[17001] in North American Network Operators' Group


Re: Suggestion for improved identD

daemon@ATHENA.MIT.EDU (Adrian Chadd)
Tue May 19 22:59:30 1998

To: Ehud Gavron <GAVRON@ACES.COM>
Cc: nanog@merit.edu
In-reply-to: Your message of "Tue, 19 May 1998 15:36:43 MST."
             <01IX817JA4Y49PLSMX@ACES.COM> 
Date: Wed, 20 May 1998 10:41:38 +0800
From: Adrian Chadd <adrian@creative.net.au>

Ehud Gavron writes:
>Suggestion:	PPP access devices intercept identD requests
>		and return the authenticated access string.
>
>Reasoning:	Modern ``stacks'' used by end-users -- especially
>		those on throwaway accounts, fake any identD response.
>		This makes tracking those people tougher.
>
>Methods:	1: identD v2, new port, intercepted by access devices
>		   which support it.
>
>		2: modification to hosts requirement RFCs, making
>		   access devices responsible for intercepting identD
>		   requests to their PPP clients.
>
>		3: a security RFC ``suggesting'' 1 or 2
>
>Thoughts appreciated, as are comments, flames, blames, and anything
>of some content.

I've done this for a couple of internet providers in Western Australia.
Either by using transparent proxying under Linux (one used a Linux term
server..), or a route-map to a *nix box on a Cisco.

There are a few privacy issues too - if you want to see who is online,
you just send out ident requests to all dialup lines, and the 'real' idents
are returned. One Perth ISP fixed this by using a hash of the username.
That fixes IRC bans (so they can just ban *!*hash@*isp.com.au ) .. and if
someone wants to track a user down, they ring the ISP and hand over the
hash.


Adrian
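
Added example, not part of the original message or either ISP's code: a sketch of the responder side of the scheme described above, where the intercepting box answers an RFC 1413 ident query for a dial-up line with a token derived from the authenticated username. A keyed HMAC stands in for the plain "hash of the username" so outsiders cannot confirm guessed usernames; the secret, the session table, the 8-character truncation and all function names are assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample data: ISP-held secret and dial-up IP -> authenticated login.
SECRET = b"constructed-isp-secret"
SESSIONS = {"203.0.113.17": "jsmith", "203.0.113.42": "mbrown"}

# RFC 1413 query line: "<port-on-server> , <port-on-client>"
QUERY = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def ident_token(username, key=SECRET, length=8):
    """Stable per-user token: the same user always gets the same ident,
    so a ban on the token sticks, but the login name is never sent."""
    digest = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return digest[:length]


def answer(query_line, dialup_ip):
    """Build the reply the intercepting device sends for the line at dialup_ip."""
    m = QUERY.match(query_line)
    if not m:
        return "0, 0 : ERROR : INVALID-PORT"
    a, b = int(m.group(1)), int(m.group(2))
    if not (1 <= a <= 65535 and 1 <= b <= 65535):
        return f"{a}, {b} : ERROR : INVALID-PORT"
    user = SESSIONS.get(dialup_ip)
    if user is None:
        return f"{a}, {b} : ERROR : NO-USER"
    # Opsys field OTHER: the identifier is a token, not a real user name.
    return f"{a}, {b} : USERID : OTHER : {ident_token(user)}"


def resolve(token, accounts=None):
    """ISP-side lookup when a token is handed over in an abuse report.
    Returns a list because a truncated token can collide across accounts."""
    accounts = SESSIONS.values() if accounts is None else accounts
    return [u for u in accounts if hmac.compare_digest(ident_token(u), token)]


if __name__ == "__main__":
    print(answer("6193, 23\r\n", "203.0.113.17"))
    print(resolve(ident_token("mbrown")))
```

Sweeping every dial-up line with ident queries now yields only tokens, and mapping a token back to an account requires the ISP's secret.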
