nanog mailing list archives
Re: Suggestion for improved identD
From: Adrian Chadd <adrian () creative net au>
Date: Wed, 20 May 1998 10:57:24 +0800
Phil Howard writes:
> There isn't necessarily just a single user on the other end of a PPP connection. Many things will break if the actual user and the user that PPP intercepted identd asserts do not match. Providing such information may be a violation of confidentiality if it gives information about a person or that person's account, especially if the person does not want to give it out.
Then do the hash thing that I suggested earlier. (I'm not taking credit for the idea btw.. it wasn't mine.)
> Because the PPP access device cannot know, unless it also tracks all the traffic involved, what ports are in fact in use, it would have to give the response for any port, even if not in use. This means anyone can get the ID only by knowing the IP. This will be very VERY easy to abuse by spammers trolling for addresses, under the notion that the ident data generally would match the e-mail address for that domain.
Then do the hash thing.
> I believe you misunderstand the purpose of identd. It was intended to supplement the IP address on a multi-user system to narrow the focus of trust in cases where the system itself was trusted (no longer a valid assumption these days).
The system might not be trusted.. but the NAS is. Why bother with ident in any case if most of the dialup users can spoof it? Far far too many applications still send off an ident request and log it.
> Why do you want this data? And would you really want the correct userid from a multi-user system or a masqueraded network of multiple machines which the PPP device cannot know?
If you really needed this, then have the NAS configurable so:

* You can send a RADIUS/TACACS tag specifying "no ident spoofing"
* It doesn't spoof ident on IPs that aren't in the specified IP pools

That provides ident support for dialup clients, but passes through ident requests for static clients. You can't get the contact details directly from the hash, but you can use it to deny access to services (e.g. sendmail, nntp, irc) that run ident checks.

Adrian
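An added illustration of the NAS behaviour proposed above (example code, not from the thread or any NAS vendor): the access device answers RFC 1413 queries for addresses in its dialup pools with a keyed hash of the account instead of the account name, passes the query through for static IPs and for sessions tagged "no ident spoofing", and rejects malformed port pairs. The pool, session table, secret and account names are all constructed for the example; the token is stable per account, so a service can deny-list it without learning the account behind it.

```python
import hmac
import hashlib
import ipaddress

# Constructed configuration: which address ranges are dialup pools, and the
# NAS's own view of which account currently holds which pool address.
DIALUP_POOLS = [ipaddress.ip_network("10.1.0.0/16")]
SESSIONS = {
    "10.1.0.5": {"user": "alice@example.net", "no_ident_spoof": False},
    # This session carries the RADIUS/TACACS "no ident spoofing" tag.
    "10.1.0.9": {"user": "bob@example.net", "no_ident_spoof": True},
}
NAS_SECRET = b"constructed-per-NAS-secret"  # rotating it invalidates old tokens


def ident_token(user, secret=NAS_SECRET):
    """Opaque, stable per-account token: usable in deny lists, not reversible."""
    return hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()[:32]


def in_pool(ip, pools=DIALUP_POOLS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in pools)


def parse_query(line):
    """RFC 1413 query: '<port on queried host> , <port on querying host>'."""
    a, b = line.split(",")
    sp, cp = int(a), int(b)
    if not (1 <= sp <= 65535 and 1 <= cp <= 65535):
        raise ValueError("port out of range")
    return sp, cp


def nas_ident_response(query, client_ip, sessions=SESSIONS,
                       pools=DIALUP_POOLS, secret=NAS_SECRET):
    """Reply the NAS sends on behalf of client_ip, or None to pass the query through."""
    if not in_pool(client_ip, pools):      # static client: do not intercept
        return None
    sess = sessions.get(client_ip)
    if sess is None or sess["no_ident_spoof"]:  # no session, or tagged: pass through
        return None
    try:
        sp, cp = parse_query(query)
    except ValueError:
        return f"{query.strip()} : ERROR : INVALID-PORT"
    # Any port pair gets an answer, since the NAS does not track connections.
    return f"{sp} , {cp} : USERID : OTHER : {ident_token(sess['user'], secret)}"
```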