[17000] in North American Network Operators' Group


Re: Suggestion for improved identD

daemon@ATHENA.MIT.EDU (Phil Howard)
Tue May 19 22:53:04 1998

From: Phil Howard <phil@charon.ipal.net>
To: GAVRON@ACES.COM (Ehud Gavron)
Date: Tue, 19 May 1998 18:21:08 -0500 (CDT)
Cc: nanog@merit.edu
In-Reply-To: <01IX817JA4Y49PLSMX@ACES.COM> from "Ehud Gavron" at May 19, 98 03:36:43 pm

> Suggestion:	PPP access devices intercept identD requests
> 		and return the authenticated access string.
> 
> Reasoning:	Modern ``stacks'' used by end-users -- especially
> 		those on throwaway accounts, fake any identD response.
> 		This makes tracking those people tougher.
> 
> Methods:	1: identD v2, new port, intercepted by access devices
> 		   which support it.
> 
> 		2: modification to hosts requirement RFCs, making
> 		   access devices responsible for intercepting identD
> 		   requests to their PPP clients.
> 
> 		3: a security RFC ``suggesting'' 1 or 2
> 
> Thoughts appreciated, as are comments, flames, blames, and anything
> of some content.

There isn't necessarily just a single user on the other end of a PPP
connection.  Many things will break if the actual user and the user
that PPP intercepted identd asserts do not match.

Providing such information may be a violation of confidentiality if
it gives information about a person or that person's account, especially
if the person does not want to give it out.

Because the PPP access device cannot know, unless it also tracks all the
traffic involved, what ports are in fact in use, it would have to give
the response for any port, even if not in use.  This means anyone can
get the ID only by knowing the IP.  This will be very VERY easy to abuse
by spammers trolling for addresses, under the notion that the ident data
generally would match the e-mail address for that domain.

I believe you misunderstand the purpose of identd.  It was intended to
supplement the IP address on a multi-user system to narrow the focus of
trust in cases where the system itself was trusted (no longer a valid
assumption these days).

Why do you want this data?  And would you really want the correct userid
from a multi-user system or a masqueraded network of multiple machines
which the PPP device cannot know?

-- 
Phil Howard | suck4it5@no1where.net stop1763@spammer1.edu stop9it3@s6p5a7m9.com
  phil      | end6ads6@dumb3ads.net suck5it1@anyplace.org blow7me5@anyplace.com
      at    | end0it35@anywhere.com end2ads4@lame0ads.org stop4698@anyplace.com
  ipal      | stop0577@anywhere.edu no92ads1@s5p1a2m7.net a6b8c5d2@spam1mer.net
     dot    | w1x7y9z6@spam8mer.edu die0spam@lame2ads.com crash308@spammer0.org
  net       | end0ads7@dumbads6.org stop6it4@no05ads8.net no9way66@s8p7a9m6.net
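
As an added illustration (example code, not part of the original message or of any identd implementation), a minimal RFC 1413 ident responder contrasting the host-based behaviour with the proposed PPP-device interception; the connection table, user names and authentication string are constructed.

```python
# Added example: a host-based identd only answers for a connection it can see
# in its own TCP table, so a probe of an unused port pair yields NO-USER and
# each connection maps to its own user. A PPP access device that intercepts
# ident has no such table: it must answer every valid port pair with the one
# PPP authentication string, which turns any IP address into a user name.
import re

# Constructed sample of the end host's TCP connection table:
# (port-on-server, port-on-client) -> owning user. Hypothetical data.
CONNECTIONS = {
    (6193, 23): "stjohns",
    (6195, 25): "alice",
}

# RFC 1413 request: "<port-on-server> , <port-on-client>" followed by CRLF.
REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def parse_request(line: str):
    """Return the (server_port, client_port) pair, or None if malformed."""
    m = REQUEST_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    server_port, client_port = int(m.group(1)), int(m.group(2))
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return None
    return server_port, client_port


def host_identd(line: str, table=CONNECTIONS) -> str:
    """Behaviour of identd on the end host: answer only for a live connection."""
    pair = parse_request(line)
    if pair is None:
        return "0 , 0 : ERROR : INVALID-PORT"
    user = table.get(pair)
    if user is None:
        return f"{pair[0]} , {pair[1]} : ERROR : NO-USER"
    return f"{pair[0]} , {pair[1]} : USERID : UNIX : {user}"


def ppp_intercept_identd(line: str, auth_string: str) -> str:
    """The proposed interceptor: without a connection table it cannot tell a
    used port from an unused one, so every well-formed request is answered
    with the same PPP authentication string."""
    pair = parse_request(line)
    if pair is None:
        return "0 , 0 : ERROR : INVALID-PORT"
    return f"{pair[0]} , {pair[1]} : USERID : OTHER : {auth_string}"
```

Comparing `host_identd("4000, 23")` with `ppp_intercept_identd("4000, 23", ...)` shows the point of the reply: the host reports NO-USER for a port that is not in use, while the interceptor discloses an identity for it.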
