Suggestion for improved identD
Sean Donelan
SEAN at SDG.DRA.COM
Fri May 22 20:22:37 UTC 1998
>The question here is 'trust'. Why bother using ident in ANY code anymore
>if it can't be trusted? Yet it still is. So move the trust demarcation point
>to where the user has no control over it. Remember, if its a static IP or
>network client, you don't proxy ident requests - since the static IP is the
>demarcation point of trust. They can change their ident, but no matter what,
>their IP or network still stays the same.
The problem is 'indemnification.' If you want to authenticate or postively
identify the origin of a connection, well I suspect you already know the
answer.
I'm not going to promise just because you received a packet allegdly from
my network, that it originated on my network. And there is no demarcation
point in the network, outside the portion you directly control, you positively
know the user has no control over.
--
Sean Donelan, Data Research Associates, Inc, St. Louis, MO
Affiliation given for identification not representation
More information about the NANOG
mailing list