Suggestion for improved identD

Dalvenjah FoxFire dalvenjah at dal.net
Wed May 20 15:26:28 UTC 1998


On Wed, May 20, 1998 at 12:25:48AM -0400, Christopher Neill put this into my mailbox:

> There are valid reasons for a mail to be sent claiming to be sent from
> an address it wasn't actually sent from (this is why there is sendmail
> -f). Identd, on the other hand, is wholly worthless. I can't believe
> people actually trust it (ie, in wrappers), as it is so trivially
> forged.
> 
> I think the "proxy ident" idea is the most silly thing I've heard in
> ages. Come up with a rotating key-based way to authenticate clients
> and we can talk turkey..

I hate to break it to you, but not everyone runs Win95 or a Niftee NT
Box where people can forge ident to be whatever they please. Some of us
actually run REAL multiuser operating systems where the ident can be trusted.

In these cases, the ident value is often the only method we've got for
tracking down a particular user. Otherwise, someone who spams, or otherwise
abuses someone's services could be any one of a hundred users.

When it's properly set up by clueful people and can be trusted, ident is
good for exactly one thing: identification.

While ident may not need to return a string useful to you or me, it is useful
to the ISP in that this string can be used to reliably identify a user (or,
most likely, an abuser). In addition, if the *same* string is returned each
time ident is queried for a particular user, this can be used in a hosts.deny
or other ban. If JoeSpammer at pm65.yourisp.com decides to try and bring down
my mail servers by spamming my users with Make Money Fast, I can add
JoeSpammer@*.yourisp.com to hosts.deny, and my friend Fred at yourisp.com
can still send me e-mail. Same goes for IRC.

I don't want to hear any BS about how 'ident is unreliable' and 'ident
can't be trusted'. If it's been properly set up such that the ISP controls
what is returned rather than the user, or if the protocol is properly
redesigned to guarantee this, it *WILL* be trustworthy. And if a particular
ISP can't be trusted to run a proper ident, then they get their entire
network blocked.

Right now, if someone from earthlink.net or aol.com or uu.net starts
abusing my services, I'm pretty much screwed. Do I let the idiot keep
doing it, and hope that the abuse desk gets around to my complaint in
the next week? Or do I ban the entire domain and hope to god that the
number of e-mails asking what happened is under ten thousand this time?
Some way of determining that the user connecting now from
ip5.tnt11.max5.dallas.uu.net is the same person who came on collecting
passwords from ip2.tnt5.max3.sanantonio.uu.net would be REALLY nice.

Note, ident doesn't have to be 100% reliable and trustworthy all of a
sudden. Nobody should ever use it for authentication. But it sure would
be nice if it (or something like it) could be trusted to determine, to
both sides, that UserA who's connecting at 4 PM is the same UserA who
connected at 10 AM. That's all it needs to do.

-dalvenjah
-- 
 Dalvenjah FoxFire (aka Sven Nielsen) "Never mess with a dragon, for you are
 Founder, the DALnet IRC Network       crunchy, and taste good with ketchup."
 
 e-mail: dalvenjah at dal.net             WWW: http://www.dal.net/~dalvenjah/
 whois: SN90                           Try DALnet! http://www.dal.net/
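As an added example, not part of Dalvenjah's post or the NANOG thread: a small Python helper that issues the RFC 1413 query an identd-aware server makes for an incoming connection, parses the reply, and turns a stable ident string into a hosts_access(5)-style `user@.domain` client pattern for hosts.deny, the JoeSpammer@*.yourisp.com case above (TCP wrappers write that wildcard as a leading dot). The sample replies are constructed (one is the RFC's own "stjohns" example); the two-label domain heuristic and the character whitelist applied to the returned user-id are my assumptions, the latter because an ident string is remote-controlled input and must not be pasted into an access-control file unchecked.

```python
"""RFC 1413 (ident) helpers: build the query, parse the reply, derive a
TCP-wrappers-style user@.domain pattern. Added example, not from the post."""
import re
import socket

IDENT_PORT = 113

# Reply grammar (RFC 1413):
#   <server-port> , <client-port> : USERID : <opsys>[,<charset>] : <user-id>
#   <server-port> , <client-port> : ERROR  : <error-type>
_REPLY = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")

# Assumption: only these characters are allowed into a hosts.deny pattern, so a
# hostile identd cannot smuggle whitespace, ':' or '#' into the access file.
_SAFE_USERID = re.compile(r"[A-Za-z0-9._-]{1,64}")


def build_query(server_port, client_port):
    """The server asks the client's identd who owns the connection from
    client_port (their side) to server_port (our side)."""
    return f"{server_port} , {client_port}\r\n"


def parse_reply(raw, server_port, client_port):
    """Return {'opsys', 'userid'} or {'error'}; raise ValueError on a malformed
    line or on a reply for a different port pair (useless for attribution)."""
    line = raw.rstrip("\r\n")
    m = _REPLY.match(line)
    if not m:
        raise ValueError(f"malformed ident reply: {line!r}")
    sp, cp, kind, rest = m.groups()
    if int(sp) != server_port or int(cp) != client_port:
        raise ValueError("ident reply is for a different port pair")
    if kind == "ERROR":
        return {"error": rest}
    # user-id may itself contain ':' so split only at the first one.
    opsys, sep, userid = rest.partition(":")
    if not sep:
        raise ValueError(f"USERID reply without user-id: {line!r}")
    return {"opsys": opsys.strip(), "userid": userid.strip()}


def deny_pattern(userid, hostname):
    """hosts_access(5) client pattern: user@.domain, so the same ident string is
    refused wherever inside the ISP it dials in from. Assumption: the ISP's
    domain is the last two labels (wrong for ccTLDs such as .co.uk)."""
    if not _SAFE_USERID.fullmatch(userid):
        raise ValueError(f"refusing to put untrusted user-id in hosts.deny: {userid!r}")
    labels = hostname.strip(".").split(".")
    domain = ".".join(labels[-2:]) if len(labels) >= 2 else hostname
    return f"{userid}@.{domain}"


def query_ident(client_ip, server_port, client_port, timeout=5.0):
    """Live lookup against the client's identd (TCP/113). Network call, not
    exercised offline; the result is only as trustworthy as that host."""
    with socket.create_connection((client_ip, IDENT_PORT), timeout=timeout) as s:
        s.sendall(build_query(server_port, client_port).encode("ascii"))
        raw = b""
        while b"\n" not in raw and len(raw) < 1024:
            chunk = s.recv(1024)
            if not chunk:
                break
            raw += chunk
    return parse_reply(raw.decode("latin-1"), server_port, client_port)


if __name__ == "__main__":
    # Constructed replies, as if read from a remote identd.
    ok = parse_reply("6193 , 23 : USERID : UNIX : stjohns\r\n", 6193, 23)
    print(ok, deny_pattern(ok["userid"], "pm65.yourisp.com"))
    print(parse_reply("6195 , 23 : ERROR : NO-USER\r\n", 6195, 23))
```

A wrapper daemon would call `query_ident()` with the accepted socket's peer address and port pair, log the returned user-id next to the hostname, and only then decide whether the `deny_pattern()` line belongs in hosts.deny; the ValueError paths are the cases where the remote side answered for some other connection or returned a string that should not be trusted even as an identifier.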



More information about the NANOG mailing list