nanog mailing list archives

Re: Suggestion for improved identD

From: Adrian Chadd <adrian () creative net au>
Date: Wed, 20 May 1998 10:57:24 +0800

Phil Howard writes:

There isn't necessarily just a single user on the other end of a PPP
connection.  Many things will break if the actual user and the user
that PPP intercepted identd asserts do not match.

Providing such information may be a violation of confidentiality if
it gives information about a person or that person's account, especially
if the person does not want to give it out.


Then do the hash thing that I suggested earlier.
(I'm not taking credit for the idea btw.. it wasn't mine.)

Because the PPP access device cannot know, unless it also tracks all the
traffic involved, what ports are in fact in use, it would have to give
the response for any port, even if not in use.  This means anyone can
get the ID only by knowing the IP.  This will be very VERY easy to abuse
by spammers trolling for addresses, under the notion that the ident data
generally would match the e-mail address for that domain.


Then do the hash thing.

I believe you misunderstand the purpose of identd.  It was intended to
supplement the IP address on a multi-user system to narrow the focus of
trust in cases where the system itself was trusted (not longer a valid
assumption these days).


The system might not be trusted.. but the NAS is.
Why bother with ident in any case if most of the dialup users can spoof
it? Far far too many applications still send off an ident request and log
it.

Why do you want this data?  And would you really want the correct userid
from a multi-user system or a masqueraded network of multiple machines
which the PPP device cannot know?


If you really needed this, then have the NAS configureable so:

* You can send a RADIUS/TACACS tag specifying "no ident spoofing"
* It doesn't spoof ident on IPS that aren't in the specified IP pools

That provides ident support for dialup clients, but passes through ident
requests for static clients.


You can't get the contact details directly from the hash, but you can use
it to deny access to services (eg sendmail, nntp, irc) that run ident
checks.


Adrian

Current thread:

Re: Suggestion for improved identD, (continued)
- Re: Suggestion for improved identD Troy Davis (May 19)
  - Re: Suggestion for improved identD Daniel Reed (May 19)
    - Re: Suggestion for improved identD Christopher Neill (May 20)
    - Re: Suggestion for improved identD Dalvenjah FoxFire (May 20)
    - Message not available
    - Re: Suggestion for improved identD Jay R. Ashworth (May 20)
    - Re: Suggestion for improved identD Dalvenjah FoxFire (May 20)
  - Re: Suggestion for improved identD Studded (May 20)
- Re: Suggestion for improved identD Phil Howard (May 19)
  - Re: Suggestion for improved identD Ehud Gavron (May 19)
    - Re: Suggestion for improved identD Phil Howard (May 20)
  - Re: Suggestion for improved identD Adrian Chadd (May 19)
- Re: Suggestion for improved identD Adrian Chadd (May 19)
  - Re: Suggestion for improved identD Steve Sobol (May 22)
- Re: Suggestion for improved identD Edward S. Marshall (May 19)
- Re: Suggestion for improved identD Jon Lewis (May 20)
  - Re: Suggestion for improved identD Adrian Chadd (May 20)
    - Message not available
    - Re: Suggestion for improved identD Jay R. Ashworth (May 21)
    - Re: Suggestion for improved identD Paul Mansfield (May 21)
    - Message not available
    - Re: Suggestion for improved identD Jay R. Ashworth (May 21)
    - Re: Suggestion for improved identD Tom Perrine (May 22)
    - Re: Suggestion for improved identD Manar Hussain (May 22)

(Thread continues...)