Suggestion for improved identD

Phil Howard phil at charon.ipal.net
Tue May 19 23:21:08 UTC 1998


> Suggestion:	PPP access devices intercept identD requests
> 		and return the authenticated access string.
> 
> Reasoning:	Modern ``stacks'' used by end-users -- especially
> 		those on throwaway accounts, fake any identD response.
> 		This makes tracking those people tougher.
> 
> Methods:	1: identD v2, new port, intercepted by access devices
> 		   which support it.
> 
> 		2: modification to hosts requirement RFCs, making
> 		   access devices responsible for intercepting identD
> 		   requests to their PPP clients.
> 
> 		3: a security RFC ``suggesting'' 1 or 2
> 
> Thoughts appreciated, as are comments, flames, blames, and anything
> of some content.

There isn't necessarily just a single user on the other end of a PPP
connection.  Many things will break if the actual user and the user
that PPP intercepted identd asserts do not match.

Providing such information may be a violation of confidentiality if
it gives information about a person or that person's account, especially
if the person does not want to give it out.

Because the PPP access device cannot know, unless it also tracks all the
traffic involved, what ports are in fact in use, it would have to give
the response for any port, even if not in use.  This means anyone can
get the ID only by knowing the IP.  This will be very VERY easy to abuse
by spammers trolling for addresses, under the notion that the ident data
generally would match the e-mail address for that domain.

I believe you misunderstand the purpose of identd.  It was intended to
supplement the IP address on a multi-user system to narrow the focus of
trust in cases where the system itself was trusted (no longer a valid
assumption these days).

Why do you want this data?  And would you really want the correct userid
from a multi-user system or a masqueraded network of multiple machines
which the PPP device cannot know?

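As an added example that is not part of the original post, here is a small simulation of the two responders Phil contrasts: an RFC 1413 identd on the host, which consults its own connection table, and the proposed PPP-device interceptor, which has none and can only answer with the link's login. The connection table, user names and port numbers are constructed sample data.

```python
# Added example (not from the original post): why an ident responder that
# lacks per-connection knowledge answers for ports that are not in use.
# CONNECTIONS, PPP_LOGIN and the port numbers below are constructed.

CONNECTIONS = {  # (port-on-server, port-on-client) -> owning user
    (6191, 23): "alice",
    (1024, 113): "bob",
}

PPP_LOGIN = "alice"  # the login the access device authenticated the link as


def parse_query(line):
    """Parse an RFC 1413 request 'server-port , client-port'.

    Returns (server_port, client_port) or None when the request is malformed
    or a port is outside 1..65535.
    """
    parts = line.strip().split(",")
    if len(parts) != 2:
        return None
    try:
        sport, cport = int(parts[0]), int(parts[1])
    except ValueError:
        return None
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return None
    return sport, cport


def host_identd(line, table=CONNECTIONS):
    """Host-resident identd: answers USERID only for connections it owns."""
    q = parse_query(line)
    if q is None:
        return "0 , 0 : ERROR : INVALID-PORT"
    user = table.get(q)
    if user is None:
        return "%d , %d : ERROR : NO-USER" % q
    return "%d , %d : USERID : UNIX : %s" % (q[0], q[1], user)


def ppp_interceptor(line, login=PPP_LOGIN):
    """Proposed access-device interceptor: it tracks no connections, so every
    well-formed port pair is answered with the link's authenticated login."""
    q = parse_query(line)
    if q is None:
        return "0 , 0 : ERROR : INVALID-PORT"
    return "%d , %d : USERID : UNIX : %s" % (q[0], q[1], login)


def answers_unused_port(responder, probe="65000 , 65000"):
    """True if a port pair that is not in use still yields a USERID reply."""
    return ": USERID :" in responder(probe)
```

Running `answers_unused_port` against both responders shows the difference Phil describes: the host identd reports NO-USER for the unused pair, while the interceptor hands out the login for any IP it serves.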