Suggestion for improved identD
Brett Frankenberger
brettf at netcom.com
Fri May 22 18:27:14 UTC 1998
:: Tom Perrine writes ::
>
> I've been following the "need a better IDENT" thread for a bit, and
> have some questions and suggestions.
>
> Let's see if we can *really* define what it is we really want, and
> figure out if IDENT or "son of IDENT" is really the answer.
My two cents: IDENT is fundamentally bad for this application for
several reasons, a few of which I will enumerate:
-- It requires devices in the middle to intercept packets and
masquerade as another device, for the purpose of answering IDENT
requests. I philosophically find this unacceptable. Some may disagree,
but enough will probably agree to prevent this from ever getting to
100% deployment. Packets from my IP address should be from me, and
packets to my IP address should get to me.
-- It provides no way of knowing the source of the information. That
is, if I IDENT you, I might be getting an easily faked response from
your PC or a not-so-easily-faked response from some device at your ISP.
I have no way of knowing which is which.
-- IDENT was indended to provide port level information -- that is,
what user does Machine X think it using Port Y on Machine X. We have
to give this up if we go with forged IDENT responses. It would be
better to leave this in place, and implement a new means of getting the
new information that we now want, which is: Who does the owner of IP
address A.B.C.D think is currently using that address. (Port-level
information is, of course, useless on a multi-user machine ... but the
"Server End" of a connection has no way of knowing if the client-end is
multi-user or single-user.)
ISTM that a much better way to accomplish this would be TXT records
(or, if we want to make this more complicated, some new RR type)
associated with the IN-ADDR.ARPA domain. Using dynamic updates and
very small TTL, the ISP can change these as the address is assigned to
a new user. This lets you reasonably get the IP Address Owner's
opinion of who has that IP address, without giving up anything we
already have, and without creating any ambiguity as to the source of
the information -- IDENT comes from whoever owns the machine,
IN-ADDR.ARPA comes from whoever has the IP Address Space.
- Brett (brettf at netcom.com)
------------------------------------------------------------------------------
... Coming soon to a | Brett Frankenberger
.sig near you ... a Humorous Quote ... | brettf at netcom.com
More information about the NANOG
mailing list