North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Suggestion for improved identD

  • From: Brett Frankenberger
  • Date: Fri May 22 14:41:18 1998

:: Tom Perrine writes ::
> 
> I've been following the "need a better IDENT" thread for a bit, and
> have some questions and suggestions.
> 
> Let's see if we can *really* define what it is we really want, and
> figure out if IDENT or "son of IDENT" is really the answer.

My two cents:  IDENT is fundamentally bad for this application for
several reasons, a few of which I will enumerate:
  -- It requires devices in the middle to intercept packets and
masquerade as another device, for the purpose of answering IDENT
requests. I philosophically find this unacceptable.  Some may disagree,
but enough will probably agree to prevent this from ever getting to
100% deployment.   Packets from my IP address should be from me, and
packets to my IP address should get to me.
 -- It provides no way of knowing the source of the information.  That
is, if I IDENT you, I might be getting an easily faked response from
your PC or a not-so-easily-faked response from some device at your ISP. 
I have no way of knowing which is which.
 -- IDENT was indended to provide port level information -- that is,
what user does Machine X think it using Port Y on Machine X.  We have
to give this up if we go with forged IDENT responses.  It would be
better to leave this in place, and implement a new means of getting the
new information that we now want, which is: Who does the owner of IP
address A.B.C.D think is currently using that address.  (Port-level
information is, of course, useless on a multi-user machine ... but the
"Server End" of a connection has no way of knowing if the client-end is
multi-user or single-user.)

ISTM that a much better way to accomplish this would be TXT records
(or, if we want to make this more complicated, some new RR type)
associated with the IN-ADDR.ARPA domain.  Using dynamic updates and
very small TTL, the ISP can change these as the address is assigned to
a new user.  This lets you reasonably get the IP Address Owner's
opinion of who has that IP address, without giving up anything we
already have, and without creating any ambiguity as to the source of
the information -- IDENT comes from whoever owns the machine,
IN-ADDR.ARPA comes from whoever has the IP Address Space.

          - Brett  ([email protected])
 
------------------------------------------------------------------------------
                               ... Coming soon to a      | Brett Frankenberger
.sig near you ... a Humorous Quote ...                   | [email protected]