Re: Suggestion for improved identD


From: Phil Howard <phil () charon ipal net>
Date: Tue, 19 May 1998 18:21:08 -0500 (CDT)

Suggestion:   PPP access devices intercept identD requests
              and return the authenticated access string.

Reasoning:    Modern ``stacks'' used by end-users -- especially
              those on throwaway accounts, fake any identD response.
              This makes tracking those people tougher.

Methods:      1: identD v2, new port, intercepted by access devices
                 which support it.

              2: modification to hosts requirement RFCs, making
                 access devices responsible for intercepting identD
                 requests to their PPP clients.

              3: a security RFC ``suggesting'' 1 or 2

Thoughts appreciated, as are comments, flames, blames, and anything
of some content.

There isn't necessarily just a single user on the other end of a PPP
connection.  Many things will break if the actual user and the user
that PPP intercepted identd asserts do not match.

Providing such information may be a violation of confidentiality if
it gives information about a person or that person's account, especially
if the person does not want to give it out.

Because the PPP access device cannot know, unless it also tracks all the
traffic involved, what ports are in fact in use, it would have to give
the response for any port, even if not in use.  This means anyone can
get the ID only by knowing the IP.  This will be very VERY easy to abuse
by spammers trolling for addresses, under the notion that the ident data
generally would match the e-mail address for that domain.

I believe you misunderstand the purpose of identd.  It was intended to
supplement the IP address on a multi-user system to narrow the focus of
trust in cases where the system itself was trusted (no longer a valid
assumption these days).

Why do you want this data?  And would you really want the correct userid
from a multi-user system or a masqueraded network of multiple machines
which the PPP device cannot know?

-- 
Phil Howard | suck4it5 () no1where net stop1763 () spammer1 edu stop9it3 () s6p5a7m9 com
  phil      | end6ads6 () dumb3ads net suck5it1 () anyplace org blow7me5 () anyplace com
      at    | end0it35 () anywhere com end2ads4 () lame0ads org stop4698 () anyplace com
  ipal      | stop0577 () anywhere edu no92ads1 () s5p1a2m7 net a6b8c5d2 () spam1mer net
     dot    | w1x7y9z6 () spam8mer edu die0spam () lame2ads com crash308 () spammer0 org
  net       | end0ads7 () dumbads6 org stop6it4 () no05ads8 net no9way66 () s8p7a9m6 net
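The objection above (an access device that does not track its clients' TCP sessions cannot know which port pairs are in use, so it must answer for every port, which turns ident into a login-name oracle for anyone who knows the IP) can be made concrete with a small RFC 1413 responder. The following is an added example, not code from the thread or from any access-device vendor. It parses an ident request line, then answers it two ways: from a hypothetical per-connection table (only real sessions get a USERID reply) and without one (every well-formed request gets the login). The connection table and login names are constructed sample data.

```python
"""RFC 1413 (ident) request handling, with and without connection tracking.
Added example; not code from the original thread."""
import re

# RFC 1413 request: "<server-port> , <client-port>", where server-port is the
# port on the host running the ident server. Whitespace around the comma is
# permitted; valid ports are 1..65535.
_REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

# Hypothetical connection table kept by an access device that tracks its PPP
# clients' TCP sessions: (client's local port, remote port) -> authenticated
# login string. Constructed sample data.
SAMPLE_CONNECTIONS = {
    (1025, 6667): "alice",   # an IRC session opened by the login "alice"
    (1026, 25): "alice",     # an SMTP session opened by the same login
}


def parse_request(line):
    """Return (server_port, client_port) as ints, or None if the line is not
    of the form 'port , port'. Range checking is done separately."""
    m = _REQUEST_RE.match(line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def _ports_valid(pair):
    return pair is not None and all(1 <= p <= 65535 for p in pair)


def _invalid_reply(pair):
    # RFC 1413 error reply; echo the pair if we parsed one, else 0 , 0
    sport, cport = pair if pair is not None else (0, 0)
    return "%d , %d : ERROR : INVALID-PORT" % (sport, cport)


def tracked_response(line, connections):
    """Reply from a device that knows which ports its client has open.

    Only a port pair present in the connection table yields a USERID reply;
    any other pair is refused with NO-USER, so the login cannot be learned
    by probing arbitrary ports."""
    pair = parse_request(line)
    if not _ports_valid(pair):
        return _invalid_reply(pair)
    sport, cport = pair
    user = connections.get((sport, cport))
    if user is None:
        return "%d , %d : ERROR : NO-USER" % (sport, cport)
    return "%d , %d : USERID : UNIX : %s" % (sport, cport, user)


def untracked_response(line, login):
    """Reply from a device that does NOT track connections.

    It cannot tell whether the port pair is in use, so it returns the
    authenticated login for every well-formed request: exactly the
    enumeration problem described in the reply above."""
    pair = parse_request(line)
    if not _ports_valid(pair):
        return _invalid_reply(pair)
    sport, cport = pair
    return "%d , %d : USERID : UNIX : %s" % (sport, cport, login)


if __name__ == "__main__":
    for req in ("1025 , 6667", "4000, 80", "99999 , 1", "garbage"):
        print("tracked   %-12r -> %s" % (req, tracked_response(req, SAMPLE_CONNECTIONS)))
        print("untracked %-12r -> %s" % (req, untracked_response(req, "alice")))
```

Run as a script it prints both reply styles side by side for a real session, an unused port pair, an out-of-range port and a malformed line; the untracked variant hands out "alice" for the unused pair, while the tracked one returns NO-USER. The cost of the safer behaviour is the per-connection state that the reply says the access device would otherwise not have.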