[17139] in North American Network Operators' Group

Re: Suggestion for improved identD

daemon@ATHENA.MIT.EDU (Sean Donelan)
Fri May 22 16:34:24 1998

Date: Fri, 22 May 1998 15:22:37 -0500
From: Sean Donelan <SEAN@SDG.DRA.COM>
To: nanog@merit.edu

>The question here is 'trust'. Why bother using ident in ANY code anymore
>if it can't be trusted? Yet it still is. So move the trust demarcation point
>to where the user has no control over it. Remember, if it's a static IP or
>network client, you don't proxy ident requests - since the static IP is the
>demarcation point of trust. They can change their ident, but no matter what,
>their IP or network still stays the same.

The problem is 'indemnification.'  If you want to authenticate or positively
identify the origin of a connection, well I suspect you already know the
answer.

I'm not going to promise just because you received a packet allegedly from
my network, that it originated on my network.  And there is no demarcation
point in the network, outside the portion you directly control, you positively
know the user has no control over.
-- 
Sean Donelan, Data Research Associates, Inc, St. Louis, MO
  Affiliation given for identification not representation
