nanog mailing list archives
Re: Suggestion for improved identD
From: Brett Frankenberger <brettf () netcom com>
Date: Fri, 22 May 1998 13:27:14 -0500 (CDT)
:: Tom Perrine writes ::
I've been following the "need a better IDENT" thread for a bit, and have some questions and suggestions. Let's see if we can *really* define what it is we really want, and figure out if IDENT or "son of IDENT" is really the answer.
My two cents: IDENT is fundamentally bad for this application for
several reasons, a few of which I will enumerate:
-- It requires devices in the middle to intercept packets and
masquerade as another device, for the purpose of answering IDENT
requests. I philosophically find this unacceptable. Some may disagree,
but enough will probably agree to prevent this from ever getting to
100% deployment. Packets from my IP address should be from me, and
packets to my IP address should get to me.
-- It provides no way of knowing the source of the information. That
is, if I IDENT you, I might be getting an easily faked response from
your PC or a not-so-easily-faked response from some device at your ISP.
I have no way of knowing which is which.
-- IDENT was intended to provide port level information -- that is,
what user does Machine X think is using Port Y on Machine X. We have
to give this up if we go with forged IDENT responses. It would be
better to leave this in place, and implement a new means of getting the
new information that we now want, which is: Who does the owner of IP
address A.B.C.D think is currently using that address. (Port-level
information is, of course, useless on a multi-user machine ... but the
"Server End" of a connection has no way of knowing if the client-end is
multi-user or single-user.)
ISTM that a much better way to accomplish this would be TXT records
(or, if we want to make this more complicated, some new RR type)
associated with the IN-ADDR.ARPA domain. Using dynamic updates and
very small TTL, the ISP can change these as the address is assigned to
a new user. This lets you reasonably get the IP Address Owner's
opinion of who has that IP address, without giving up anything we
already have, and without creating any ambiguity as to the source of
the information -- IDENT comes from whoever owns the machine,
IN-ADDR.ARPA comes from whoever has the IP Address Space.
- Brett (brettf () netcom com)
------------------------------------------------------------------------------
... Coming soon to a | Brett Frankenberger
.sig near you ... a Humorous Quote ... | brettf () netcom com
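The scheme proposed above (ISP publishes the current holder of an address as a TXT record under IN-ADDR.ARPA, pushes changes with dynamic update, and keeps the TTL small) can be walked through end to end in a small simulation. This is an added example, not code from the post or from any ISP; the zone name 2.0.192.in-addr.arpa., the address 192.0.2.45, the holder labels "alice" and "bob", and the toy authoritative server and caching resolver are all constructed here for illustration. It shows why the "very small TTL" matters: a resolver that cached the answer under a long TTL keeps naming the previous holder after the lease moves.

```python
"""Simulate 'who holds this IP' TXT records under IN-ADDR.ARPA.

Constructed example: an ISP that controls the reverse zone for 192.0.2.0/24
publishes the current holder of each address as a TXT record, updates it with
an nsupdate(8)-style script when the address is reassigned, and a caching
resolver honours the TTL on what it has already learned.
"""
import ipaddress
import re


def reverse_name(ip: str) -> str:
    """Return the IN-ADDR.ARPA owner name for an IPv4 address (IPv4 only here)."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."


def nsupdate_script(zone: str, ip: str, holder, ttl: int) -> str:
    """Build the text the ISP would feed to nsupdate when an address changes
    hands: drop the old TXT record, add the new one (holder=None: drop only)."""
    name = reverse_name(ip)
    lines = [f"zone {zone}", f"update delete {name} TXT"]
    if holder is not None:
        lines.append(f'update add {name} {ttl} TXT "{holder}"')
    lines.append("send")
    return "\n".join(lines) + "\n"


class AuthoritativeZone:
    """Toy stand-in for the ISP's reverse-zone server: owner name -> (ttl, text)."""

    def __init__(self, zone: str):
        self.zone = zone
        self.txt = {}

    def apply(self, script: str) -> None:
        """Apply the subset of nsupdate syntax produced by nsupdate_script()."""
        for line in script.splitlines():
            if line.startswith("update delete "):
                self.txt.pop(line.split()[2], None)
            elif line.startswith("update add "):
                m = re.fullmatch(r'update add (\S+) (\d+) TXT "([^"]*)"', line)
                if not m:
                    raise ValueError(f"malformed update: {line!r}")
                self.txt[m.group(1)] = (int(m.group(2)), m.group(3))
            elif line in (f"zone {self.zone}", "send", ""):
                continue
            else:
                raise ValueError(f"unsupported line: {line!r}")

    def lookup(self, name: str):
        return self.txt.get(name)             # (ttl, text) or None


class CachingResolver:
    """Resolver that serves a cached answer until its TTL expires.
    Time is an explicit 'now' argument so the scenario is deterministic.
    Negative answers are not cached, a simplification."""

    def __init__(self, authority: AuthoritativeZone):
        self.authority = authority
        self.cache = {}                       # name -> (expires_at, text)

    def holder_of(self, ip: str, now: int):
        name = reverse_name(ip)
        cached = self.cache.get(name)
        if cached and now < cached[0]:
            return cached[1]                  # still within TTL: no new query
        answer = self.authority.lookup(name)
        if answer is None:
            self.cache.pop(name, None)
            return None
        ttl, text = answer
        self.cache[name] = (now + ttl, text)
        return text


def stale_window(ttl: int):
    """Reassign an address while a resolver holds a cached answer.
    Returns the holder the resolver reports before the move (t=0),
    shortly after it (t=20) and once the TTL has certainly run out."""
    zone = AuthoritativeZone("2.0.192.in-addr.arpa.")
    resolver = CachingResolver(zone)
    ip = "192.0.2.45"
    zone.apply(nsupdate_script(zone.zone, ip, "alice", ttl))
    before = resolver.holder_of(ip, now=0)
    zone.apply(nsupdate_script(zone.zone, ip, "bob", ttl))   # lease moves
    during = resolver.holder_of(ip, now=20)
    after = resolver.holder_of(ip, now=20 + ttl + 1)
    return before, during, after


if __name__ == "__main__":
    print(nsupdate_script("2.0.192.in-addr.arpa.", "192.0.2.45", "alice", 30))
    for ttl in (3600, 5):
        print(f"TTL {ttl:4d}: before/during/after reassignment ->", stale_window(ttl))
```

With a one-hour TTL the resolver still attributes 192.0.2.45 to "alice" twenty seconds after the ISP handed it to "bob"; with a five-second TTL it re-queries and gets the current holder. The example takes the reverse-zone server's answer at face value, which matches the post's framing (the answer comes from whoever holds the address space); nothing here authenticates that answer on the wire, which is a separate question from the one the post raises.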