spammer1 edu stop9it3 () s6p5a7m9 com
phil        | end6ads6 () dumb3ads net suck5it1 () anyplace org blow7me5 () anyplace com
at          | end0it35 () anywhere com end2ads4 () lame0ads org stop4698 () anyplace com
ipal        | stop0577 () anywhere edu no92ads1 () s5p1a2m7 net a6b8c5d2 () spam1mer net
dot         | w1x7y9z6 () spam8mer edu die0spam () lame2ads com crash308 () spammer0 org
net         | end0ads7 () dumbads6 org stop6it4 () no05ads8 net no9way66 () s8p7a9m6 net
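The exchange being argued about above is the RFC 1413 ident protocol: the querying side sends "<port-on-server> , <port-on-client>", and the responding side answers with USERID or an ERROR. The following Python is an added illustration written for this archive page, not code from the thread or from any ident implementation. It models both responders the reply contrasts: a multi-user host that consults its own connection table and answers NO-USER for port pairs it does not own, and a hypothetical intercepting access device (the proposal's design) that knows only the authenticated login and so must hand it back for every port pair. The connection table, the login "dialup-user42" and the function names are constructed for the example; the (6191, 23) pair is RFC 1413's own worked example.

```python
import re

# Constructed sample connection table for the responding host, keyed by
# (port on this host, port on the remote host). A real ident responder
# reads this from the kernel's socket table; a PPP access device that does
# not track its client's traffic has no such table at all.
CONNECTION_TABLE = {
    (6191, 23): "stjohns",   # RFC 1413's own worked example pair
    (6193, 25): "mailer",
}

# Response grammar: "<server-port> , <client-port> : USERID|ERROR : <rest>"
RESPONSE_RE = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$"
)


def parse_query(line):
    """Parse an RFC 1413 query line '<port-on-server> , <port-on-client>'."""
    parts = line.strip().split(",")
    if len(parts) != 2:
        raise ValueError("malformed query")
    try:
        sp, cp = (int(p.strip()) for p in parts)
    except ValueError:
        raise ValueError("non-numeric port")
    if not (1 <= sp <= 65535 and 1 <= cp <= 65535):
        raise ValueError("port out of range")
    return sp, cp


def host_respond(query, table=CONNECTION_TABLE):
    """Responder on a multi-user host: answers only for connections it owns."""
    try:
        sp, cp = parse_query(query)
    except ValueError:
        return "0 , 0 : ERROR : INVALID-PORT"
    user = table.get((sp, cp))
    if user is None:
        return f"{sp} , {cp} : ERROR : NO-USER"
    return f"{sp} , {cp} : USERID : UNIX : {user}"


def access_device_respond(query, login="dialup-user42"):
    """Hypothetical intercepting PPP access device from the proposal: it knows
    the authenticated login but not which ports are open, so it answers every
    valid port pair the same way (the weakness the reply points out)."""
    try:
        sp, cp = parse_query(query)
    except ValueError:
        return "0 , 0 : ERROR : INVALID-PORT"
    return f"{sp} , {cp} : USERID : UNIX : {login}"


def parse_response(line):
    """Parse a response on the querying side. The user-id comes back as an
    untrusted hint: the remote end chose it, and nothing here verifies it."""
    m = RESPONSE_RE.match(line)
    if not m:
        return None
    sp, cp, kind, rest = m.groups()
    result = {"server_port": int(sp), "client_port": int(cp), "type": kind}
    if kind == "ERROR":
        result["error"] = rest
    else:
        opsys, _, userid = rest.partition(":")
        result["opsys"] = opsys.strip()
        result["userid"] = userid.strip()
    return result


def distinct_userids(responder, remote_port, local_ports):
    """Ask a responder about several local ports against one remote port and
    collect the user-ids it returns. A host only answers for the pair that is
    really open; the access device answers for all of them, which is what makes
    its reply harvestable by anyone who knows the IP."""
    ids = set()
    for lp in local_ports:
        r = parse_response(responder(f"{lp} , {remote_port}"))
        if r and r["type"] == "USERID":
            ids.add(r["userid"])
    return ids


if __name__ == "__main__":
    for q in ("6191, 23", "6191, 24", "70000, 23"):
        print(f"host   <- {q!r:14} -> {host_respond(q)}")
        print(f"device <- {q!r:14} -> {access_device_respond(q)}")
```

Run as a script it prints the two responders side by side for an open pair, a closed pair and an out-of-range port; the closed pair is where they diverge, since only the host can say NO-USER. The querying-side parser deliberately returns the user-id as a plain field rather than treating it as an identity, which is the narrow "supplement to the IP address" role the reply describes.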
Current thread:
- Suggestion for improved identD Ehud Gavron (May 19)
- Re: Suggestion for improved identD Daniel Reed (May 19)
- Re: Suggestion for improved identD Troy Davis (May 19)
- Re: Suggestion for improved identD Daniel Reed (May 19)
- Re: Suggestion for improved identD Christopher Neill (May 20)
- Re: Suggestion for improved identD Dalvenjah FoxFire (May 20)
- Message not available
- Re: Suggestion for improved identD Jay R. Ashworth (May 20)
- Re: Suggestion for improved identD Dalvenjah FoxFire (May 20)
- Re: Suggestion for improved identD Daniel Reed (May 19)
- Re: Suggestion for improved identD Ehud Gavron (May 19)
- Re: Suggestion for improved identD Phil Howard (May 20)
- Re: Suggestion for improved identD Adrian Chadd (May 19)
- Re: Suggestion for improved identD Steve Sobol (May 22)
- Re: Suggestion for improved identD Adrian Chadd (May 20)
- Message not available
- Re: Suggestion for improved identD Jay R. Ashworth (May 21)
- Re: Suggestion for improved identD Paul Mansfield (May 21)